Oracle Analytics Cloud: Private Access via OCI Bastion
What is a Bastion? Why would you need an Oracle Analytics Cloud instance in a private network? How can we connect to an Oracle Analytics Cloud instance in a private network using an OCI Bastion in a public network?
These are the usual questions we come across, and sometimes customers ask us to keep their Oracle Analytics Cloud instance in a private network and provide restricted access to it.
In this blog, we will cover these topics.
We will see how to access an Oracle Analytics Cloud instance created in a private network/subnet using a Bastion created in a public network/subnet.
This assumes that you already know how to provision an OAC instance in a private network/subnet.
What is OCI Bastion?
OCI Bastion provides restricted and time-limited access to target resources that don’t have public endpoints. Bastions let authorized users connect from specific IP addresses to target resources using Secure Shell (SSH) sessions; these sessions last only for 3 hours, which limits the window of exposure and so provides additional security.
How to create an OCI Bastion instance?
Now, let us see how to create an OCI Bastion.
Navigate to “Identity & Security” → “Bastion” and click on Create Bastion.
Provide a name for the Bastion, choose the VCN and subnet, and specify the CIDR block allow list.
For the purpose of this blog I have chosen a public subnet, added my local IP to the allow list and completed the Bastion creation.
This completes the creation of the Bastion.
Now, I will assume that you already have an Oracle Analytics Cloud (OAC) instance provisioned in a private network, which you want to access through the Bastion.
How to connect Private OAC via Bastion?
For this, we start by creating a session in the Bastion as shown below:
1. Open the Bastion instance you created and click on Create Session.
2. Choose the session type “SSH port forwarding session”.
3. Provide your OAC private IP (which can be fetched from the Additional Details section of the OAC instance page).
4. Choose the port as 443.
5. Provide a public key to establish a secured session and click on Create Session.
Now, let us run the SSH command by copying it from the session details shown here.
Run the above command, replacing <privateKey> with the path to the private key that matches the public key you used while creating the session, and <localport> with 443, since that is the port we will be connecting on, as shown below.
Now, as a last step before connecting to OAC, add a loopback IP address (127.0.0.1) entry together with the OAC host name to your system’s /etc/hosts file.
NOTE: The OAC host name can be retrieved from the Additional Details tab of the OAC instance page in the OCI Console.
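To make the two manual steps above (the SSH port-forwarding command and the /etc/hosts entry) reproducible, here is an added helper script; it is not code from the original post or from Oracle. It builds the SSH command in the shape the OCI Console generates for an SSH port forwarding session (session OCID as the SSH user on the regional bastion host, -N so no remote command runs, -L to forward the local port to the OAC private IP on 443) and adds the loopback entry to a hosts file only if the host is not already mapped. The session OCID, region, OAC private IP, OAC host name and key path are placeholders you replace with the values from your own session and instance; verify the bastion host name against the command shown in your session details.

```python
import shlex
import subprocess
import sys
from pathlib import Path

# Placeholders (assumptions): replace with the values from your own Bastion
# session and OAC instance. None of these are real identifiers.
BASTION_SESSION_OCID = "ocid1.bastionsession.oc1.<region>.<placeholder>"
BASTION_REGION = "<region>"            # region key as shown in your session's SSH command
OAC_PRIVATE_IP = "10.0.1.10"           # constructed: the OAC private IP from Additional Details
OAC_HOST = "<oac-host-from-additional-details>"
PRIVATE_KEY_PATH = Path.home() / ".ssh" / "oac_bastion_key"  # private half of the uploaded key


def build_port_forward_cmd(private_key, local_port, target_ip, target_port,
                           session_ocid, region):
    """Return the argv list for the Bastion SSH port-forwarding session.

    Shape of the command the OCI Console generates for an "SSH port forwarding
    session": the session OCID is the SSH user on the regional bastion host,
    -N runs no remote command, and -L forwards local_port to the target's
    private IP and port through the tunnel.
    """
    return [
        "ssh",
        "-i", str(private_key),
        "-N",
        "-L", f"{local_port}:{target_ip}:{target_port}",
        "-p", "22",
        f"{session_ocid}@host.bastion.{region}.oci.oraclecloud.com",
    ]


def hosts_entry(host, ip="127.0.0.1"):
    """The hosts-file line that points the OAC host name at the local tunnel."""
    return f"{ip} {host}"


def ensure_hosts_entry(hosts_path, host, ip="127.0.0.1"):
    """Append `ip host` to a hosts file unless the host is already mapped.

    Returns True if a line was appended, False if an entry already existed.
    The real /etc/hosts needs elevated privileges to edit, so the path is a
    parameter and the function can be exercised on a copy first.
    """
    path = Path(hosts_path)
    existing = path.read_text().splitlines() if path.exists() else []
    for line in existing:
        fields = line.split("#", 1)[0].split()   # ignore comments
        if len(fields) >= 2 and host in fields[1:]:
            return False
    with path.open("a") as fh:
        fh.write(hosts_entry(host, ip) + "\n")
    return True


if __name__ == "__main__":
    cmd = build_port_forward_cmd(PRIVATE_KEY_PATH, 443, OAC_PRIVATE_IP, 443,
                                 BASTION_SESSION_OCID, BASTION_REGION)
    print("SSH tunnel command:", shlex.join(cmd))
    print("hosts entry needed:", hosts_entry(OAC_HOST))
    # Pass --connect to actually open the tunnel; it blocks until the
    # session ends (3 hours at most), after which a new session is needed.
    if "--connect" in sys.argv:
        subprocess.run(cmd, check=True)
```

Binding local port 443 requires elevated privileges on Linux and macOS, which is why the post’s /etc/hosts step and the tunnel command are usually run as root or with sudo; the hosts entry is what lets the browser reach the OAC host name over the tunnel at 127.0.0.1:443.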
Now we are able to connect successfully to the OAC instance created in the private network. However, the SSH session terminates after 3 hours, and you will have to create a new SSH session.
Note: If you run into errors while trying to run the SSH command, check the following:
- Make sure that the IP/CIDR allow-listed on the Bastion covers the IP your current machine uses to reach OCI.
- There is an ingress rule on the OAC instance’s subnet that accepts traffic from the public subnet in which the Bastion is provisioned.
- The private key used to run the SSH command is in a valid format.
- The SSH session created in the Bastion is still active and has not exceeded 3 hours since its creation.
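The four checks above can be run mechanically before retrying the SSH command. The following is an added example, not code from the post or from Oracle: it checks the client IP against the Bastion allow list with the standard ipaddress module, verifies the private key file carries a PEM/OpenSSH private-key envelope (a pasted public key is a common mistake), compares the session creation time against the 3-hour limit, and looks for a TCP/443 ingress rule admitting the Bastion subnet. The ingress rules are modelled as constructed dicts, not the OCI SDK’s security-list objects, and every IP, CIDR and timestamp in the main block is a constructed sample.

```python
import ipaddress
from datetime import datetime, timedelta, timezone

SESSION_TTL = timedelta(hours=3)   # maximum Bastion session lifetime described in the post


def ip_in_allowlist(client_ip, allowlist_cidrs):
    """True if the client's IP falls inside any CIDR on the Bastion allow list."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(c, strict=False) for c in allowlist_cidrs)


def private_key_looks_valid(key_text):
    """Sanity-check a key file's envelope before handing it to ssh.

    Accepts the PEM/OpenSSH envelopes ssh reads; rejects a public key
    (single 'ssh-rsa AAAA...' line) or a truncated file missing its footer.
    """
    lines = key_text.strip().splitlines()
    if len(lines) < 3:
        return False
    head, tail = lines[0].strip(), lines[-1].strip()
    envelopes = ("OPENSSH PRIVATE KEY", "RSA PRIVATE KEY",
                 "EC PRIVATE KEY", "PRIVATE KEY")
    return any(head == f"-----BEGIN {e}-----" and tail == f"-----END {e}-----"
               for e in envelopes)


def session_is_active(created_at, now=None, ttl=SESSION_TTL):
    """True while the session is within its TTL (timestamps are tz-aware)."""
    now = now or datetime.now(timezone.utc)
    return now < created_at + ttl


def ingress_allows(rules, source_cidr, port):
    """True if some ingress rule admits TCP traffic from source_cidr to port.

    Rules are constructed dicts (assumption, not the OCI SDK model):
    {"source": "10.0.0.0/24", "protocol": "tcp" | "all",
     "port_min": int, "port_max": int}
    """
    src = ipaddress.ip_network(source_cidr, strict=False)
    for r in rules:
        if r["protocol"] not in ("tcp", "all"):
            continue
        if not src.subnet_of(ipaddress.ip_network(r["source"], strict=False)):
            continue
        if r["protocol"] == "all" or r["port_min"] <= port <= r["port_max"]:
            return True
    return False


def diagnose(client_ip, allowlist, key_text, session_created_at,
             oac_subnet_rules, bastion_subnet_cidr, now=None):
    """Run the post's four troubleshooting checks; return the ones that fail."""
    problems = []
    if not ip_in_allowlist(client_ip, allowlist):
        problems.append("client IP not in Bastion allow list")
    if not ingress_allows(oac_subnet_rules, bastion_subnet_cidr, 443):
        problems.append("no ingress rule on OAC subnet for tcp/443 from Bastion subnet")
    if not private_key_looks_valid(key_text):
        problems.append("private key file is not a recognised private key")
    if not session_is_active(session_created_at, now):
        problems.append("Bastion session has exceeded 3 hours")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs; none of these describe a real tenancy.
    sample_key = ("-----BEGIN OPENSSH PRIVATE KEY-----\n"
                  "b3BlbnNzaC1rZXktdjEAAAAA...constructed...\n"
                  "-----END OPENSSH PRIVATE KEY-----\n")
    created = datetime.now(timezone.utc) - timedelta(hours=1)
    rules = [{"source": "10.0.0.0/24", "protocol": "tcp",
              "port_min": 443, "port_max": 443}]
    for p in diagnose("203.0.113.7", ["203.0.113.0/24"], sample_key,
                      created, rules, "10.0.0.0/24") or ["all checks passed"]:
        print(p)
```

The key-envelope check is deliberately shallow: it catches the wrong file, not a corrupt key, and ssh’s own error message remains the authority once the file shape is right.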
This blog is part of an OAC series I am writing; please check the remaining posts here.