Managing Bastions

This topic describes how to create and manage bastions.

For information about creating and managing sessions, see Managing Sessions.

Bastion management tasks include the following:

  • Creating a bastion
  • Viewing bastion configuration details
  • Updating a bastion
  • Terminating a bastion
  • Moving a bastion to a different compartment

Required IAM Policy

To use Oracle Cloud Infrastructure, you must be granted security access in a policy by an administrator. This access is required whether you're using the Console or the REST API with an SDK, CLI, or other tool. If you get a message that you don't have permission or are unauthorized, verify with your administrator what type of access you have and which compartment to work in.

To use all Bastion features, you must have the following permissions:

  • Manage bastions, sessions, and networks
  • Read compute instances
  • Read compute instance agent (Oracle Cloud Agent) plugins
  • Inspect work requests
Example policy:
Allow group SecurityAdmins to manage bastion-family in tenancy
Allow group SecurityAdmins to manage virtual-network-family in tenancy
Allow group SecurityAdmins to read instance-family in tenancy
Allow group SecurityAdmins to read instance-agent-plugins in tenancy
Allow group SecurityAdmins to inspect work-requests in tenancy
See Bastion IAM Policies for detailed policy information and more examples.

If you're new to policies, see Getting Started with Policies and Common Policies.

Tagging Resources

Tags are key/value pairs that you can attach to resources to help you track your resources across compartments. You can apply tags to your bastions to help you organize them according to your business needs. You can apply tags at the time you create a resource, or you can update the resource later with the desired tags. For general information about applying tags, see Resource Tags.

Moving Resources to a Different Compartment

You can move bastions from one compartment to another. As soon as a bastion is moved, the policies that apply to the new compartment take effect and govern access to the bastion. Moving a bastion doesn't affect access to any sessions that the bastion hosts. You cannot move a session from one compartment to another independently of the bastion it's associated with; sessions move with their bastion. For more information, see Managing Compartments.

Using the Console

To create a bastion

Before you begin, ensure you have the following information about the target resource (instance, database, and so on) that you intend to use this bastion to host sessions for:

  • The VCN (virtual cloud network) that the target was created in
  • A private subnet in the VCN
    • The subnet that the target resource was created in
    • Another subnet that has access to the target resource's subnet (in other words, the target's subnet allows ingress network traffic from the selected subnet)
  • The IPv4 address or addresses from which you plan to connect to sessions hosted by the bastion

The VCN must include a service gateway and a route rule for the service gateway. See Access to Oracle Services: Service Gateway.

Note

A bastion is associated with a single VCN. You cannot create a bastion in one VCN and then use it to access target resources in a different VCN.

  1. Open the navigation menu and click Identity & Security. Click Bastion.
  2. Under List Scope, in the Compartment list, click the name of the compartment where you want to create a bastion.
  3. Click Create bastion.
  4. Enter a name for the bastion.

    Avoid entering any confidential information in this field. Only alphanumeric characters are supported.

  5. Under Configure networking, select the Target virtual cloud network of the target resource that you intend to connect to by using sessions hosted on this bastion.

    If needed, change the compartment to find the VCN.

  6. Select the Target subnet. The subnet must either be the same as the target resource's subnet or it must be a subnet from which the target resource's subnet accepts network traffic.

    If needed, change the compartment to find the subnet.

  7. In CIDR block allowlist, add one or more address ranges in CIDR notation that you want to allow to connect to sessions hosted by this bastion.

    For example, 203.0.113.0/24.

    Enter a CIDR block into the input field, and then either click the value or press Enter to add the value to the list. The maximum allowed number of CIDR blocks is 20.

    A narrower address range offers better security: list only the addresses you will actually connect from. A block such as 0.0.0.0/0 would allow connections from any IPv4 address.

  8. (Optional) Change the maximum amount of time that any session on this bastion can remain active.
    1. Click Show Advanced Options.
    2. Click the Management tab.
    3. Enter a value for Maximum session time-to-live.

      Provide a value that is at least 30 minutes, but does not exceed 180 minutes (3 hours).

  9. (Optional) Assign tags to the bastion.
    1. Click Show Advanced Options.
    2. Click Tagging.

      If you have permissions to create a resource, you also have permissions to apply free-form tags to that resource. To apply a defined tag, you must have permissions to use the tag namespace. For more information about tagging, see Resource Tags.

      You can also assign tags to a resource after creating it.

  10. When you are finished, click Create bastion.

After creating a bastion, you can create a session.

To view a bastion's details
  1. Open the navigation menu and click Identity & Security. Click Bastion.
  2. Under List Scope, in the Compartment list, click the name of the compartment where the bastion was created.
  3. Click the name of the bastion.

To edit a bastion

You can modify certain settings for an existing bastion.

Changes to a bastion's settings do not affect existing sessions on the bastion. Your changes apply only to new sessions.

You cannot move a bastion to a different VCN (virtual cloud network) or subnet.

  1. Open the navigation menu and click Identity & Security. Click Bastion.
  2. Under List Scope, in the Compartment list, click the name of the compartment where the bastion was created.
  3. Click the name of the bastion.
  4. Click Edit.
  5. Modify the settings for the bastion as needed.
    • CIDR block allowlist - Update the address ranges, in CIDR notation, that are allowed to connect to sessions hosted by this bastion. A narrower range offers better security.

  6. Click Show Advanced Options and modify the advanced settings for the bastion as needed.
    • Maximum session time-to-live - Change the maximum amount of time that any session on this bastion can remain active. Provide a value that is at least 30 minutes, but does not exceed 180 minutes (3 hours).

  7. When you are finished, click Save changes.
To manage tags for a bastion

You can apply tags to your bastions to help you organize them according to your business needs.

If you have permissions to create a resource, you also have permissions to apply free-form tags to that resource. To apply a defined tag, you must have permissions to use the tag namespace. For more information about tagging, see Resource Tags.

  1. Open the navigation menu and click Identity & Security. Click Bastion.
  2. Under List Scope, in the Compartment list, click the name of the compartment where the bastion was created.
  3. Click the name of the bastion.
  4. Click Tags.
  5. Edit any existing tags for this bastion, or click Add Tags to add new ones.

To delete a bastion

When you delete a bastion that has active sessions, the sessions are terminated.

  1. Open the navigation menu and click Identity & Security. Click Bastion.
  2. Under List Scope, in the Compartment list, click the name of the compartment where the bastion was created.
  3. In the Actions menu for the bastion, click Delete bastion.
  4. Enter the name of this bastion.
  5. Click Delete.

To move a bastion to a different compartment
  1. Open the navigation menu and click Identity & Security. Click Bastion.
  2. Under List Scope, in the Compartment list, click the name of the compartment where the bastion was created.
  3. Click the name of the bastion.
  4. Click Move resource.
  5. Choose a different compartment.
  6. Click Move resource.

Using the Command Line Interface (CLI)

For information about using the CLI, see Command Line Interface (CLI). For a complete list of flags and options available for CLI commands, see the Command Line Reference.

To create a bastion

Before you begin, ensure you have the following information about the target resource (instance, database, and so on) that you intend to use this bastion to host sessions for:

  • The VCN (virtual cloud network)  that the target was created in
  • A private subnet  in the VCN
    • The subnet that the target resource was created in
    • Another subnet that has access to the target resource's subnet (in other words, the target's subnet allows ingress network traffic from the selected subnet)
  • The IPv4 address or addresses from which you plan to connect to sessions hosted by the bastion

The VCN must include a service gateway  and a route rule for the service gateway. See Access to Oracle Services: Service Gateway.

To create a new bastion, open a command prompt and run oci bastion bastion create:

oci bastion bastion create --bastion-type Standard --compartment-id <target_compartment_ID> --target-subnet-id <target_resource_subnet_ID> --name <bastion_name> --client-cidr-list <JSON_formatted_list_CIDRs_allowed_to_connect> --max-session-ttl <session_time_to_live_seconds> --defined-tags <JSON_formatted_defined_tag> --freeform-tags <JSON_formatted_freeform_tag>

For example:

oci bastion bastion create --bastion-type Standard --compartment-id ocid1.compartment.oc1..exampleuniqueID --target-subnet-id ocid1.subnet.oc1..exampleuniqueID --name newbastion --client-cidr-list '["203.0.113.0/24","10.0.113.0/24"]' --max-session-ttl 3600 --defined-tags '{"Operations": {"CostCenter":"42"}}' --freeform-tags '{"Department":"Finance"}'
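The two settings on this page that most affect a bastion's exposure are the client CIDR allowlist (Console step 7, `--client-cidr-list` here) and the maximum session TTL (Console step 8, `--max-session-ttl`). The following added example, which is not Oracle's code or part of this page, checks both before the create command is issued: it rejects malformed or overly broad CIDR blocks, enforces the page's limits (at most 20 blocks, a TTL of 30 to 180 minutes, i.e. 1800 to 10800 seconds), and assembles the command line for review. The `MIN_PREFIX` threshold is this example's own policy choice, not a service limit; the OCIDs in the final call are the placeholder values used elsewhere on this page.

```shell
#!/bin/sh
# Added example, not Oracle's code: pre-flight checks for a bastion's client CIDR
# allowlist and maximum session TTL, then assembly of `oci bastion bastion create`.
# Limits taken from the page: at most 20 CIDR blocks, TTL between 30 and 180 minutes.
# MIN_PREFIX is this example's own policy choice (assumption), not a service limit.

MAX_CIDR_BLOCKS=20
MIN_PREFIX=${MIN_PREFIX:-24}   # reject anything broader than a /24, e.g. 0.0.0.0/0 or 10.0.0.0/8

# cidr_ok A.B.C.D/N -> 0 if well formed, N within MIN_PREFIX..32 and each octet 0..255
cidr_ok() {
  ip=${1%/*}
  prefix=${1#*/}
  [ "$ip" != "$1" ] || return 1                         # no "/" at all
  case "$prefix" in ''|*[!0-9]*) return 1 ;; esac       # prefix must be a number
  [ "$prefix" -le 32 ] && [ "$prefix" -ge "$MIN_PREFIX" ] || return 1
  rest=$ip.
  n=0
  while [ -n "$rest" ]; do                              # walk the dotted quad
    octet=${rest%%.*}; rest=${rest#*.}
    case "$octet" in ''|*[!0-9]*) return 1 ;; esac
    [ "$octet" -le 255 ] || return 1
    n=$((n + 1))
  done
  [ "$n" -eq 4 ]
}

# client_cidr_json CIDR... -> prints the JSON array --client-cidr-list expects;
# returns 1 if the list is empty, longer than MAX_CIDR_BLOCKS, or has a bad entry
client_cidr_json() {
  [ $# -ge 1 ] && [ $# -le "$MAX_CIDR_BLOCKS" ] || return 1
  out=''
  for c in "$@"; do
    cidr_ok "$c" || { echo "rejected CIDR: $c" >&2; return 1; }
    out="${out:+$out,}\"$c\""
  done
  printf '[%s]' "$out"
}

# ttl_seconds MINUTES -> prints the --max-session-ttl value; returns 1 outside 30..180 minutes
ttl_seconds() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 30 ] && [ "$1" -le 180 ] || return 1
  echo $(( $1 * 60 ))
}

# create_bastion_cmd COMPARTMENT_OCID SUBNET_OCID NAME TTL_MINUTES CIDR... -> prints the
# validated command line for review; pipe the output to sh to actually create the bastion
create_bastion_cmd() {
  compartment=$1; subnet=$2; name=$3; ttl_min=$4; shift 4
  cidrs=$(client_cidr_json "$@") || return 1
  ttl=$(ttl_seconds "$ttl_min") || { echo "TTL must be 30..180 minutes, got: $ttl_min" >&2; return 1; }
  printf "oci bastion bastion create --bastion-type Standard --compartment-id %s --target-subnet-id %s --name %s --client-cidr-list '%s' --max-session-ttl %s\n" \
    "$compartment" "$subnet" "$name" "$cidrs" "$ttl"
}

# Constructed inputs using the placeholder OCIDs from this page; prints the command, runs nothing.
create_bastion_cmd ocid1.compartment.oc1..exampleuniqueID ocid1.subnet.oc1..exampleuniqueID \
  newbastion 60 203.0.113.0/24 10.0.113.0/24
```

The script only prints the command so that the allowlist can be reviewed before anything is created; to run it, pipe the output to `sh`. Raise or lower `MIN_PREFIX` to match your organisation's policy on how wide a source range a bastion may accept.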

After creating a bastion, you can create a session.

To view a bastion's details

To view a bastion's details, open a command prompt and run oci bastion bastion get:

oci bastion bastion get --bastion-id <target_bastion_ID>

For example:

oci bastion bastion get --bastion-id ocid1.bastion.oc1..exampleuniqueID

To view a list of bastions

To view a list of bastions in a specific compartment, open a command prompt and run oci bastion bastion list:

oci bastion bastion list --compartment-id <target_compartment_ID>

For example:

oci bastion bastion list --compartment-id ocid1.compartment.oc1..exampleuniqueID

To view only active bastions in the compartment:

oci bastion bastion list --lifecycle-state ACTIVE --compartment-id ocid1.compartment.oc1..exampleuniqueID
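`bastion list` returns summaries only; the allowlist and TTL of a bastion come back from `bastion get`. The following added example, which is not Oracle's code or part of this page, audits the JSON that `bastion get` returns for one bastion and flags allowlist entries broader than a threshold and a TTL at the 180-minute ceiling, so that every active bastion in a compartment can be checked from the list/get commands above. It assumes the CLI's kebab-case JSON key names (`client-cidr-block-allow-list`, `max-session-ttl-in-seconds`) and the default pretty-printed layout with one list entry per line; the `BROAD_PREFIX` threshold is this example's own choice, and the sample document at the end is constructed, not captured from a tenancy.

```shell
#!/bin/sh
# Added example, not Oracle's code: audit the configuration `oci bastion bastion get`
# returns for one bastion, flagging allowlist entries broader than BROAD_PREFIX and a
# session TTL sitting at the 180-minute ceiling. Assumptions: the JSON keys are the
# CLI's kebab-case names ("client-cidr-block-allow-list", "max-session-ttl-in-seconds")
# and each list entry is on its own line, as the CLI pretty-prints by default.

BROAD_PREFIX=${BROAD_PREFIX:-16}   # anything shorter than /16 is reported (policy choice, assumption)
TTL_CEILING=10800                  # 180 minutes, the maximum the page allows

# allowlist_from_json < get.json -> one CIDR per line
allowlist_from_json() {
  sed -n '/"client-cidr-block-allow-list"/,/\]/p' | grep -o '"[0-9.]*/[0-9]*"' | tr -d '"'
}

# ttl_from_json < get.json -> the max-session-ttl-in-seconds value (empty if absent)
ttl_from_json() {
  sed -n 's/.*"max-session-ttl-in-seconds": *\([0-9][0-9]*\).*/\1/p'
}

# audit_bastion < get.json -> prints one finding per line; returns 1 if there was any finding
audit_bastion() {
  json=$(cat)
  rc=0
  for c in $(printf '%s\n' "$json" | allowlist_from_json); do
    prefix=${c#*/}
    case "$prefix" in ''|*[!0-9]*) echo "MALFORMED_CIDR $c"; rc=1; continue ;; esac
    if [ "$prefix" -lt "$BROAD_PREFIX" ]; then
      echo "BROAD_ALLOWLIST $c (broader than /$BROAD_PREFIX)"; rc=1
    fi
  done
  ttl=$(printf '%s\n' "$json" | ttl_from_json)
  if [ -n "$ttl" ] && [ "$ttl" -ge "$TTL_CEILING" ]; then
    echo "MAX_TTL_AT_CEILING ${ttl}s"; rc=1
  fi
  return $rc
}

# Against a live tenancy (needs the CLI and credentials; not run here), walk every
# active bastion in a compartment and audit each one:
#   for id in $(oci bastion bastion list --compartment-id "$COMPARTMENT" --lifecycle-state ACTIVE \
#                --all --query 'join(" ", data[].id)' --raw-output); do
#     echo "== $id"; oci bastion bastion get --bastion-id "$id" | audit_bastion
#   done

# Constructed sample of `bastion get` output (not a real capture) that yields two findings.
SAMPLE='{
  "data": {
    "client-cidr-block-allow-list": [
      "0.0.0.0/0",
      "203.0.113.0/24"
    ],
    "id": "ocid1.bastion.oc1..exampleuniqueID",
    "lifecycle-state": "ACTIVE",
    "max-session-ttl-in-seconds": 10800,
    "name": "newbastion"
  }
}'
printf '%s\n' "$SAMPLE" | audit_bastion
```

Run against the constructed sample, the audit reports the `0.0.0.0/0` entry and the TTL at the ceiling and exits non-zero, which makes it usable as a gate in a scheduled compliance job. The commented loop shows how to feed it from the `list` and `get` commands on this page.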
To update a bastion

To update a bastion's settings, open a command prompt and run oci bastion bastion update:

oci bastion bastion update --bastion-id <target_bastion_ID> --client-cidr-list <JSON_formatted_list_CIDRs_allowed_to_connect> --max-session-ttl <session_time_to_live_seconds> --defined-tags <JSON_formatted_defined_tag> --freeform-tags <JSON_formatted_freeform_tag>

For example:

oci bastion bastion update --bastion-id ocid1.bastion.oc1..exampleuniqueID --client-cidr-list '["203.0.113.0/24","172.16.16.0/24"]' --max-session-ttl 3600 --defined-tags '{"Operations": {"CostCenter":"42"}}' --freeform-tags '{"Department":"Finance"}'

To delete a bastion

To delete a bastion, open a command prompt and run oci bastion bastion delete:

oci bastion bastion delete --bastion-id <target_bastion_ID>

For example:

oci bastion bastion delete --bastion-id ocid1.bastion.oc1..exampleuniqueID

To move a bastion to a different compartment

To move a bastion from one compartment to another, open a command prompt and run oci bastion bastion change-compartment:

oci bastion bastion change-compartment --bastion-id <target_bastion_ID> --compartment-id <target_compartment_ID>

For example:

oci bastion bastion change-compartment --bastion-id ocid1.bastion.oc1..exampleuniqueID --compartment-id ocid1.compartment.oc1..exampleuniqueID