{"id":730,"date":"2026-04-15T08:49:13","date_gmt":"2026-04-15T08:49:13","guid":{"rendered":"https:\/\/www.devopsschool.com\/tutorials\/oracle-cloud-managed-access-tutorial-architecture-pricing-use-cases-and-hands-on-guide-for-security-identity-and-compliance\/"},"modified":"2026-04-15T08:49:13","modified_gmt":"2026-04-15T08:49:13","slug":"oracle-cloud-managed-access-tutorial-architecture-pricing-use-cases-and-hands-on-guide-for-security-identity-and-compliance","status":"publish","type":"post","link":"https:\/\/www.devopsschool.com\/tutorials\/oracle-cloud-managed-access-tutorial-architecture-pricing-use-cases-and-hands-on-guide-for-security-identity-and-compliance\/","title":{"rendered":"Oracle Cloud Managed Access Tutorial: Architecture, Pricing, Use Cases, and Hands-On Guide for Security, Identity, and Compliance"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\">Category<\/h2>\n\n\n\n<p>Security, Identity, and Compliance<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">1. Introduction<\/h2>\n\n\n\n<p><strong>What this service is<\/strong><\/p>\n\n\n\n<p>In <strong>Oracle Cloud (Oracle Cloud Infrastructure \/ OCI)<\/strong>, \u201c<strong>Managed Access<\/strong>\u201d commonly refers to Oracle\u2019s managed approach for providing <strong>secure, time-bound administrative access<\/strong> to private cloud resources (for example, SSH access to Compute instances that do not have public IP addresses). In current OCI documentation and the OCI Console, this capability is typically implemented by the <strong>OCI Bastion<\/strong> service. If your service catalog, internal naming, or training plan uses \u201cManaged Access,\u201d verify whether it maps to <strong>Bastion<\/strong> in your tenancy and region.<\/p>\n\n\n\n<p><strong>Simple explanation (one paragraph)<\/strong><\/p>\n\n\n\n<p><strong>Managed Access<\/strong> lets you connect to private resources in Oracle Cloud without deploying and maintaining a traditional jump host. 
Instead of opening inbound ports to the internet or keeping a permanently reachable bastion VM, you create <strong>just-in-time sessions<\/strong> that expire automatically and are governed by <strong>IAM policies<\/strong> and <strong>audit logs<\/strong>.<\/p>\n\n\n\n<p><strong>Technical explanation (one paragraph)<\/strong><\/p>\n\n\n\n<p>Managed Access (OCI Bastion) is a <strong>regional managed service<\/strong> that provides controlled connectivity from an Oracle-managed bastion endpoint to targets in your VCN using a <strong>dedicated \u201cbastion subnet\u201d<\/strong>. Users create <strong>Bastion sessions<\/strong> (for example, <em>managed SSH<\/em> or <em>SSH port forwarding<\/em>) that are authorized by OCI IAM, constrained by duration and (optionally) client source IP ranges, and recorded in OCI Audit. Network access from the bastion subnet to target subnets is governed by <strong>NSGs\/Security Lists<\/strong>.<\/p>\n\n\n\n<p><strong>What problem it solves<\/strong><\/p>\n\n\n\n<p>Managed Access solves the classic \u201csecure admin access\u201d problem:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>You need SSH (or access to private ports) to instances or services on private subnets.<\/li>\n<li>You do <strong>not<\/strong> want public IPs, broad inbound rules, or a long-lived jump host.<\/li>\n<li>You need <strong>least privilege<\/strong>, <strong>time-bound<\/strong> access, <strong>governance<\/strong>, and <strong>auditability<\/strong>.<\/li>\n<\/ul>\n\n\n\n<blockquote>\n<p>Renaming\/Scope note: If you don\u2019t see a service literally named \u201cManaged Access\u201d in the OCI Console, look for <strong>Bastion<\/strong> under <strong>Security, Identity, and Compliance<\/strong>. Verify in official docs whether \u201cManaged Access\u201d is a legacy label or an internal service catalog name in your organization.<\/p>\n<\/blockquote>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">2. 
What is Managed Access?<\/h2>\n\n\n\n<p><strong>Official purpose<\/strong><\/p>\n\n\n\n<p>Managed Access in Oracle Cloud is the controlled, audited, just-in-time access pattern for reaching private resources\u2014most commonly delivered via <strong>OCI Bastion<\/strong>.<\/p>\n\n\n\n<p>Official OCI Bastion documentation home (use this as the canonical reference for current behavior and terminology):<br\/>\nhttps:\/\/docs.oracle.com\/en-us\/iaas\/Content\/Bastion\/home.htm<\/p>\n\n\n\n<p><strong>Core capabilities<\/strong><\/p>\n\n\n\n<p>Managed Access typically provides:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Just-in-time access<\/strong> via expiring sessions<\/li>\n<li><strong>No public IP requirement<\/strong> on targets<\/li>\n<li><strong>Centralized governance<\/strong> through IAM policies, compartments, and tags<\/li>\n<li><strong>Auditability<\/strong> (session creation and lifecycle events via OCI Audit)<\/li>\n<li><strong>Two common session modes<\/strong> (verify names in your region\/tenancy):\n<ul>\n<li>Managed SSH sessions to connect to port 22 on a target<\/li>\n<li>SSH port forwarding sessions to reach other private ports through an SSH tunnel<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<p><strong>Major components<\/strong><\/p>\n\n\n\n<p>When implemented via OCI Bastion, the core components are:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Bastion<\/strong>: A managed resource in a compartment, associated with a VCN subnet (\u201cbastion subnet\u201d)<\/li>\n<li><strong>Bastion subnet<\/strong>: A dedicated subnet in your VCN used by the service to reach targets<\/li>\n<li><strong>Session<\/strong>: A time-bound access grant (managed SSH or port forwarding)<\/li>\n<li><strong>Target resource<\/strong>: Usually a private Compute instance (or a private IP\/port reachable from the bastion subnet)<\/li>\n<li><strong>IAM policies<\/strong>: Control who can create bastions and sessions<\/li>\n<li><strong>Network security<\/strong>: NSGs\/Security Lists 
allow traffic from the bastion subnet to targets<\/li>\n<\/ul>\n\n\n\n<p><strong>Service type<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Managed security access service<\/strong> (part of <strong>Security, Identity, and Compliance<\/strong>) that depends on your <strong>VCN<\/strong> for private reachability.<\/li>\n<\/ul>\n\n\n\n<p><strong>Scope (regional\/global\/etc.)<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Regional<\/strong>: Bastion resources are created in a specific OCI region and attach to a subnet in that region\u2019s VCN.<\/li>\n<li><strong>Compartment-scoped<\/strong> for administration and access control: you create and manage bastions and sessions in compartments (with IAM policies).<\/li>\n<\/ul>\n\n\n\n<p><strong>How it fits into the Oracle Cloud ecosystem<\/strong><\/p>\n\n\n\n<p>Managed Access is usually a foundational control in OCI landing zones and secure architectures:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Works alongside <strong>OCI IAM<\/strong> (users, groups, dynamic groups, policies)<\/li>\n<li>Complements <strong>VCN<\/strong> design (private subnets, NSGs, route tables)<\/li>\n<li>Supports security posture goals typically managed via <strong>Cloud Guard<\/strong>, <strong>Security Zones<\/strong>, and <strong>Audit<\/strong><\/li>\n<li>Often used with <strong>Vault<\/strong> (for key\/secrets management) and OS-level hardening (CIS benchmarks)<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">3. 
Why use Managed Access?<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Business reasons<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Lower operational burden<\/strong>: no need to run, patch, monitor, and scale bastion VMs.<\/li>\n<li><strong>Reduced risk<\/strong>: fewer publicly exposed resources and fewer persistent access paths.<\/li>\n<li><strong>Better auditability and governance<\/strong>: supports internal controls and compliance narratives (who requested access, when, for how long).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Technical reasons<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>No public IP on targets<\/strong>: keep compute instances and internal services private.<\/li>\n<li><strong>Time-bound sessions<\/strong>: reduce the risk of forgotten access paths.<\/li>\n<li><strong>Supports private ports via tunneling<\/strong>: access internal services without opening wide network rules.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Operational reasons<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Centralized access control<\/strong>: IAM policies define who can create sessions, in which compartments.<\/li>\n<li><strong>Standardized access workflow<\/strong>: a consistent, repeatable pattern for engineers and SREs.<\/li>\n<li><strong>Segmentation-friendly<\/strong>: align bastions to environments (dev\/test\/prod) and network zones.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Security\/compliance reasons<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Least privilege<\/strong>: create sessions only when needed and for limited duration.<\/li>\n<li><strong>Audit trail<\/strong>: session creation and management are logged in <strong>OCI Audit<\/strong>.<\/li>\n<li><strong>Network controls<\/strong>: NSGs and subnet rules can limit access to known paths.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Scalability\/performance reasons<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Eliminates the 
need to scale bastion hosts to handle concurrent admins (the managed service handles the control plane; capacity characteristics should be verified in official docs for any concurrency limits).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">When teams should choose it<\/h3>\n\n\n\n<p>Choose Managed Access when:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Your workloads are in <strong>private subnets<\/strong><\/li>\n<li>You require <strong>secure administrative access<\/strong> (SSH and\/or port tunneling)<\/li>\n<li>You want <strong>time-bound<\/strong>, <strong>auditable<\/strong> access without managing jump hosts<\/li>\n<li>You\u2019re implementing a secure OCI landing zone or regulated environment<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">When they should not choose it<\/h3>\n\n\n\n<p>Managed Access may not be the best fit when:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>You require <strong>full session recording<\/strong> (keystroke capture) for every admin action; OCI Bastion focuses on session management and audit of session lifecycle rather than full command capture (verify in official docs).<\/li>\n<li>You need protocol support beyond SSH\/tunneling and cannot adapt (for example, specialized admin protocols).<\/li>\n<li>Your environment requires an on-prem broker with custom controls not supported by OCI-native managed access patterns.<\/li>\n<li>You already have a standardized enterprise solution (e.g., PAM) and OCI Bastion is redundant\u2014though it can still be used as a transport layer.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">4. 
