{"id":973,"date":"2026-04-17T08:19:27","date_gmt":"2026-04-17T08:19:27","guid":{"rendered":"https:\/\/www.devopsschool.com\/tutorials\/oracle-cloud-bastion-tutorial-architecture-pricing-use-cases-and-hands-on-guide-for-security-identity-and-compliance\/"},"modified":"2026-04-17T08:19:27","modified_gmt":"2026-04-17T08:19:27","slug":"oracle-cloud-bastion-tutorial-architecture-pricing-use-cases-and-hands-on-guide-for-security-identity-and-compliance","status":"publish","type":"post","link":"https:\/\/www.devopsschool.com\/tutorials\/oracle-cloud-bastion-tutorial-architecture-pricing-use-cases-and-hands-on-guide-for-security-identity-and-compliance\/","title":{"rendered":"Oracle Cloud Bastion Tutorial: Architecture, Pricing, Use Cases, and Hands-On Guide for Security, Identity, and Compliance"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\">Category<\/h2>\n\n\n\n<p>Security, Identity, and Compliance<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">1. Introduction<\/h2>\n\n\n\n<p>Oracle Cloud Infrastructure (OCI) <strong>Bastion<\/strong> is a managed service that lets you securely access resources that live in <strong>private subnets<\/strong>\u2014without giving those resources public IP addresses and without running your own jump host.<\/p>\n\n\n\n<p>In simple terms: <strong>Bastion is a secure, temporary \u201cdoor\u201d into your private network<\/strong>. You create a Bastion resource in OCI, then create time-bound sessions that allow SSH access (or SSH port forwarding) to private targets such as compute instances or private endpoints. 
Access is controlled by OCI Identity and Access Management (IAM) policies and by network allowlists.<\/p>\n\n\n\n<p>Technically, Bastion is an OCI-managed SSH bastion\/jump capability where you:\n&#8211; Create a <strong>Bastion<\/strong> associated with a <strong>VCN subnet<\/strong> (often a dedicated \u201cbastion subnet\u201d).\n&#8211; Create <strong>sessions<\/strong> (managed SSH or port forwarding) with a defined <strong>time-to-live (TTL)<\/strong>.\n&#8211; Use standard SSH tooling from your workstation to connect through OCI\u2019s bastion endpoint to the private target.<\/p>\n\n\n\n<p>The main problem it solves is a classic one in cloud networking: <strong>operations teams need administrative access to private workloads<\/strong>, but security teams don\u2019t want <strong>public IP exposure<\/strong>, permanently open inbound ports, or unmanaged jump servers that become high-risk choke points.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">2. What is Bastion?<\/h2>\n\n\n\n<p><strong>Official purpose (OCI scope):<\/strong> OCI Bastion provides <strong>restricted, time-bound, audited access<\/strong> to resources in private networks using <strong>SSH-based sessions<\/strong>\u2014without requiring public IP addresses on target resources and without requiring you to manage a bastion host yourself.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Core capabilities<\/h3>\n\n\n\n<p>OCI Bastion commonly provides:\n&#8211; <strong>Managed SSH access<\/strong> to private compute instances (SSH to a private IP through a Bastion session).\n&#8211; <strong>SSH port forwarding sessions<\/strong> to reach private endpoints (databases, internal web apps, APIs, admin ports) via an SSH tunnel.\n&#8211; <strong>Time-limited sessions (TTL)<\/strong> to reduce standing access.\n&#8211; <strong>Client IP allowlisting<\/strong> so only approved source IP ranges can initiate Bastion sessions.\n&#8211; <strong>IAM-based control<\/strong> for who can create\/delete bastions and 
sessions.\n&#8211; <strong>Audit visibility<\/strong> through OCI logging\/governance features (not a full keystroke recorder; see limitations).<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Major components<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Bastion (resource):<\/strong> The OCI object you create that represents the bastion capability for a network location. It is associated with:\n<ul class=\"wp-block-list\">\n<li>A <strong>compartment<\/strong><\/li>\n<li>A <strong>region<\/strong><\/li>\n<li>A <strong>target subnet<\/strong> in a VCN<\/li>\n<li>A <strong>client CIDR allowlist<\/strong><\/li>\n<li>A <strong>maximum session TTL<\/strong><\/li>\n<\/ul>\n<\/li>\n<li><strong>Bastion session:<\/strong> A short-lived access grant. Common session types include:\n<ul class=\"wp-block-list\">\n<li><strong>Managed SSH session<\/strong> (for SSH to a target compute instance)<\/li>\n<li><strong>Port forwarding session<\/strong> (for tunneling traffic to a private IP:port)<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Service type<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Managed cloud service<\/strong> under Oracle Cloud\u2019s <strong>Security, Identity, and Compliance<\/strong> portfolio.<\/li>\n<li>You operate it through the OCI Console, CLI, SDKs, and APIs, but you do not manage the underlying bastion hosts.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Scope: regional, tenancy, compartment<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Regional:<\/strong> Bastion is created in a specific OCI region and associated with network resources in that region.<\/li>\n<li><strong>Tenancy + compartment scoped:<\/strong> You create bastions and sessions in compartments, controlled by IAM policies.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">How it fits into the Oracle Cloud ecosystem<\/h3>\n\n\n\n<p>Bastion is designed to work with:\n&#8211; <strong>Networking:<\/strong> VCN, subnets, route tables, security lists, Network Security Groups (NSGs), DRG\/VCN peering.\n&#8211; 
<strong>Compute:<\/strong> Instances in private subnets (Linux\/Unix commonly for SSH; Windows can be reached via port forwarding for RDP if you run an SSH tunnel, with appropriate security controls).\n&#8211; <strong>Identity &amp; governance:<\/strong> IAM policies, compartments, tagging, and <strong>Audit<\/strong> events.\n&#8211; <strong>Operations:<\/strong> Monitoring and logging around session creation and access events (verify exact telemetry options in official docs for your region and tenant configuration).<\/p>\n\n\n\n<p>If you are unsure about any feature availability or session types in your region, <strong>verify in official docs<\/strong>:\n&#8211; https:\/\/docs.oracle.com\/en-us\/iaas\/Content\/Bastion\/home.htm<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">3. Why use Bastion?<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Business reasons<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Reduce breach risk<\/strong> by eliminating public IPs on admin targets and minimizing open inbound ports.<\/li>\n<li><strong>Lower operational burden<\/strong> vs. 
building and patching your own jump hosts.<\/li>\n<li><strong>Better governance<\/strong> with centralized access control via IAM policies and compartment boundaries.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Technical reasons<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Private-only architecture:<\/strong> Keep workloads in private subnets and still retain operational access.<\/li>\n<li><strong>Standard SSH tooling:<\/strong> No proprietary agent required on targets for basic SSH scenarios; most teams can use existing SSH clients and automation patterns.<\/li>\n<li><strong>Controlled ingress:<\/strong> Client CIDR allowlisting prevents session use from unknown networks.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Operational reasons<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Temporary access by design:<\/strong> Session TTL and lifecycle encourage \u201cjust-in-time\u201d administrative access.<\/li>\n<li><strong>Repeatable workflows:<\/strong> Teams can standardize \u201cbreak-glass\u201d and normal access procedures using Bastion sessions.<\/li>\n<li><strong>Fewer moving parts:<\/strong> No need for a self-managed bastion VM, autoscaling, patching, hardening, HA design, or SSH daemon tuning.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Security\/compliance reasons<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Least privilege:<\/strong> Use fine-grained IAM policies so only specific groups can create sessions for specific compartments.<\/li>\n<li><strong>Auditability:<\/strong> Session creation\/management events are recorded via OCI governance capabilities (review in your tenancy).<\/li>\n<li><strong>Reduced attack surface:<\/strong> Targets remain private; no direct inbound exposure to the public internet.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Scalability\/performance reasons<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Bastion offloads the \u201cjump host\u201d function to Oracle-managed 
infrastructure.<\/li>\n<li>Session model scales better than distributing static SSH access across many public endpoints.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">When teams should choose Bastion<\/h3>\n\n\n\n<p>Choose Bastion when you need:\n&#8211; Admin access to <strong>private compute instances<\/strong>\n&#8211; Connectivity to <strong>private services<\/strong> through SSH port forwarding (e.g., DB admin)\n&#8211; A <strong>managed<\/strong> alternative to jump boxes\n&#8211; Clear IAM governance boundaries and short-lived access<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">When teams should not choose it<\/h3>\n\n\n\n<p>Bastion may not be the best fit when:\n&#8211; You need <strong>full, always-on site-to-site connectivity<\/strong>: consider <strong>VPN Connect<\/strong> or <strong>FastConnect<\/strong>.\n&#8211; You need <strong>non-SSH-native session recording<\/strong> or advanced privileged access management (PAM) features: consider specialized PAM tools (verify requirements).\n&#8211; Your environment prohibits SSH entirely or requires application-layer gateways only.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">4. 
Where is Bastion used?<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Industries<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Finance, healthcare, public sector, and regulated industries where private network access and auditability matter.<\/li>\n<li>SaaS and fintech companies enforcing \u201cno public IP\u201d rules for production.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Team types<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Platform engineering teams standardizing secure access patterns<\/li>\n<li>SRE\/operations teams needing reliable break-glass access<\/li>\n<li>Security teams enforcing network isolation<\/li>\n<li>DevOps engineers managing private compute fleets and CI\/CD runners<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Workloads and architectures<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Private compute instances hosting APIs, microservices, batch jobs<\/li>\n<li>Private database tiers (accessed via SSH port forwarding)<\/li>\n<li>Hub-and-spoke VCN designs with shared services networks<\/li>\n<li>Hybrid architectures where workloads are private and administrative access must be controlled<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Real-world deployment contexts<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Production:<\/strong> Strong fit\u2014when paired with strict IAM, short TTL, IP allowlisting, and NSGs.<\/li>\n<li><strong>Dev\/test:<\/strong> Also helpful, but teams sometimes loosen allowlists; avoid turning Bastion into an \u201calways open\u201d backdoor.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">5. 
Top Use Cases and Scenarios<\/h2>\n\n\n\n<p>Below are realistic, common Bastion scenarios in Oracle Cloud.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">1) SSH into a private Linux instance (no public IP)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> Admins need SSH access but security forbids public IPs.<\/li>\n<li><strong>Why Bastion fits:<\/strong> Managed SSH sessions let you connect to the instance\u2019s private IP through a controlled session.<\/li>\n<li><strong>Example:<\/strong> An ops engineer connects to <code>10.0.2.10<\/code> in a private subnet to install patches.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">2) Emergency \u201cbreak-glass\u201d access during outage<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> A production service is failing and needs immediate instance-level inspection.<\/li>\n<li><strong>Why Bastion fits:<\/strong> You can create a short-lived session with tight TTL and controlled source IP.<\/li>\n<li><strong>Example:<\/strong> On-call SRE creates a 30-minute session to check logs and restart a service.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">3) Port-forward to a private database for administration<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> Database endpoints are private; DBAs need SQL*Plus\/GUI access.<\/li>\n<li><strong>Why Bastion fits:<\/strong> Port forwarding sessions provide a secure SSH tunnel to a private IP:port.<\/li>\n<li><strong>Example:<\/strong> DBA forwards local port <code>11521<\/code> to <code>10.0.3.15:1521<\/code> to run maintenance.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">4) Access a private internal web UI (admin console)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> Admin UIs should not be internet-exposed but must be reachable occasionally.<\/li>\n<li><strong>Why Bastion fits:<\/strong> Use port forwarding to access the web UI 
locally.<\/li>\n<li><strong>Example:<\/strong> Engineer forwards <code>localhost:18080<\/code> to <code>10.0.2.50:8080<\/code> to access an internal dashboard.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">5) Vendor or contractor access without opening permanent network paths<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> Third parties need temporary access; VPN accounts are heavy and risky.<\/li>\n<li><strong>Why Bastion fits:<\/strong> Create a time-bound session, limit it to vendor IP ranges, and restrict IAM permissions.<\/li>\n<li><strong>Example:<\/strong> Contractor gets a 2-hour session to a single instance for diagnostics.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">6) Reduce reliance on shared SSH keys and long-lived access<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> Long-lived SSH keys become unmanaged and hard to rotate.<\/li>\n<li><strong>Why Bastion fits:<\/strong> Sessions are temporary; you can align access to IAM and session TTL policies.<\/li>\n<li><strong>Example:<\/strong> Team moves from permanent jump box access to per-ticket Bastion sessions.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">7) Access private instances in peered VCNs (hub-and-spoke)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> Private workloads in spoke VCNs should not have public IPs.<\/li>\n<li><strong>Why Bastion fits:<\/strong> Bastion in a shared services subnet can reach targets through VCN peering\/DRG routing (if configured).<\/li>\n<li><strong>Example:<\/strong> Platform team hosts Bastion in shared VCN; app teams connect to spoke subnets.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">8) Secure access to CI\/CD runners or build agents in private subnets<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> Build agents need to stay private but occasionally require manual inspection.<\/li>\n<li><strong>Why Bastion fits:<\/strong> Managed 
access without changing the network to public.<\/li>\n<li><strong>Example:<\/strong> DevOps engineer SSHs to a private runner to check disk usage.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">9) Controlled access for security scanning tools<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> Security team needs to run scans against private hosts.<\/li>\n<li><strong>Why Bastion fits:<\/strong> Port forwarding can enable controlled connectivity to internal ports.<\/li>\n<li><strong>Example:<\/strong> Scanner connects via tunnel to test a private service endpoint.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">10) Migration and cutover phases<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> During migration, teams need frequent access but don\u2019t want to create long-lived public ingress rules.<\/li>\n<li><strong>Why Bastion fits:<\/strong> Bastion provides temporary access while networks stabilize.<\/li>\n<li><strong>Example:<\/strong> During app cutover, engineers connect to multiple private instances via Bastion sessions.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">6. Core Features<\/h2>\n\n\n\n<blockquote>\n<p>Note: Feature names and availability can evolve by region. 
<strong>Verify in official docs<\/strong> for your tenancy\/region: https:\/\/docs.oracle.com\/en-us\/iaas\/Content\/Bastion\/home.htm<\/p>\n<\/blockquote>\n\n\n\n<h3 class=\"wp-block-heading\">Bastion resource associated with a target subnet<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> Anchors Bastion to a subnet in your VCN.<\/li>\n<li><strong>Why it matters:<\/strong> Defines the network path Bastion uses to reach private targets.<\/li>\n<li><strong>Practical benefit:<\/strong> Clean separation\u2014use a dedicated \u201cbastion subnet\u201d with strict NSGs.<\/li>\n<li><strong>Caveat:<\/strong> You must correctly allow traffic from the bastion subnet to targets (NSGs\/security lists).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Session-based access with TTL (time-bound)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> Sessions expire automatically after a defined TTL.<\/li>\n<li><strong>Why it matters:<\/strong> Reduces standing privileged access.<\/li>\n<li><strong>Practical benefit:<\/strong> Helps enforce just-in-time access policies.<\/li>\n<li><strong>Caveat:<\/strong> Long maintenance tasks may need longer TTL; avoid setting maximum TTL too high.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Client CIDR allowlist<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> Restricts which source IP ranges can initiate Bastion sessions.<\/li>\n<li><strong>Why it matters:<\/strong> Stops access from unknown networks.<\/li>\n<li><strong>Practical benefit:<\/strong> Aligns with corporate egress IPs or secure admin networks.<\/li>\n<li><strong>Caveat:<\/strong> Remote users behind changing IPs can be blocked; plan a secure egress strategy (corporate VPN, ZTNA, fixed egress NAT).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Managed SSH session (private instance access)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> Provides a 
managed path to SSH into a private compute instance.<\/li>\n<li><strong>Why it matters:<\/strong> Removes need for public IPs and self-managed jump hosts.<\/li>\n<li><strong>Practical benefit:<\/strong> Use normal SSH clients; access is governed by IAM and short TTL.<\/li>\n<li><strong>Caveat:<\/strong> You still need OS-level access (user account, authorized keys) on the instance.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">SSH port forwarding session (private endpoint access)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> Creates an SSH tunnel to forward a local port to a private IP:port.<\/li>\n<li><strong>Why it matters:<\/strong> Enables access to private services (DB, web UI, admin ports) without exposing them publicly.<\/li>\n<li><strong>Practical benefit:<\/strong> Works with many TCP services; you keep services private.<\/li>\n<li><strong>Caveat:<\/strong> You must manage local port collisions and ensure NSGs allow traffic from the bastion subnet.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">IAM integration (who can manage bastions\/sessions)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> Uses OCI IAM policies to authorize actions (create bastion, create session, list sessions, delete).<\/li>\n<li><strong>Why it matters:<\/strong> Central security control with compartment scoping.<\/li>\n<li><strong>Practical benefit:<\/strong> Separate duties: network admins create bastions; app teams create sessions.<\/li>\n<li><strong>Caveat:<\/strong> Mis-scoped policies can unintentionally grant broad access.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Auditing via OCI governance tooling<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> Session creation and management operations are visible as OCI control-plane events.<\/li>\n<li><strong>Why it matters:<\/strong> Supports investigations and compliance needs.<\/li>\n<li><strong>Practical 
benefit:<\/strong> Helps answer \u201cwho created a session, when, and to what target.\u201d<\/li>\n<li><strong>Caveat:<\/strong> This is not the same as recording every command executed on the target host.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">7. Architecture and How It Works<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">High-level service architecture<\/h3>\n\n\n\n<p>At a high level:\n1. An admin user (or automation) authenticates to OCI and is authorized via IAM to create a Bastion session.\n2. The user creates a <strong>Bastion session<\/strong> specifying target details (managed SSH to an instance, or port forwarding to a private IP:port).\n3. The user\u2019s SSH client connects to the Bastion service endpoint using the session identifier and SSH key.\n4. The Bastion service connects to the target inside the VCN using the network path defined by the associated subnet.\n5. Traffic is proxied\/tunneled through the session until TTL expires or the session is terminated.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Control flow vs data flow<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Control plane:<\/strong> Creating bastions and sessions via OCI Console\/CLI\/API. 
These actions are governed by IAM and audited.<\/li>\n<li><strong>Data plane:<\/strong> The actual SSH traffic (or port-forwarded TCP traffic) flows through the Bastion session between your client and the private target.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Integrations with related services<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>VCN\/Subnets\/NSGs:<\/strong> Define reachability between bastion subnet and private targets.<\/li>\n<li><strong>IAM\/Compartments:<\/strong> Control who can create and manage sessions.<\/li>\n<li><strong>Audit:<\/strong> Track bastion\/session operations (control plane).<\/li>\n<li><strong>Vault (optional):<\/strong> Centralize sensitive material management (for example, where you store SSH keys); exact integration patterns are customer-managed.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Dependency services<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>OCI Networking (VCN, subnet routing)<\/li>\n<li>OCI IAM<\/li>\n<li>Target resources (Compute instances, private endpoints)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Security\/authentication model<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>OCI IAM<\/strong> controls who can create sessions.<\/li>\n<li><strong>SSH keys<\/strong> authenticate the user to the Bastion session endpoint.<\/li>\n<li><strong>OS-level authentication<\/strong> still applies when you SSH into a compute instance (user account permissions, authorized keys, sudo rules).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Networking model (what you must configure)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Bastion is associated with a <strong>subnet<\/strong>. 
Your target resources must allow inbound traffic from that subnet (or from an NSG associated with the Bastion path, depending on your design).<\/li>\n<li>Targets typically live in <strong>private subnets<\/strong> with no public IP.<\/li>\n<li>You do not open inbound internet access to the target; you open only VCN-internal paths (e.g., bastion subnet \u2192 target subnet on port 22).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Monitoring\/logging\/governance considerations<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Use <strong>Audit<\/strong> for bastion\/session lifecycle events.<\/li>\n<li>Use <strong>instance OS logs<\/strong> (syslog, auth logs) to track actual SSH logins and commands (command tracking typically requires OS-level tooling; Bastion itself is not a full PAM recorder).<\/li>\n<li>Consider standard OCI governance practices:<\/li>\n<li>compartments<\/li>\n<li>tagging<\/li>\n<li>least privilege IAM<\/li>\n<li>standardized TTL<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Simple architecture diagram<\/h3>\n\n\n\n<pre><code class=\"language-mermaid\">flowchart LR\n  U[Admin workstation\\nSSH client] --&gt;|Create session (IAM)| OCI[OCI Bastion Control Plane]\n  U --&gt;|SSH to session endpoint| B[OCI Bastion Session]\n  B --&gt;|VCN internal traffic| T[Private Compute Instance\\n10.x.x.x]\n<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Production-style architecture diagram<\/h3>\n\n\n\n<pre><code class=\"language-mermaid\">flowchart TB\n  subgraph Internet[\"Admin Networks\"]\n    A1[Corp Admin Laptop]\n    A2[Corp VPN \/ Fixed Egress NAT]\n  end\n\n  subgraph OCI[\"Oracle Cloud (OCI) Region\"]\n    subgraph IAM[\"Identity &amp; Governance\"]\n      I1[OCI IAM Policies]\n      I2[OCI Audit]\n      I3[Compartments &amp; Tags]\n    end\n\n    subgraph VCN[\"VCN 10.0.0.0\/16\"]\n      subgraph SubB[\"Bastion Subnet (private)\\n10.0.0.0\/24\"]\n        NSGB[NSG: bastion-subnet rules]\n      end\n      subgraph SubApp[\"App Subnet 
(private)\\n10.0.2.0\/24\"]\n        NSGAPP[NSG: app instances]\n        C1[Compute Instance\\n(no public IP)]\n        S1[Private Service\\nDB\/Web\/Admin Port]\n      end\n    end\n\n    BAST[OCI Bastion Resource]\n    SESS[OCI Bastion Sessions\\n(Managed SSH \/ Port Forward)]\n  end\n\n  A1 --&gt; A2 --&gt;|Allowed source CIDR| SESS\n  I1 --&gt; BAST\n  I1 --&gt; SESS\n  SESS --&gt;|VCN routing + NSGs| C1\n  SESS --&gt;|TCP forward| S1\n  SESS --&gt; I2\n  BAST --&gt; I2\n<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">8. Prerequisites<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Tenancy and account requirements<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>An active <strong>Oracle Cloud<\/strong> tenancy with permissions to use OCI Networking and Bastion.<\/li>\n<li>A compartment where you can create networking and Bastion resources.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Permissions \/ IAM roles<\/h3>\n\n\n\n<p>At minimum, you need IAM policies that allow you to:\n&#8211; manage bastions\n&#8211; manage bastion sessions\n&#8211; read networking resources\n&#8211; (for the lab) manage compute instances and VCN resources<\/p>\n\n\n\n<p>Example (conceptual) policy statements (adapt to your compartment structure and least privilege model; <strong>verify exact policy verbs\/resources in docs<\/strong>):\n&#8211; Allow a group to manage bastions in a compartment\n&#8211; Allow a group to manage bastion sessions in a compartment\n&#8211; Allow a group to use subnets in a compartment\n&#8211; Allow a group to manage instances in a compartment<\/p>\n\n\n\n<p>Policy syntax can be tenancy-specific; verify here:\n&#8211; https:\/\/docs.oracle.com\/en-us\/iaas\/Content\/Identity\/Reference\/policyreference.htm<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Billing requirements<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Bastion may incur charges depending on your usage and region. 
See pricing section.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Tools<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>OCI Console access (web browser)<\/li>\n<li>An SSH client:<\/li>\n<li>macOS\/Linux: <code>ssh<\/code> (OpenSSH)<\/li>\n<li>Windows: Windows Terminal + OpenSSH (or PuTTY with SSH tunneling support)<\/li>\n<li>Optional: OCI CLI (helpful but not required for this lab)<\/li>\n<li>https:\/\/docs.oracle.com\/en-us\/iaas\/Content\/API\/SDKDocs\/cliinstall.htm<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Region availability<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>OCI services vary by region. Confirm Bastion availability in your target region:<\/li>\n<li>Verify in official docs and your Console service list.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Quotas\/limits<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Bastion and session limits apply (per tenancy\/region\/compartment). Check service limits:<\/li>\n<li>https:\/\/docs.oracle.com\/en-us\/iaas\/Content\/General\/Concepts\/servicelimits.htm<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Prerequisite services<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>VCN and subnets<\/li>\n<li>A private compute instance to access (for the lab)<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">9. Pricing \/ Cost<\/h2>\n\n\n\n<p>OCI pricing changes over time and can be region-dependent. Do not rely on informal blogs for pricing. 
Use official sources:\n&#8211; OCI pricing list (Security category): https:\/\/www.oracle.com\/cloud\/price-list\/\n&#8211; OCI Cost Estimator: https:\/\/www.oracle.com\/cloud\/costestimator.html<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Pricing dimensions (typical model)<\/h3>\n\n\n\n<p>OCI Bastion costs are generally driven by:\n&#8211; <strong>Bastion session usage<\/strong> (for example, number of sessions and session duration in hours)\n&#8211; Potentially other dimensions depending on current OCI pricing structure for Bastion (SKU definitions can change)<\/p>\n\n\n\n<p>Because exact SKUs and rates can vary, <strong>verify the Bastion line items in the official price list for your region<\/strong>.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Free tier<\/h3>\n\n\n\n<p>Oracle Cloud Free Tier offerings evolve and may differ by region. If Bastion is included in a free allowance, it will be stated in the official free tier documentation or pricing pages. <strong>Verify in official docs<\/strong>:\n&#8211; https:\/\/www.oracle.com\/cloud\/free\/<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Direct cost drivers<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Long session durations:<\/strong> Keeping sessions open for hours increases cost if billing is session-hour based.<\/li>\n<li><strong>High session count:<\/strong> Many parallel sessions or frequent sessions can increase usage.<\/li>\n<li><strong>Operational habits:<\/strong> \u201cAlways-on\u201d tunnels (port forwarding) can become a hidden cost if left running.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Indirect\/hidden costs<\/h3>\n\n\n\n<p>Even if Bastion itself is relatively low cost, the architecture around it can add cost:\n&#8211; <strong>Compute instances<\/strong> you manage (targets)\n&#8211; <strong>NAT Gateway<\/strong> (if you add it for outbound patching from private instances)\n&#8211; <strong>Logging<\/strong> costs if you enable extensive log ingestion\/retention (varies by 
service)\n&#8211; <strong>Data transfer<\/strong>: Consider network egress charges if your session traffic results in cross-region or internet egress (typical bastion-to-target traffic stays within a region\/VCN, but confirm your routing and endpoints)<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Network\/data transfer implications<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Bastion is about access, not bulk transfer. If you use Bastion to move large files repeatedly (e.g., SCP over the tunnel), you may:<\/li>\n<li>Increase session time (higher cost)<\/li>\n<li>Increase network utilization<\/li>\n<li>Encounter operational limits\nConsider object storage pre-authenticated requests or artifact repositories for large transfers instead.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">How to optimize cost<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Prefer <strong>short TTL<\/strong> aligned to actual tasks (e.g., 30\u2013120 minutes).<\/li>\n<li>Avoid leaving port-forwarding tunnels running unattended.<\/li>\n<li>Use <strong>automation<\/strong> to create sessions only when needed (CI\/CD, ticket-based workflows).<\/li>\n<li>Consolidate bastion design sensibly (don\u2019t proliferate bastions per app unless required by network segmentation).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Example low-cost starter estimate (no fabricated prices)<\/h3>\n\n\n\n<p>A minimal lab typically uses:\n&#8211; 1 Bastion resource\n&#8211; 1 short managed SSH session (e.g., 30\u201360 minutes)\n&#8211; 1 always-free compute instance (if eligible)\nYour cost depends on the current Bastion session-hour price and any paid compute\/networking. 
Use:\n&#8211; https:\/\/www.oracle.com\/cloud\/costestimator.html<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Example production cost considerations<\/h3>\n\n\n\n<p>In production, cost typically grows with:\n&#8211; Number of admin users and parallel sessions\n&#8211; TTL defaults and operational discipline\n&#8211; Frequency of access (daily maintenance vs occasional break-glass)\nA common cost-control approach is to implement:\n&#8211; strict TTL defaults\n&#8211; privileged access workflows (approval-based)\n&#8211; periodic reporting from Audit + IAM<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">10. Step-by-Step Hands-On Tutorial<\/h2>\n\n\n\n<p>This lab builds a private compute instance (no public IP) and uses <strong>OCI Bastion<\/strong> to SSH into it safely.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Objective<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Create a private Linux compute instance in Oracle Cloud (no public IP).<\/li>\n<li>Create an OCI <strong>Bastion<\/strong> associated with a dedicated subnet.<\/li>\n<li>Create a <strong>Managed SSH session<\/strong> and connect to the instance using standard SSH.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Lab Overview<\/h3>\n\n\n\n<p>You will create:\n1. A VCN with two private subnets:\n   &#8211; <code>bastion-subnet<\/code> (for Bastion association)\n   &#8211; <code>app-subnet<\/code> (for the private compute instance)\n2. NSGs (recommended) to control traffic:\n   &#8211; Allow <code>bastion-subnet -&gt; app-subnet<\/code> on TCP\/22\n3. A compute instance in <code>app-subnet<\/code> without a public IP\n4. A Bastion resource in the compartment, associated with <code>bastion-subnet<\/code>\n5. 
A managed SSH session and an SSH connection from your workstation<\/p>\n\n\n\n<p><strong>Expected outcome:<\/strong> You can run <code>uname -a<\/code> on a private instance that has no public IP.<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 1: Prepare an SSH key pair (local workstation)<\/h3>\n\n\n\n<p>You will use this key for:\n&#8211; the compute instance (so your user can log in)\n&#8211; the Bastion session (so you can authenticate to Bastion)<\/p>\n\n\n\n<p>On macOS\/Linux:<\/p>\n\n\n\n<pre><code class=\"language-bash\">ssh-keygen -t ed25519 -f ~\/.ssh\/oci_bastion_lab -C \"oci-bastion-lab\"\n<\/code><\/pre>\n\n\n\n<p>This creates:\n&#8211; Private key: <code>~\/.ssh\/oci_bastion_lab<\/code>\n&#8211; Public key: <code>~\/.ssh\/oci_bastion_lab.pub<\/code><\/p>\n\n\n\n<p><strong>Expected outcome:<\/strong> Key files exist locally.<\/p>\n\n\n\n<p><strong>Verification:<\/strong><\/p>\n\n\n\n<pre><code class=\"language-bash\">ls -l ~\/.ssh\/oci_bastion_lab ~\/.ssh\/oci_bastion_lab.pub\n<\/code><\/pre>\n\n\n\n<p>On Windows (PowerShell):<\/p>\n\n\n\n<pre><code class=\"language-powershell\">ssh-keygen -t ed25519 -f $env:USERPROFILE\\.ssh\\oci_bastion_lab -C \"oci-bastion-lab\"\n<\/code><\/pre>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 2: Create network foundations (VCN + subnets)<\/h3>\n\n\n\n<p>In the <strong>OCI Console<\/strong>:\n1. Go to <strong>Networking<\/strong> \u2192 <strong>Virtual Cloud Networks<\/strong>\n2. Click <strong>Create VCN<\/strong>\n3. Choose <strong>VCN with Internet Connectivity<\/strong> <em>only if you need outbound internet later<\/em>. For this lab, you can also use <strong>VCN with custom CIDR<\/strong> and keep everything private.\n4. 
Use a simple CIDR like <code>10.0.0.0\/16<\/code><\/p>\n\n\n\n<p>Create two <strong>private subnets<\/strong>:\n&#8211; <code>bastion-subnet<\/code>: <code>10.0.0.0\/24<\/code> (Private subnet, no public IP assignment)\n&#8211; <code>app-subnet<\/code>: <code>10.0.2.0\/24<\/code> (Private subnet, no public IP assignment)<\/p>\n\n\n\n<p><strong>Expected outcome:<\/strong> VCN exists with two private subnets.<\/p>\n\n\n\n<p><strong>Verification:<\/strong>\n&#8211; In the VCN details, confirm both subnets exist and show <strong>Private<\/strong>.<\/p>\n\n\n\n<p><strong>Notes (important):<\/strong>\n&#8211; You do not need an Internet Gateway for Bastion to work with private targets.\n&#8211; Your instance does not need outbound access for the SSH connectivity itself.<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 3: Create NSGs and security rules (recommended)<\/h3>\n\n\n\n<p>You want the private instance to accept SSH <em>only<\/em> from the bastion network path.<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Go to <strong>Networking<\/strong> \u2192 <strong>Network Security Groups<\/strong><\/li>\n<li>Create NSG: <code>nsg-app-ssh<\/code><\/li>\n<li>Add an <strong>ingress<\/strong> rule to <code>nsg-app-ssh<\/code>:\n   &#8211; Source type: <strong>CIDR<\/strong>\n   &#8211; Source CIDR: <code>10.0.0.0\/24<\/code> (the <code>bastion-subnet<\/code> CIDR)\n   &#8211; IP protocol: TCP\n   &#8211; Destination port: 22<\/li>\n<\/ol>\n\n\n\n<p>Attach <code>nsg-app-ssh<\/code> to your compute instance in a later step.<\/p>\n\n\n\n<p><strong>Expected outcome:<\/strong> An NSG exists that allows SSH from the bastion subnet to app instances.<\/p>\n\n\n\n<p><strong>Verification:<\/strong>\n&#8211; Review NSG rules and confirm TCP\/22 ingress from <code>10.0.0.0\/24<\/code>.<\/p>\n\n\n\n<p><strong>Common mistake:<\/strong> Allowing SSH from <code>0.0.0.0\/0<\/code>. 
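Both warnings in Step 3 (the source must be the bastion subnet CIDR, never 0.0.0.0/0) can be checked mechanically before the NSG is attached to anything. The following is an added example, not code from the tutorial or from Oracle: it audits a list of NSG ingress rules and reports every rule that admits TCP/22 from anywhere wider than the bastion subnet. The rule dicts are constructed to follow the camelCase field names of the OCI SecurityRule REST shape (direction, protocol, source, sourceType, tcpOptions.destinationPortRange); the OCI CLI prints the same fields with hyphenated keys (source-type, tcp-options, destination-port-range), so rename keys before feeding it real `oci network nsg rules list` output. The bastion subnet and the sample rules are the lab values assumed here.

```python
"""Audit OCI NSG ingress rules for SSH exposure wider than the bastion subnet.

Added example (not from the tutorial or from Oracle). SAMPLE_RULES is a
CONSTRUCTED list that mirrors the camelCase OCI SecurityRule JSON shape; the
CLI's hyphenated keys must be renamed before passing real output to audit().
"""
import ipaddress

BASTION_SUBNET = ipaddress.ip_network("10.0.0.0/24")  # the lab's bastion-subnet
SSH_PORT = 22

# Constructed sample: the intended rule, three common mistakes, one egress rule.
SAMPLE_RULES = [
    {"direction": "INGRESS", "protocol": "6", "source": "10.0.0.0/24",
     "sourceType": "CIDR_BLOCK",
     "tcpOptions": {"destinationPortRange": {"min": 22, "max": 22}}},
    {"direction": "INGRESS", "protocol": "6", "source": "0.0.0.0/0",
     "sourceType": "CIDR_BLOCK",
     "tcpOptions": {"destinationPortRange": {"min": 22, "max": 22}}},
    {"direction": "INGRESS", "protocol": "all", "source": "10.0.0.0/16",
     "sourceType": "CIDR_BLOCK"},
    {"direction": "INGRESS", "protocol": "6", "source": "10.0.0.0/24",
     "sourceType": "CIDR_BLOCK",
     "tcpOptions": {"destinationPortRange": {"min": 1, "max": 65535}}},
    {"direction": "EGRESS", "protocol": "6", "destination": "0.0.0.0/0",
     "destinationType": "CIDR_BLOCK"},
]


def _dest_range(rule):
    # tcpOptions may be absent or null; a missing range means every TCP port.
    return (rule.get("tcpOptions") or {}).get("destinationPortRange")


def rule_reaches_ssh(rule):
    """True if an ingress rule admits TCP/22: protocol 'all', or TCP ('6') with a range covering 22."""
    if rule.get("direction") != "INGRESS":
        return False
    proto = rule.get("protocol")
    if proto == "all":
        return True
    if proto != "6":  # "6" is TCP in OCI rule JSON; UDP is "17"
        return False
    rng = _dest_range(rule)
    return rng is None or rng["min"] <= SSH_PORT <= rng["max"]


def classify_ssh_rule(rule, bastion_subnet=BASTION_SUBNET):
    """Finding label for an ingress rule that reaches SSH, or None if SSH is unaffected."""
    if not rule_reaches_ssh(rule):
        return None
    if rule.get("sourceType") != "CIDR_BLOCK":
        return "REVIEW_NON_CIDR_SOURCE"  # NSG- or service-sourced rule: review by hand
    src = ipaddress.ip_network(rule["source"], strict=False)
    if src.prefixlen == 0:
        return "OPEN_TO_INTERNET"  # 0.0.0.0/0 or ::/0
    if src.version != bastion_subnet.version or not src.subnet_of(bastion_subnet):
        return "WIDER_THAN_BASTION_SUBNET"
    rng = _dest_range(rule)
    if rule.get("protocol") == "all" or rng is None or (rng["min"], rng["max"]) != (SSH_PORT, SSH_PORT):
        return "MORE_THAN_SSH"  # right source, but more ports than the bastion needs
    return "OK"


def audit(rules, bastion_subnet=BASTION_SUBNET):
    """(source, protocol, finding) for every SSH-relevant ingress rule; other rules are skipped."""
    findings = []
    for rule in rules:
        label = classify_ssh_rule(rule, bastion_subnet)
        if label is not None:
            findings.append((rule.get("source"), rule.get("protocol"), label))
    return findings


if __name__ == "__main__":
    for source, proto, label in audit(SAMPLE_RULES):
        print(f"{label:28} source={source} protocol={proto}")
```

Only the first sample rule comes back as OK; anything reported as OPEN_TO_INTERNET is exactly the mistake named above.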
That defeats the point of private access.<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 4: Create a private compute instance (no public IP)<\/h3>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Go to <strong>Compute<\/strong> \u2192 <strong>Instances<\/strong> \u2192 <strong>Create instance<\/strong><\/li>\n<li>Choose:\n   &#8211; Image: Oracle Linux (or another Linux you prefer)\n   &#8211; Shape: pick an eligible low-cost\/always-free shape if available in your region (varies)<\/li>\n<li>Networking:\n   &#8211; VCN: your lab VCN\n   &#8211; Subnet: <code>app-subnet<\/code>\n   &#8211; <strong>Do not assign a public IPv4 address<\/strong><\/li>\n<li>Add your <strong>SSH public key<\/strong> from <code>~\/.ssh\/oci_bastion_lab.pub<\/code><\/li>\n<li>Add NSG:\n   &#8211; Attach <code>nsg-app-ssh<\/code><\/li>\n<li>Oracle Cloud Agent (under the advanced options at creation, or the instance\u2019s <strong>Oracle Cloud Agent<\/strong> tab afterwards):\n   &#8211; Enable (or confirm) the <strong>Bastion<\/strong> plugin. Managed SSH sessions require this plugin on the target; without it the session never becomes Active.\n   &#8211; The agent must be able to reach Oracle service endpoints. In a private subnet the usual answer is a <strong>Service Gateway<\/strong> to the Oracle Services Network; no Internet Gateway is needed.<\/li>\n<\/ol>\n\n\n\n<p>After provisioning, note:\n&#8211; The instance <strong>private IP<\/strong> (e.g., <code>10.0.2.10<\/code>)\n&#8211; The default OS user (commonly <code>opc<\/code> on Oracle Linux images; verify in the instance details)<\/p>\n\n\n\n<p><strong>Expected outcome:<\/strong> A running instance with only a private IP.<\/p>\n\n\n\n<p><strong>Verification:<\/strong>\n&#8211; Instance details show <strong>Public IP: None<\/strong>\n&#8211; Private IP is present\n&#8211; Instance state is <strong>Running<\/strong>\n&#8211; The Oracle Cloud Agent tab shows the <strong>Bastion<\/strong> plugin as Running<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 5: Create a Bastion resource<\/h3>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Go to <strong>Security<\/strong> (or <strong>Identity &amp; Security<\/strong>) \u2192 <strong>Bastion<\/strong><\/li>\n<li>Click <strong>Create bastion<\/strong><\/li>\n<li>Configure:\n   &#8211; Name: <code>bastion-lab<\/code>\n   &#8211; Compartment: your lab compartment\n   &#8211; Target VCN: choose your VCN\n   &#8211; Target subnet: <code>bastion-subnet<\/code>\n   &#8211; <strong>Client CIDR allowlist:<\/strong> add your current 
public IP as <code>\/32<\/code><ul>\n<li>Example: <code>203.0.113.10\/32<\/code><\/li>\n<li>Find your IP using an external \u201cwhat is my IP\u201d tool, or your corporate egress IP documentation.<\/li>\n<li>Maximum session TTL: choose a lab-friendly limit (e.g., 1\u20133 hours)<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n\n\n\n<p><strong>Expected outcome:<\/strong> Bastion resource becomes <strong>Active<\/strong>.<\/p>\n\n\n\n<p><strong>Verification:<\/strong>\n&#8211; Bastion state shows <strong>Active<\/strong>\n&#8211; Client CIDR allowlist contains your IP range<\/p>\n\n\n\n<p><strong>Common mistakes:<\/strong>\n&#8211; Using the wrong client IP (especially if you are behind a corporate proxy\/VPN that changes egress).\n&#8211; Setting a very wide allowlist for convenience.<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 6: Create a Managed SSH session to the private instance<\/h3>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Open your Bastion resource<\/li>\n<li>Go to <strong>Sessions<\/strong> \u2192 <strong>Create session<\/strong><\/li>\n<li>Choose session type: <strong>Managed SSH session<\/strong><\/li>\n<li>Provide:\n   &#8211; Target resource: select your compute instance (or specify its private IP, depending on UI)\n   &#8211; Target private IP: your instance private IP (if prompted)\n   &#8211; SSH username: e.g., <code>opc<\/code> (depends on your image; verify)\n   &#8211; SSH public key: paste contents of <code>~\/.ssh\/oci_bastion_lab.pub<\/code>\n   &#8211; Session TTL: e.g., 30\u201360 minutes for the lab<\/li>\n<\/ol>\n\n\n\n<p>Create the session and wait until it is <strong>Active<\/strong>.<\/p>\n\n\n\n<p><strong>Expected outcome:<\/strong> Session is active and shows connection instructions (host name, session OCID, port).<\/p>\n\n\n\n<p><strong>Verification:<\/strong>\n&#8211; Session lifecycle state is <strong>Active<\/strong>\n&#8211; You can see:\n  &#8211; Bastion service host (e.g., 
<code>host.bastion.&lt;region&gt;.oci.oraclecloud.com<\/code>)\n  &#8211; Session identifier (often the session OCID)\n  &#8211; Port 22<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 7: Connect to the private instance using SSH (ProxyCommand)<\/h3>\n\n\n\n<p>From your workstation terminal, use the pattern recommended by OCI Bastion for managed SSH sessions.<\/p>\n\n\n\n<p>Replace:\n&#8211; <code>&lt;region&gt;<\/code> with your region identifier (as shown in the session details)\n&#8211; <code>&lt;session_ocid&gt;<\/code> with the Bastion session OCID\n&#8211; <code>&lt;private_ip&gt;<\/code> with your instance private IP (e.g., <code>10.0.2.10<\/code>)\n&#8211; <code>&lt;os_user&gt;<\/code> with the instance OS user (e.g., <code>opc<\/code>)<\/p>\n\n\n\n<pre><code class=\"language-bash\">ssh -i ~\/.ssh\/oci_bastion_lab \\\n  -o ProxyCommand=\"ssh -i ~\/.ssh\/oci_bastion_lab -W %h:%p -p 22 &lt;session_ocid&gt;@host.bastion.&lt;region&gt;.oci.oraclecloud.com\" \\\n  &lt;os_user&gt;@&lt;private_ip&gt;\n<\/code><\/pre>\n\n\n\n<p><strong>Expected outcome:<\/strong> You get an interactive shell on the private instance.<\/p>\n\n\n\n<p><strong>Verification commands on the instance:<\/strong><\/p>\n\n\n\n<pre><code class=\"language-bash\">hostname\nuname -a\nip a | head\n<\/code><\/pre>\n\n\n\n<p>If you can run these commands, you have successfully accessed a private instance without a public IP using Bastion.<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Validation<\/h3>\n\n\n\n<p>Use this checklist:\n&#8211; [ ] Compute instance has <strong>no public IP<\/strong>\n&#8211; [ ] Bastion is <strong>Active<\/strong>\n&#8211; [ ] Session is <strong>Active<\/strong>\n&#8211; [ ] NSG rule allows TCP\/22 from bastion-subnet CIDR to app instance\n&#8211; [ ] SSH connection succeeds and you can run <code>uname -a<\/code><\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 
class=\"wp-block-heading\">Troubleshooting<\/h3>\n\n\n\n<p>Common errors and fixes:<\/p>\n\n\n\n<p>1) <strong><code>Permission denied (publickey)<\/code><\/strong>\n&#8211; Causes:\n  &#8211; Wrong SSH private key used locally\n  &#8211; Public key not installed on instance (instance metadata)\n  &#8211; Wrong OS username (e.g., <code>opc<\/code> vs <code>ubuntu<\/code>)\n&#8211; Fix:\n  &#8211; Confirm you used the same keypair for the instance and Bastion session.\n  &#8211; Run the connection with <code>ssh -v<\/code> to see which identity file each hop actually offers.\n  &#8211; Verify the correct default username for your chosen image in instance docs.<\/p>\n\n\n\n<p>2) <strong>Session won\u2019t become Active<\/strong>\n&#8211; Causes (managed SSH sessions):\n  &#8211; Oracle Cloud Agent <strong>Bastion<\/strong> plugin not enabled or not running on the target\n  &#8211; Target cannot reach Oracle service endpoints (no Service Gateway or NAT path), so the agent never reports in\n&#8211; Fix:\n  &#8211; Enable the Bastion plugin in the instance\u2019s Oracle Cloud Agent settings and wait for it to show Running.\n  &#8211; Give the app subnet a route to the Oracle Services Network, then create the session again.<\/p>\n\n\n\n<p>3) <strong>Connection times out before any SSH banner<\/strong>\n&#8211; Causes:\n  &#8211; Client CIDR allowlist does not include your real egress IP\n  &#8211; Corporate VPN changed your public IP after session creation\n&#8211; Fix:\n  &#8211; Update Bastion client CIDR allowlist to include the correct egress IP range.\n  &#8211; Prefer fixed egress via corporate NAT or VPN.<\/p>\n\n\n\n<p>4) <strong>SSH hangs after connecting to Bastion<\/strong>\n&#8211; Causes:\n  &#8211; Network rules block Bastion subnet \u2192 app instance on port 22\n  &#8211; Target instance firewall blocks SSH\n&#8211; Fix:\n  &#8211; Ensure NSG\/security list allows inbound TCP\/22 from the bastion-subnet CIDR.\n  &#8211; On the instance, verify <code>sshd<\/code> is running (requires console access if you can\u2019t SSH).<\/p>\n\n\n\n<p>5) <strong>Wrong private IP used<\/strong>\n&#8211; Fix:\n  &#8211; Copy the private IP from the instance details page.<\/p>\n\n\n\n<p>6) <strong>TTL expired<\/strong>\n&#8211; Fix:\n  &#8211; Sessions cannot be extended; create a new session with sufficient TTL for your task.<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Cleanup<\/h3>\n\n\n\n<p>To avoid ongoing charges:\n1. Delete the Bastion session(s)\n2. Delete the Bastion resource\n3. Terminate the compute instance\n4. Delete NSGs (if created only for the lab)\n5. 
Delete the VCN (and subnets)<\/p>\n\n\n\n<p><strong>Expected outcome:<\/strong> All lab resources are removed and billing stops (except any retained logs\/storage you configured elsewhere).<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">11. Best Practices<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Architecture best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Use a <strong>dedicated bastion subnet<\/strong> (private) separate from app subnets.<\/li>\n<li>Use <strong>NSGs<\/strong> for precise control:<\/li>\n<li>Allow SSH to targets only from the bastion subnet CIDR (or a dedicated NSG strategy).<\/li>\n<li>For hub-and-spoke designs, centralize Bastion in a shared services VCN only if routing\/segmentation rules support it cleanly.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">IAM\/security best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Apply <strong>least privilege<\/strong>:<\/li>\n<li>Only a small group can create bastions.<\/li>\n<li>A broader ops group may be allowed to create sessions, but only in specific compartments.<\/li>\n<li>Use <strong>separate compartments<\/strong> for prod vs non-prod bastions.<\/li>\n<li>Enforce short TTL defaults and restrict maximum TTL.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Cost best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Use shorter session TTLs.<\/li>\n<li>Avoid leaving tunnels open.<\/li>\n<li>Review Audit events and session usage periodically.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Performance best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Bastion is not intended for bulk data transfer. 
Use proper artifact repositories or object storage for large files.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Reliability best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Define a documented \u201cbreak-glass\u201d runbook:<\/li>\n<li>Who can create sessions<\/li>\n<li>TTL limits<\/li>\n<li>How access is reviewed<\/li>\n<li>Ensure bastion subnet has correct routing to all target subnets (especially with peering\/DRG).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Operations best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Standardize naming:<\/li>\n<li><code>bastion-&lt;env&gt;-&lt;region&gt;-&lt;vcn&gt;<\/code><\/li>\n<li><code>session-&lt;ticket&gt;-&lt;target&gt;<\/code><\/li>\n<li>Tag bastion\/session resources for:<\/li>\n<li>environment, cost center, owner, ticket\/reference<\/li>\n<li>Use OS-level logging (auth logs) on targets and centralize them.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Governance\/tagging\/naming best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Mandatory tags for production:<\/li>\n<li><code>Owner<\/code>, <code>Environment<\/code>, <code>CostCenter<\/code>, <code>DataSensitivity<\/code><\/li>\n<li>Enforce via organizational standards and policy (where applicable).<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">12. 
Security Considerations<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Identity and access model<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Bastion management is controlled by <strong>OCI IAM policies<\/strong>.<\/li>\n<li>Session usage is controlled by:<\/li>\n<li>IAM authorization to create sessions<\/li>\n<li>Bastion client CIDR allowlist<\/li>\n<li>Session TTL<\/li>\n<li>Target network rules (NSG\/security list)<\/li>\n<\/ul>\n\n\n\n<p><strong>Key principle:<\/strong> Bastion controls <em>path access<\/em>; the target OS still controls <em>login authorization<\/em>.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Encryption<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>SSH provides encrypted transport between your client and the Bastion endpoint.<\/li>\n<li>Port forwarding over SSH is encrypted end-to-end within the tunnel.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Network exposure<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Avoid public IPs on targets.<\/li>\n<li>Keep inbound rules minimal:<\/li>\n<li>targets: allow SSH only from bastion subnet (not from the internet)<\/li>\n<li>Ensure security lists\/NSGs do not accidentally allow broad lateral movement from bastion subnet.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Secrets handling<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Treat SSH private keys as secrets:<\/li>\n<li>Store securely (OS keychain, enterprise vault, secret manager)<\/li>\n<li>Use passphrases where practical<\/li>\n<li>Rotate keys and remove old keys from instance authorized_keys<\/li>\n<li>Avoid pasting private keys into tickets\/chat.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Audit\/logging<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Use OCI <strong>Audit<\/strong> for session and bastion lifecycle events.<\/li>\n<li>Use instance OS logs for:<\/li>\n<li>SSH login events<\/li>\n<li>sudo actions<\/li>\n<li>application logs\nFor stronger compliance, consider additional OS-level telemetry and centralized 
logging.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Compliance considerations<\/h3>\n\n\n\n<p>Bastion supports common compliance goals:\n&#8211; Reducing public exposure\n&#8211; Time-bound administrative access\n&#8211; IAM-based access control and auditing\nBut compliance requires end-to-end controls:\n&#8211; user identity lifecycle\n&#8211; key management\n&#8211; host hardening\n&#8211; log retention and review<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Common security mistakes<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Allowlisting <code>0.0.0.0\/0<\/code> in Bastion client CIDRs \u201cfor convenience\u201d<\/li>\n<li>Overly broad IAM policies (e.g., letting all developers create sessions in production)<\/li>\n<li>Leaving SSH keys unrotated and widely shared<\/li>\n<li>Allowing bastion subnet broad access to many ports\/subnets unnecessarily<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Secure deployment recommendations<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Restrict Bastion client CIDRs to known admin egress IPs.<\/li>\n<li>Enforce short TTL and ticket-based session creation for production.<\/li>\n<li>Pair Bastion with:<\/li>\n<li>strict NSGs<\/li>\n<li>OS hardening and MFA for IAM users<\/li>\n<li>centralized audit\/log review processes<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">13. Limitations and Gotchas<\/h2>\n\n\n\n<p>Because OCI services evolve, confirm details in official docs. 
Common limitations\/gotchas include:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Session TTL constraints:<\/strong> Maximum TTL is configurable but bounded; long tasks may be interrupted when TTL expires.<\/li>\n<li><strong>Not a full PAM replacement:<\/strong> Bastion controls access paths; it typically does not provide full session recording of commands.<\/li>\n<li><strong>Client IP allowlisting operational friction:<\/strong> Remote admins with changing egress IPs will fail to connect unless you design a stable admin egress.<\/li>\n<li><strong>Target OS access still required:<\/strong> Bastion doesn\u2019t replace Linux user management, sudo policies, or SSH hardening.<\/li>\n<li><strong>Network rules still matter:<\/strong> If NSGs\/security lists don\u2019t allow bastion subnet to reach targets, sessions will fail.<\/li>\n<li><strong>Service limits:<\/strong> Quotas exist for number of bastions\/sessions; check OCI service limits page.<\/li>\n<li><strong>Cross-network reachability:<\/strong> For peered VCNs\/DRG\/hybrid networks, you must ensure routing and security rules permit the bastion subnet to reach targets.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">14. Comparison with Alternatives<\/h2>\n\n\n\n<p>Bastion is one way to access private resources. 
Alternatives exist depending on security and operational requirements.<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table>\n<thead>\n<tr>\n<th>Option<\/th>\n<th>Best For<\/th>\n<th>Strengths<\/th>\n<th>Weaknesses<\/th>\n<th>When to Choose<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td><strong>OCI Bastion<\/strong><\/td>\n<td>Controlled SSH\/port-forward access to private resources<\/td>\n<td>Managed service, no jump host to patch, TTL sessions, IAM governance<\/td>\n<td>SSH-centric, not full PAM\/session recording<\/td>\n<td>Default choice for secure admin access to private OCI resources<\/td>\n<\/tr>\n<tr>\n<td><strong>Self-managed jump box (Compute instance with public IP)<\/strong><\/td>\n<td>Simple environments, custom tooling<\/td>\n<td>Full control, can add tooling, can be used for many protocols<\/td>\n<td>You must harden\/patch\/monitor; public exposure risk; HA is your problem<\/td>\n<td>Only when you need custom behavior and accept operational\/security overhead<\/td>\n<\/tr>\n<tr>\n<td><strong>OCI VPN Connect \/ FastConnect<\/strong><\/td>\n<td>Persistent hybrid connectivity<\/td>\n<td>Private connectivity from on-prem; can remove need for bastion for some access<\/td>\n<td>More setup, cost, and networking complexity<\/td>\n<td>When you need enterprise-grade network connectivity, not just admin access<\/td>\n<\/tr>\n<tr>\n<td><strong>OCI Cloud Shell + private access patterns<\/strong><\/td>\n<td>Quick admin from OCI console context<\/td>\n<td>No local setup for CLI\/SSH tooling<\/td>\n<td>Egress IP constraints and governance considerations; may not fit strict allowlisting<\/td>\n<td>For dev\/test or controlled environments\u2014verify policies and IP allowlisting needs<\/td>\n<\/tr>\n<tr>\n<td><strong>AWS Systems Manager Session Manager (other cloud)<\/strong><\/td>\n<td>Agent-based access without inbound ports<\/td>\n<td>Strong governance, no inbound SSH<\/td>\n<td>Different cloud; requires SSM agent and IAM<\/td>\n<td>If you are on AWS and want 
agent-based access<\/td>\n<\/tr>\n<tr>\n<td><strong>Azure Bastion (other cloud)<\/strong><\/td>\n<td>Browser-based RDP\/SSH via Azure portal<\/td>\n<td>No public IP on VMs, portal access<\/td>\n<td>Different cloud; pricing model differs<\/td>\n<td>If you are on Azure<\/td>\n<\/tr>\n<tr>\n<td><strong>GCP IAP TCP forwarding (other cloud)<\/strong><\/td>\n<td>Access to private VMs via Google identity-aware proxy<\/td>\n<td>Identity-based access<\/td>\n<td>Different cloud; setup constraints<\/td>\n<td>If you are on GCP<\/td>\n<\/tr>\n<tr>\n<td><strong>Teleport \/ HashiCorp Boundary (self-managed or SaaS)<\/strong><\/td>\n<td>Enterprise PAM and access workflows<\/td>\n<td>Rich access policies, session recording options<\/td>\n<td>More complexity, cost, operations<\/td>\n<td>When you need advanced PAM features beyond a basic bastion<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">15. Real-World Example<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Enterprise example: regulated financial services production access<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> Production workloads must not have public IPs; auditors require controlled admin access and traceability.<\/li>\n<li><strong>Proposed architecture:<\/strong><\/li>\n<li>Hub-and-spoke VCNs<\/li>\n<li>Dedicated bastion subnet in shared services VCN<\/li>\n<li>NSGs allow bastion subnet to reach only TCP\/22 on approved admin hosts, and specific DB ports where needed<\/li>\n<li>IAM policies restrict session creation to SRE group; max TTL enforced<\/li>\n<li>Audit events exported to a central SIEM; OS auth logs centralized<\/li>\n<li><strong>Why Bastion was chosen:<\/strong> Managed access reduces jump-box maintenance and improves governance with time-bound sessions.<\/li>\n<li><strong>Expected outcomes:<\/strong><\/li>\n<li>Reduced public exposure<\/li>\n<li>Short-lived access aligned to change tickets<\/li>\n<li>Clear audit trail for bastion\/session 
operations<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Startup\/small-team example: private-by-default VCN with occasional admin access<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> Small team wants private instances but needs occasional SSH for debugging.<\/li>\n<li><strong>Proposed architecture:<\/strong><\/li>\n<li>One VCN, private app subnet<\/li>\n<li>Bastion subnet + Bastion resource<\/li>\n<li>Strict client allowlist using founders\u2019 fixed IPs (or secure VPN egress)<\/li>\n<li><strong>Why Bastion was chosen:<\/strong> No need to maintain a jump VM; simpler and safer than public IPs.<\/li>\n<li><strong>Expected outcomes:<\/strong><\/li>\n<li>Private instances stay private<\/li>\n<li>On-demand access for debugging<\/li>\n<li>Minimal operational overhead<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">16. FAQ<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">1) Is \u201cBastion\u201d the current official Oracle Cloud service name?<\/h3>\n\n\n\n<p>In OCI documentation and console, it is commonly presented as <strong>Bastion<\/strong> (OCI Bastion). If you see \u201cOracle Cloud Infrastructure Bastion,\u201d that is the same service. Verify naming in official docs: https:\/\/docs.oracle.com\/en-us\/iaas\/Content\/Bastion\/home.htm<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">2) Do my private instances need public IPs to use Bastion?<\/h3>\n\n\n\n<p>No. A primary goal of Bastion is to access <strong>private<\/strong> targets without public IPs.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">3) Do I still need to open port 22 to the internet?<\/h3>\n\n\n\n<p>No. You typically allow SSH only from the bastion subnet (VCN-internal), not from the internet.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">4) What protocols does Bastion support?<\/h3>\n\n\n\n<p>Bastion is SSH-based. It supports SSH access and SSH port forwarding (tunneling TCP over SSH). 
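Step 7 gives the ProxyCommand form for a managed SSH session, and this FAQ (with question 5 below) covers port-forwarding sessions for private databases. The client-side commands for both, together with the pre-checks from the Troubleshooting section, are collected in this added example; it is not code from the tutorial or from Oracle. It builds the ssh argument list for a managed SSH session (ProxyCommand through the Bastion host) and for a port-forwarding session (the ssh -N -L tunnel form), rejects the input mistakes that most often break a connection (a bastion or instance OCID pasted instead of the session OCID, a target IP outside the app subnet), and tests a workstation egress IP against a bastion client CIDR allowlist. Assumptions: the session OCID is a constructed placeholder checked only for the ocid1.bastionsession. prefix, the region regex is a loose sanity check rather than Oracle's canonical list, and the app subnet, addresses and allowlist are the lab values.

```python
"""Build the client-side SSH commands for the two OCI Bastion session types and
pre-check the inputs that most often break a connection.

Added example (not from the tutorial or from Oracle). The command shapes follow
the Step 7 ProxyCommand pattern and the standard `ssh -N -L` tunnel pattern for
port-forwarding sessions. The OCID prefix, region pattern, subnet and allowlist
are ASSUMED lab values; verify the prefix against a real session OCID.
"""
import ipaddress
import re
import shlex

BASTION_HOST = "host.bastion.{region}.oci.oraclecloud.com"
_REGION_RE = re.compile(r"^[a-z]{2}-[a-z]+-\d$")  # loose check: us-ashburn-1, eu-frankfurt-1, ...
_SESSION_OCID_PREFIX = "ocid1.bastionsession."  # assumed prefix of Bastion session OCIDs
APP_SUBNET = "10.0.2.0/24"                       # the lab's app-subnet


def validate_session(session_ocid, region, private_ip, app_subnet=APP_SUBNET):
    """Raise ValueError on the input mistakes the Troubleshooting section lists."""
    if not session_ocid.startswith(_SESSION_OCID_PREFIX):
        raise ValueError("expected a Bastion *session* OCID, not a bastion or instance OCID")
    if not _REGION_RE.match(region):
        raise ValueError(f"region identifier looks wrong: {region!r}")
    if ipaddress.ip_address(private_ip) not in ipaddress.ip_network(app_subnet):
        raise ValueError(f"{private_ip} is not inside the app subnet {app_subnet}")


def managed_ssh_command(key_path, session_ocid, region, private_ip, os_user):
    """Interactive shell via a managed SSH session: outer ssh to Bastion, inner ssh to the target."""
    validate_session(session_ocid, region, private_ip)
    host = BASTION_HOST.format(region=region)
    proxy = f"ssh -i {key_path} -W %h:%p -p 22 {session_ocid}@{host}"
    return ["ssh", "-i", key_path, "-o", f"ProxyCommand={proxy}", f"{os_user}@{private_ip}"]


def port_forward_command(key_path, session_ocid, region, private_ip, target_port, local_port):
    """Local tunnel via a port-forwarding session: localhost:local_port -> private_ip:target_port."""
    validate_session(session_ocid, region, private_ip)
    host = BASTION_HOST.format(region=region)
    return ["ssh", "-i", key_path, "-N", "-L",
            f"{local_port}:{private_ip}:{target_port}", f"{session_ocid}@{host}"]


def egress_ip_allowed(egress_ip, client_cidr_allowlist):
    """Does the workstation's public egress IP fall inside the bastion's client CIDR allowlist?"""
    ip = ipaddress.ip_address(egress_ip)
    return any(ip in ipaddress.ip_network(c, strict=False) for c in client_cidr_allowlist)


if __name__ == "__main__":
    # Constructed lab values; the OCID is a placeholder with the assumed prefix.
    sess = "ocid1.bastionsession.oc1.iad.EXAMPLEsessionid"
    key = "~/.ssh/oci_bastion_lab"
    print(shlex.join(managed_ssh_command(key, sess, "us-ashburn-1", "10.0.2.10", "opc")))
    print(shlex.join(port_forward_command(key, sess, "us-ashburn-1", "10.0.2.10", 1521, 15210)))
    allowlist = ["203.0.113.10/32"]
    print(egress_ip_allowed("203.0.113.10", allowlist))  # the IP added in Step 5
    print(egress_ip_allowed("203.0.113.11", allowlist))  # the "Active but times out" case
```

The port-forwarding variant keeps the tunnel open with no remote command (-N); point the database client at localhost:15210 while it runs, and remember that the bastion subnet still needs an NSG path to the database port, not just to TCP/22.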
For anything beyond that, verify in official docs.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">5) Can I use Bastion to reach a private database?<\/h3>\n\n\n\n<p>Yes, typically via <strong>SSH port forwarding sessions<\/strong>, assuming the database endpoint is reachable from the bastion subnet and NSGs permit it.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">6) Is Bastion a replacement for VPN?<\/h3>\n\n\n\n<p>Not usually. Bastion is for controlled admin access and tunneling, while VPN\/FastConnect provide broader network connectivity.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">7) Does Bastion record my SSH session (keystrokes\/commands)?<\/h3>\n\n\n\n<p>Bastion provides control-plane audit events (session creation, etc.). Command-level recording is typically an OS-level\/PAM solution. Verify your requirements and OCI capabilities in official docs.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">8) What determines whether my SSH connection is allowed?<\/h3>\n\n\n\n<p>Three main layers:\n&#8211; IAM permission to create\/use sessions\n&#8211; Bastion client CIDR allowlist\n&#8211; Network rules (NSGs\/security lists) between bastion subnet and the target<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">9) Why does Bastion require a subnet association?<\/h3>\n\n\n\n<p>The subnet defines the network placement\/path Bastion uses to reach private targets inside your VCN.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">10) Should my bastion subnet be public or private?<\/h3>\n\n\n\n<p>A common best practice is <strong>private<\/strong>. Bastion does not require your targets to be in public subnets. 
Confirm any region-specific recommendations in the docs.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">11) How do I restrict access to only my corporate office network?<\/h3>\n\n\n\n<p>Set the <strong>client CIDR allowlist<\/strong> to your corporate egress NAT IP ranges and restrict IAM session creation to approved groups.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">12) Can multiple teams share one Bastion?<\/h3>\n\n\n\n<p>Yes, but governance matters. Use compartments, IAM, and tags to prevent cross-team access issues.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">13) What happens when the session TTL expires?<\/h3>\n\n\n\n<p>The session ends and your connection is terminated. Plan TTL to match maintenance windows.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">14) Can I automate Bastion session creation?<\/h3>\n\n\n\n<p>Yes, via OCI APIs\/CLI\/SDKs, subject to IAM policies. Always enforce TTL and auditing.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">15) Why can\u2019t I connect even though the session is Active?<\/h3>\n\n\n\n<p>Most commonly:\n&#8211; wrong OS username\n&#8211; wrong SSH key\n&#8211; NSG\/security list does not allow bastion subnet to reach target on required port\n&#8211; client IP not in allowlist<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">16) Can Bastion access targets in a different VCN?<\/h3>\n\n\n\n<p>Potentially, if networking is configured (peering\/DRG) and routing\/security rules allow it. Validate architecture and security carefully.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">17) Is Bastion suitable for production?<\/h3>\n\n\n\n<p>Yes, commonly. Use strong IAM, short TTL, strict allowlists, and comprehensive logging.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">17. 
Top Online Resources to Learn Bastion<\/h2>\n\n\n\n<figure class=\"wp-block-table\"><table>\n<thead>\n<tr>\n<th>Resource Type<\/th>\n<th>Name<\/th>\n<th>Why It Is Useful<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>Official documentation<\/td>\n<td>OCI Bastion Documentation<\/td>\n<td>Canonical features, concepts, and configuration guidance: https:\/\/docs.oracle.com\/en-us\/iaas\/Content\/Bastion\/home.htm<\/td>\n<\/tr>\n<tr>\n<td>Official pricing<\/td>\n<td>Oracle Cloud Price List<\/td>\n<td>Verify Bastion SKUs and region pricing: https:\/\/www.oracle.com\/cloud\/price-list\/<\/td>\n<\/tr>\n<tr>\n<td>Pricing calculator<\/td>\n<td>OCI Cost Estimator<\/td>\n<td>Build scenario-based estimates: https:\/\/www.oracle.com\/cloud\/costestimator.html<\/td>\n<\/tr>\n<tr>\n<td>IAM policies reference<\/td>\n<td>OCI Policy Reference<\/td>\n<td>Correct policy syntax and permissions: https:\/\/docs.oracle.com\/en-us\/iaas\/Content\/Identity\/Reference\/policyreference.htm<\/td>\n<\/tr>\n<tr>\n<td>CLI install guide<\/td>\n<td>OCI CLI Installation<\/td>\n<td>Automate session lifecycle: https:\/\/docs.oracle.com\/en-us\/iaas\/Content\/API\/SDKDocs\/cliinstall.htm<\/td>\n<\/tr>\n<tr>\n<td>Service limits<\/td>\n<td>OCI Service Limits<\/td>\n<td>Understand quotas for bastions\/sessions: https:\/\/docs.oracle.com\/en-us\/iaas\/Content\/General\/Concepts\/servicelimits.htm<\/td>\n<\/tr>\n<tr>\n<td>Free tier<\/td>\n<td>Oracle Cloud Free Tier<\/td>\n<td>Check if Bastion or related resources are included: https:\/\/www.oracle.com\/cloud\/free\/<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">18. 
Training and Certification Providers<\/h2>\n\n\n\n<figure class=\"wp-block-table\"><table>\n<thead>\n<tr>\n<th>Institute<\/th>\n<th>Suitable Audience<\/th>\n<th>Likely Learning Focus<\/th>\n<th>Mode<\/th>\n<th>Website URL<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>DevOpsSchool.com<\/td>\n<td>DevOps engineers, SREs, platform teams<\/td>\n<td>DevOps\/cloud operations foundations, hands-on practices<\/td>\n<td>Check website<\/td>\n<td>https:\/\/www.devopsschool.com\/<\/td>\n<\/tr>\n<tr>\n<td>ScmGalaxy.com<\/td>\n<td>Beginners to intermediate engineers<\/td>\n<td>SCM, DevOps tooling, cloud fundamentals<\/td>\n<td>Check website<\/td>\n<td>https:\/\/www.scmgalaxy.com\/<\/td>\n<\/tr>\n<tr>\n<td>CLoudOpsNow.in<\/td>\n<td>Cloud ops practitioners<\/td>\n<td>Operations, monitoring, reliability practices<\/td>\n<td>Check website<\/td>\n<td>https:\/\/www.cloudopsnow.in\/<\/td>\n<\/tr>\n<tr>\n<td>SreSchool.com<\/td>\n<td>SREs, operations teams<\/td>\n<td>SRE principles, incident response, reliability<\/td>\n<td>Check website<\/td>\n<td>https:\/\/www.sreschool.com\/<\/td>\n<\/tr>\n<tr>\n<td>AiOpsSchool.com<\/td>\n<td>Ops and automation teams<\/td>\n<td>AIOps concepts, automation, observability<\/td>\n<td>Check website<\/td>\n<td>https:\/\/www.aiopsschool.com\/<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">19. 
Top Trainers<\/h2>\n\n\n\n<figure class=\"wp-block-table\"><table>\n<thead>\n<tr>\n<th>Platform\/Site<\/th>\n<th>Likely Specialization<\/th>\n<th>Suitable Audience<\/th>\n<th>Website URL<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>RajeshKumar.xyz<\/td>\n<td>DevOps\/cloud training content<\/td>\n<td>Engineers seeking guided training<\/td>\n<td>https:\/\/www.rajeshkumar.xyz\/<\/td>\n<\/tr>\n<tr>\n<td>devopstrainer.in<\/td>\n<td>DevOps tooling and practices<\/td>\n<td>Beginners to intermediate DevOps engineers<\/td>\n<td>https:\/\/www.devopstrainer.in\/<\/td>\n<\/tr>\n<tr>\n<td>devopsfreelancer.com<\/td>\n<td>Freelance DevOps support\/training<\/td>\n<td>Teams needing practical implementation guidance<\/td>\n<td>https:\/\/www.devopsfreelancer.com\/<\/td>\n<\/tr>\n<tr>\n<td>devopssupport.in<\/td>\n<td>Operational support and training resources<\/td>\n<td>Ops teams and engineers<\/td>\n<td>https:\/\/www.devopssupport.in\/<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">20. 
Top Consulting Companies<\/h2>\n\n\n\n<figure class=\"wp-block-table\"><table>\n<thead>\n<tr>\n<th>Company Name<\/th>\n<th>Likely Service Area<\/th>\n<th>Where They May Help<\/th>\n<th>Consulting Use Case Examples<\/th>\n<th>Website URL<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>cotocus.com<\/td>\n<td>Cloud\/DevOps services<\/td>\n<td>Architecture, implementation, operationalization<\/td>\n<td>Designing private network access with Bastion; securing admin access workflows<\/td>\n<td>https:\/\/cotocus.com\/<\/td>\n<\/tr>\n<tr>\n<td>DevOpsSchool.com<\/td>\n<td>DevOps consulting and enablement<\/td>\n<td>Training + implementation support<\/td>\n<td>Building standardized Bastion access runbooks; IAM policy design reviews<\/td>\n<td>https:\/\/www.devopsschool.com\/<\/td>\n<\/tr>\n<tr>\n<td>DEVOPSCONSULTING.IN<\/td>\n<td>DevOps consulting<\/td>\n<td>Cloud ops and DevOps process help<\/td>\n<td>Bastion adoption planning; CI\/CD operational access patterns<\/td>\n<td>https:\/\/www.devopsconsulting.in\/<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">21. 
Career and Learning Roadmap<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">What to learn before Bastion<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>OCI fundamentals: compartments, regions, availability domains<\/li>\n<li>OCI Networking basics:\n<ul class=\"wp-block-list\">\n<li>VCNs, subnets, route tables<\/li>\n<li>security lists vs NSGs<\/li>\n<li>private vs public subnets<\/li>\n<\/ul>\n<\/li>\n<li>Linux SSH basics:\n<ul class=\"wp-block-list\">\n<li>key pairs, <code>authorized_keys<\/code>, ssh-agent<\/li>\n<li>troubleshooting SSH connectivity<\/li>\n<\/ul>\n<\/li>\n<li>OCI IAM basics:\n<ul class=\"wp-block-list\">\n<li>groups, dynamic groups (conceptually), policies<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">What to learn after Bastion<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Hybrid networking: DRG, VPN Connect, FastConnect<\/li>\n<li>Centralized logging\/monitoring and SIEM integration<\/li>\n<li>OS hardening and configuration management<\/li>\n<li>Privileged access management (PAM) patterns (beyond basic bastion)<\/li>\n<li>Zero-trust access patterns and strong identity controls<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Job roles that use it<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Cloud engineer \/ cloud operations engineer<\/li>\n<li>Site Reliability Engineer (SRE)<\/li>\n<li>DevOps engineer<\/li>\n<li>Platform engineer<\/li>\n<li>Security engineer (cloud security)<\/li>\n<li>Solutions architect<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Certification path (if available)<\/h3>\n\n\n\n<p>Oracle certifications change frequently. 
Look for OCI certifications covering networking and security, and verify current tracks on Oracle University:\n&#8211; https:\/\/education.oracle.com\/<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Project ideas for practice<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Build a \u201cprivate-only\u201d OCI environment with Bastion-based access and strict NSGs.<\/li>\n<li>Implement short TTL session patterns and tag sessions by ticket ID.<\/li>\n<li>Create a standard runbook for break-glass access and audit review.<\/li>\n<li>Extend to port forwarding for private database administration (in a sandbox).<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">22. Glossary<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Bastion:<\/strong> A controlled entry point used to access private network resources, typically via SSH.<\/li>\n<li><strong>OCI Bastion:<\/strong> Oracle Cloud managed service providing session-based SSH access and port forwarding to private targets.<\/li>\n<li><strong>VCN (Virtual Cloud Network):<\/strong> OCI\u2019s virtual network construct similar to a virtual private cloud.<\/li>\n<li><strong>Subnet:<\/strong> A segmented IP range within a VCN.<\/li>\n<li><strong>Private subnet:<\/strong> Subnet where instances typically do not have public IPs.<\/li>\n<li><strong>NSG (Network Security Group):<\/strong> Stateful virtual firewall rules applied to VNICs\/resources.<\/li>\n<li><strong>Security list:<\/strong> Subnet-level firewall rules (another OCI security control).<\/li>\n<li><strong>CIDR allowlist:<\/strong> IP ranges allowed to initiate Bastion access.<\/li>\n<li><strong>Session TTL:<\/strong> Time-to-live; how long a Bastion session remains valid.<\/li>\n<li><strong>Managed SSH session:<\/strong> Bastion session type used to SSH to a private compute instance.<\/li>\n<li><strong>Port forwarding session:<\/strong> Bastion session type used to tunnel TCP traffic to a private IP:port.<\/li>\n<li><strong>IAM policy:<\/strong> Authorization rules 
defining who can perform actions on OCI resources.<\/li>\n<li><strong>Compartment:<\/strong> A logical isolation boundary for organizing and securing OCI resources.<\/li>\n<li><strong>Audit:<\/strong> OCI service that captures control-plane API events for governance and investigations.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">23. Summary<\/h2>\n\n\n\n<p>Oracle Cloud <strong>Bastion<\/strong> (in the <strong>Security, Identity, and Compliance<\/strong> category) is a managed way to access private OCI resources using <strong>time-bound SSH sessions<\/strong> and <strong>SSH port forwarding<\/strong>, without exposing targets to the public internet or maintaining jump hosts.<\/p>\n\n\n\n<p>It fits best when you want private-by-default networking, strong IAM governance, short-lived admin access, and auditable session lifecycle events. Cost is typically driven by <strong>session usage and duration<\/strong>, so optimize with short TTLs and disciplined operational workflows.<\/p>\n\n\n\n<p>Next step: implement Bastion in a non-production compartment first, standardize IAM + NSG patterns, and validate your audit\/log review process using the official Bastion documentation: https:\/\/docs.oracle.com\/en-us\/iaas\/Content\/Bastion\/home.htm<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Security, Identity, and 
Compliance<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[62,39],"tags":[],"class_list":["post-973","post","type-post","status-publish","format-standard","hentry","category-oracle-cloud","category-security-identity-and-compliance"],"_links":{"self":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/posts\/973","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/comments?post=973"}],"version-history":[{"count":0,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/posts\/973\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/media?parent=973"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/categories?post=973"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/tags?post=973"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}