Creating a Bastion

Create a bastion to provide restricted access to target resources that don't have public endpoints.

Before you begin, ensure that you have the following information about the target resource (such as an instance or database) that you intend to use this bastion to host sessions for:

  • The VCN (virtual cloud network) that the target was created in
    Tip

    If you haven't created a VCN, consider using a Virtual Networking Quickstart wizard.
  • A private subnet in the VCN, which is one of the following:
    • The subnet that the target resource was created in
    • Another subnet in the VCN that can reach the target resource, meaning the target's subnet allows ingress network traffic from that subnet
  • The IPv4 addresses from which you plan to connect to sessions hosted by the bastion

The VCN must include a service gateway and a route rule for the service gateway. See Access to Oracle Services: Service Gateway.

Note

A bastion is associated with a single VCN. You can't create a bastion in one VCN and then use it to access target resources in a different VCN.

    1. Open the navigation menu and click Identity & Security. Click Bastion.
    2. Under List Scope, select the compartment where you want to create a bastion.
    3. Click Create bastion.
    4. Enter a name for the bastion.

      Avoid entering any confidential information in this field. Only alphanumeric characters are supported.

    5. Under Configure networking, select the target VCN of the target resource that you intend to connect to by using sessions hosted on this bastion.

      If needed, change the compartment to find the VCN.

    6. Select the target subnet. The subnet must either be the same as the target resource's subnet or it must be a subnet from which the target resource's subnet accepts network traffic.

      If needed, change the compartment to find the subnet.

    7. (Optional) Select Enable FQDN Support and SOCKS5 to extend the local port forwarding session type to accept domain names as a target resource identifier, or to enable the bastion to use the dynamic port forwarding (SOCKS5) session type.
    8. Under CIDR block allowlist, add one or more address ranges in CIDR notation that you want to allow to connect to sessions hosted by this bastion.

      For example, 203.0.113.0/24.

      Enter a CIDR block into the input field, and then either click the value or press Enter to add the value to the list. The maximum allowed number of CIDR blocks is 20.

      A narrower address range offers better security: only clients whose source address falls within a listed CIDR block can connect to sessions hosted by this bastion, so list only the ranges you actually connect from.

    9. (Optional) Change the maximum amount of time that any session on this bastion can remain active.
      1. Click Show advanced options.
      2. Click the Management tab.
      3. Enter a value for Maximum session time-to-live.

        Provide a value of at least 30 minutes that doesn't exceed 180 minutes (3 hours).

    10. (Optional) Assign tags to the bastion.
      1. Click Show advanced options.
      2. Click Tagging.

        If you have permissions to create a resource, you also have permissions to apply free-form tags to that resource. To apply a defined tag, you must have permissions to use the tag namespace. For more information about tagging, see Resource Tags.

        You can also assign tags to a resource after creating it.

    11. When you're finished, select one of the following options:
      • To create the bastion, click Create bastion.
      • To save the resource definition as a Terraform configuration, click Save as Stack.

      For more information about saving stacks from resource definitions, see Creating a Stack from a Resource Creation Page.

    After you create a bastion, you can create a session. For options, see Managing Sessions.

  • Use the oci bastion bastion create command and required parameters to create a bastion:

    oci bastion bastion create --bastion-type Standard --compartment-id <compartment_ocid> --target-subnet-id <target_subnet_ocid> [OPTIONS]

    For a complete list of flags and variable options for CLI commands, see the Command Line Reference.

  • Run the CreateBastion operation to create a bastion.
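The console steps and the CreateBastion operation above both enforce limits that are cheaper to catch before a request is sent: an alphanumeric name, a CIDR allowlist of at most 20 well-formed IPv4 blocks (with no catch-all range), and a session TTL between 30 and 180 minutes. The following pre-flight check is an added example, not code from the Oracle documentation or the OCI SDK; the request-body field names are assumed to match the CreateBastion API and should be confirmed against the API reference, and the OCIDs are constructed placeholders.

```python
import ipaddress
import re

MAX_CIDR_BLOCKS = 20                          # console limit stated on the page
MIN_TTL_MINUTES, MAX_TTL_MINUTES = 30, 180    # session TTL bounds stated on the page


def allowlist_problems(cidrs):
    """Return the reasons a CIDR allowlist should be rejected (empty list if acceptable)."""
    problems = []
    if not cidrs:
        problems.append("allowlist is empty; the bastion would accept no clients")
    if len(cidrs) > MAX_CIDR_BLOCKS:
        problems.append(f"{len(cidrs)} entries exceed the maximum of {MAX_CIDR_BLOCKS}")
    if len(set(cidrs)) != len(cidrs):
        problems.append("duplicate entries in allowlist")
    for cidr in cidrs:
        try:
            net = ipaddress.ip_network(cidr, strict=True)  # strict: host bits must be zero
        except ValueError as exc:
            problems.append(f"{cidr!r}: {exc}")
            continue
        if net.version != 4:
            problems.append(f"{cidr}: only IPv4 ranges are accepted")
        elif net.prefixlen == 0:
            problems.append(f"{cidr}: admits every source address; narrow the range")
    return problems


def build_create_bastion_body(name, compartment_id, target_subnet_id, cidrs,
                              ttl_minutes, fqdn_socks5=False):
    """Validate the inputs against the page's limits and return a CreateBastion request body.

    Field names are an assumption based on the CreateBastion API; verify against the reference."""
    if not re.fullmatch(r"[A-Za-z0-9]+", name):
        raise ValueError("bastion name must contain only alphanumeric characters")
    if not MIN_TTL_MINUTES <= ttl_minutes <= MAX_TTL_MINUTES:
        raise ValueError(f"session TTL must be {MIN_TTL_MINUTES}..{MAX_TTL_MINUTES} minutes")
    problems = allowlist_problems(cidrs)
    if problems:
        raise ValueError("; ".join(problems))
    return {
        "bastionType": "Standard",
        "name": name,
        "compartmentId": compartment_id,
        "targetSubnetId": target_subnet_id,
        "clientCidrBlockAllowList": list(cidrs),
        "maxSessionTtlInSeconds": ttl_minutes * 60,   # the API takes seconds, the console minutes
        "dnsProxyStatus": "ENABLED" if fqdn_socks5 else "DISABLED",  # FQDN support and SOCKS5
    }
```

Running `build_create_bastion_body("jumpbox01", "ocid1.compartment.oc1..PLACEHOLDER", "ocid1.subnet.oc1..PLACEHOLDER", ["203.0.113.0/24"], 60)` returns the body with `maxSessionTtlInSeconds` set to 3600; passing `["0.0.0.0/0"]` or a block with host bits set raises before anything reaches the API.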