Thursday, June 04, 2020

Oracle OCI Cloud - Connecting a Private VM from a Public Bastion Host

Introduction


The following outlines the configuration for connecting to a backend private instance through a public instance (a bastion host) in the same VCN but a different subnet.

This post walks through the necessary configuration of routing (route tables) and the firewall (security lists), and builds a complete end-to-end example.

High-Level Steps

  • Create VCN and two subnets (one public, one private)
  • Create VMs - one in each subnet
  • Configure Router
  • Configure Firewall
  • Test and Verify
  • Access to OCI Instance

Note that this is part one of a multi-part series. In the following parts we extend this example, do the necessary configuration on OCI and establish hybrid connectivity to a private instance on Google Cloud (GCP) using a VPN.

Pre-requisites

  • A user with the necessary privileges to create a VCN and VMs and to configure networking
  • An SSH key pair (public and private key)
  • Basic knowledge of networking - CIDR, routers, firewalls, etc.

Start by creating a Compartment or Select an existing one

Step 1 - Create a VCN and two Subnets

Create a VCN (named oci-gcp-vpn-demo in this example) with two subnets: a public subnet for the bastion host and a private subnet (private_subnet1) for the backend instance. The addresses used later in this post (10.0.2.2 for the bastion, 10.0.1.2 for the private host) show that the two subnets use different address ranges, 10.0.2.x and 10.0.1.x respectively.

Step 2 - Create VMs

Create a Bastion Host in Public Subnet

Make sure to select the VCN created above and its public subnet. Upload your public SSH key and click Create to start instance provisioning.
After provisioning, note down the Public IP Address (158.101.x.xx in this example) and the Private IP Address: 10.0.2.2

Create a Private Host in Private Subnet

Instance Name: instance-1

Select the VCN created earlier and private_subnet1, and choose the Do Not Assign a Public IP Address option. Upload your public SSH key and click Create. After provisioning, note down the Private IP Address: 10.0.1.2

Step 3 - Configure Router (Route Tables)

For Public Subnet
Create Internet Gateway

Go to Networking -> Virtual Cloud Networks -> oci-gcp-vpn-demo

Go to Internet Gateways

Click on Create Internet Gateway and provide a name (IGW). Creating the gateway does not by itself send any traffic to it: open the Default Route Table and add a route rule with destination 0.0.0.0/0 (CIDR block) and the Internet Gateway as target. The default route table is the one we will associate with the public subnet in the next step; that route rule is what gives the bastion host its path to the public Internet.

For Private Subnet
Create Route Table

Purpose: to give the private subnet a route table that has no path to the Internet. Traffic between subnets of the same VCN is routed implicitly and needs no rule; what the private subnet must not have is the 0.0.0.0/0 -> Internet Gateway rule of the default route table. Since the routing rules for private hosts are different, we cannot reuse the default route table (which allows public Internet access) and will create a new one with no rules.

On the Route Tables page click on the Create Route Table button. Give a name for the route table, say Private RT.

After creation, you should have two Route Tables.

Edit private_subnet1, select Private RT from the Route Table dropdown and Save Changes.

Step 4 - Configure Firewall (Security Lists)

Here we define the security rules for ingress and egress. A route table only defines where packets can go; whether a packet is actually admitted to or from a VM is decided by the firewall, and anything not explicitly allowed is dropped even when a route exists.
The firewall is configured per subnet through Security Lists: a common set of firewall rules associated with a subnet and applied to every instance inside that subnet. Security list rules are stateful by default, so the replies of an allowed connection do not need a rule of their own.

Go to Networking -> Virtual Cloud Networks -> oci-gcp-vpn-demo
Note that when you create a VCN, a Default Security List is created and pre-configured with:

Ingress Rules - TCP port 22 (SSH) from all hosts (0.0.0.0/0), ICMP type 3 code 4 (path MTU discovery) from all hosts (0.0.0.0/0), and ICMP type 3 from the VCN's own CIDR
Egress Rule - all protocols to all destinations (0.0.0.0/0)

You can edit and/or delete any of the default rules and allow additional ports, such as port 80 if you are hosting a web server. For a bastion host it is good practice to narrow the source of the SSH ingress rule from 0.0.0.0/0 to the address range you administer from.

We will associate this default security list with the public subnet.

Here's a screenshot of the Default Ingress and Egress Rules

Security List for Public Subnet

Click on Subnets on the left menu and select

Click on Add Security List button and select the

Security List for Private Subnet

Create a new security list, say Private SL. Essentially this will allow SSH (TCP port 22) from the VM in the public subnet to reach the VM on this private subnet; for the ping test in Step 5 it must also allow ICMP echo requests from the public subnet. Use the public subnet's address range as the source rather than 0.0.0.0/0.

For

Finally, edit private_subnet1 and add the Private SL
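As an added example (not part of the original post and not Oracle's own code), here is the equivalent of Steps 1, 3 and 4 as a Terraform configuration for the OCI provider, so the routing and firewall decisions above can be read in one place. It assumes a configured oracle/oci provider, a VCN CIDR of 10.0.0.0/16, a public subnet 10.0.2.0/24 and a private subnet 10.0.1.0/24 (consistent with the 10.0.2.2 and 10.0.1.2 addresses above but not stated in the post), and two variables of my own, compartment_ocid and admin_cidr. The two instances from Step 2 are created as described there and are not repeated here.

```hcl
variable "compartment_ocid" {}
variable "admin_cidr" {}   # assumed, e.g. "203.0.113.10/32": the only source allowed to SSH to the bastion

locals {
  vcn_cidr     = "10.0.0.0/16"   # assumed; not stated in the post
  public_cidr  = "10.0.2.0/24"   # the bastion received 10.0.2.2
  private_cidr = "10.0.1.0/24"   # instance-1 received 10.0.1.2
}

resource "oci_core_vcn" "demo" {
  compartment_id = var.compartment_ocid
  cidr_block     = local.vcn_cidr
  display_name   = "oci-gcp-vpn-demo"
}

# Step 3, public side: Internet Gateway plus a default route pointing at it.
resource "oci_core_internet_gateway" "igw" {
  compartment_id = var.compartment_ocid
  vcn_id         = oci_core_vcn.demo.id
  display_name   = "IGW"
}

resource "oci_core_route_table" "public_rt" {
  compartment_id = var.compartment_ocid
  vcn_id         = oci_core_vcn.demo.id
  display_name   = "Public RT"
  route_rules {
    destination       = "0.0.0.0/0"
    destination_type  = "CIDR_BLOCK"
    network_entity_id = oci_core_internet_gateway.igw.id
  }
}

# Step 3, private side: no rules at all. Subnet-to-subnet traffic inside the VCN
# is routed implicitly; the only effect of this table is "no path to the Internet".
resource "oci_core_route_table" "private_rt" {
  compartment_id = var.compartment_ocid
  vcn_id         = oci_core_vcn.demo.id
  display_name   = "Private RT"
}

# Step 4, public side: SSH only from admin_cidr (not 0.0.0.0/0), all egress allowed.
resource "oci_core_security_list" "public_sl" {
  compartment_id = var.compartment_ocid
  vcn_id         = oci_core_vcn.demo.id
  display_name   = "Public SL"
  ingress_security_rules {
    protocol = "6"   # TCP
    source   = var.admin_cidr
    tcp_options {
      min = 22
      max = 22
    }
  }
  egress_security_rules {
    protocol    = "all"
    destination = "0.0.0.0/0"
  }
}

# Step 4, private side: SSH and ICMP echo only from the public subnet, egress only
# inside the VCN, so nothing could leave the subnet even if a route appeared.
resource "oci_core_security_list" "private_sl" {
  compartment_id = var.compartment_ocid
  vcn_id         = oci_core_vcn.demo.id
  display_name   = "Private SL"
  ingress_security_rules {
    protocol = "6"
    source   = local.public_cidr
    tcp_options {
      min = 22
      max = 22
    }
  }
  ingress_security_rules {
    protocol = "1"   # ICMP; type 8 = echo request, for the ping test in Step 5
    source   = local.public_cidr
    icmp_options {
      type = 8
    }
  }
  egress_security_rules {
    protocol    = "all"
    destination = local.vcn_cidr
  }
}

resource "oci_core_subnet" "public" {
  compartment_id    = var.compartment_ocid
  vcn_id            = oci_core_vcn.demo.id
  cidr_block        = local.public_cidr
  display_name      = "public_subnet1"
  route_table_id    = oci_core_route_table.public_rt.id
  security_list_ids = [oci_core_security_list.public_sl.id]
}

resource "oci_core_subnet" "private" {
  compartment_id             = var.compartment_ocid
  vcn_id                     = oci_core_vcn.demo.id
  cidr_block                 = local.private_cidr
  display_name               = "private_subnet1"
  route_table_id             = oci_core_route_table.private_rt.id
  security_list_ids          = [oci_core_security_list.private_sl.id]
  prohibit_public_ip_on_vnic = true   # no VNIC in this subnet can ever be given a public IP
}
```

Run terraform init and terraform apply, then create the two instances in the resulting subnets as in Step 2. Security list rules are stateful, so the SSH and ping replies from the private host need no egress rule beyond the VCN-internal one. Because the private security list only admits SSH and ICMP echo from 10.0.2.0/24 and the private route table has no Internet route, the private host is reachable only through the bastion: ssh -J opc@<bastion public IP> opc@10.0.1.2 does the same job as the ProxyCommand used in Step 5.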

 


Step 5. Test and Verify

Bastion host Public IP Address: 158.XXX.X.XX
Private host Private IP Address: 10.0.1.2

SSH to the bastion host and ping the private host:

$
Last login: Fri Jun  5 17:05:28 2020 from 47.145.202.26

[opc@bastion-host ~]$ ping -c 3 10.0.1.2
PING 10.0.1.2 (10.0.1.2) 56(84) bytes of data.
64 bytes from 10.0.1.2: icmp_seq=1 ttl=64 time=0.178 ms
64 bytes from 10.0.1.2: icmp_seq=2 ttl=64 time=0.169 ms
64 bytes from 10.0.1.2: icmp_seq=3 ttl=64 time=0.171 ms
--- 10.0.1.2 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss
rtt min/avg/max/mdev = 0.169/0.172/0.178/0.015 ms

You can also SSH directly to the private VM (using an SSH ProxyCommand through the bastion host, as the output below shows).

Note that the private VM is unable to ping hosts outside the VCN, as expected: its route table has no route to the Internet Gateway and its security list allows no egress to the Internet.

$
The authenticity of host '10.0.1.2 (<no hostip for proxy command>)' can't be established.
ECDSA key fingerprint is SHA256:GjAcfABZ9....
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.0.1.2' (ECDSA) to the list of known hosts.
Last login: Fri Jun
[opc@instance-1 ~]$
PING e2581.dscx.akamaiedge.net (104.106.41.204) 56(84) bytes of data.

--- e2581.dscx.akamaiedge.net ping statistics ---
3 packets transmitted, 0 received,

