Discovering MySQL Database Service – Episode 7 – Use a Bastion SSH port forwarding session
MySQL, the world’s most popular open source database, is available as a managed cloud service in Oracle Cloud Infrastructure (OCI) under the name of MySQL Database Service (MDS).
MySQL Database Service is a fully managed cloud service, 100% Developed, Managed and Supported by the MySQL Team.
This is the seventh episode of “Discovering MySQL Database Service“, a series of tutorials where I will show you, step by step, how to use MySQL Database Service and some other Oracle Cloud Infrastructure services.
Please also note that you can run this tutorial and thus try MySQL Database Service & the other Oracle Cloud Infrastructure services for free by starting your 30-day trial.
Planning episodes
- Introduction to the series Discovering MySQL Database Service
- Create a compartment
- Create a Virtual Cloud Network
- Dump your MySQL data into an Object Storage bucket
- Create a MySQL DB system from a MySQL Shell dump
- Update the Private Subnet Security List
- Use a Bastion SSH port forwarding session
- Connect to MySQL Database Service Using MySQL Shell
- Connect to MySQL Database Service Using MySQL Workbench
- Connect to MySQL Database Service Using OCI Cloud Shell
- MySQL Database Service Features Overview
Episode 7 – Use a Bastion SSH port forwarding session
In the previous episode we’ve seen how to allow traffic from the VCN to the MySQL Database Service instance on ports 3306 & 33060.
One more step to our Discovering MySQL Database Service journey.
In this episode, we’ll discover and use the OCI Bastion service to provide a restricted and time-limited access to administer our MySQL instance.
Bastion
Oracle Cloud Infrastructure Bastion provides restricted and time-limited access to target resources that don’t have public endpoints.
Bastions let authorized users connect from specific IP addresses to target resources using Secure Shell (SSH) sessions. When connected, users can interact with the target resource by using any software or protocol supported by SSH.
So, Bastions are logical entities that provide secured, public access to target resources in the cloud that you cannot otherwise reach from the internet.
Bastions reside in a public subnet and establish the network infrastructure needed to connect a user to a target resource in a private subnet.
Another important concept is Bastion sessions.
Bastion sessions let authorized users in possession of the private key in an SSH key pair connect to a target resource for a predetermined amount of time.
You provide the public key in the SSH key pair at the time you create the session, and then supply the private key when you connect.
In addition to presenting the private key, an authorized user must also attempt the SSH connection to the target resource from an IP address within the range allowed by the bastion’s client CIDR block allowlist.
There are 2 kind of session types, managed ssh session and ssh port forwarding session. In this article, we’re going to use only the ssh port forwarding session.
Port forwarding (also known as SSH tunneling) creates a secure connection between a specific port on the client machine and a specific port on the target resource.
Using this connection you can relay other protocols.
Note
Your OCI user must be part of a group that has the right privileges in order to use all Bastion features.
At least the following rules:
Allow group SecurityAdmins to manage bastion-family in tenancy
Allow group SecurityAdmins to manage virtual-network-family in tenancy
Allow group SecurityAdmins to read instance-family in tenancy
Allow group SecurityAdmins to read instance-agent-plugins in tenancy
Allow group SecurityAdmins to inspect work-requests in tenancy
Please see: Bastion IAM Policies and Required IAM policy to managing Bastions
Create a bastion
Go to the OCI console, in the menu, go to: Identity & Security / Bastion
Check that you are in the right compartment and click Create Bastion
You should provide:
- a bastion name – BastionMDS
- the target VCN, in the right compartment – Demo_VCN
- the target subnet, the private one – Private Subnet-Demo_VCN
- the CIDR block allowlist ie the IP from where you want to provide the secure access (e.g. 11.0.0.0/24, <your IP>/32, …). You can have multiple CIDR blocks.
- You can also choose the maximum session ttl (max 3 hours, and you can redefine it per session later) if you click on Show Advanced Options
- Then click on Create Bastion
Create a session
Now it is the time to create a Bastion SSH port forwarding session.
Click on your brand new Bastion (or go to the OCI console and in the menu, go to: Identity & Security / Bastion and click on your Bastion).
Click on Create Session, a new form will show up.
You should provide:
- the Session Type: SSH port forwarding session
- a session name: a meaningful one 🙂
- how to connect to the target host : we’ll use IP Address.
- the MySQL Database Service instance IP Address: the IP address that we got in Discovering MySQL Database Service – Episode 5 – Create a MySQL DB system from a MySQL Shell dump
- the MySQL Database Service instance port: one of the port that we got in Discovering MySQL Database Service – Episode 5 – Create a MySQL DB system from a MySQL Shell dump. I choose 3306 but you could have chosen 33060.
Like we mentioned earlier, Bastion sessions let authorized users in possession of the private key in an SSH key pair connect to a target resource. You provide the public key in the SSH key pair at the time you create the session, and then supply the private key when you connect.
If you do not already have a SSH key pair (or want to use another one) select Generate SSH Key pair.
Download the private key so that you can connect to the instance using SSH.
Be careful because,
It will not be shown again!
You can also download the public key if needed.
Please note that you will need to modify the private key file permissions.
Example:
|
1 |
ex: chmod 600 ssh-key-YYYY-MM-DD.key |
If you want to setup the session time-to-live click on Show Advanced Options
Then click Create Session:
Our Bastion session is now created and active.
Well, that’s all for today!
In this episode, we have seen how to use an OCI Bastion session in order to provide a restricted and time-limited access to administer our MySQL instance.
Next episode is:
Connect to MySQL Database Service Using MySQL Shell
Resources
- MySQL Database Service (MDS)
- Documentation of MySQL Database Service
- Oracle Cloud Infrastructure (OCI)
- Oracle Cloud Infrastructure Glossary
- Oracle Cloud Free Tier
- Bastion
- Skip the Jump Host with OCI Bastion
- MySQL Shell
- MySQL Shell Utilities
- MySQL — The world’s most popular open source database
Planning episodes
- Introduction to the series Discovering MySQL Database Service
- Create a compartment
- Create a Virtual Cloud Network
- Dump your MySQL data into an Object Storage bucket
- Create a MySQL DB system from a MySQL Shell dump
- Update the Private Subnet Security List
- Use a Bastion SSH port forwarding session
- Connect to MySQL Database Service Using MySQL Shell
- Connect to MySQL Database Service Using MySQL Workbench
- Connect to MySQL Database Service Using OCI Cloud Shell
- MySQL Database Service Features Overview
Watch my videos on my YouTube channel and subscribe.
Thanks for using MySQL!
MySQL Geek, author, blogger and speaker
I’m an insatiable hunger of learning.
—–
Blog: www.dasini.net/blog/en/
Twitter: https://twitter.com/freshdaz
SlideShare: www.slideshare.net/freshdaz
Youtube: https://www.youtube.com/channel/UC12TulyJsJZHoCmby3Nm3WQ
—–
[…] Use a Bastion SSH port forwarding session […]
[…] Use a Bastion SSH port forwarding session […]
[…] Use a Bastion SSH port forwarding session […]