Where is Managed Access used?<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Industries<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Financial services<\/strong>: controlled admin access, separation of duties, audit readiness<\/li>\n<li><strong>Healthcare<\/strong>: private network access patterns and minimal public exposure<\/li>\n<li><strong>Public sector<\/strong>: tight control over administrative connectivity<\/li>\n<li><strong>SaaS providers<\/strong>: secure operations access to production clusters<\/li>\n<li><strong>Retail and e-commerce<\/strong>: secure operations access during incident response<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Team types<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Platform engineering \/ cloud engineering<\/li>\n<li>DevOps and SRE teams<\/li>\n<li>Security engineering and compliance teams<\/li>\n<li>Operations and NOC teams<\/li>\n<li>Developers working on private environments (with guardrails)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Workloads<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Private <strong>Compute<\/strong> instances (Linux)<\/li>\n<li>Internal API services reachable only via private IPs<\/li>\n<li>Databases and admin ports accessed through SSH tunneling (e.g., 1521, 5432, 3306)<\/li>\n<li>Kubernetes worker node access patterns (with strict governance; verify best practice for your cluster)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Architectures<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Hub-and-spoke VCN designs (centralized access controls)<\/li>\n<li>Multi-environment compartments (dev\/test\/prod)<\/li>\n<li>Zero-trust-like segmentation where admin paths are explicit and time-bound<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Real-world deployment contexts<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Production<\/strong>: tightly controlled, minimal session duration, strict IAM, NSG restrictions, and mandatory 
auditing<\/li>\n<li><strong>Dev\/test<\/strong>: similar pattern but typically less restrictive; still recommended to avoid public IPs and ad-hoc SSH exposure<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">5. Top Use Cases and Scenarios<\/h2>\n\n\n\n<p>Below are realistic scenarios that align well with Managed Access (OCI Bastion). Each use case includes the problem, why this service fits, and an example.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">1) SSH to a private Linux instance (no public IP)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem<\/strong>: Engineers need shell access to troubleshoot a private VM.<\/li>\n<li><strong>Why it fits<\/strong>: Managed, time-bound SSH session without exposing port 22 publicly.<\/li>\n<li><strong>Example<\/strong>: A production app server sits in a private subnet; SREs open a 30-minute session for patch validation.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">2) Port forward to a private database for diagnostics<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem<\/strong>: DBAs need to run a query tool from their workstation, but the DB is private.<\/li>\n<li><strong>Why it fits<\/strong>: SSH port forwarding session provides temporary connectivity to DB port.<\/li>\n<li><strong>Example<\/strong>: Forward local port 15432 to private PostgreSQL port 5432 for schema inspection during incident triage.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">3) Secure break-glass access during incident response<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem<\/strong>: Emergency access must be fast, controlled, and auditable.<\/li>\n<li><strong>Why it fits<\/strong>: Create just-in-time sessions with short duration and strict IAM.<\/li>\n<li><strong>Example<\/strong>: On-call engineer creates a 15-minute session to inspect logs on a private VM after an alert.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">4) Replace self-managed 
jump boxes<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem<\/strong>: Jump hosts require patching, hardening, monitoring, and can become a security liability.<\/li>\n<li><strong>Why it fits<\/strong>: Managed service avoids persistent jump host VMs.<\/li>\n<li><strong>Example<\/strong>: A company decommissions a fleet of bastion VMs and standardizes on managed sessions.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">5) Enforce environment separation (dev vs prod)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem<\/strong>: Teams accidentally access the wrong environment.<\/li>\n<li><strong>Why it fits<\/strong>: Compartment-scoped bastions and IAM policies enforce boundaries.<\/li>\n<li><strong>Example<\/strong>: Separate bastions in dev and prod compartments; only prod on-call group can create prod sessions.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">6) Vendor or partner access with strict constraints<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem<\/strong>: Third parties need limited access to specific systems.<\/li>\n<li><strong>Why it fits<\/strong>: Short-lived sessions, scoped to specific targets and ports; optional client IP restrictions (verify).<\/li>\n<li><strong>Example<\/strong>: A vendor gets 1-hour access to a specific VM for troubleshooting, only from the vendor\u2019s office CIDR.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">7) Access internal admin UIs without exposing them publicly<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem<\/strong>: Internal tools (e.g., admin panels) should not be internet-facing.<\/li>\n<li><strong>Why it fits<\/strong>: Use port forwarding to reach internal HTTP services temporarily.<\/li>\n<li><strong>Example<\/strong>: Forward <code>localhost:8443<\/code> to an internal admin UI on <code>10.0.2.10:8443<\/code>.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">8) Support hardened network designs (no inbound from internet)<\/h3>\n\n\n\n<ul 
class=\"wp-block-list\">\n<li><strong>Problem<\/strong>: Security policy forbids inbound internet access to workloads.<\/li>\n<li><strong>Why it fits<\/strong>: Targets remain private; access is brokered by the managed service.<\/li>\n<li><strong>Example<\/strong>: A regulated workload uses only private subnets and denies all inbound from public internet.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">9) Standardize access workflows for compliance audits<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem<\/strong>: Auditors require evidence of controlled admin access.<\/li>\n<li><strong>Why it fits<\/strong>: IAM policy + Audit logs show who created sessions and when.<\/li>\n<li><strong>Example<\/strong>: Security team pulls Audit records for bastion session events during a SOC2 audit.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">10) Temporary access for migration or cutover tasks<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem<\/strong>: Migration team needs limited access during a narrow cutover window.<\/li>\n<li><strong>Why it fits<\/strong>: Session duration matches change window; reduces lingering access.<\/li>\n<li><strong>Example<\/strong>: A 2-hour session to validate application configuration post-migration.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">11) Private access to Kubernetes worker nodes (controlled)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem<\/strong>: Node-level debugging is occasionally required but shouldn\u2019t be always open.<\/li>\n<li><strong>Why it fits<\/strong>: Time-bound SSH access (where allowed by cluster policy).<\/li>\n<li><strong>Example<\/strong>: SREs create sessions only during node drain\/repair events (verify your organization\u2019s Kubernetes hardening stance).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">12) Reduce attack surface in multi-tier apps<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem<\/strong>: App tiers should not be 
reachable from the internet, including admin ports.<\/li>\n<li><strong>Why it fits<\/strong>: Bastion sessions allow admin access without changing the exposure model.<\/li>\n<li><strong>Example<\/strong>: Web tier is public via LB; app and DB tiers are private and only reachable via Managed Access sessions.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">6. Core Features<\/h2>\n\n\n\n<blockquote>\n<p>Feature availability can vary by region and tenancy configuration. Always confirm in the official OCI Bastion documentation: https:\/\/docs.oracle.com\/en-us\/iaas\/Content\/Bastion\/home.htm<\/p>\n<\/blockquote>\n\n\n\n<h3 class=\"wp-block-heading\">1) Managed bastion resource (no bastion VM to maintain)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does<\/strong>: Provides a managed control plane to broker admin access to private targets.<\/li>\n<li><strong>Why it matters<\/strong>: Eliminates patching\/hardening\/monitoring a jump host VM.<\/li>\n<li><strong>Practical benefit<\/strong>: Fewer moving parts and fewer persistent internet-facing assets.<\/li>\n<li><strong>Caveat<\/strong>: You still must design VCN subnets and NSGs correctly; the service doesn\u2019t replace network security hygiene.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">2) Just-in-time, time-bound sessions<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does<\/strong>: Sessions are created for a defined duration and expire automatically.<\/li>\n<li><strong>Why it matters<\/strong>: Reduces standing privileges and long-lived access paths.<\/li>\n<li><strong>Practical benefit<\/strong>: Cleaner compliance posture and reduced risk from forgotten access.<\/li>\n<li><strong>Caveat<\/strong>: During outages, ensure your break-glass process and IAM policies allow rapid session creation (without being overly permissive).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">3) Managed SSH sessions (typical primary 
workflow)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does<\/strong>: Enables SSH to a private target, typically on port 22.<\/li>\n<li><strong>Why it matters<\/strong>: SSH is the default admin protocol for Linux and many appliances.<\/li>\n<li><strong>Practical benefit<\/strong>: Access private instances without public IPs.<\/li>\n<li><strong>Caveat<\/strong>: Still requires OS-level user access and SSH configuration; the service doesn\u2019t replace OS hardening.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">4) SSH port forwarding sessions<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does<\/strong>: Creates an SSH tunnel so you can reach private ports (DB ports, internal APIs, admin endpoints).<\/li>\n<li><strong>Why it matters<\/strong>: Lets you debug and administer private services securely.<\/li>\n<li><strong>Practical benefit<\/strong>: Avoids exposing internal services via public load balancers or temporary firewall changes.<\/li>\n<li><strong>Caveat<\/strong>: Tunneling can be misused. Keep session durations short and restrict to specific targets\/ports where possible.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">5) IAM-based authorization and compartment governance<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does<\/strong>: Uses OCI IAM to define who can create\/manage bastions and sessions.<\/li>\n<li><strong>Why it matters<\/strong>: Central control, consistent across OCI services.<\/li>\n<li><strong>Practical benefit<\/strong>: You can separate duties (admins who manage bastions vs users who create sessions).<\/li>\n<li><strong>Caveat<\/strong>: Mis-scoped IAM policies can allow overly broad access. 
