Connecting to Sessions in Bastion

This topic describes how to connect to bastion sessions.

For information about how to create and manage bastion sessions, see Managing Sessions in Bastion. For information about creating and managing bastions, see Managing Bastions.

Bastions are Oracle-managed services. You use a bastion to create Secure Shell (SSH) sessions that provide access to other private resources. But you can't connect directly to a bastion with SSH and administer or monitor it like a traditional host.

When connecting to a bastion session, we recommend that you follow the SSH best practices described in Securing Bastion.

You can connect to the following types of sessions:

Required IAM Policy

To use Oracle Cloud Infrastructure, you must be granted security access in a policy by an administrator. This access is required whether you're using the Console or the REST API with an SDK, CLI, or other tool. If you get a message that you don't have permission or are unauthorized, verify with your administrator what type of access you have and which compartment to work in.

To use all Bastion features, you must have the following permissions:

  • Manage bastions, sessions, and networks
  • Read compute instances
  • Read compute instance agent (Oracle Cloud Agent) plugins
  • Inspect work requests

Example policy:

    Allow group SecurityAdmins to manage bastion-family in tenancy
    Allow group SecurityAdmins to manage virtual-network-family in tenancy
    Allow group SecurityAdmins to read instance-family in tenancy
    Allow group SecurityAdmins to read instance-agent-plugins in tenancy
    Allow group SecurityAdmins to inspect work-requests in tenancy

See Bastion IAM Policies for detailed policy information and more examples.

If you're new to policies, see Getting Started with Policies and Common Policies.

Allowing Network Access From the Bastion

The VCN (virtual cloud network) that the target resource was created in must allow incoming network traffic from the bastion on the target port.

For example, if you want to use a session to connect to port 8001 on a compute instance from a bastion with the IP address 192.168.0.99, then the subnet used to access the instance needs to allow ingress traffic from 192.168.0.99 on port 8001.

  1. Open the navigation menu and click Identity & Security. Click Bastion.
  2. Under List Scope, in the Compartment list, click the name of the compartment where the bastion was created.
  3. Click the name of the bastion.
  4. Copy the Private endpoint IP address.
  5. Click the Target subnet.

    If the target resource is on a different subnet than the one used by the bastion to access this VCN, edit the target resource's subnet.

  6. From the Subnet Details page, click an existing security list that is assigned to this subnet.

    Alternatively, you can create a security list and assign it to this subnet.

  7. Click Add Ingress Rules.
  8. For Source CIDR, enter a CIDR block that includes the Private endpoint IP address of the bastion.

    For example, the CIDR block <bastion_private_IP>/32 includes only the bastion's IP address.

  9. For IP Protocol, select TCP.
  10. For Destination Port Range, enter the port number on the target resource.

    For Managed SSH sessions, specify port 22.

  11. Click Add Ingress Rules.
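The following Python is an added example (not Oracle's code or tooling) that builds the same ingress rule as steps 7 to 11 in the JSON shape the OCI Networking API uses for security-list rules, and checks whether an existing rule already covers the bastion before adding one. The existing rules, the bastion IP 192.168.0.99 and the ports are constructed sample values; the update call that accepts this JSON replaces the whole ingress list, which is why existing rules are merged rather than overwritten.

```python
"""Build and check OCI security-list ingress rules for a Bastion private endpoint.
Added example, not Oracle's code. Dicts follow the IngressSecurityRule JSON shape
(source, sourceType, protocol, isStateless, tcpOptions). Sample values are constructed."""
import ipaddress

TCP = "6"  # OCI names protocols by IANA number ("6" = TCP, "all" = any protocol)


def bastion_ingress_rule(bastion_private_ip: str, target_port: int) -> dict:
    """Stateful TCP rule scoped to the bastion's /32 and a single target port."""
    ip = ipaddress.ip_address(bastion_private_ip)  # rejects malformed input
    if not 1 <= target_port <= 65535:
        raise ValueError(f"invalid TCP port: {target_port}")
    return {
        "description": "Bastion private endpoint to target port",
        "source": f"{ip}/32",  # /32: only the bastion, never its whole subnet
        "sourceType": "CIDR_BLOCK",
        "protocol": TCP,
        "isStateless": False,
        "tcpOptions": {"destinationPortRange": {"min": target_port, "max": target_port}},
    }


def rule_allows(rule: dict, src_ip: str, port: int) -> bool:
    """True if an existing ingress rule already admits TCP from src_ip to port."""
    if rule.get("protocol") not in (TCP, "all"):
        return False
    if ipaddress.ip_address(src_ip) not in ipaddress.ip_network(rule["source"], strict=False):
        return False
    port_range = (rule.get("tcpOptions") or {}).get("destinationPortRange")
    if port_range is None:  # no tcpOptions on a TCP rule means every port
        return True
    return port_range["min"] <= port <= port_range["max"]


def merged_rules(existing: list, bastion_private_ip: str, target_port: int) -> list:
    """Existing rules plus the bastion rule, unless one already covers it. The update
    call replaces the whole ingress list, so sending only the new rule drops the rest."""
    if any(rule_allows(r, bastion_private_ip, target_port) for r in existing):
        return list(existing)
    return list(existing) + [bastion_ingress_rule(bastion_private_ip, target_port)]


# Constructed sample: the security list currently admits HTTPS from one subnet only.
EXISTING_RULES = [{"source": "10.0.1.0/24", "sourceType": "CIDR_BLOCK", "protocol": TCP,
                   "isStateless": False,
                   "tcpOptions": {"destinationPortRange": {"min": 443, "max": 443}}}]
```

`json.dumps(merged_rules(EXISTING_RULES, "192.168.0.99", 8001))` yields the value to pass to `oci network security-list update --ingress-security-rules`; checking `rule_allows` against the current rules is also a quick way to confirm that the rule you added is scoped to the bastion's /32 rather than a wider source CIDR.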

To learn more, see Security Lists.