Using SSH Remote Forwarding for Private Access
November 30, 2020 | 4 minute readValidated November 30, 2020
Introduction
This post describes a solution to a case where a control / management service hosted in Oracle Cloud Infrastructure (OCI) needs to send commands to an agent instance on-premise behind a firewall prohibiting ingress. It is a step-by-step guide for deploying the components and validating the connectivity between them thus enabling the commands to be sent.
Validations
November 30, 2020 with OAC 5.8
Topics
Before You Begin
Desired Flow
Deploying Components
Final Flow
Before You Begin
The following are assumed to be in place
Privileges
A user account in an OCI tenancy granted compartment privileges for Compute instances
Components
All names and addresses used in this post are for examples only.
| LOCATION | NAME | CIDR | DNS |
|---|---|---|---|
| OCI | VCN | 10.10.10.0/23 | Yes |
| On-Premise | OPN | 10.20.10.0/23 | Yes |
| LOCATION | VCN | NAME | CIDR | DNS | DHCP Option | Route Table | |
|---|---|---|---|---|---|---|---|
| OCI | VCN | VCN-PRV-SN | 10.10.10.0/27 | delete> | |||
| On-Premise | OPN | OPN-PRV-SN | 10.20.10.32/27 | delete> |
| LOCATION | NAME | VCN | SOURCE CIDR | PROTOCOL | PORT | NOTE |
|---|---|---|---|---|---|---|
| OCI | VCN-PRV-SL | VCN | 10.20.10.0/23 | TCP | 22 | From OPN |
| On-Premise | OPN-PRV-SL | OPN | 192.168.30.2/32 | TCP | 22 |
From OPN Bastion Admin Server Only No Other Ingress |
| LOCATION | TYPE | NAME |
|---|---|---|
| OCI | DRG | VCN-DRG |
| On-Premise | DRG | OPN-DRG |
| LOCATION | NAME | VCN | DESTINATION CIDR | TARGET | NOTE |
|---|---|---|---|---|---|
| OCI | VCN-RT | VCN | 10.20.10.0/23 | VCN-DRG | To OPN |
| On-Premise | OPN-RT | OPN | 10.10.10.0/23 | OPN-DRG | To VCN |
| LOCATION | VCN | SUBNET | TYPE | IP |
|---|---|---|---|---|
| OCI | VCN | VCN-PRV-SN |
Control Instance |
10.10.10.2 |
| On-Premise | OPN | OPN-PRV-SN | Agent003 Instance | 10.20.10.4 |
| On-Premise | OPN | OPN-PRV-SN | DB | 10.20.10.2 |
SSH
Each instance contains an SSH configuration (config) file in the default location ~/.ssh/config where "~" means the accounts home directory. They also contain the private key to other's instance in the home directory.
Example Control Instance (CONTROL) config file:
# Start of SSH config
User <Your Account> e.g. opc for the OCI instance
IdentityFile ~/privateKey
Host CONTROL
HostName 10.10.10.2
Host AGENT003
HostName 10.20.10.4
| LOCATION | TYPE | NOTES |
|---|---|---|
| On-Premise | Private Key | For Control instance |
| OCI | Private Key | For Agent003 instance |
| OCI | SSH Config File | Hostname, IP Address, Private Key Location for Agent003 instance |
| On-Premise | SSH Config File | Hostname, IP Address, Private Key Location for Control instance |
Initial State
Desired Flow
The control instance desires to send the agent a command via SSH to detect if the on-premise database is listening on port 1521.
ssh AGENT003 "nc -v -i 2 dbpv.opnprvsn.opn.onprem.com 1521"
The command fails due to the firewall's security rules disallowing ingress.
Deploying Components
Connect to the agent's instance and perform the following:
Enable an RPF tunnel until the agent instance shuts down. The nohup places the tunnel in the background and ensures it stays open if the user's session ends.
The "0" parameter tells the control instance to identify an open port on it's host.
nohup ssh -N -R 0:localhost:22 CONTROL >RPF.out &
Display the output of the above command and make a note of the remote port assigned.
tail RPF.out
Allocated port 38295 for remote forward to localhost:22
Create an agent config file with RPF enabled to be sent to the control instance.
vi ~/.ssh/agent003config
Sample contents are below.
User < Agent SSH User >
IdentityFile ~/privateKey
Host AGENT003
HostName localhost
NoHostAuthenticationForLocalhost yes
Port < Port copied from RPF.out >
Due to copy paste issues the contents are also here
Copy the RPF Agent Config File to the Control Instance
scp ~/.ssh/agent003config CONTROL:~/.ssh
agent003config 100% 320 5.4KB/s 00:00
Final Flow
The control instance can now send commands to the agent via the SSH tunnel using the agent003config file settings. Connect to it and send the desired command again.
ssh -F ~/.ssh/agent003config AGENT003 "nc -v -i 2 10.20.10.2 1521"
Ncat: Connected to 10.20.10.2:1521
Summary
This post described enabling a control / management service hosted in Oracle Cloud Infrastructure (OCI) to send commands to an agent instance on-premise behind a firewall prohibiting ingress.
For other posts relating to analytics and data integration visit http://www.ateam-oracle.com/dayne-carley
Dayne Carley
Previous Post