Oracle Cloud [Part 1]: ssh access to an instance
A how-to guide on accessing a VM instance on Oracle Cloud over the ssh protocol. This guide covers access to an instance with a public IP address, so no bastion instance is needed.
Personal notes: My personal notes on how to set things up so that it is easier to repeat next time.
The Oracle Cloud web console and its naming differ from AWS, so some simple tasks may not be so simple if you do not know where to look. This is a simple, step-by-step guide on how to enable ssh access to a VM instance.
To access a VM instance from the internet over the ssh protocol there are 3 main requirements:
- Public IP: the instance needs to have a public IP. This seems like an obvious requirement, and it is, but it is a detail you need to remember at instance creation time.
- Public ssh key on the instance. Another obvious requirement, and Oracle Cloud is even helpful here as it warns if an instance is being created without an ssh key configured.
- Security groups allowing ssh access to the instance from the internet.
In many cases there is no need to assign a public IP to an instance, and it is safer not to expose a machine to the internet. Therefore, it is always better to have instances with private IPs only if access from the internet is not necessary.
In the picture below we have a few instances running without a public IP address.
Let’s create a new instance which can be accessed from the internet and configure it for access over ssh.
Step 1: Create a VM instance with public IP
After clicking on the Create instance button, a page opens with the new instance details:
All the settings on this page can be left with default values.
It is worth checking that the Image is correct for our needs and at the most recent version, as well as the shape of the VM instance.
More interesting settings appear when we scroll down to the Networking section:
The most important field here is the subnet selection, as shown on the screenshot. It must be one of the Public subnets. Once this is set correctly, there is one more field, Public IP address, which must be set to Assign a public IPv4 address; most likely it is set correctly by default.
In the next section, Add SSH keys, you have to make sure you configure an ssh key; otherwise the machine, even with a public IP, is not accessible over the ssh protocol. There are a few possible options to add an ssh key. I prefer to upload a file with my public ssh key, as shown on the screenshot.
Once this is all set, click Create and wait for the instance creation. After a while we are presented with a page with the details of the instance, up and running and ready to use. For remote ssh access there are a few details here worth looking at:
- Public IP address of the instance. We use this IP to connect to the instance.
- Username is the user name we have to use when we connect over ssh to the instance.
- Network security groups, which is set to none for now, so no security groups are configured. We have to fix this in the next step.
- Virtual cloud network (VCN) in which the instance is running. This is important because this is the VCN for which we have to create the security group.
If we run ssh to the instance right now, it is unsuccessful:
~$ ssh -v opc@129.146.98.118
OpenSSH_8.9p1 Ubuntu-3, OpenSSL 3.0.2 15 Mar 2022
debug1: Connecting to 129.146.98.118 [129.146.98.118] port 22.
debug1: connect to address 129.146.98.118 port 22: Connection timed out
ssh: connect to host 129.146.98.118 port 22: Connection timed out
We get “Connection timed out” because a firewall is blocking access to the instance. We need to set the correct security groups to enable access to the ssh port.
Step 2: Configuring security groups
The simplest way to add/configure a security group for the instance is to click on the “Edit” link next to Network security groups, as shown on the screenshot. However, in this case there are no security groups available yet. In such a case, the easiest way to create/configure security groups is to click on the instance’s VCN link next to Virtual cloud network.
After clicking on the VCN link, select Network Security Groups in the list on the left and you get a page with the list of security groups for the VCN. This list might be empty:
After clicking on “Create Network Security Group” you get a new page with the group's basic settings:
Add a descriptive group name and click “Next”. We then get a page which allows us to define security rules for the group. We are only interested in ssh access, therefore we need just one rule to open the ssh port. There are a few fields to set for the rule:
- “Direction” - Ingress is the incoming direction to the instance, which is what we need to allow ssh access to the instance.
- “Source Type” - CIDR is the option which allows us to set either a single IP or a network allowed to make ssh connections to the instance.
- “Source CIDR” - 0.0.0.0/0 means any IP address is allowed to connect to the instance. This is convenient but insecure, as anybody might attempt to connect via ssh. The safer option is to provide only your own IP address or the IP range of your network.
- “IP Protocol” - Normally we select TCP from the drop-down list and then provide port number 22. However, there is a convenient item on the selection list just for ssh connections.
- “Source Port Range” - best left empty.
- “Destination Port Range” - 22 for ssh access. As the label suggests, this can also be a range of port numbers to allow access to other ports.
- “Description” - any meaningful description of the rule.
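As an added example (not from the original post), here is a small Python check that audits rules written with the same fields as the form above and reports a Source CIDR of 0.0.0.0/0, a source outside the networks you administer from, or an empty destination port range; the rule dicts and the trusted range 203.0.113.0/24 are constructed sample values.

```python
"""Audit Oracle Cloud NSG ingress rules for ssh exposure (added example; sample values constructed)."""
import ipaddress

SSH_PORT = 22

def port_range_covers(port_range, port):
    """True if a port range string ('22', '20-25', or '' meaning all ports) covers port."""
    if not port_range:
        return True
    lo, _, hi = port_range.partition("-")
    low = int(lo)
    high = int(hi) if hi else low
    return low <= port <= high

def audit_ssh_rule(rule, trusted_cidrs):
    """Return findings for one rule; an empty list means the rule is acceptable.

    trusted_cidrs are the networks you administer from; an ssh source outside
    all of them is reported, and an all-zero source is reported explicitly.
    """
    findings = []
    # Only inbound TCP (or the console's dedicated "ssh" item) reaching port 22 matters.
    if rule["direction"] != "Ingress" or rule["protocol"] not in ("TCP", "ssh"):
        return findings
    if not port_range_covers(rule.get("dest_port_range", ""), SSH_PORT):
        return findings
    if rule["source_type"] != "CIDR":
        findings.append("source type is not CIDR; allowed networks cannot be verified")
        return findings
    src = ipaddress.ip_network(rule["source_cidr"], strict=False)
    trusted = [ipaddress.ip_network(t) for t in trusted_cidrs]
    if src.prefixlen == 0:
        findings.append(f"source {src} opens ssh to the whole internet")
    elif not any(src.version == t.version and src.subnet_of(t) for t in trusted):
        findings.append(f"source {src} is not within a trusted network")
    if not rule.get("dest_port_range"):
        findings.append("empty destination port range opens every port, not just 22")
    return findings

# Constructed sample rules mirroring the console fields from the post.
OPEN_RULE = {"direction": "Ingress", "source_type": "CIDR", "source_cidr": "0.0.0.0/0",
             "protocol": "TCP", "source_port_range": "", "dest_port_range": "22",
             "description": "ssh from anywhere"}
SAFE_RULE = dict(OPEN_RULE, source_cidr="203.0.113.0/24", description="ssh from office")
TRUSTED = ["203.0.113.0/24"]  # constructed: the network you administer from

if __name__ == "__main__":
    for name, rule in (("open", OPEN_RULE), ("safe", SAFE_RULE)):
        print(name, audit_ssh_rule(rule, TRUSTED) or ["ok"])
```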
After clicking “Create” we have our new security group with its (single) rule added:
And the VCN lists the new security group:
If we now click on “Edit” next to “Network security group: none” we get a window which allows us to select our new ssh-access group. Select it, click “Save changes”, and after a few seconds ‘none’ is replaced with our ssh group ‘ssh-access’.
Instance details:
Final step: Connect to the instance
Let’s now check if we can connect to the instance using ssh:
~$ ssh opc@129.146.98.118
The authenticity of host '129.146.98.118 (129.146.98.118)' can't be established.
ED25519 key fingerprint is SHA256:uYh3DZTYbxBzN1C3CIhPWb5y+XdIT3k4f0kuL5H+MCQ.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '129.146.98.118' (ED25519) to the list of known hosts.
Activate the web console with: systemctl enable --now cockpit.socket
[opc@my-test-instance ~]$
Success! All done.