Search barSidebar navigationMain contentFooter
HomeNetworkPublic GatewaysHow to
Use SSH bastion
Jump toUpdate content

How to use SSH bastion

Published on 31 March 2022

SSH bastion is a server dedicated to managing connections to the infrastructure behind your Public Gateway. When you activate SSH bastion on your Public Gateway, all the SSH keys held in your Project credentials are imported to the SSH bastion, providing a single point of entry. This makes management of your infrastructure easier and more secure.

Security & Identity (IAM):

You may need certain IAM permissions to carry out some actions described on this page. This means:

  • you are the Owner of the Scaleway Organization in which the actions will be carried out, or
  • you are an IAM user of the Organization, with a policy granting you the necessary permission sets
Requirements:

How to activate SSH bastion

  1. Click Public Gateways in the Network section of the Scaleway console side menu.

  2. Click the Public Gateway for which you want to activate SSH bastion. You are taken to the Overview page for that Public Gateway.

  3. Under SSH Bastion click the Activate button. A pop-up displays:

  4. Enter the port that you want your SSH bastion to listen on (or leave the default port in place).

    Tip:

    The default port is 61000. When setting your own port, you must choose a port number between 1024 and 59999. The port that the SSH bastion listens on must not be a port already in use by a NAT rule.

  5. Copy the SSH configuration displayed at the bottom of the screen, and click Save settings.

    You are redirected to your Public Gateway’s Overview page, where SSH bastion is now activated. All the SSH keys in your Project credentials at the time of activation are copied to the SSH bastion.

How to reimport SSH keys

If you add new SSH keys to your Project credentials after activating SSH bastion, you will need to perform a reimport to update the bastion with the new keys.

  1. Click Public Gateways in the Network section of the Scaleway console side menu.

  2. Click the Public Gateway for which you want to update the SSH bastion. You are taken to the Overview page for that Public Gateway.

  3. Under SSH Bastion click the Reimport SSH keys button.

    Your SSH bastion is updated with the new SSH keys.

How to connect to a resource behind your SSH bastion

In this section, we use the example of a Public Gateway attached to a Private Network, with different resources (Instances, Elastic Metal servers etc) attached to the Private Network. SSH bastion has been activated on the Public Gateway, listening on port 61000.

How to connect using the resource’s fully-qualified domain name (FQDN)

Your FQDN takes the form instance-name.private-network-name/

Carry out the following command on your terminal to connect to a resource inside your Private Network. In this case, we want to connect to an Instance:

ssh -J bastion@PUBLIC_IP_OF_PUBLIC_GATEWAY:61000 user@instance-name.private-network-name

How to edit your SSH configuration files for connection

The following steps must be repeated on all local machines that want to connect to a resource behind the SSH bastion.

  1. Copy the SSH configuration code for your SSH bastion to your clipboard. If you did not copy it when activating your SSH bastion, return to the Public Gateway’s Overview tab and click Copy code under the SSH configuration section of the SSH bastion panel:
  2. To configure at user/local level, open your user SSH configuration file on your local machine with a text-editor such as nano: 
    nano ~/.ssh/config

Paste the code into the file, then save and exit. Code for our example may look as follows:

Host *.my-private-network
  ProxyJump bastion@PUBLIC_IP_OF_PUBLIC_GATEWAY:61000
  1. Alternatively, to configure at system-wide level, open your system-wide configuration file on your local machine with a text-editor such as nano: 
    nano /etc/ssh/ssh_config

Paste the code into the file, then save and exit. 4. Carry out the following command on your terminal to connect to a resource inside your Private Network using your FQDN. In this case we want to connect to an Instance, so the FQDN is instance-name.private-network-name:

ssh instance-name.private-network-name

How to edit or deactivate SSH bastion

  1. Click Public Gateways in the Network section of the Scaleway console side menu.

  2. Click the Public Gateway for which you want to edit or deactivate SSH bastion. You are taken to the Overview page for that Public Gateway.

  3. Under SSH Bastion click the «Edit Icon» Edit button. A pop-up displays.

  4. Edit your SSH bastion as required. You can make the following edits:

    • Use the «Toogle Icon» toggle to disable SSH bastion.
    • Change the port on which your SSH bastion listens.

  5. Click Save settings.

    Your edits are saved and you are redirected to your Public Gateway’s Overview page.

See Also
How to configure Instances attached to a Public GatewayHow to use flexible IP addresses with your Public Gateways