Keep your cloud operating cost lower with Oracle Bastion Service

Organization Challenges

We all know that customer infrastructure should not be publicly accessible from the Internet. But at the same time, any operator who is authenticated and authorized should be able to access that infrastructure.

Today, customers who have their target resources in the cloud are forced into certain access networking patterns because there is no native access service. So they either open a path into the private subnet themselves, or they launch a jump box in a public subnet.

Then they have to fiddle with security rules, routing rules and the like, and they also have to add the operators' public SSH keys to that jump box so the operators can hop from the jump box into their target resources.

The disadvantages of these access networking patterns are:

  1. The connections these patterns establish are persistent, which weakens your security posture because the attack surface stays open for a long period of time.
  2. The operational overhead of hardening these jump boxes, patching them periodically, and keeping them available so that your operators can reach your mission-critical workloads falls entirely on the customer.
  3. Such architectures work if you have a couple of resources here and there, but as your organization scales up they become very difficult to maintain, and there is always the risk of a security loophole. Security should be easy.
  4. These jump boxes run 24×7, so customers pay for running them around the clock.
  5. There is no auditability: as a customer you do not know which operator got into which target resource.
  6. Even with the customer's best efforts, this whole architecture is not controlled through IAM. Whichever operator holds the SSH key to the jump box can access your target resources indefinitely, so the life-cycle management of who can access your target resources is very difficult to maintain.

Oracle Cloud Infrastructure Bastion Service

To solve these issues, Oracle has created a fully managed service, the OCI Bastion service, which improves the security posture of your resources in OCI by providing secure and ephemeral access to your private target resources. The service is offered free of cost, because it is a core infrastructure security building block. You don't have to choose between cost and security.

Access to the target resources via OCI Bastion is time-bound, which helps increase your overall security posture. Access is also governed by OCI IAM policies, so only users with the right IAM policies can reach your target resources. Once someone leaves the organization, all you have to do is remove that user from your IAM groups and you're done; there is nothing else to clean up.

You can also restrict incoming SSH connections to certain IPv4 address ranges (the bastion's client CIDR allow list). Administrative actions, such as who created, deleted, updated or fetched a bastion or session, and when, are recorded in the OCI Events and Audit services and also surface in Cloud Guard.

End users on their on-premises laptops, desktops or workstations can use any OpenSSH client; they reach the Bastion service as a pass-through to get into their target resources.

Use Cases

The OCI Bastion product is built on top of OpenSSH/SSH, so whatever is possible with OpenSSH is possible with this service.

The types of target resources supported by OCI Bastion are:

Private compute hosts running native OCI images, custom Linux images, or Windows.

Autonomous Transaction Processing, Autonomous Data Warehouse, MySQL Database Service, and OKE (Kubernetes) clusters.

You can manage the bastion and the sessions created through the service. That means that at any point in time, if you see that a session has gone malicious, or that you are under attack, you can simply delete the sessions, kick out those malicious users, or delete the whole bastion to protect your target resources. You have all of those capabilities.

Once a session is created, customers use the session metadata (the SSH command the console displays for the session) to tunnel into the target resources via the bastion from their on-premises terminals.

You can use OCI bastion to access your private target resources in OCI irrespective of whether the target resources has the Oracle Cloud Agent installed or not.

The session type depends on the target host.

Managed SSH sessions can only be created for a target host that is a Compute instance configured to run both the Oracle Cloud Agent and an OpenSSH server.

SSH port forwarding sessions do not require a running Oracle Cloud Agent or OpenSSH server on the target host, and can be used with resources like Autonomous Transaction Processing databases.

High Level Architecture


Go to the Identity & Security and choose the Bastion

Create Compute Resource

Create Bastion Resource

Create Managed SSH Session

Create Session Port Forwarding

Access Windows Server using Session Port Forwarding
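The steps above, and the two session types described under Use Cases, as a set of shell helpers. This is an added example, not code from the original post or from Oracle; every function prints the command it would run so the workflow can be reviewed offline before anything touches a tenancy. Assumptions: the `oci bastion` flag names follow the OCI CLI reference (verify with `--help` for your CLI version), the session TTL range is 30 minutes to 3 hours (1800..10800 seconds), the OCIDs, IPs and key paths in the demo are constructed placeholders, and ALLOW_ANY_CLIENT is this script's own knob rather than a service setting.

```shell
#!/bin/sh
# Added example (not Oracle's code): helpers for the OCI Bastion workflow.
# Each function prints the command it would run, so it can be reviewed
# offline; run or pipe a printed line to sh when you are ready.
# Assumptions: `oci bastion` flag names per the CLI reference; session TTL
# range 1800..10800 s; ALLOW_ANY_CLIENT is a knob of this script only.

# Regional bastion endpoint: sessions are opened by SSHing to this host with
# the session OCID as the username.
bastion_host() {
  printf 'host.bastion.%s.oci.oraclecloud.com\n' "$1"
}

# Accept only a syntactically valid IPv4 CIDR, and refuse 0.0.0.0/0 unless
# ALLOW_ANY_CLIENT=1: the client CIDR list decides who can reach the bastion
# at all, so an open list should be a deliberate decision.
validate_cidr() {
  cidr=$1
  case $cidr in */*) ;; *) return 1 ;; esac
  ip=${cidr%/*}
  prefix=${cidr#*/}
  case $prefix in ''|*[!0-9]*) return 1 ;; esac
  [ "$prefix" -le 32 ] || return 1
  if [ "$cidr" = "0.0.0.0/0" ] && [ "${ALLOW_ANY_CLIENT:-0}" != "1" ]; then
    return 1
  fi
  oldifs=$IFS; IFS=.; set -- $ip; IFS=$oldifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    case $octet in ''|*[!0-9]*) return 1 ;; esac
    [ "$octet" -le 255 ] || return 1
  done
}

# Session TTL must sit inside the service range (assumed 1800..10800 s).
session_ttl_ok() {
  case $1 in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1800 ] && [ "$1" -le 10800 ]
}

# 1. Create the bastion in the target subnet with a client CIDR allow list
#    and a capped session TTL. $1 compartment OCID, $2 target subnet OCID,
#    $3 name, $4 client CIDR, $5 max session TTL in seconds.
cmd_create_bastion() {
  validate_cidr "$4" || { echo "refusing client CIDR '$4'" >&2; return 1; }
  session_ttl_ok "$5" || { echo "TTL $5 outside 1800..10800" >&2; return 1; }
  printf "oci bastion bastion create --bastion-type STANDARD --compartment-id %s --target-subnet-id %s --name %s --client-cidr-list '[\"%s\"]' --max-session-ttl-in-seconds %s\n" \
    "$1" "$2" "$3" "$4" "$5"
}

# 2a. Port-forwarding session: no agent or sshd needed on the target
#     (databases, Windows RDP). $1 bastion OCID, $2 public key file,
#     $3 target private IP, $4 target port, $5 session TTL.
cmd_create_pf_session() {
  session_ttl_ok "$5" || { echo "TTL $5 outside 1800..10800" >&2; return 1; }
  printf 'oci bastion session create-port-forwarding-session --bastion-id %s --ssh-public-key-file %s --target-private-ip %s --target-port %s --session-ttl-in-seconds %s\n' \
    "$1" "$2" "$3" "$4" "$5"
}

# 2b. Managed SSH session: the target must be a Compute instance running the
#     Oracle Cloud Agent and an OpenSSH server. $1 bastion OCID, $2 public
#     key file, $3 target instance OCID, $4 OS user, $5 session TTL.
cmd_create_managed_session() {
  session_ttl_ok "$5" || { echo "TTL $5 outside 1800..10800" >&2; return 1; }
  printf 'oci bastion session create-managed-ssh-session --bastion-id %s --ssh-public-key-file %s --target-resource-id %s --target-os-username %s --session-ttl-in-seconds %s\n' \
    "$1" "$2" "$3" "$4" "$5"
}

# 3a. Tunnel through a port-forwarding session: the session OCID is the SSH
#     user, -N opens no shell, -L binds a local port to target:port.
#     $1 session OCID, $2 region, $3 private key, $4 local port,
#     $5 target private IP, $6 target port.
cmd_tunnel() {
  printf 'ssh -i %s -N -L %s:%s:%s -p 22 %s@%s\n' \
    "$3" "$4" "$5" "$6" "$1" "$(bastion_host "$2")"
}

# 3b. Hop through a managed SSH session with ProxyCommand, so the operator's
#     key never has to live on a jump box. $1 session OCID, $2 region,
#     $3 private key, $4 OS user, $5 target private IP.
cmd_managed_ssh() {
  printf 'ssh -i %s -o ProxyCommand="ssh -i %s -W %%h:%%p -p 22 %s@%s" -p 22 %s@%s\n' \
    "$3" "$3" "$1" "$(bastion_host "$2")" "$4" "$5"
}

# Constructed placeholders for a dry run: sh bastion.sh demo
if [ "${1:-}" = "demo" ]; then
  cmd_create_bastion ocid1.compartment.oc1..example ocid1.subnet.oc1.iad.example ops-bastion 203.0.113.10/32 10800
  cmd_create_pf_session ocid1.bastion.oc1.iad.example ~/.ssh/id_ed25519.pub 10.0.1.5 1521 1800
  cmd_tunnel ocid1.bastionsession.oc1.iad.example us-ashburn-1 ~/.ssh/id_ed25519 1521 10.0.1.5 1521
fi
```

The session OCID doubles as the SSH username, which is why the printed commands look odd at first sight: the bastion authenticates the connection against the public key registered on that session, and once the session's TTL expires the same command simply stops working. That expiry, plus the narrow client CIDR enforced by `validate_cidr`, is the ephemeral access the post contrasts with a permanently reachable jump box.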

Reference architecture

OCI Documentation

Thank you for visiting this blog.

Disclaimer: The views expressed on this blog are my own and do not reflect the views of the companies I work for. The opinions given by visitors on this site are their own.

OTNYathra2017 @Mumbai


I have provided enough information about the OTN Yathra in my previous article, “about-otnyatha”.

In this article I have decided to share my experiences of the sessions I attended.

I chose the Mumbai location because it is near Ahmedabad.

I attended the sessions below at OTN Yathra 2017 @Mumbai, organized by AIOUG / OUAG.

1.)  “High Performance Database in Oracle Bare Metal Cloud Services” by Vivek Sharma

This session mainly focused on the Oracle Bare Metal Cloud Services offering and the options from Oracle.

2.)   “Oracle and Docker – Everything you want to know to run your workload in docker container” by Umesh Tanna

I was really impressed by Umesh; the way he explained Docker and the Oracle offering was quite good.

3.)  Oracle GoldenGate – IRCTC by Veeratteshwaran

This session changed my perception of replication technology.

4.)  Building Private Cloud with Open Infrastructure by Nitin Gupta

This was the best session for me, since I'm actually interested in knowing what Oracle offers and the different options it has in open infrastructure.

5.)  12 things DBA’s will love about 12.2 by Connor McDonald

I feel lucky that I chose this session, because Connor has great presentation skills and shared his experience with different examples.

All these sessions were really helpful, and they helped me a lot to gain a new angle of thinking about the upcoming technologies.

I'm really grateful to all the volunteers of AIOUG, and specifically to the Mumbai Local Chapter volunteers who organized this event so nicely.

I’m also thankful to all the sponsors.

If you have any questions or queries, please comment here; I'm happy to share my own views and experiences about these new technologies.

Happy Learning …