Back to Blog
Oracle Cloud Bastion Setup: Secure Access to Private Instances

Oracle Cloud Bastion Setup: Secure Access to Private Instances

   Mariusz Antonik    Database    4 min read    8 views

Accessing private instances in Oracle Cloud Infrastructure can quickly become messy if you rely on public IPs or manual jump hosts. It’s one of the most common early mistakes—opening SSH to the internet just to get things working.

But there’s a better way. Oracle Cloud Bastion allows you to securely connect to private resources without exposing them publicly. Once you understand how it fits into your network design, it becomes a core part of a secure OCI setup.

Why Bastion Matters in OCI

In a properly designed OCI environment, most compute instances should sit inside private subnets. That means no public IP and no direct internet access. This is great for security—but it raises a practical question: how do you connect to those servers?

This is where Bastion comes in. It acts as a managed entry point, allowing controlled SSH access using temporary sessions instead of permanent exposure.

How OCI Bastion Works

OCI Bastion creates a secure service endpoint within your Virtual Cloud Network (VCN). Instead of opening inbound ports, you initiate a session from your local machine that tunnels traffic securely into the private subnet.

There are two main session types:

  • Managed SSH session – direct SSH access to a private instance
  • Port forwarding session – tunnel traffic to services like MySQL or web apps

Each session is time-limited and tied to IAM permissions, which significantly reduces risk.

Step-by-Step Oracle Cloud Bastion Setup

1. Prepare Your Network

Before creating a bastion, make sure your VCN is structured correctly:

  • Private subnet for your compute instances
  • Route tables configured (NAT Gateway if outbound access is needed)
  • Security lists or NSGs allowing internal traffic

A common mistake here is forgetting internal SSH rules between bastion and target instances.

2. Create the Bastion Service

In the OCI Console:

  1. Go to Identity & Security → Bastion
  2. Click Create Bastion
  3. Select your VCN and target subnet
  4. Define allowed CIDR ranges (your IP or office range)

This step defines who is allowed to initiate sessions.

3. Configure IAM Policies

You’ll need IAM policies to allow users to create sessions. A basic example:

Allow group BastionUsers to use bastion-session in compartment <compartment-name>

Without this, users won’t be able to initiate connections even if the bastion exists.

4. Create an SSH Session

Inside the bastion resource:

  • Choose Create Session
  • Select session type (SSH or port forwarding)
  • Provide target instance private IP
  • Upload your SSH public key

OCI will generate a connection command for you.

5. Connect to Your Instance

Use the provided SSH command from your terminal. It will look something like this:

ssh -i private_key -o ProxyCommand="..." [email protected]

This command creates a secure tunnel through the bastion without exposing the instance publicly.

Common Mistakes to Avoid

  • Opening port 22 to the internet – defeats the purpose of bastion
  • Missing IAM policies – prevents session creation
  • Incorrect security rules – blocks internal SSH traffic
  • Wrong subnet selection – bastion must reach the target subnet

These issues are easy to fix but can slow you down if you’re troubleshooting blind.

When to Use Port Forwarding

Port forwarding sessions are especially useful when accessing databases or internal services. For example:

  • Connect to a MySQL database in a private subnet
  • Access internal web applications
  • Test APIs without exposing them publicly

This approach keeps your services completely private while still accessible when needed.

Practical Design Tip

Instead of thinking of bastion as a one-off tool, treat it as part of your core security architecture. Combine it with:

  • Private subnets for all backend systems
  • Strict IAM policies
  • Network Security Groups for segmentation

This layered approach gives you both security and operational flexibility.

Summary

Setting up Oracle Cloud Bastion correctly removes the need for public SSH access and significantly improves your OCI security posture. It’s simple once configured, but it needs to be aligned with your network, IAM, and access strategy.

If you’re unsure whether your current setup is secure or properly structured, it’s worth taking a closer look before scaling further. You can Book an OCI architecture review to validate your design and avoid common pitfalls early.

Tags: #oci bastion tutorial #oci security #oracle cloud bastion #private instance access #ssh bastion
Share: Twitter LinkedIn Facebook
Read Next
Oracle Cloud Infrastructure Tutorial (Step-by-Step Setup Guide)
Oracle Cloud Infrastructure Tutorial (Step-by-Step Setup Guide)
Apr 11, 2026
How to Prevent Disk Full Outages on Servers
How to Prevent Disk Full Outages on Servers
Apr 11, 2026
OCI Network Security Lists vs NSGs: Key Differences Explained
Apr 11, 2026
Easy Infrastructure Monitoring That Actually Works
Easy Infrastructure Monitoring That Actually Works
Apr 11, 2026
About the Author
Mariusz Antonik

Oracle Cloud Infrastructure expert and consultant specializing in database management and automation.

Recent Posts
Easy Infrastructure Monitoring That Actually Works
Apr 11, 2026 OCI Network Security Lists vs NSGs: Key Differences Explained
Apr 11, 2026 How to Prevent Disk Full Outages on Servers
Apr 11, 2026 Oracle Cloud Infrastructure Tutorial (Step-by-Step Setup Guide)
Apr 11, 2026 MySQL Trend Monitoring for Early Performance Detection
Apr 11, 2026
All Tags
#Advanced #Bash #bash cpu monitoring script #bash monitoring #bash scripting #Beginner #Best Practices #Capacity Planning #cpu bottleneck #CPU Monitoring #cpu monitoring linux #cpu monitoring script linux #cpu trends #cpu usage trends linux #cron cpu monitoring #cron jobs #database monitoring #database performance #detect slow queries mysql #disk capacity planning server #disk forecasting linux #Disk Monitoring #disk usage #disk usage script linux #disk usage trends #Early Detection #easy infrastructure monitoring #free-tier #Guide #Health Reporting #historical server monitoring #infrastructure #infrastructure health #infrastructure health dashboard #infrastructure health reporting #infrastructure monitoring #infrastructure monitoring report #infrastructure trends monitoring #lightweight monitoring #linux cpu monitoring #linux cpu usage #linux disk capacity planning #linux disk usage #Linux monitoring #linux monitoring tools #linux performance #linux performance monitoring #linux server #linux server monitoring #linux servers #linux storage #linux tools #low maintenance monitoring #monitor cpu usage over time linux #monitor server trends #monitoring without complexity #MySQL #mysql health reporting #MySQL monitoring #mysql optimization #MySQL Performance #mysql performance monitoring #mysql query performance issues #mysql server monitoring #mysql slow query analysis #mysql slow query monitoring #mysql trends #networking #nsg #OCI #oci bastion tutorial #oci networking #oci security #oci setup guide #oci tutorial for beginners #oracle cloud bastion #oracle cloud free tier tutorial #oracle cloud infrastructure step by step #oracle cloud infrastructure tutorial #oracle-cloud #Performance Degradation #performance monitoring #performance trend monitoring #performance trends #plan disk growth server #practical server monitoring #predict disk usage growth #private instance access #query optimization #Security #security lists #server health #server health reporting #server health weekly report #server monitoring #server trend analysis #server-trends #simple monitoring system #simple ops monitoring #slow queries #slow query reporting mysql #small business infrastructure #small business IT #small infrastructure monitoring #small server monitoring #ssh bastion #storage capacity planning linux #storage monitoring #subnets #system health reporting #Trend Monitoring #Tutorial #vcn