Prefer compartment-level scoping and least privilege.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">6) Network security via VCN, subnets, NSGs, and route tables<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does<\/strong>: Requires explicit network connectivity from bastion subnet to target subnet\/NSG.<\/li>\n<li><strong>Why it matters<\/strong>: Keeps access paths explicit and reviewable.<\/li>\n<li><strong>Practical benefit<\/strong>: You can tightly constrain traffic: only from bastion subnet CIDR to target port(s).<\/li>\n<li><strong>Caveat<\/strong>: Most connectivity failures are network-rule related. Plan NSGs early and test.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">7) Auditability via OCI Audit (session lifecycle)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does<\/strong>: Records API events such as bastion and session creation\/deletion in OCI Audit.<\/li>\n<li><strong>Why it matters<\/strong>: Central audit trail for access grants.<\/li>\n<li><strong>Practical benefit<\/strong>: You can answer \u201cwho created access, when, and to what target.\u201d<\/li>\n<li><strong>Caveat<\/strong>: Audit logs typically record <strong>metadata and API events<\/strong>, not necessarily full keystroke logs of what happened inside the OS. 
Verify what is and isn\u2019t captured in your environment.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">8) Tagging and compartment organization<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does<\/strong>: Supports OCI tagging and compartment placement (typical OCI resource governance).<\/li>\n<li><strong>Why it matters<\/strong>: Enables cost allocation, ownership tracking, and policy boundaries.<\/li>\n<li><strong>Practical benefit<\/strong>: Standardize naming and tags for security review and operational clarity.<\/li>\n<li><strong>Caveat<\/strong>: Tag enforcement depends on your governance processes and (optionally) tag defaults.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">7. Architecture and How It Works<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">High-level service architecture<\/h3>\n\n\n\n<p>At a high level, Managed Access (OCI Bastion) works like this:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>You create a <strong>Bastion<\/strong> resource in a compartment and attach it to a <strong>bastion subnet<\/strong> in your VCN.<\/li>\n<li>An authorized user creates a <strong>session<\/strong> that targets a private resource (typically a private IP\/port).<\/li>\n<li>The user connects using SSH (or SSH tunnel) to an Oracle-managed endpoint for that session.<\/li>\n<li>The service bridges the connection into your VCN via the bastion subnet to reach the target.<\/li>\n<\/ol>\n\n\n\n<h3 class=\"wp-block-heading\">Request\/data\/control flow<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Control plane<\/strong>:\n<ul>\n<li>Create bastion, create session, manage lifecycle via OCI Console\/CLI\/API.<\/li>\n<li>All control plane actions are subject to IAM authorization and recorded in Audit.<\/li>\n<\/ul>\n<\/li>\n<li><strong>Data plane<\/strong>:\n<ul>\n<li>The SSH stream (and port-forwarded traffic) is tunneled through the bastion session to the private target.<\/li>\n<li>Your VCN security rules 
govern whether the bastion subnet can reach the target.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Integrations with related services<\/h3>\n\n\n\n<p>Common integrations\/patterns:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>OCI IAM<\/strong>: users, groups, policies, compartments<\/li>\n<li><strong>VCN<\/strong>: subnets, NSGs, route tables<\/li>\n<li><strong>OCI Audit<\/strong>: API event logging<\/li>\n<li><strong>Logging\/Monitoring<\/strong>:\n<ul>\n<li>Bastion\/session lifecycle events: primarily via Audit<\/li>\n<li>OS-level logs: via your host logging agents or OCI Logging (if configured)<\/li>\n<\/ul>\n<\/li>\n<li><strong>Vault<\/strong>:\n<ul>\n<li>Not required for Bastion itself, but often used to manage secrets\/keys used by your operational tooling<\/li>\n<\/ul>\n<\/li>\n<li><strong>Cloud Guard \/ Security Zones<\/strong>:\n<ul>\n<li>Use for governance and posture management (ensure your architecture is compatible with the constraints you enable)<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Dependency services<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>VCN networking: subnets, routing, and security rules<\/li>\n<li>Compute (for the most common target type)<\/li>\n<li>IAM and Audit<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Security\/authentication model<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Authentication to OCI<\/strong>: Users authenticate to OCI Console\/CLI via IAM (or federation).<\/li>\n<li><strong>Authorization<\/strong>: IAM policies control ability to create\/manage bastions and sessions.<\/li>\n<li><strong>Authentication to target<\/strong>:\n<ul>\n<li>Commonly via SSH keys and OS users on the target VM.<\/li>\n<li>The bastion service facilitates connectivity; OS-level access is still governed by sshd configuration and OS accounts.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Networking model<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The bastion is associated with a subnet in your VCN (\u201cbastion 
subnet\u201d).<\/li>\n<li>The target must be reachable from the bastion subnet by routing and allowed by NSGs\/Security Lists.<\/li>\n<li>The user does not need direct network reachability to the target; they only need to reach the service endpoint for the session.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Monitoring\/logging\/governance considerations<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Audit<\/strong>: Your primary source for bastion\/session administrative events.<\/li>\n<li><strong>Operational monitoring<\/strong>: Most failures show up as \u201cconnection failed\u201d in the client; correlate with:\n<ul>\n<li>Session status in Console<\/li>\n<li>NSG\/Security List rules<\/li>\n<li>Target instance OS logs (<code>\/var\/log\/auth.log<\/code> or <code>\/var\/log\/secure<\/code> depending on distro)<\/li>\n<\/ul>\n<\/li>\n<li><strong>Governance<\/strong>:\n<ul>\n<li>Use compartments to separate environments.<\/li>\n<li>Use tags for ownership, environment, and cost tracking.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Simple architecture diagram (Mermaid)<\/h3>\n\n\n\n<pre><code class=\"language-mermaid\">flowchart LR\n  U[Engineer Workstation] --&gt;|Create session (IAM)| OCI[OCI Control Plane]\n  U --&gt;|SSH to session endpoint| BE[\"Bastion Endpoint (Oracle-managed)\"]\n  BE --&gt;|Private connectivity| BS[Bastion Subnet in VCN]\n  BS --&gt;|Allowed by NSG\/SecList| T[\"Private Compute Instance (no public IP)\"]\n<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Production-style architecture diagram (Mermaid)<\/h3>\n\n\n\n<pre><code class=\"language-mermaid\">flowchart TB\n  subgraph Org[\"Enterprise \/ Team\"]\n    IdP[\"Enterprise IdP&lt;br\/&gt;(SAML\/OIDC Federation)\"]\n    Users[\"Admins \/ SREs \/ DBAs\"]\n  end\n\n  subgraph OCI[\"Oracle Cloud (OCI) - Region\"]\n    IAM[\"OCI IAM&lt;br\/&gt;Users\/Groups\/Policies\"]\n    Audit[OCI Audit]\n    subgraph Net[\"VCN (Hub\/Spoke or Single VCN)\"]\n      subgraph Access[\"Access Zone\"]\n        Bastion[\"Managed Access 
(OCI Bastion)&lt;br\/&gt;Bastion Resource\"]\n        BastionSubnet[\"Bastion Subnet&lt;br\/&gt;(Private)\"]\n      end\n\n      subgraph App[\"Workload Zone\"]\n        NSG1[\"NSG: App\"]\n        VM1[\"Compute: App VM&lt;br\/&gt;Private IP only\"]\n        NSG2[\"NSG: DB\"]\n        DB[(\"Database Service or DB VM&lt;br\/&gt;Private Endpoint\")]\n      end\n    end\n  end\n\n  Users --&gt; IdP --&gt; IAM\n  IAM --&gt;|Authorize| Bastion\n  Bastion --&gt; Audit\n\n  Users --&gt;|SSH \/ Tunnel| Bastion\n  Bastion --&gt; BastionSubnet\n  BastionSubnet --&gt;|NSG rules| VM1\n  BastionSubnet --&gt;|Port forward| DB\n<\/code><\/pre>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">8. Prerequisites<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Tenancy and account requirements<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>An <strong>Oracle Cloud<\/strong> tenancy with access to OCI Console.<\/li>\n<li>Ability to create or use:\n<ul>\n<li>VCN and subnets<\/li>\n<li>Compute instance (for the lab target)<\/li>\n<li>Bastion (Managed Access) resources<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Permissions \/ IAM roles<\/h3>\n\n\n\n<p>You need IAM permissions to manage:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Networking resources (VCN, subnets, NSGs) <strong>or<\/strong> access to an existing network.<\/li>\n<li>Compute instances <strong>or<\/strong> access to an existing target instance.<\/li>\n<li>Bastion\/Managed Access resources and sessions.<\/li>\n<\/ul>\n\n\n\n<p>OCI IAM policies are explicit and tenancy-specific. 
Use the official Bastion IAM\/policy documentation to assign correct permissions (recommended):<br\/>\nhttps:\/\/docs.oracle.com\/en-us\/iaas\/Content\/Bastion\/Reference\/bastionpolicyreference.htm (Verify this exact URL\/path in official docs; if it changes, navigate from the Bastion docs home.)<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Billing requirements<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Most networking primitives have no direct hourly fee, but compute instances do.<\/li>\n<li>Managed Access (OCI Bastion) pricing may be <strong>no additional charge<\/strong> or usage-based depending on current Oracle pricing policies\u2014<strong>verify in the official pricing pages<\/strong> before production rollout.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Tools needed<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>OCI Console<\/strong> (web)<\/li>\n<li><strong>SSH client<\/strong>:\n<ul>\n<li>macOS\/Linux: <code>ssh<\/code> (OpenSSH)<\/li>\n<li>Windows: OpenSSH (built-in) or PuTTY<\/li>\n<\/ul>\n<\/li>\n<li>Optional:\n<ul>\n<li><strong>OCI Cloud Shell<\/strong> (convenient for SSH without local setup)<\/li>\n<li>OCI CLI (only if you want automation; not required for this tutorial)<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Region availability<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Service availability can differ by region. Confirm your region supports Bastion\/Managed Access by checking the OCI Console \u201cCreate\u201d menus or the service documentation.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Quotas\/limits<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Bastion\/session limits exist (number of bastions per compartment, sessions per bastion, session duration caps, etc.). 
