Oracle Cloud Bastion Service: Easy and Secured Route to Private Resources

Oracle Cloud Infrastructure (OCI) Bastion is a fully managed, built-in service that gives enterprises restricted, time-limited Secure Shell (SSH) access to private resources in the Oracle cloud. Much like the bastions that covered the blind spots of early-modern fortifications, the service adds a layer of protection against inbound threats originating on the public side of the internet.


Until now, enterprises had to rely on complicated public/private subnet architectures, jump hosts, and third-party solutions to reach private resources in the cloud. Such methods were not only expensive but also hard to maintain, keep compliant, and keep secure all at once. OCI Bastion removes the need for jump hosts and complex networking and provides SSH access to private resources in a way that matches Oracle's approach to cloud security: simple and prescriptive.

OCI Bastion Service: Overcoming the Jump Host

The cost, deployment, and administration of a jump host are sore spots for many enterprises, and OCI Bastion does away with the public/private virtual cloud network (VCN) plumbing that a jump host requires. Because the target subnet no longer needs a public IP address, the internet-facing attack surface of a dedicated jump host, together with the burden of patching it against newly disclosed vulnerabilities, is removed as well.

With OCI Bastion, enterprises also give up shared credentials, overly broad access, and the other poor habits that come with jump hosts. Because the service is integrated with OCI Identity and Access Management (IAM), administrators control which users may reach a bastion and exactly which actions those users are allowed to perform on its resources. Bastion activity is also observable: metrics and notifications are available through OCI Audit, OCI Events, and Oracle Cloud Guard.

Oracle Cloud Bastion: Experiencing the Ease of Setting Up SSH Connections

With OCI Bastion, security administrators gain consolidated control over which IAM users and groups may reach a private endpoint, and they can restrict the IP ranges from which operators may connect through a CIDR allowlist. Sessions are short-lived: each one expires when its time-to-live (TTL), chosen by the operator within the administrator's maximum, runs out, or earlier if it is explicitly terminated.

Traffic control is layered. The bastion's client CIDR block allowlist, set by the enterprise administrator, limits which source addresses may open sessions; the target subnet's security list (or network security group) must allow ingress on the target port only from the bastion's private endpoint. Following are the steps to set up a bastion:

  1. Write IAM policies that let administrators manage bastions and let operators use sessions
  2. Create a bastion, specifying the target VCN and subnet for its private endpoint, the client CIDR block allowlist, and the maximum session TTL
  3. Add an ingress rule to the target subnet's security list or network security group that permits traffic on the target port from the bastion's private endpoint
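As an added example (not from this article or from Oracle), here are the three setup steps expressed in Terraform with the OCI provider. The compartment, subnet and network security group OCIDs are variables; the group names BastionAdmins and BastionOperators and the 203.0.113.0/24 operator range are placeholders; an NSG rule stands in for the subnet security list, and `private_endpoint_ip_address` is assumed to be the bastion resource's exported endpoint address. The extra read/inspect statements in the operator policy are what the service needs to resolve targets and should be checked against the current OCI policy reference.

```hcl
# Added example (not from the article): Terraform for the three setup steps.
# Assumed values: compartment, subnet and NSG OCIDs are variables; the group
# names and the 203.0.113.0/24 operator range are placeholders.

variable "compartment_id"   { type = string }
variable "target_subnet_id" { type = string } # subnet holding the private targets
variable "target_nsg_id"    { type = string } # NSG attached to the target instances
variable "operator_cidr" {
  type    = string
  default = "203.0.113.0/24" # corporate egress range; never 0.0.0.0/0
}

# Step 1: IAM policies. Admins manage bastions; operators may only use sessions.
resource "oci_identity_policy" "bastion_admins" {
  compartment_id = var.compartment_id
  name           = "bastion-admins"
  description    = "Create, update and delete bastions and their sessions"
  statements = [
    "Allow group BastionAdmins to manage bastion-family in compartment id ${var.compartment_id}",
  ]
}

resource "oci_identity_policy" "bastion_operators" {
  compartment_id = var.compartment_id
  name           = "bastion-operators"
  description    = "Open sessions on existing bastions only"
  statements = [
    "Allow group BastionOperators to use bastion-session in compartment id ${var.compartment_id}",
    # Assumed minimum for listing targets and tracking session creation.
    "Allow group BastionOperators to read instance-family in compartment id ${var.compartment_id}",
    "Allow group BastionOperators to read instance-agent-plugins in compartment id ${var.compartment_id}",
    "Allow group BastionOperators to inspect work-requests in compartment id ${var.compartment_id}",
  ]
}

# Step 2: the bastion. The CIDR allowlist and the TTL ceiling are the two
# limits an operator cannot exceed when creating a session.
resource "oci_bastion_bastion" "this" {
  name                         = "private-subnet-bastion"
  compartment_id               = var.compartment_id
  bastion_type                 = "STANDARD"
  target_subnet_id             = var.target_subnet_id
  client_cidr_block_allow_list = [var.operator_cidr]
  max_session_ttl_in_seconds   = 3600 # 1 hour ceiling; the service allows at most 3 hours
}

# Step 3: only the bastion's private endpoint may reach port 22 on the targets.
# Pinning the rule to that /32 (assumed exported attribute) rather than the
# whole subnet stops other hosts in the subnet from using the opening.
resource "oci_core_network_security_group_security_rule" "ssh_from_bastion" {
  network_security_group_id = var.target_nsg_id
  direction                 = "INGRESS"
  protocol                  = "6" # TCP
  source_type               = "CIDR_BLOCK"
  source                    = "${oci_bastion_bastion.this.private_endpoint_ip_address}/32"
  description               = "SSH from the OCI Bastion private endpoint only"
  tcp_options {
    destination_port_range {
      min = 22
      max = 22
    }
  }
}
```

The two limits worth reviewing before `terraform apply` are the allowlist and the ingress source: an allowlist of 0.0.0.0/0 or an ingress rule open to the whole subnet CIDR silently recreates the exposure the bastion was meant to remove.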

OCI Bastion: Industry-Leading Security at Administrators' and Operators' Convenience

When an operator needs to reach a private endpoint, they go to OCI Bastion, where only the bastions they are permitted to use are visible. To start a session, the operator chooses session parameters within the limits the bastion enforces. From there they can use SSH as usual: log in to a remote instance, run commands, tunnel other traffic over forwarded TCP ports, transfer files with SFTP or SCP, and connect to a database.

There are two session types, managed SSH and SSH tunneling (port forwarding); which one applies depends on the kind of target resource.

  1. Managed SSH sessions provide SSH access to compute instances built from Oracle Linux platform images that run the Oracle Cloud Agent (OCA); the agent's Bastion plugin places the operator's public key on the host for the named OS user
  2. SSH tunneling (port forwarding) sessions establish a secure connection between a port on the operator's client and a port on the target resource. Any protocol can be carried over the tunnel, so operators can reach MySQL, OKE, ATP, Windows RDP, and other targets that have no SSH of their own

Having chosen the session type, the operator selects a target from the private endpoint resources the administrator made reachable when the bastion was created, enters the OS username on the target, supplies the public half of an SSH key pair they generated, and creates the session. To connect, the operator pastes the SSH command that OCI Bastion generates for the session into Cloud Shell or a local terminal.

An OCI Bastion session authenticates and authorizes only the holder of the private key matching the public key registered at session creation, and only for the session's TTL. The operator generates the key pair locally, uploads just the public key when creating the session, and keeps the private key for the connection itself. Beyond holding the private key, the operator must connect from an address inside the bastion's client CIDR block allowlist.
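As an added example (not from this article or from Oracle), the operator side of the workflow described above in the same Terraform style: one managed SSH session and one port-forwarding session on an existing bastion. The bastion, target instance and database IP are variables, the OS user `opc` and the 30-minute TTL are placeholders, the key pair is assumed to have been generated locally with `ssh-keygen -t ed25519 -f ./bastion_key`, and `ssh_metadata["command"]` is assumed to be the session resource's exported connection string.

```hcl
# Added example (not from the article): two sessions on an existing bastion.
# Only the public half of the locally generated key pair is ever uploaded.

variable "bastion_id"         { type = string }
variable "target_instance_id" { type = string } # Oracle Linux instance running Oracle Cloud Agent
variable "db_private_ip"      { type = string } # e.g. a MySQL or ATP private endpoint address

# Managed SSH: the Bastion plugin of Oracle Cloud Agent places the public key
# on the instance for the named OS user; the session dies after 30 minutes.
resource "oci_bastion_session" "managed_ssh" {
  bastion_id             = var.bastion_id
  display_name           = "ops-shell"
  session_ttl_in_seconds = 1800 # must not exceed the bastion's max_session_ttl_in_seconds
  key_type               = "PUB"
  key_details {
    public_key_content = file("${path.module}/bastion_key.pub")
  }
  target_resource_details {
    session_type                               = "MANAGED_SSH"
    target_resource_id                         = var.target_instance_id
    target_resource_operating_system_user_name = "opc" # placeholder OS user
    target_resource_port                       = 22
  }
}

# Port forwarding: no shell on the target; a local port is tunnelled to the
# database listener. Windows RDP (3389) or an OKE API server (6443) work alike.
resource "oci_bastion_session" "db_tunnel" {
  bastion_id             = var.bastion_id
  display_name           = "mysql-tunnel"
  session_ttl_in_seconds = 1800
  key_type               = "PUB"
  key_details {
    public_key_content = file("${path.module}/bastion_key.pub")
  }
  target_resource_details {
    session_type                       = "PORT_FORWARDING"
    target_resource_private_ip_address = var.db_private_ip
    target_resource_port               = 3306
  }
}

# The service returns the exact ssh command for each session (assumed exported
# attribute). The operator substitutes the private key path (and a local port
# for the tunnel) and runs it from an address inside the bastion's allowlist.
output "managed_ssh_command" {
  value = oci_bastion_session.managed_ssh.ssh_metadata["command"]
}

output "db_tunnel_command" {
  value = oci_bastion_session.db_tunnel.ssh_metadata["command"]
}
```

A session request whose TTL exceeds the bastion's ceiling, or whose source address falls outside the allowlist, is rejected; both limits are enforced by the bastion, not by the operator's client, which is the point of keeping them under administrator control.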