NavigationContentFooter
Jump toSuggest an edit

How to use SSH bastion

Reviewed on 10 December 2024Published on 31 March 2022

SSH bastion is a server dedicated to managing connections to the infrastructure behind your Public Gateway. When you activate SSH bastion on your Public Gateway, all SSH keys held in your Project are imported to the SSH bastion, providing a single point of entry. You can then connect to resources behind the bastion (connected to the same Private Network as the Public Gateway) via the bastion. This makes management of your infrastructure easier and more secure, as you do not need to expose your other resources to the internet in order to connect to them, neither do you need to upload SSH keys to individual resources.

Before you start

To complete the actions presented below, you must have:

  • A Scaleway account logged into the console
  • Owner status or IAM permissions allowing you to perform actions in the intended Organization
  • Created a Public Gateway
  • Attached your Public Gateway to a Private Network

How to activate SSH bastion

  1. Click Public Gateways in the Network section of the Scaleway console side menu.

  2. Click the Public Gateway for which you want to activate SSH bastion. You are taken to the Overview page for that Public Gateway.

  3. Under SSH Bastion click the Activate button. A pop-up displays:

  4. Enter the port that you want your SSH bastion to listen on (or leave the default port in place).

    Tip

    The default port is 61000. When setting your own port, you must choose a port number between 1024 and 59999. The port that the SSH bastion listens on must not be a port already in use by a NAT rule.

  5. Copy the command to connect to a resource, and click Save SSH bastion settings.

    You are redirected to your Public Gateway’s Overview page, where SSH bastion is now activated. All the SSH keys in your Project credentials at the time of activation are copied to the SSH bastion.

How to reimport SSH keys

If you add new SSH keys to your Project credentials after activating SSH bastion, you will need to perform a reimport to update the bastion with the new keys.

  1. Click Public Gateways in the Network section of the Scaleway console side menu.

  2. Click the Public Gateway for which you want to update the SSH bastion. You are taken to the Overview page for that Public Gateway.

  3. Under SSH Bastion click the Reimport SSH keys button.

    Your SSH bastion is updated with the new SSH keys.

How to connect to a resource behind your SSH bastion

In this section, we use the example of a Public Gateway attached to a Private Network, with different resources (Instances, Elastic Metal servers etc) attached to the Private Network. SSH bastion has been activated on the Public Gateway, listening on port 61000.

How to connect using the resource’s private IP address

You can connect to a resource behind the bastion using its private IP address on the Private Network. The command to use is shown in the Scaleway console at the time of activating the bastion, e.g.

ssh -J bastion@<public-IP-of-gateway>:61000 root@<private-IP-of-resource>

How to connect using the resource’s fully-qualified domain name (FQDN)

The domain to use is set when the Public Gateway is attached to the Private Network. Therefore, the FQDN to use depends on how you made this attachment:

  • Via the Scaleway console: The FQDN takes the form resource-name.priv
  • Via Terraform: The FQDN takes the form resource-name.dns_local_name where dns_local_name is this Terraform option.
  • Via the Scaleway CLI or API: The FQDN takes the form resource-name.dns_local_name where dns_local_name follows the specification here, defaulting to .priv.

Carry out the following command on your terminal to connect to a resource inside your Private Network. Remember to replace FQDN with the FQDN in the format specified above.

ssh -J bastion@PUBLIC_IP_OF_PUBLIC_GATEWAY:61000 user@FQDN

How to edit your SSH configuration files for connection

Carry out the following steps to avoid the need to repeat -J bastion@<public-IP-of-gateway>:61000 in your SSH connection commands. The following steps must be repeated on all local machines that want to connect to a resource behind the SSH bastion in this way.

  1. To configure at user/local level, open your user SSH configuration file on your local machine with a text-editor such as nano:

    nano ~/.ssh/config

    Paste the following code into the file, then save and exit. Ensure that you make the following replacements:

    • .priv: If you attached the Public Gateway to the Private Network via the console, this is the correct value. However, if you used another method such as Terraform, API, or CLI you may need to replace this value - see above.
    • PUBLIC_IP_OF_PUBLIC_GATEWAY: The public IP address of your gateway
    • SSH_BASTION_PORT: The port you set when activating SSH bastion on your gateway
    Host *.priv
    ProxyJump bastion@PUBLIC_IP_OF_PUBLIC_GATEWAY:SSH_BASTION_PORT
  2. Alternatively, to configure at system-wide level, open your system-wide configuration file on your local machine with a text-editor such as nano:

    nano /etc/ssh/ssh_config

    Paste the code into the file, then save and exit.

  3. Carry out the following command on your terminal to connect to a resource inside your Private Network using its FQDN. Check the information above to identify the FQDN of your resource.

    ssh FQDN

How to edit or deactivate SSH bastion

  1. Click Public Gateways in the Network section of the Scaleway console side menu.

  2. Click the Public Gateway for which you want to edit or deactivate SSH bastion. You are taken to the Overview page for that Public Gateway.

  3. Under SSH Bastion click the “edit” icon («Edit Icon») Edit button. A pop-up displays.

  4. Edit your SSH bastion as required. You can make the following edits:

    • Use the «Toogle Icon» toggle to disable SSH bastion.
    • Change the port on which your SSH bastion listens.
  5. Click Save settings.

    Your edits are saved, and you are redirected to your Public Gateway’s Overview page.

See also
How to upgrade a Public GatewayHow to use flexible IPs
Was this page helpful?
API DocsScaleway consoleDedibox consoleScaleway LearningScaleway.comPricingBlogCareers
© 2023-2024 – Scaleway