These can vary.<\/li>\n<li>Check \u201cService Limits\u201d in OCI for Bastion and validate maximums for your target concurrency.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Prerequisite services<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>VCN<\/strong> with:<\/li>\n<li>A bastion subnet<\/li>\n<li>A target subnet for private resources<\/li>\n<li>A <strong>target resource<\/strong> (for this lab: a private Linux VM)<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">9. Pricing \/ Cost<\/h2>\n\n\n\n<blockquote>\n<p>Oracle pricing changes over time and can be region- and contract-dependent. Do not rely on third-party numbers. Verify in official sources.<\/p>\n<\/blockquote>\n\n\n\n<h3 class=\"wp-block-heading\">Current pricing model (how to validate)<\/h3>\n\n\n\n<p>Use Oracle\u2019s official pricing and cost tools:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>OCI Pricing page (entry point): https:\/\/www.oracle.com\/cloud\/price-list\/<\/li>\n<li>OCI Cost Estimator: https:\/\/www.oracle.com\/cloud\/costestimator.html<\/li>\n<\/ul>\n\n\n\n<p>Then search for <strong>Bastion<\/strong> or the relevant service name used by Oracle for \u201cManaged Access.\u201d<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Pricing dimensions (typical considerations)<\/h3>\n\n\n\n<p>Depending on Oracle\u2019s current pricing for Bastion\/Managed Access, cost may be:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>No additional charge<\/strong> for the Bastion service itself (common for some managed security control planes), <em>or<\/em><\/li>\n<li>Charged by <strong>session-hours<\/strong>, <strong>bastion-hours<\/strong>, or another usage metric (verify).<\/li>\n<\/ul>\n\n\n\n<p>Even if the service itself is free, <strong>your architecture still incurs costs<\/strong>:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Compute<\/strong>: instances you access (lab and production)<\/li>\n<li><strong>Network 
egress<\/strong>: data transfer out of OCI to the internet (for large port-forwarded transfers)<\/li>\n<li><strong>Logging<\/strong>: if you export\/retain Audit logs or host logs beyond free allocations<\/li>\n<li><strong>Security tooling<\/strong>: Cloud Guard or third-party SIEM ingestion (if applicable)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Free tier<\/h3>\n\n\n\n<p>OCI Free Tier eligibility often applies to certain Compute shapes and networking usage, but <strong>does not automatically guarantee<\/strong> that every security service is free. Confirm:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Always Free resources: https:\/\/www.oracle.com\/cloud\/free\/<\/li>\n<li>Bastion\/Managed Access pricing in the price list<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Cost drivers<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Session usage patterns<\/strong>: long-lived tunnels or many concurrent sessions can increase costs (if session-based billing applies).<\/li>\n<li><strong>Data volume through tunnels<\/strong>: port forwarding large datasets can cause egress charges if data leaves OCI.<\/li>\n<li><strong>Operational tooling<\/strong>: log retention, SIEM ingestion, and monitoring.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Hidden or indirect costs<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Engineer time<\/strong>: misconfigured NSGs and IAM can cause productivity loss. 
Standardize patterns.<\/li>\n<li><strong>Key management overhead<\/strong>: managing SSH keys and OS users still matters; consider automation and centralized identity patterns.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Network\/data transfer implications<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>SSH itself is low bandwidth, but port forwarding to services (especially downloading logs\/dumps) can generate meaningful data transfer.<\/li>\n<li>If traffic goes from OCI to the public internet (to your laptop), it may count as outbound data transfer.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">How to optimize cost<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Prefer <strong>short session durations<\/strong> and require re-authorization for extensions.<\/li>\n<li>Use <strong>Cloud Shell<\/strong> where appropriate to reduce local setup friction (cost-wise it doesn\u2019t remove egress, but can simplify operations).<\/li>\n<li>Avoid moving large datasets over SSH tunnels; use object storage or internal transfer mechanisms when possible.<\/li>\n<li>Separate dev\/test from prod to prevent accidental high-volume transfers from prod.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Example low-cost starter estimate (conceptual)<\/h3>\n\n\n\n<p>A low-cost lab typically includes:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>1 Always Free eligible compute instance (if available in your region)<\/li>\n<li>1 VCN with private subnets (no direct cost)<\/li>\n<li>Bastion\/Managed Access sessions (verify if billed; may be no charge)<\/li>\n<\/ul>\n\n\n\n<p>Your main variable is compute and any data egress during testing.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Example production cost considerations (conceptual)<\/h3>\n\n\n\n<p>In production, cost planning should include:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Expected number of engineers and average session duration<\/li>\n<li>Peak incident-response concurrency<\/li>\n<li>Port forwarding volume 
(especially if exporting data outside OCI)<\/li>\n<li>Centralized logging retention and SIEM costs<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">10. Step-by-Step Hands-On Tutorial<\/h2>\n\n\n\n<p>This lab shows a practical and safe baseline: <strong>SSH into a private VM (no public IP) using Managed Access (OCI Bastion)<\/strong>.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Objective<\/h3>\n\n\n\n<p>Create a private compute instance and access it securely using <strong>Managed Access<\/strong> sessions without exposing the instance to the internet.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Lab Overview<\/h3>\n\n\n\n<p>You will:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Create a VCN with two private subnets:\n   &#8211; <strong>Bastion subnet<\/strong> (used by Managed Access)\n   &#8211; <strong>Target subnet<\/strong> (where the VM lives)<\/li>\n<li>Create a private Linux VM (no public IP)<\/li>\n<li>Create a Managed Access (Bastion) resource<\/li>\n<li>Create a managed SSH session<\/li>\n<li>Connect to the private VM through the session<\/li>\n<li>Validate that direct public SSH is not possible<\/li>\n<li>Clean up<\/li>\n<\/ol>\n\n\n\n<blockquote>\n<p>Notes:\n&#8211; Exact console labels can change. 
If you see \u201cBastion\u201d rather than \u201cManaged Access,\u201d use \u201cBastion\u201d\u2014that is the official OCI service name in most tenancies.\n&#8211; Choose \u201cAlways Free Eligible\u201d options where available to keep costs low.<\/p>\n<\/blockquote>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 1: Create (or choose) a compartment<\/h3>\n\n\n\n<ol class=\"wp-block-list\">\n<li>In the OCI Console, open the navigation menu.<\/li>\n<li>Go to <strong>Identity &amp; Security \u2192 Compartments<\/strong>.<\/li>\n<li>Create a new compartment, for example: <code>lab-managed-access<\/code>.<\/li>\n<li>Record the compartment name.<\/li>\n<\/ol>\n\n\n\n<p><strong>Expected outcome<\/strong>: A dedicated compartment for the lab resources.<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 2: Create a VCN with two private subnets<\/h3>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Go to <strong>Networking \u2192 Virtual Cloud Networks<\/strong>.<\/li>\n<li>Click <strong>Create VCN<\/strong>.<\/li>\n<li>Choose <strong>VCN with Internet Connectivity<\/strong> <em>only if you want NAT\/IGW created automatically<\/em>.<br\/>\n   For a strict-private lab, you can still use the wizard and later ensure the instance has <strong>no public IP<\/strong>.<\/li>\n<li>Name the VCN: <code>vcn-managed-access-lab<\/code>.<\/li>\n<li>Create or confirm these subnets (names are examples):\n   &#8211; <code>subnet-bastion-private<\/code> (private)\n   &#8211; <code>subnet-target-private<\/code> (private)<\/li>\n<\/ol>\n\n\n\n<p>If the wizard creates public subnets by default, you can still proceed but ensure:\n&#8211; Your <strong>target instance<\/strong> is in a private subnet and has <strong>no public IP<\/strong>\n&#8211; Your NSG rules are explicit<\/p>\n\n\n\n<p><strong>Expected outcome<\/strong>: A VCN exists with a private subnet for the bastion and a private subnet for the 
