HomeNetworkVPCHow to
Use SSH bastion

Jump toUpdate content

How to use SSH bastion

Reviewed on 17 November 2022Published on 31 March 2022

SSH bastion is a server dedicated to managing connections to the infrastructure behind your Public Gateway. When you activate SSH bastion on your Public Gateway, all the SSH keys held in your Project credentials are imported to the SSH bastion, providing a single point of entry. This makes management of your infrastructure easier and more secure.

Requirements:

How to activate SSH bastion

  1. Click Public Gateways in the VPC section of the Scaleway console side menu.

  2. Click the Public Gateway for which you want to activate SSH bastion. You are taken to the Overview page for that Public Gateway.

  3. Under SSH Bastion click the Activate button. A pop-up displays:

  4. Enter the port that you want your SSH bastion to listen on (or leave the default port in place).

    Tip:

    The default port is 61000. When setting your own port, you must choose a port number between 1024 and 59999. The port that the SSH bastion listens on must not be a port already in use by a NAT rule.

  5. Copy the SSH configuration displayed at the bottom of the screen, and click Save settings.

    You are redirected to your Public Gateway’s Overview page, where SSH bastion is now activated. All the SSH keys in your Project credentials at the time of activation are copied to the SSH bastion.

How to reimport SSH keys

If you add new SSH keys to your Project credentials after activating SSH bastion, you will need to perform a reimport to update the bastion with the new keys.

  1. Click Public Gateways in the VPC section of the Scaleway console side menu.

  2. Click the Public Gateway for which you want to update the SSH bastion. You are taken to the Overview page for that Public Gateway.

  3. Under SSH Bastion click the Reimport SSH keys button.

    Your SSH bastion is updated with the new SSH keys.

How to connect to a resource behind your SSH bastion

In this section, we use the example of a Public Gateway attached to a Private Network named my-private-network. Different resources (Instances, Elastic Metal servers etc) are attached to the Private Network. SSH bastion has been activated on the Public Gateway, listening on port 61000.

How to connect using the resource’s fully-qualified domain name (FQDN)

Carry out the following command on your terminal to connect to a resource inside my-private-network:

ssh -J bastion@PUBLIC_IP_OF_PUBLIC_GATEWAY:61000 user@fqdn-of-resource.my-private-network

How to edit your SSH configuration files for connection

The following steps must be repeated on all local machines that want to connect to a resource behind the SSH bastion.

  1. Copy the SSH configuration code for your SSH bastion to your clipboard. If you did not copy it when activating your SSH bastion, return to the Public Gateway’s Overview tab and click Copy code under the SSH configuration section of the SSH bastion panel:

  2. Open your user SSH configuration file on your local machine with a text-editor such as nano:

    nano ~/.ssh/config
  3. Paste the code into the file, then save and exit. Code for our example may look as follows:

    Host *.my-private-network
    ProxyJump bastion@PUBLIC_IP_OF_PUBLIC_GATEWAY:61000
  4. Open your system-wide configuration file on your local machine with a text-editor such as nano:

    nano /etc/ssh/ssh_config
  5. Paste the code into the file, then save and exit.

  6. Carry out the following command on your terminal to connect to a resource inside my-private-network:

    ssh fqdn-of-resource.my-private-network

How to edit or deactivate SSH bastion

  1. Click Public Gateways in the VPC section of the Scaleway console side menu.

  2. Click the Public Gateway for which you want to edit or deactivate SSH bastion. You are taken to the Overview page for that Public Gateway.

  3. Under SSH Bastion click the «Edit Icon» Edit button. A pop-up displays.

  4. Edit your SSH bastion as required. You can make the following edits:

    • Use the «Toogle Icon» toggle to disable SSH bastion.
    • Change the port on which your SSH bastion listens.
  5. Click Save settings.

    Your edits are saved and you are redirected to your Public Gateway’s Overview page.

See Also