DEV Community

Bonthu Durga Prasad

OCI Bastion Service: Complete End-to-End Guide for Secure Access to Private Instances

Introduction

Accessing private compute instances securely is a common challenge in cloud environments. Exposing SSH ports publicly increases the attack surface and violates security best practices.

In Oracle Cloud Infrastructure, Bastion Service provides a secure way to connect to private instances without assigning public IP addresses.

This guide provides a complete end-to-end implementation of OCI Bastion Service.

Architecture Overview

Your Laptop
    ↓
OCI Bastion Service
    ↓
Private Subnet
    ↓
Compute Instance (No Public IP)

Prerequisites

  • OCI account
  • VCN with:
    • Public subnet
    • Private subnet
  • Compute instance in private subnet
  • SSH key pair

Step 1: Create VCN (Quick Setup)

  • Go to Networking → VCN
  • Create VCN with:
    • CIDR: 10.0.0.0/16
    • Public subnet: 10.0.64.0/24
    • Private subnet: 10.0.128.0/17

Step 2: Create Private Compute Instance

  • Go to Compute → Instances
  • Launch an instance with:
    • Instance name: Demo_Bastion_service
    • Subnet: private subnet
    • No public IP

The instance is now reachable only through its private IP address.

Step 3: Create Bastion

  • Navigate → Identity & Security → Bastion
  • Click Create Bastion

Configuration

  • Name: my-bastion
  • VCN: Demo_VCN
  • Subnet: public subnet
  • CIDR: 0.0.0.0/0 (for testing)

Step 4: Create Bastion Session

  • Click the bastion → Create Session
  • Select:
    • Session type: SSH_Port_Forwarding
    • Target instance: your private instance
    • Upload your public key

Step 5: Connect to Instance

OCI generates an SSH command for the session. Copy it; it looks like this, with placeholders for your private key file and the local port:

ssh -i <privateKey> -N -L <localPort>:10.0.171.0:22 -p 22 ocid1.bastionsession.oc1.ap-mumbai-1.amaaaaaa7gqo7aaalvsyyzpplvcrg5ixiyevbeuwfl2xycuchc3j5k6ughga@host.bastion.ap-mumbai-1.oci.oraclecloud.com

  • Restrict the permissions of the private key (.pem) file on your computer so that only the user who will connect can read it.

-> Open the file's Properties, go to the Security tab, and change the permissions there.

  • Replace the key placeholder with the location of your key file and set the local port to 22.

For your reference:

ssh -i C:\Test.key -N -L 22:10.0.171.0:22 -p 22 ocid1.bastionsession.oc1.ap-mumbai-1.amaaaaaa7gqo7aaalvsyyzpplvcrg5ixiyevbeuwfl2xycuchc3j5k6ughga@host.bastion.ap-mumbai-1.oci.oraclecloud.com

  • A tunnel is established between your computer and the private server.

  • Open PuTTY, go to Connection → SSH → Auth and add your private key, then go to Tunnels and add the forwarding details (local port 22 to port 22 on the private instance).

-> The tunnel is now created between your system and the private server.

-> You can now connect to the private server through the Bastion service without a public IP.

Verify Connection

-> You can verify the connection with the commands below.

  • whoami
  • hostname -i

Security Best Practices

  • Do NOT allow 0.0.0.0/0 in production
  • Use a restricted CIDR allowlist
  • Use a short session duration
  • Use IAM policies
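The session creation in Steps 3 to 5 and the CIDR and session-duration practices above can be combined in a script, shown here as an added example that is not part of the original post or Oracle's tooling. It assumes a configured `oci` CLI and that the `oci bastion` subcommands and options used below exist with these names; the two pure helpers run offline.

```shell
#!/bin/sh
# Added example, not from the original post or Oracle: wraps Steps 3-5 with the
# OCI CLI and refuses to open a tunnel through a bastion that still allows
# 0.0.0.0/0. Assumes the `oci` CLI is installed and configured and that the
# `oci bastion` subcommands and options used below exist with these names.

# Pure check: $1 is the client-cidr-block-allow-list JSON from `oci bastion bastion get`.
# Returns 0 only if it has at least one prefix-form entry and no open range.
allowlist_is_restricted() {
    case "$1" in
        *'"0.0.0.0/0"'*|*'"::/0"'*) return 1 ;;
        *'"'*'/'*'"'*) return 0 ;;
        *) return 1 ;;
    esac
}

# Pure helper: build the -L spec of the Step 5 ssh command ($1 local port,
# $2 target private IP). Insists on an unprivileged local port so the tunnel
# needs no admin rights and cannot collide with a local sshd on port 22.
forward_spec() {
    case "$1" in ''|*[!0-9]*) echo "local port must be numeric" >&2; return 1 ;; esac
    [ "$1" -gt 1023 ] && [ "$1" -lt 65536 ] || { echo "local port out of range: $1" >&2; return 1; }
    printf '%s:%s:22' "$1" "$2"
}

# Live calls (assumed CLI syntax): fetch the bastion allowlist, then create a
# port-forwarding session with a short TTL and wait until it is ACTIVE.
bastion_allowlist() {
    oci bastion bastion get --bastion-id "$1" --query 'data."client-cidr-block-allow-list"'
}
create_session() {  # $1 bastion OCID, $2 target IP, $3 public key file, $4 TTL seconds
    oci bastion session create-port-forwarding-session --bastion-id "$1" \
        --target-private-ip "$2" --target-port 22 --ssh-public-key-file "$3" \
        --session-ttl "$4" --wait-for-state ACTIVE --query 'data.id' --raw-output
}

# Only runs when RUN_BASTION_DEMO=1; all values come from the environment.
if [ "${RUN_BASTION_DEMO:-0}" = "1" ]; then
    : "${BASTION_OCID:?}" "${TARGET_IP:?}" "${PUBKEY:?}" "${PRIVKEY:?}" "${REGION:?}"
    allowlist_is_restricted "$(bastion_allowlist "$BASTION_OCID")" ||
        { echo "bastion allows 0.0.0.0/0 or has no allowlist; narrow it first" >&2; exit 1; }
    SPEC=$(forward_spec "${LOCAL_PORT:-2222}" "$TARGET_IP") || exit 1
    SESSION_OCID=$(create_session "$BASTION_OCID" "$TARGET_IP" "$PUBKEY" "${TTL:-1800}")
    # Endpoint follows the host.bastion.<region>.oci.oraclecloud.com form shown in Step 5.
    ssh -i "$PRIVKEY" -N -L "$SPEC" -p 22 "$SESSION_OCID@host.bastion.$REGION.oci.oraclecloud.com"
fi
```

With the tunnel up, point PuTTY or `ssh` at localhost on the chosen local port instead of port 22.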

Conclusion

OCI Bastion Service enables secure and controlled access to private instances without exposing them to the internet. By using Bastion, organizations can implement a secure access architecture aligned with best practices.