target.<\/p>\n\n\n\n<p><strong>Verification<\/strong>\n&#8211; In the VCN details, confirm both subnets exist and note their CIDR blocks.<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 3: Create a Network Security Group (NSG) for the target VM<\/h3>\n\n\n\n<ol class=\"wp-block-list\">\n<li>In the OCI Console, go to <strong>Networking \u2192 Network Security Groups<\/strong>.<\/li>\n<li>Create NSG: <code>nsg-target-ssh<\/code>.<\/li>\n<li>Add an <strong>Ingress rule<\/strong> allowing SSH <strong>from the bastion subnet CIDR<\/strong>:\n   &#8211; Source type: CIDR\n   &#8211; Source CIDR: <em>CIDR of <code>subnet-bastion-private<\/code><\/em>\n   &#8211; Protocol: TCP\n   &#8211; Destination port: 22<\/li>\n<\/ol>\n\n\n\n<p><strong>Expected outcome<\/strong>: The target VM will only allow SSH from the bastion subnet path, not from the internet.<\/p>\n\n\n\n<p><strong>Verification<\/strong>\n&#8211; Review NSG security rules and confirm only bastion subnet CIDR is allowed to port 22.<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 4: Create a private Linux compute instance (no public IP)<\/h3>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Go to <strong>Compute \u2192 Instances \u2192 Create instance<\/strong>.<\/li>\n<li>Name: <code>vm-private-1<\/code>.<\/li>\n<li>Image: Choose an Oracle Linux image (or Ubuntu if preferred).<\/li>\n<li>Shape: pick an <strong>Always Free Eligible<\/strong> shape if available.<\/li>\n<li>Networking:\n   &#8211; VCN: <code>vcn-managed-access-lab<\/code>\n   &#8211; Subnet: <code>subnet-target-private<\/code>\n   &#8211; Public IP: <strong>Do NOT assign<\/strong><\/li>\n<li>Add SSH keys:\n   &#8211; Generate an SSH key pair locally (recommended), then paste the public key.\n   &#8211; Example local generation:\n<pre><code class=\"language-bash\">ssh-keygen -t ed25519 -f ~\/.ssh\/oci_managed_access_lab -C \"managed-access-lab\"\n<\/code><\/pre><\/li>\n<li>Attach NSG:\n   
&#8211; Add <code>nsg-target-ssh<\/code> to the instance VNIC.<\/li>\n<\/ol>\n\n\n\n<p><strong>Expected outcome<\/strong>: A running VM with <strong>only a private IP<\/strong> and no inbound access from the public internet.<\/p>\n\n\n\n<p><strong>Verification<\/strong>\n&#8211; On the instance details page:\n  &#8211; Confirm <strong>Public IP address<\/strong> is empty\/not present.\n  &#8211; Note the <strong>Private IP address<\/strong> (you will use it as the target).<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 5: Create the Managed Access (Bastion) resource<\/h3>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Go to <strong>Security, Identity, &amp; Compliance \u2192 Bastion<\/strong> (or your console\u2019s equivalent for Managed Access).<\/li>\n<li>Click <strong>Create bastion<\/strong>.<\/li>\n<li>Name: <code>bastion-managed-access-lab<\/code>.<\/li>\n<li>Select VCN: <code>vcn-managed-access-lab<\/code>.<\/li>\n<li>Select subnet: <code>subnet-bastion-private<\/code>.<\/li>\n<li>Create the bastion.<\/li>\n<\/ol>\n\n\n\n<p><strong>Expected outcome<\/strong>: A bastion resource is created and becomes <strong>Active<\/strong>.<\/p>\n\n\n\n<p><strong>Verification<\/strong>\n&#8211; Check bastion lifecycle state is Active\/Available.\n&#8211; Note the bastion OCID (useful for troubleshooting).<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 6: Create a managed SSH session to the private VM<\/h3>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Open your bastion resource.<\/li>\n<li>Click <strong>Create session<\/strong>.<\/li>\n<li>Session type: <strong>Managed SSH session<\/strong> (wording may vary).<\/li>\n<li>Target:\n   &#8211; Target type: usually <strong>Compute instance<\/strong> or <strong>Private IP<\/strong>\n   &#8211; Choose the instance <code>vm-private-1<\/code> (if selectable) or input its private IP.\n   &#8211; Port: 22<\/li>\n<li>SSH public key:\n   &#8211; Use the 
same public key you used (or a separate one) depending on the workflow your console supports.<\/li>\n<li>Session duration:\n   &#8211; Choose a short value (e.g., 30 minutes) for the lab.<\/li>\n<\/ol>\n\n\n\n<p><strong>Expected outcome<\/strong>: A session is created and becomes Active. The console typically provides an <strong>SSH command<\/strong> to copy.<\/p>\n\n\n\n<p><strong>Verification<\/strong>\n&#8211; The session shows Active (or similar).\n&#8211; The console offers connection instructions (SSH command, hostname, username, etc.).<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 7: Connect to the private VM through Managed Access<\/h3>\n\n\n\n<p>Use the connection command provided by the OCI Console for the session (recommended, because it is guaranteed to match current OCI endpoint formats).<\/p>\n\n\n\n<p>On your local machine (macOS\/Linux), it will look similar to:<\/p>\n\n\n\n<pre><code class=\"language-bash\">ssh -i ~\/.ssh\/oci_managed_access_lab &lt;session-username&gt;@&lt;bastion-endpoint-hostname&gt;\n<\/code><\/pre>\n\n\n\n<p>Or it may include a ProxyCommand \/ additional SSH options depending on session type and OCI\u2019s current guidance.<\/p>\n\n\n\n<p>Once connected, run:<\/p>\n\n\n\n<pre><code class=\"language-bash\">hostname\nwhoami\nip addr | head\n<\/code><\/pre>\n\n\n\n<p><strong>Expected outcome<\/strong>: You get a shell on <code>vm-private-1<\/code> even though it has no public IP.<\/p>\n\n\n\n<p><strong>Verification<\/strong>\n&#8211; <code>hostname<\/code> returns your instance hostname.\n&#8211; <code>whoami<\/code> matches the OS user you used (for example, <code>opc<\/code> on Oracle Linux images, or <code>ubuntu<\/code> on Ubuntu images\u2014verify your image defaults in the instance details).<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 8: Validate that the instance is not directly reachable from the internet<\/h3>\n\n\n\n<p>From 
your laptop, attempt to SSH directly to the instance:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>If the instance has <strong>no public IP<\/strong>, direct SSH is not possible.<\/li>\n<li>Confirm in the instance details page that there is no public IP.<\/li>\n<\/ul>\n\n\n\n<p><strong>Expected outcome<\/strong>: There is no direct path from the internet to the private VM; access requires Managed Access.<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Validation<\/h3>\n\n\n\n<p>Use this checklist:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Bastion resource state is Active.<\/li>\n<li>Session state is Active.<\/li>\n<li>You can connect using the console-provided SSH command.<\/li>\n<li>Instance has no public IP.<\/li>\n<li>NSG allows port 22 only from bastion subnet CIDR.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Troubleshooting<\/h3>\n\n\n\n<p>Common issues and fixes:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>\n<p><strong>Session is Active, but SSH times out<\/strong>\n   &#8211; Check NSG\/security list rules on the target subnet\/instance VNIC:<\/p>\n<ul>\n<li>Ingress TCP\/22 must allow <strong>source = bastion subnet CIDR<\/strong><\/li>\n<li>Ensure route tables allow reachability between bastion subnet and target subnet (same VCN typically works without extra routing).<\/li>\n<\/ul>\n<\/li>\n<li>\n<p><strong>Permission denied (publickey)<\/strong>\n   &#8211; Ensure you used the correct private key (<code>-i ~\/.ssh\/...<\/code>).\n   &#8211; Ensure the OS username is correct (<code>opc<\/code>, <code>ubuntu<\/code>, etc.).\n   &#8211; Ensure the target instance has the corresponding public key in <code>~\/.ssh\/authorized_keys<\/code>.<\/p>\n<\/li>\n<li>\n<p><strong>You can\u2019t create bastion\/session due to authorization<\/strong>\n   &#8211; Your IAM policy may not allow bastion\/session management in the compartment.\n   &#8211; Ask your tenancy admin to 
apply the least-privilege policies from the official Bastion policy reference.<\/p>\n<\/li>\n<li>\n<p><strong>Bastion subnet selection issues<\/strong>\n   &#8211; Ensure the subnet you selected belongs to the correct VCN and region.\n   &#8211; Confirm subnet is not blocked by restrictive security lists that prevent the bastion from reaching targets.<\/p>\n<\/li>\n<li>\n<p><strong>Corporate network blocks SSH<\/strong>\n   &#8211; Try using OCI Cloud Shell to run the SSH connection from within OCI\u2019s network environment.\n   &#8211; Confirm your organization allows outbound SSH.<\/p>\n<\/li>\n<\/ol>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Cleanup<\/h3>\n\n\n\n<p>To avoid ongoing costs:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Delete the <strong>Bastion session(s)<\/strong>.<\/li>\n<li>Delete the <strong>Bastion<\/strong> resource.<\/li>\n<li>Terminate the <strong>Compute instance<\/strong> <code>vm-private-1<\/code>.<\/li>\n<li>Delete NSGs created for the lab.<\/li>\n<li>Delete the <strong>VCN<\/strong> (and its subnets, route tables, gateways) if you created it solely for the lab.<\/li>\n<li>Delete the compartment (only if it\u2019s dedicated and empty).<\/li>\n<\/ol>\n\n\n\n<p><strong>Expected outcome<\/strong>: No billable resources remain.<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">11. Best Practices<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Architecture best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Use a <strong>dedicated bastion subnet<\/strong> per environment (dev\/test\/prod) to simplify NSG rules and audits.<\/li>\n<li>Prefer <strong>private subnets<\/strong> for workloads; keep public exposure limited to load balancers or explicitly required endpoints.<\/li>\n<li>In hub-and-spoke designs, decide whether bastions live in a <strong>hub VCN<\/strong> (centralized) or per-spoke (segmented). 
