Tip: The default port is 61000. When setting your own port, you must choose a port number between 1024 and 59999. The port that the SSH bastion listens on must not be a port already in use by a NAT rule.
How to use SSH bastion
SSH bastion is a server dedicated to managing connections to the infrastructure behind your Public Gateway. When you activate SSH bastion on your Public Gateway, all SSH keys held in your Project are imported to the SSH bastion, providing a single point of entry. You can then connect, via the bastion, to resources behind it (those attached to the same Private Network as the Public Gateway). This makes management of your infrastructure easier and more secure, as you do not need to expose your other resources to the internet in order to connect to them, nor do you need to upload SSH keys to individual resources.
Before you start
To complete the actions presented below, you must have:
- A Scaleway account logged into the console
- Owner status or IAM permissions allowing you to perform actions in the intended Organization
- Created a Public Gateway
- Attached your Public Gateway to a Private Network
How to activate SSH bastion
- Click Public Gateways in the Network section of the Scaleway console side menu.
- Click the Public Gateway for which you want to activate SSH bastion. You are taken to the Overview page for that Public Gateway.
- Under SSH Bastion, click the Activate button. A pop-up displays.
- Enter the port that you want your SSH bastion to listen on (or leave the default port in place).
- Copy the command to connect to a resource, and click Save SSH bastion settings.
You are redirected to your Public Gateway’s Overview page, where SSH bastion is now activated. All the SSH keys in your Project credentials at the time of activation are copied to the SSH bastion.
How to reimport SSH keys
If you add new SSH keys to your Project credentials after activating SSH bastion, you will need to perform a reimport to update the bastion with the new keys.
- Click Public Gateways in the Network section of the Scaleway console side menu.
- Click the Public Gateway for which you want to update the SSH bastion. You are taken to the Overview page for that Public Gateway.
- Under SSH Bastion, click the Reimport SSH keys button.
Your SSH bastion is updated with the new SSH keys.
How to connect to a resource behind your SSH bastion
In this section, we use the example of a Public Gateway attached to a Private Network, with different resources (Instances, Elastic Metal servers, etc.) attached to the Private Network. SSH bastion has been activated on the Public Gateway, listening on port 61000.
How to connect using the resource’s private IP address
You can connect to a resource behind the bastion using its private IP address on the Private Network. The command to use is shown in the Scaleway console at the time of activating the bastion, for example:
ssh -J bastion@<public-IP-of-gateway>:61000 root@<private-IP-of-resource>
How to connect using the resource’s fully-qualified domain name (FQDN)
The domain to use is set when the Public Gateway is attached to the Private Network. Therefore, the FQDN to use depends on how you made this attachment:
- Via the Scaleway console: The FQDN takes the form resource-name.priv
- Via Terraform: The FQDN takes the form resource-name.dns_local_name, where dns_local_name is the Terraform option of that name.
- Via the Scaleway CLI or API: The FQDN takes the form resource-name.dns_local_name, where dns_local_name follows the specification for that parameter, defaulting to .priv.
Carry out the following command on your terminal to connect to a resource inside your Private Network. Remember to replace FQDN with the FQDN in the format specified above.
ssh -J bastion@PUBLIC_IP_OF_PUBLIC_GATEWAY:61000 user@FQDN
How to edit your SSH configuration files for connection
Carry out the following steps to avoid the need to repeat -J bastion@<public-IP-of-gateway>:61000 in your SSH connection commands. The following steps must be repeated on all local machines that want to connect to a resource behind the SSH bastion in this way.
- To configure at user/local level, open your user SSH configuration file on your local machine with a text editor such as nano:
nano ~/.ssh/config
Paste the following code into the file, then save and exit. Ensure that you make the following replacements:
  - .priv: If you attached the Public Gateway to the Private Network via the console, this is the correct value. However, if you used another method such as Terraform, API, or CLI, you may need to replace this value (see above).
  - PUBLIC_IP_OF_PUBLIC_GATEWAY: The public IP address of your gateway.
  - SSH_BASTION_PORT: The port you set when activating SSH bastion on your gateway.
Host *.priv
    ProxyJump bastion@PUBLIC_IP_OF_PUBLIC_GATEWAY:SSH_BASTION_PORT
- Alternatively, to configure at system-wide level, open your system-wide configuration file on your local machine with a text editor such as nano:
nano /etc/ssh/ssh_config
Paste the code into the file, then save and exit.
- Carry out the following command on your terminal to connect to a resource inside your Private Network using its FQDN. Check the information above to identify the FQDN of your resource.
ssh FQDN
How to edit or deactivate SSH bastion
- Click Public Gateways in the Network section of the Scaleway console side menu.
- Click the Public Gateway for which you want to edit or deactivate SSH bastion. You are taken to the Overview page for that Public Gateway.
- Under SSH Bastion, click the Edit icon. A pop-up displays.
- Edit your SSH bastion as required. You can make the following edits:
  - Use the toggle to disable SSH bastion.
  - Change the port on which your SSH bastion listens.
- Click Save settings.
Your edits are saved, and you are redirected to your Public Gateway’s Overview page.