Discovering MySQL Database Service – Episode 7 – Use a Bastion SSH port forwarding session

September 14, 2021

MySQL, the world’s most popular open source database, is available as a managed cloud service in Oracle Cloud Infrastructure (OCI) under the name of MySQL Database Service (MDS).

MySQL Database Service is a fully managed cloud service, 100% Developed, Managed and Supported by the MySQL Team.

This is the seventh episode of “Discovering MySQL Database Service“, a series of tutorials where I will show you, step by step, how to use MySQL Database Service and some other Oracle Cloud Infrastructure services.

Please also note that you can run this tutorial and thus try MySQL Database Service & the other Oracle Cloud Infrastructure services for free by starting your 30-day trial.


Episode 7 – Use a Bastion SSH port forwarding session

In the previous episode we saw how to allow traffic from the VCN to the MySQL Database Service instance on ports 3306 & 33060.
One more step on our Discovering MySQL Database Service journey.

In this episode, we’ll discover and use the OCI Bastion service to provide a restricted and time-limited access to administer our MySQL instance.

Bastion

Oracle Cloud Infrastructure Bastion provides restricted and time-limited access to target resources that don’t have public endpoints.

Bastions let authorized users connect from specific IP addresses to target resources using Secure Shell (SSH) sessions. When connected, users can interact with the target resource by using any software or protocol supported by SSH. 

So, Bastions are logical entities that provide secured, public access to target resources in the cloud that you cannot otherwise reach from the internet.
Bastions reside in a public subnet and establish the network infrastructure needed to connect a user to a target resource in a private subnet.

Another important concept is Bastion sessions.
Bastion sessions let authorized users in possession of the private key in an SSH key pair connect to a target resource for a predetermined amount of time.
You provide the public key in the SSH key pair at the time you create the session, and then supply the private key when you connect.
In addition to presenting the private key, an authorized user must also attempt the SSH connection to the target resource from an IP address within the range allowed by the bastion’s client CIDR block allowlist.

There are two kinds of session: managed SSH sessions and SSH port forwarding sessions. In this article, we are going to use only the SSH port forwarding session.
Port forwarding (also known as SSH tunneling) creates a secure connection between a specific port on the client machine and a specific port on the target resource.
Over this connection you can relay other protocols, such as the MySQL protocol on port 3306 or the X Protocol on port 33060.

Note
Your OCI user must be part of a group that has the right privileges in order to use all Bastion features.
At least the following policy statements are required:

  • Allow group SecurityAdmins to manage bastion-family in tenancy
  • Allow group SecurityAdmins to manage virtual-network-family in tenancy
  • Allow group SecurityAdmins to read instance-family in tenancy
  • Allow group SecurityAdmins to read instance-agent-plugins in tenancy
  • Allow group SecurityAdmins to inspect work-requests in tenancy

Please see: Bastion IAM Policies and Required IAM policy for managing Bastions

Create a bastion

Go to the OCI console, in the menu, go to: Identity & Security / Bastion

Check that you are in the right compartment and click Create Bastion

You should provide:

  • a bastion name – BastionMDS
  • the target VCN, in the right compartment – Demo_VCN
  • the target subnet, the private one – Private Subnet-Demo_VCN
  • the CIDR block allowlist, i.e. the IP addresses from which you want to allow the secure access (e.g. 11.0.0.0/24, <your IP>/32, …). You can list multiple CIDR blocks; SSH connections from any other source address are refused, even with the right private key.
  • You can also choose the maximum session TTL (max 3 hours; you can lower it per session later) if you click on Show Advanced Options
  • Then click on Create Bastion

Create a session

Now it is time to create a Bastion SSH port forwarding session.

Click on your brand new Bastion (or go to the OCI console and in the menu, go to: Identity & Security / Bastion and click on your Bastion).

Click on Create Session, a new form will show up.

You should provide:

As mentioned earlier, Bastion sessions let authorized users in possession of the private key in an SSH key pair connect to a target resource. You provide the public key in the SSH key pair at the time you create the session, and then supply the private key when you connect.

If you do not already have an SSH key pair (or want to use another one) select Generate SSH Key pair.
Download the private key so that you can connect to the instance using SSH.

Be careful: it will not be shown again!

You can also download the public key if needed.
Please note that you will need to restrict the private key file permissions so that only your user can read it; otherwise ssh refuses to use the key.

Example:

chmod 600 ssh-key-YYYY-MM-DD.key

If you want to setup the session time-to-live click on Show Advanced Options

Then click Create Session:

Our Bastion session is now created and active.
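Before opening the tunnel, it pays to check the three things that make a port forwarding session fail silently: the client IP outside the bastion's CIDR allowlist, a private key file that ssh refuses because its permissions are too loose, and a tunnel pointed at a port the VCN does not allow. The following Python script is an added example written for this episode; it is not code from the original post, from Oracle, or from the OCI SDK. It bundles those pre-flight checks and builds the `ssh -N -L` command line for the session. The bastion host name, session OCID, target IP and key path used in `main()` are constructed placeholders: take the real values from the session details page in the OCI console.

```python
"""Pre-flight checks for an OCI Bastion SSH port forwarding session.

Added example (not from the post, Oracle, or the OCI SDK). It checks:
  1. the client IP falls inside the bastion's CIDR block allowlist,
  2. the downloaded private key is readable by its owner only (0600/0400),
  3. the tunnel targets one of the MySQL ports opened in the previous episode,
and then builds the ssh command line that relays a local port to the
MySQL DB System through the bastion.
"""
import ipaddress
import os
import shlex
import stat
from typing import Iterable, List, Optional

# Ports allowed from the VCN to the MySQL instance in the previous episode.
MYSQL_PORTS = (3306, 33060)


def client_ip_allowed(client_ip: str, allowlist: Iterable[str]) -> bool:
    """True when client_ip lies inside at least one CIDR block of the allowlist.

    The bastion rejects connections from any other source address even when
    the private key is valid, so check this before troubleshooting keys.
    """
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(cidr, strict=False) for cidr in allowlist)


def private_key_mode_ok(path: str) -> bool:
    """True when the key file is readable by its owner only (0600 or 0400)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode in (0o600, 0o400)


def fix_private_key_mode(path: str) -> None:
    """Same effect as the post's `chmod 600 ssh-key-YYYY-MM-DD.key`."""
    os.chmod(path, 0o600)


def preflight(client_ip: str, allowlist: Iterable[str], private_key: str) -> List[str]:
    """Return a list of problems found; an empty list means ready to connect."""
    allowlist = list(allowlist)
    problems = []
    if not client_ip_allowed(client_ip, allowlist):
        problems.append(f"{client_ip} is not inside the bastion allowlist {allowlist}")
    if not os.path.isfile(private_key):
        # The console offers the generated private key for download only once.
        problems.append(f"private key {private_key} not found")
    elif not private_key_mode_ok(private_key):
        problems.append(f"{private_key} must be mode 0600: chmod 600 {private_key}")
    return problems


def tunnel_command(session_ocid: str, bastion_host: str, private_key: str,
                   target_ip: str, target_port: int,
                   local_port: Optional[int] = None) -> List[str]:
    """Build the argv for the port forwarding tunnel.

    -N opens no remote shell (the session only relays traffic) and -L binds
    local_port on this machine to target_ip:target_port behind the bastion.
    The session OCID is used as the SSH user name; a distinct local port
    (e.g. 13306) avoids clashing with a MySQL server already listening locally.
    """
    if target_port not in MYSQL_PORTS:
        raise ValueError(f"port {target_port} is not one of the MySQL ports {MYSQL_PORTS}")
    local_port = local_port or target_port
    return [
        "ssh", "-i", private_key, "-N",
        "-L", f"{local_port}:{target_ip}:{target_port}",
        "-p", "22",
        f"{session_ocid}@{bastion_host}",
    ]


def main() -> None:
    # Constructed placeholder values; copy the real ones from the OCI console.
    allowlist = ["11.0.0.0/24", "198.51.100.7/32"]
    client_ip = "198.51.100.7"
    private_key = "ssh-key-YYYY-MM-DD.key"
    session_ocid = "ocid1.bastionsession.oc1.<region>.<placeholder>"
    bastion_host = "host.bastion.<region>.oci.oraclecloud.com"
    mysql_private_ip = "10.0.1.5"

    problems = preflight(client_ip, allowlist, private_key)
    if problems:
        print("not ready:\n  " + "\n  ".join(problems))
        return
    cmd = tunnel_command(session_ocid, bastion_host, private_key,
                         mysql_private_ip, 3306, local_port=13306)
    print("run: " + shlex.join(cmd))


if __name__ == "__main__":
    main()
```

With the tunnel up, a client on the workstation connects to 127.0.0.1:13306 as if it were the MySQL instance, which is what the next episode does with MySQL Shell; the session still expires at the TTL you chose, so the tunnel has to be reopened with a new session afterwards.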

Well, that’s all for today!
In this episode, we have seen how to use an OCI Bastion session in order to provide a restricted and time-limited access to administer our MySQL instance.

Next episode is:

Connect to MySQL Database Service Using MySQL Shell

Resources

Follow me on Linkedin

Watch my videos on my YouTube channel and subscribe.

My Slideshare account.

My Speaker Deck account.

Thanks for using HeatWave & MySQL!