
How to use SSH bastion

Reviewed on 24 May 2023. Published on 31 March 2022.

SSH bastion is a server dedicated to managing connections to the infrastructure behind your Public Gateway. When you activate SSH bastion on your Public Gateway, all SSH keys held in your Project credentials are imported to the SSH bastion, providing a single point of entry. This makes management of your infrastructure easier and more secure.

Security & Identity (IAM):

You may need certain IAM permissions to carry out some actions described on this page. This means:

  • you are the Owner of the Scaleway Organization in which the actions will be carried out, or
  • you are an IAM user of the Organization, with a policy granting you the necessary permission sets
Requirements:

How to activate SSH bastion

  1. Click Public Gateways in the Network section of the Scaleway console side menu.

  2. Click the Public Gateway for which you want to activate SSH bastion. You are taken to the Overview page for that Public Gateway.

  3. Under SSH Bastion click the Activate button. A pop-up displays.

  4. Enter the port that you want your SSH bastion to listen on (or leave the default port in place).

    Tip:

    The default port is 61000. When setting your own port, you must choose a port number between 1024 and 59999. The port that the SSH bastion listens on must not be a port already in use by a NAT rule.

  5. Copy the command to connect to a resource, and click Save SSH bastion settings.

    You are redirected to your Public Gateway’s Overview page, where SSH bastion is now activated. All the SSH keys in your Project credentials at the time of activation are copied to the SSH bastion.

How to reimport SSH keys

If you add new SSH keys to your Project credentials after activating SSH bastion, you will need to perform a reimport to update the bastion with the new keys.

  1. Click Public Gateways in the Network section of the Scaleway console side menu.

  2. Click the Public Gateway for which you want to update the SSH bastion. You are taken to the Overview page for that Public Gateway.

  3. Under SSH Bastion click the Reimport SSH keys button.

    Your SSH bastion is updated with the new SSH keys.

How to connect to a resource behind your SSH bastion

In this section, we use the example of a Public Gateway attached to a Private Network, with different resources (Instances, Elastic Metal servers, etc.) attached to the Private Network. SSH bastion has been activated on the Public Gateway, listening on port 61000.

How to connect using the resource’s fully-qualified domain name (FQDN)

The domain to use is set when the Public Gateway is attached to the Private Network. Therefore, the FQDN to use depends on how you made this attachment:

  • Via the Scaleway console: The FQDN takes the form resource-name.priv
  • Via Terraform: The FQDN takes the form resource-name.dns_local_name where dns_local_name is this Terraform option.
  • Via the Scaleway CLI or API: The FQDN takes the form resource-name.dns_local_name where dns_local_name follows the specification here, defaulting to .priv.

Carry out the following command on your terminal to connect to a resource inside your Private Network. Remember to replace FQDN with the FQDN in the format specified above.

ssh -J bastion@PUBLIC_IP_OF_PUBLIC_GATEWAY:61000 user@FQDN

How to edit your SSH configuration files for connection

The following steps must be repeated on all local machines that want to connect to a resource behind the SSH bastion.

  1. To configure at user/local level, open your user SSH configuration file on your local machine with a text-editor such as nano:

    nano ~/.ssh/config

    Paste the following code into the file, then save and exit. Ensure that you make the following replacements:

    • .priv: If you attached the Public Gateway to the Private Network via the console, this is the correct value. However, if you used another method such as Terraform, API, or CLI you may need to replace this value - see above.
    • PUBLIC_IP_OF_PUBLIC_GATEWAY: The public IP address of your gateway
    • SSH_BASTION_PORT: The port you set when activating SSH bastion on your gateway

    Host *.priv
        ProxyJump bastion@PUBLIC_IP_OF_PUBLIC_GATEWAY:SSH_BASTION_PORT

  2. Alternatively, to configure at system-wide level, open your system-wide configuration file on your local machine with a text-editor such as nano:

    nano /etc/ssh/ssh_config

    Paste the code into the file, then save and exit.

  3. Carry out the following command on your terminal to connect to a resource inside your Private Network using its FQDN. Check the information above to identify the FQDN of your resource.

    ssh FQDN

How to edit or deactivate SSH bastion

  1. Click Public Gateways in the Network section of the Scaleway console side menu.

  2. Click the Public Gateway for which you want to edit or deactivate SSH bastion. You are taken to the Overview page for that Public Gateway.

  3. Under SSH Bastion click the Edit button. A pop-up displays.

  4. Edit your SSH bastion as required. You can make the following edits:

    • Use the toggle to disable SSH bastion.
    • Change the port on which your SSH bastion listens.
  5. Click Save settings.

    Your edits are saved, and you are redirected to your Public Gateway’s Overview page.
