X

Best Practices from Oracle Development's A‑Team

Using SSH Remote Forwarding for Private Access

Validated November 30, 2020

Introduction

This post describes a solution to a case where a control / management service hosted in Oracle Cloud Infrastructure (OCI) needs to send commands to an agent instance on-premise behind a firewall prohibiting ingress. It is a step-by-step guide for deploying the components and validating the connectivity between them thus enabling the commands to be sent. 

Validations

November 30, 2020 with OAC 5.8

Topics

Before You Begin

Desired Flow

Deploying Components

Final Flow

 Before You Begin

The following are assumed to be in place

Privileges

A user account in an OCI tenancy granted compartment privileges for Compute instances

Components

All names and addresses used in this post are for examples only.

VCNs

LOCATION NAME CIDR DNS
OCI VCN 10.10.10.0/23 Yes
On-Premise OPN 10.20.10.0/23 Yes

 

Subnets

LOCATION VCN NAME CIDR DNS DHCP Option Route Table  
OCI VCN VCN-PRV-SN 10.10.10.0/27 delete>      
On-Premise OPN OPN-PRV-SN 10.20.10.32/27 delete>      

 

Security Rules

LOCATION NAME VCN SOURCE CIDR PROTOCOL PORT NOTE
OCI VCN-PRV-SL VCN 10.20.10.0/23 TCP 22 From OPN
On-Premise OPN-PRV-SL OPN 192.168.30.2/32 TCP 22

From OPN Bastion Admin Server Only

No Other Ingress

 

Gateways

LOCATION TYPE NAME
OCI DRG VCN-DRG
On-Premise DRG OPN-DRG

 

Route Tables

LOCATION NAME VCN DESTINATION CIDR TARGET NOTE
OCI VCN-RT VCN 10.20.10.0/23 VCN-DRG To OPN
On-Premise OPN-RT OPN 10.10.10.0/23 OPN-DRG To VCN 

 

Resources

LOCATION VCN SUBNET TYPE IP
OCI VCN VCN-PRV-SN

Control Instance

10.10.10.2

On-Premise OPN OPN-PRV-SN Agent003 Instance 10.20.10.4
On-Premise OPN OPN-PRV-SN DB 10.20.10.2

 

SSH

Each instance contains an SSH configuration (config) file in the default location ~/.ssh/config where "~" means the accounts home directory. They also contain the private key to other's instance in the home directory.

Example Control Instance (CONTROL) config file:

# Start of SSH config
 User <Your Account> e.g. opc for the OCI instance
 IdentityFile ~/privateKey
 Host CONTROL
        HostName 10.10.10.2
 Host AGENT003
        HostName 10.20.10.4

SSH Components

LOCATION TYPE NOTES
On-Premise Private Key For Control instance
OCI Private Key For Agent003 instance
OCI SSH Config File Hostname, IP Address, Private Key Location for Agent003 instance
On-Premise SSH Config File Hostname, IP Address, Private Key Location for Control instance

 

Initial State

 Desired Flow

The control instance desires to send the agent a command via SSH to detect if the on-premise database is listening on port 1521.

ssh AGENT003 "nc -v -i 2 dbpv.opnprvsn.opn.onprem.com 1521"

The command fails due to the firewall's security rules disallowing ingress.

 Deploying Components

Connect to the agent's instance and perform the following:

Enable an RPF tunnel until the agent instance shuts down. The nohup places the tunnel in the background and ensures it stays open if the user's session ends.
The "0" parameter tells the control instance to identify an open port on it's host.

nohup ssh -N -R 0:localhost:22 CONTROL >RPF.out &

Display the output of the above command  and make a note of the remote port assigned. 

tail RPF.out
Allocated port 38295 for remote forward to localhost:22

Create an agent config file with RPF enabled to be sent to the control instance.

vi ~/.ssh/agent003config

Sample contents are below.

User < Agent SSH User >
  IdentityFile ~/privateKey             
  Host AGENT003                          
     HostName localhost                     
     NoHostAuthenticationForLocalhost yes   
     Port < Port copied from RPF.out >

Due to copy paste issues the contents are also here

Copy the RPF Agent Config File to the Control Instance    

scp ~/.ssh/agent003config CONTROL:~/.ssh
agent003config                                                                                                100%  320     5.4KB/s   00:00

 Final Flow

The control instance can now send commands to the agent via the SSH tunnel using the agent003config file settings. Connect to it and send the desired command again.

ssh -F ~/.ssh/agent003config AGENT003 "nc -v -i 2 10.20.10.2 1521"
Ncat: Connected to 10.20.10.2:1521

 

 Summary

This post described enabling a control / management service hosted in Oracle Cloud Infrastructure (OCI) to send commands to an agent instance on-premise behind a firewall prohibiting ingress.

For other posts relating to analytics and data integration visit http://www.ateam-oracle.com/dayne-carley

 

Be the first to comment

Comments ( 0 )
Please enter your name.Please provide a valid email address.Please enter a comment.CAPTCHA challenge response provided was incorrect. Please try again.Captcha