Choose based on blast radius and governance needs.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">IAM\/security best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Enforce <strong>least privilege<\/strong>:<\/li>\n<li>Separate roles:<ul>\n<li>Bastion administrators (manage bastions)<\/li>\n<li>Session users (create\/use sessions)<\/li>\n<\/ul>\n<\/li>\n<li>Require short session durations, with controlled extension workflows.<\/li>\n<li>Prefer <strong>federated identity<\/strong> (SAML\/OIDC) and MFA for admin identities.<\/li>\n<li>Use compartments to isolate:<\/li>\n<li>prod vs non-prod<\/li>\n<li>business units<\/li>\n<li>regulated workloads<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Cost best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Keep sessions short and discourage \u201calways-on\u201d tunnels.<\/li>\n<li>Avoid transferring large datasets through tunnels; use Object Storage or internal transfer patterns.<\/li>\n<li>Periodically review Audit logs and session usage to right-size processes.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Performance best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>For port forwarding, keep tunnels targeted to necessary ports and services.<\/li>\n<li>Use local tooling responsibly\u2014avoid running heavy queries through tunneled connections that create operational strain.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Reliability best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Document break-glass procedures and keep them tested.<\/li>\n<li>Use infrastructure-as-code (where appropriate) to standardize VCN, NSGs, and bastion deployment patterns.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Operations best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Standardize naming conventions:<\/li>\n<li><code>bastion-&lt;env&gt;-&lt;region&gt;<\/code><\/li>\n<li><code>session-&lt;user&gt;-&lt;ticket&gt;<\/code><\/li>\n<li>Use 
tags:<\/li>\n<li><code>Environment<\/code>, <code>Owner<\/code>, <code>CostCenter<\/code>, <code>DataClassification<\/code><\/li>\n<li>Maintain runbooks:<\/li>\n<li>\u201cHow to create a session\u201d<\/li>\n<li>\u201cCommon connection failures\u201d<\/li>\n<li>\u201cIncident access process\u201d<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Governance\/tagging\/naming best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Use tag defaults in compartments when your governance model supports it.<\/li>\n<li>Consider policies that restrict bastion creation to approved compartments.<\/li>\n<li>Periodically review:<\/li>\n<li>bastions that are unused<\/li>\n<li>overly permissive NSG rules<\/li>\n<li>long default session durations<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">12. Security Considerations<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Identity and access model<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Access is governed by <strong>OCI IAM<\/strong> policies.<\/li>\n<li>Place bastions and targets in compartments aligned to your org structure.<\/li>\n<li>Use group membership or dynamic groups (where appropriate) to keep access maintainable.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Encryption<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>SSH provides in-transit encryption for session data.<\/li>\n<li>For target services reached through port forwarding (DB connections, HTTPS admin UIs), ensure those services also use TLS where appropriate.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Network exposure<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The major security win is removing public IPs and inbound exposure from targets.<\/li>\n<li>Restrict NSG ingress on targets to:<\/li>\n<li>Source = bastion subnet CIDR<\/li>\n<li>Ports = only what\u2019s needed (22, or specific tunneled ports)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Secrets handling<\/h3>\n\n\n\n<ul 
class=\"wp-block-list\">\n<li>Avoid storing SSH private keys in shared locations.<\/li>\n<li>Use developer workstations with disk encryption and secure key storage.<\/li>\n<li>Consider enterprise key management workflows (for example, storing encrypted keys in a secrets manager) if your policies require it.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Audit\/logging<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Use <strong>OCI Audit<\/strong> for:<\/li>\n<li>Who created a session<\/li>\n<li>When a session was created\/ended<\/li>\n<li>Which bastion and target were involved (metadata)<\/li>\n<li>For what happened <strong>inside<\/strong> the instance:<\/li>\n<li>Use OS logs (sshd logs) and\/or host-based logging agents<\/li>\n<li>Consider centralized log aggregation in OCI Logging or a SIEM<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Compliance considerations<\/h3>\n\n\n\n<p>Managed Access supports compliance goals like:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Reduced attack surface<\/li>\n<li>Just-in-time privileged access patterns<\/li>\n<li>Auditability of access grants<\/li>\n<\/ul>\n\n\n\n<p>But compliance often requires additional controls:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>MFA and centralized identity<\/li>\n<li>Formal approval workflows (ticketing)<\/li>\n<li>Session recording (if required\u2014OCI Bastion may not provide keystroke capture; verify)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Common security mistakes<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Allowing SSH to targets from <code>0.0.0.0\/0<\/code> \u201ctemporarily\u201d and forgetting to remove it.<\/li>\n<li>Reusing the same bastion for all environments without compartment\/policy boundaries.<\/li>\n<li>Not restricting session duration or not reviewing session usage.<\/li>\n<li>Treating bastion access as a replacement for OS hardening and patching.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Secure deployment 
recommendations<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Use separate bastions per environment and restrict IAM accordingly.<\/li>\n<li>Require short TTL for sessions; enforce re-approval if extensions are needed.<\/li>\n<li>Use NSGs and strict source CIDRs from the bastion subnet only.<\/li>\n<li>Keep targets private; avoid public IPs unless absolutely required.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">13. Limitations and Gotchas<\/h2>\n\n\n\n<blockquote>\n<p>Validate these against your region\u2019s current OCI Bastion documentation and service limits.<\/p>\n<\/blockquote>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Not a full PAM solution<\/strong>: Managed Access manages connectivity and session lifecycle; it may not provide full privileged access management features like keystroke recording, approval workflows, or password vaulting (verify).<\/li>\n<li><strong>Network rules are the #1 failure point<\/strong>: Missing NSG ingress from bastion subnet to target port is common.<\/li>\n<li><strong>OS-level SSH requirements still apply<\/strong>: Users, keys, file permissions, and sshd config must be correct.<\/li>\n<li><strong>Service limits<\/strong>: Maximum sessions, maximum duration, and per-compartment quotas can constrain incident response if not planned.<\/li>\n<li><strong>Regional scope<\/strong>: Bastion is regional; cross-region access requires region-specific bastions or network design that supports it.<\/li>\n<li><strong>Port forwarding risk<\/strong>: It can unintentionally create broad access to internal services if not controlled.<\/li>\n<li><strong>Endpoint\/command formats can change<\/strong>: Always use the OCI Console-provided connection instructions or verify the CLI\/API syntax in the latest docs.<\/li>\n<li><strong>Data egress charges<\/strong>: Large transfers over tunnels to the public internet can incur costs.<\/li>\n<li><strong>Security Zones constraints<\/strong>: If you 
use Security Zones, verify that Bastion and required network configurations are allowed.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">14. Comparison with Alternatives<\/h2>\n\n\n\n<p>Managed Access (OCI Bastion) sits in a landscape of access patterns and tools.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Alternatives inside Oracle Cloud<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Public IP + SSH<\/strong>: simplest but least secure for private workloads.<\/li>\n<li><strong>Self-managed jump host in OCI<\/strong>: flexible but higher ops and security burden.<\/li>\n<li><strong>VPN\/FastConnect + private access<\/strong>: good for enterprise connectivity, but still needs a controlled admin access pattern on top.<\/li>\n<li><strong>Third-party PAM<\/strong> (integrated with OCI): broader feature set but more complexity and cost.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Alternatives in other clouds<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>AWS Systems Manager Session Manager<\/strong> (agent-based): strong for private access without SSH inbound; different model than bastion.<\/li>\n<li><strong>Azure Bastion<\/strong>: managed bastion-like service for RDP\/SSH.<\/li>\n<li><strong>GCP IAP TCP forwarding<\/strong>: identity-aware access proxy model.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Open-source \/ self-managed alternatives<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Teleport<\/strong><\/li>\n<li><strong>HashiCorp Boundary<\/strong><\/li>\n<li><strong>OpenSSH on hardened bastion hosts<\/strong><\/li>\n<li><strong>WireGuard-based admin overlay networks<\/strong><\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\">Comparison table<\/h4>\n\n\n\n<figure class=\"wp-block-table\"><table>\n<thead>\n<tr>\n<th>Option<\/th>\n<th>Best For<\/th>\n<th>Strengths<\/th>\n<th>Weaknesses<\/th>\n<th>When to Choose<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td><strong>Oracle Cloud 
Managed Access (OCI Bastion)<\/strong><\/td>\n<td>OCI-native private access to VMs\/services<\/td>\n<td>Managed, IAM-governed, time-bound sessions; no jump host VM<\/td>\n<td>May not include full session recording\/approvals; requires careful NSGs<\/td>\n<td>You want OCI-native, low-ops private admin access<\/td>\n<\/tr>\n<tr>\n<td>Self-managed jump host (OCI Compute)<\/td>\n<td>Full control\/custom tooling<\/td>\n<td>Flexible; can add proxying, recording, custom controls<\/td>\n<td>Patch\/harden\/monitor burden; persistent attack surface<\/td>\n<td>You need custom protocol support or tooling not available in managed service<\/td>\n<\/tr>\n<tr>\n<td>VPN \/ FastConnect + private SSH<\/td>\n<td>Enterprise connectivity patterns<\/td>\n<td>Strong private connectivity, integrates with corp network<\/td>\n<td>Doesn\u2019t inherently provide JIT\/session governance<\/td>\n<td>You already have private connectivity and need network-level access; pair with Managed Access or PAM<\/td>\n<\/tr>\n<tr>\n<td>Third-party PAM (e.g., enterprise tool)<\/td>\n<td>Strict compliance and governance<\/td>\n<td>Approvals, recording, credential vaulting<\/td>\n<td>Cost and operational complexity<\/td>\n<td>You must meet stringent audit requirements and need full PAM features<\/td>\n<\/tr>\n<tr>\n<td>AWS SSM Session Manager<\/td>\n<td>AWS workloads<\/td>\n<td>Agent-based, no inbound ports, strong IAM integration<\/td>\n<td>AWS-specific; requires SSM agent and permissions<\/td>\n<td>Your workloads are in AWS and you want agent-based access<\/td>\n<\/tr>\n<tr>\n<td>Azure Bastion<\/td>\n<td>Azure workloads<\/td>\n<td>Managed RDP\/SSH experience<\/td>\n<td>Azure-specific; pricing model differs<\/td>\n<td>Your workloads are in Azure<\/td>\n<\/tr>\n<tr>\n<td>Teleport \/ Boundary<\/td>\n<td>Multi-cloud \/ hybrid<\/td>\n<td>Strong identity integration, auditing, sometimes recording<\/td>\n<td>Must operate and scale platform<\/td>\n<td>You need consistent access across OCI + on-prem + other 
clouds<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">15. Real-World Example<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Enterprise example: regulated bank operations access<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem<\/strong>: A bank runs customer-facing services in OCI. Policy forbids public IPs on application servers and requires auditable administrative access with strict separation between dev and prod.<\/li>\n<li><strong>Proposed architecture<\/strong>:<ul>\n<li>Separate compartments for dev\/test\/prod<\/li>\n<li>Dedicated VCNs (or network zones) per environment<\/li>\n<li>Managed Access (OCI Bastion) per environment with dedicated bastion subnet<\/li>\n<li>NSGs restrict SSH to app instances only from bastion subnet CIDR<\/li>\n<li>IAM policies:<ul>\n<li>Only SRE on-call group can create prod sessions<\/li>\n<\/ul>\n<\/li>\n<li>Central logging strategy:<ul>\n<li>OCI Audit forwarded to SIEM<\/li>\n<li>OS auth logs shipped to centralized logging<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li><strong>Why this service was chosen<\/strong>:<ul>\n<li>Removes persistent jump hosts<\/li>\n<li>Supports just-in-time access and auditability<\/li>\n<li>Fits OCI native governance model (compartments, IAM)<\/li>\n<\/ul>\n<\/li>\n<li><strong>Expected outcomes<\/strong>:<ul>\n<li>Reduced attack surface (no public IPs)<\/li>\n<li>Faster audits with clear session creation history<\/li>\n<li>Less ops overhead than managing bastion VMs<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Startup\/small-team example: SaaS on private subnets<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem<\/strong>: A startup deploys microservices on private instances and wants a safe, simple way for two engineers to access production during incidents.<\/li>\n<li><strong>Proposed architecture<\/strong>:<ul>\n<li>Single VCN with private subnets for app and DB<\/li>\n<li>Managed Access (OCI Bastion) in a small \u201cprod\u201d compartment<\/li>\n<li>Session duration defaults to 30 minutes<\/li>\n<li>NSG for instances only allows port 22 from bastion subnet<\/li>\n<\/ul>\n<\/li>\n<li><strong>Why this service was chosen<\/strong>:<ul>\n<li>Minimal setup and minimal ongoing maintenance<\/li>\n<li>Strong default security posture without building a PAM platform<\/li>\n<\/ul>\n<\/li>\n<li><strong>Expected outcomes<\/strong>:<ul>\n<li>Secure operational access without public SSH<\/li>\n<li>Quick onboarding of new engineers with standardized access steps<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">16. FAQ<\/h2>\n\n\n\n<ol class=\"wp-block-list\">\n<li>\n<p><strong>Is \u201cManaged Access\u201d an official OCI service name?<\/strong><br\/>\n   In many OCI environments, the official service name for managed admin access is <strong>Bastion<\/strong>. Some catalogs\/training material may refer to it as \u201cManaged Access.\u201d Verify in the OCI Console and official docs: https:\/\/docs.oracle.com\/en-us\/iaas\/Content\/Bastion\/home.htm<\/p>\n<\/li>\n<li>\n<p><strong>Do my target instances need public IP addresses?<\/strong><br\/>\n   No. A primary benefit is accessing <strong>private instances without public IPs<\/strong>.<\/p>\n<\/li>\n<li>\n<p><strong>Do I need to deploy a jump host VM?<\/strong><br\/>\n   Typically no. Managed Access is designed to eliminate self-managed jump hosts for common SSH\/tunneling workflows.<\/p>\n<\/li>\n<li>\n<p><strong>What protocols are supported?<\/strong><br\/>\n   Commonly SSH and SSH port forwarding. If you need other protocols, you may tunnel them through SSH if appropriate. Verify protocol support in current docs.<\/p>\n<\/li>\n<li>\n<p><strong>Does it record everything typed during an SSH session?<\/strong><br\/>\n   Generally, OCI Audit records session lifecycle events, not full keystroke capture. For full session recording, you may need host-based tooling or a PAM product. 
Verify in official docs.<\/p>\n<\/li>\n<li>\n<p><strong>How is access controlled?<\/strong><br\/>\n   Through <strong>OCI IAM<\/strong> policies, compartments, and network security rules (NSGs\/security lists).<\/p>\n<\/li>\n<li>\n<p><strong>Can I restrict who can create sessions versus who can create bastions?<\/strong><br\/>\n   Yes\u2014this is a recommended practice. Use separate IAM policies and groups.<\/p>\n<\/li>\n<li>\n<p><strong>What is the \u201cbastion subnet\u201d used for?<\/strong><br\/>\n   It provides private network reachability from the managed service into your VCN so it can reach private targets.<\/p>\n<\/li>\n<li>\n<p><strong>Do I need to open port 22 to the internet on my target VM?<\/strong><br\/>\n   No. You should only allow port 22 from the bastion subnet (or its NSG-controlled path).<\/p>\n<\/li>\n<li>\n<p><strong>Can I use Managed Access to reach a database port?<\/strong><br\/>\n   Yes, typically using <strong>SSH port forwarding sessions<\/strong> (for example, tunnel to 5432\/1521\/3306), assuming network rules allow it.<\/p>\n<\/li>\n<li>\n<p><strong>How long should sessions last?<\/strong><br\/>\n   Keep them short (15\u201360 minutes) and extend only with explicit need. 
Production often uses shorter durations.<\/p>\n<\/li>\n<li>\n<p><strong>What\u2019s the most common reason sessions fail?<\/strong><br\/>\n   NSG\/Security List rules: the target port does not allow traffic from the bastion subnet CIDR, or routing is incorrect.<\/p>\n<\/li>\n<li>\n<p><strong>Is Managed Access regional?<\/strong><br\/>\n   Yes, typically bound to a region because it attaches to a VCN subnet in that region.<\/p>\n<\/li>\n<li>\n<p><strong>Can I automate session creation?<\/strong><br\/>\n   Often yes, via OCI APIs\/CLI\/SDKs, but take exact commands and parameters from current official docs.<\/p>\n<\/li>\n<li>\n<p><strong>How do I prove compliance to auditors?<\/strong><br\/>\n   Combine:<\/p>\n<ul>\n<li>OCI Audit logs for session lifecycle events<\/li>\n<li>OS logs for authentication\/activity<\/li>\n<li>Change management\/ticketing references to show approvals and purpose<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">17. Top Online Resources to Learn Managed Access<\/h2>\n\n\n\n<figure class=\"wp-block-table\"><table>\n<thead>\n<tr>\n<th>Resource Type<\/th>\n<th>Name<\/th>\n<th>Why It Is Useful<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>Official documentation<\/td>\n<td>OCI Bastion documentation<\/td>\n<td>Canonical reference for Managed Access behavior, concepts, and workflows: https:\/\/docs.oracle.com\/en-us\/iaas\/Content\/Bastion\/home.htm<\/td>\n<\/tr>\n<tr>\n<td>Official documentation (IAM)<\/td>\n<td>Bastion IAM policy reference<\/td>\n<td>Required for correct permissions design (verify the exact page path from docs home). 
Start at: https:\/\/docs.oracle.com\/en-us\/iaas\/Content\/Bastion\/home.htm<\/td>\n<\/tr>\n<tr>\n<td>Official pricing<\/td>\n<td>OCI Price List<\/td>\n<td>Validate whether Bastion\/Managed Access is billed and how: https:\/\/www.oracle.com\/cloud\/price-list\/<\/td>\n<\/tr>\n<tr>\n<td>Official cost tool<\/td>\n<td>OCI Cost Estimator<\/td>\n<td>Build a cost model including compute, network egress, and logging: https:\/\/www.oracle.com\/cloud\/costestimator.html<\/td>\n<\/tr>\n<tr>\n<td>Architecture center<\/td>\n<td>Oracle Architecture Center<\/td>\n<td>Reference architectures and best practices for secure OCI deployments: https:\/\/docs.oracle.com\/en\/solutions\/<\/td>\n<\/tr>\n<tr>\n<td>Official tutorials\/labs<\/td>\n<td>Oracle LiveLabs<\/td>\n<td>Hands-on labs; search for \u201cBastion\u201d or secure access patterns: https:\/\/apexapps.oracle.com\/pls\/apex\/f?p=133:1:0<\/td>\n<\/tr>\n<tr>\n<td>Official videos<\/td>\n<td>Oracle Cloud Infrastructure YouTube<\/td>\n<td>Product walkthroughs and best practices: https:\/\/www.youtube.com\/@OracleCloudInfrastructure<\/td>\n<\/tr>\n<tr>\n<td>CLI documentation<\/td>\n<td>OCI CLI docs<\/td>\n<td>Automation reference for OCI services (use for scripting sessions; verify current syntax): https:\/\/docs.oracle.com\/en-us\/iaas\/Content\/API\/Concepts\/cliconcepts.htm<\/td>\n<\/tr>\n<tr>\n<td>SDK documentation<\/td>\n<td>OCI SDKs<\/td>\n<td>Programmatic control for provisioning and governance: https:\/\/docs.oracle.com\/en-us\/iaas\/Content\/API\/Concepts\/sdks.htm<\/td>\n<\/tr>\n<tr>\n<td>Community learning<\/td>\n<td>OCI blogs and community posts<\/td>\n<td>Useful for practical troubleshooting, but always validate against official docs (start from official OCI blog hub): https:\/\/blogs.oracle.com\/cloud-infrastructure\/<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">18. 
Training and Certification Providers<\/h2>\n\n\n\n<p>The following institutes are listed as training providers; verify current course offerings directly on their sites.<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table>\n<thead>\n<tr>\n<th>Institute<\/th>\n<th>Suitable Audience<\/th>\n<th>Likely Learning Focus<\/th>\n<th>Mode<\/th>\n<th>Website URL<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>DevOpsSchool.com<\/td>\n<td>DevOps\/SRE, platform engineers, cloud engineers<\/td>\n<td>OCI DevOps, security operations, infrastructure automation fundamentals<\/td>\n<td>Check website<\/td>\n<td>https:\/\/www.devopsschool.com\/<\/td>\n<\/tr>\n<tr>\n<td>ScmGalaxy.com<\/td>\n<td>Beginners to intermediate DevOps practitioners<\/td>\n<td>SCM\/DevOps foundations, automation concepts that support secure access operations<\/td>\n<td>Check website<\/td>\n<td>https:\/\/www.scmgalaxy.com\/<\/td>\n<\/tr>\n<tr>\n<td>CloudOpsNow.in<\/td>\n<td>Cloud ops and operations teams<\/td>\n<td>Operational practices, monitoring, reliability, secure access patterns<\/td>\n<td>Check website<\/td>\n<td>https:\/\/www.cloudopsnow.in\/<\/td>\n<\/tr>\n<tr>\n<td>SreSchool.com<\/td>\n<td>SREs, reliability engineers<\/td>\n<td>SRE practices, incident response workflows, access governance patterns<\/td>\n<td>Check website<\/td>\n<td>https:\/\/www.sreschool.com\/<\/td>\n<\/tr>\n<tr>\n<td>AiOpsSchool.com<\/td>\n<td>Ops teams adopting AIOps<\/td>\n<td>Observability, operational analytics, incident workflows where managed access is a control<\/td>\n<td>Check website<\/td>\n<td>https:\/\/www.aiopsschool.com\/<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">19. Top Trainers<\/h2>\n\n\n\n<p>These sites are listed as trainer-related resources\/platforms. 
Confirm specific trainer profiles and OCI coverage on each site.<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table>\n<thead>\n<tr>\n<th>Platform\/Site<\/th>\n<th>Likely Specialization<\/th>\n<th>Suitable Audience<\/th>\n<th>Website URL<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>RajeshKumar.xyz<\/td>\n<td>DevOps\/cloud training and guidance (verify exact focus)<\/td>\n<td>Beginners to intermediate engineers seeking mentorship<\/td>\n<td>https:\/\/rajeshkumar.xyz\/<\/td>\n<\/tr>\n<tr>\n<td>devopstrainer.in<\/td>\n<td>DevOps training and coaching<\/td>\n<td>Teams and individuals learning DevOps tooling and practices<\/td>\n<td>https:\/\/www.devopstrainer.in\/<\/td>\n<\/tr>\n<tr>\n<td>devopsfreelancer.com<\/td>\n<td>Freelance DevOps services\/training (verify offerings)<\/td>\n<td>Startups and small teams<\/td>\n<td>https:\/\/www.devopsfreelancer.com\/<\/td>\n<\/tr>\n<tr>\n<td>devopssupport.in<\/td>\n<td>DevOps support and training resources<\/td>\n<td>Operations teams needing practical support<\/td>\n<td>https:\/\/www.devopssupport.in\/<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">20. Top Consulting Companies<\/h2>\n\n\n\n<p>The following companies are listed as consulting providers. 
Validate exact service catalogs and OCI specialization directly with them.<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table>\n<thead>\n<tr>\n<th>Company<\/th>\n<th>Likely Service Area<\/th>\n<th>Where They May Help<\/th>\n<th>Consulting Use Case Examples<\/th>\n<th>Website URL<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>cotocus.com<\/td>\n<td>Cloud\/DevOps consulting (verify specifics)<\/td>\n<td>Secure cloud architecture, migration planning, operational processes<\/td>\n<td>Designing private network access patterns; standardizing bastion session governance<\/td>\n<td>https:\/\/cotocus.com\/<\/td>\n<\/tr>\n<tr>\n<td>DevOpsSchool.com<\/td>\n<td>DevOps consulting and training services<\/td>\n<td>Platform engineering enablement, DevOps pipelines, cloud operations<\/td>\n<td>Implementing governed access workflows; building runbooks and automation around OCI access<\/td>\n<td>https:\/\/www.devopsschool.com\/<\/td>\n<\/tr>\n<tr>\n<td>DEVOPSCONSULTING.IN<\/td>\n<td>DevOps consulting (verify specifics)<\/td>\n<td>CI\/CD, infrastructure automation, operational maturity<\/td>\n<td>Secure access design reviews; integrating audit trails into operational compliance<\/td>\n<td>https:\/\/www.devopsconsulting.in\/<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">21. 
Career and Learning Roadmap<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">What to learn before this service<\/h3>\n\n\n\n<p>To use Managed Access effectively in Oracle Cloud, learn:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>OCI fundamentals: regions, compartments, IAM basics<\/li>\n<li>Networking: VCNs, subnets, CIDRs, route tables, NSGs, security lists<\/li>\n<li>Linux administration basics: SSH keys, users, sudo, sshd troubleshooting<\/li>\n<li>Security fundamentals: least privilege, zero trust concepts, audit logging<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">What to learn after this service<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Infrastructure as Code on OCI: Terraform for OCI (Resource Manager or self-managed Terraform)<\/li>\n<li>Enterprise identity integration: SAML\/OIDC federation and MFA enforcement<\/li>\n<li>Observability: OCI Logging, Monitoring, and SIEM integration patterns<\/li>\n<li>Broader security posture: Cloud Guard, Security Zones, vulnerability scanning<\/li>\n<li>PAM concepts: approvals, session recording, secrets management (Vault + enterprise tooling)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Job roles that use it<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Cloud Engineer \/ Cloud Operations Engineer<\/li>\n<li>DevOps Engineer<\/li>\n<li>Site Reliability Engineer (SRE)<\/li>\n<li>Security Engineer (cloud security)<\/li>\n<li>Platform Engineer<\/li>\n<li>Solutions Architect<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Certification path (if available)<\/h3>\n\n\n\n<p>Oracle certifications evolve. 
Start here and select OCI tracks aligned with security and architecture:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Oracle University (OCI training\/certs): https:\/\/education.oracle.com\/<\/li>\n<\/ul>\n\n\n\n<p>For Bastion\/Managed Access specifically, it\u2019s typically covered inside broader OCI architect\/security curriculum rather than as a standalone certification topic.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Project ideas for practice<\/h3>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>Secure admin access baseline<\/strong>: Build a private VCN with managed access and strict NSGs; document runbooks.<\/li>\n<li><strong>Port-forwarding toolkit<\/strong>: Create standardized scripts for DB port forwarding with short TTL sessions (validate against official CLI support).<\/li>\n<li><strong>Multi-environment governance<\/strong>: Separate dev\/test\/prod bastions with compartment policies and tags.<\/li>\n<li><strong>Audit reporting<\/strong>: Export OCI Audit events for session creation into a reporting dashboard or SIEM.<\/li>\n<li><strong>Break-glass design<\/strong>: Implement an emergency access group with strong controls and tested procedures.<\/li>\n<\/ol>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">22. 
Glossary<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>OCI (Oracle Cloud Infrastructure)<\/strong>: Oracle Cloud\u2019s infrastructure platform.<\/li>\n<li><strong>Security, Identity, and Compliance<\/strong>: OCI console category grouping security and governance services.<\/li>\n<li><strong>Managed Access<\/strong>: In this tutorial, the managed pattern\/service for secure, time-bound access to private resources\u2014commonly implemented as <strong>OCI Bastion<\/strong>.<\/li>\n<li><strong>Bastion<\/strong>: OCI managed service that brokers SSH\/tunnel access to private targets.<\/li>\n<li><strong>VCN (Virtual Cloud Network)<\/strong>: Your private network in OCI.<\/li>\n<li><strong>Subnet<\/strong>: A range of IPs within a VCN; can be public or private depending on routing and access rules.<\/li>\n<li><strong>NSG (Network Security Group)<\/strong>: Virtual firewall rules applied to VNICs\/resources to control traffic.<\/li>\n<li><strong>Security List<\/strong>: Subnet-level firewall rules (older model; still widely used).<\/li>\n<li><strong>Compartment<\/strong>: OCI logical container for organizing and controlling access to resources.<\/li>\n<li><strong>IAM Policy<\/strong>: Statements that grant permissions to groups\/dynamic groups in OCI.<\/li>\n<li><strong>Session (Bastion session)<\/strong>: Time-bound access grant for SSH or port forwarding.<\/li>\n<li><strong>Port forwarding<\/strong>: SSH tunneling technique to access private ports through an SSH connection.<\/li>\n<li><strong>Audit (OCI Audit)<\/strong>: Service that records API calls and administrative events in OCI.<\/li>\n<li><strong>Private IP<\/strong>: IP address reachable only within private networks (VCN).<\/li>\n<li><strong>Public IP<\/strong>: Internet-routable IP address.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">23. 
Summary<\/h2>\n\n\n\n<p><strong>Managed Access<\/strong> in <strong>Oracle Cloud<\/strong> (most commonly implemented through <strong>OCI Bastion<\/strong>) provides a practical way to enable <strong>secure, time-bound, auditable access<\/strong> to private resources without deploying and maintaining jump hosts.<\/p>\n\n\n\n<p>It matters because it reduces attack surface (no public IPs or open inbound SSH), supports IAM-governed access control, and improves compliance posture through auditable session lifecycle events. Architecturally, it fits best in private subnet designs and compartment-based governance models within <strong>Security, Identity, and Compliance<\/strong>.<\/p>\n\n\n\n<p>Cost-wise, validate whether the service itself is billed in your region, and always account for indirect costs like compute, logging retention, and data egress. Security-wise, treat network rules and IAM scoping as first-class design elements, and don\u2019t assume it replaces OS hardening or full PAM controls.<\/p>\n\n\n\n<p>Use Managed Access when you need OCI-native private admin access with low operational overhead. 
As a next step, standardize your deployment via Infrastructure as Code and integrate Audit + OS logs into a centralized observability and compliance workflow.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Security, Identity, and Compliance<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[62,39],"tags":[],"class_list":["post-730","post","type-post","status-publish","format-standard","hentry","category-oracle-cloud","category-security-identity-and-compliance"],"_links":{"self":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/posts\/730","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/comments?post=730"}],"version-history":[{"count":0,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/posts\/730\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/media?parent=730"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/categories?post=730"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/tags?post=730"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}