Build Bastion service session configs for managed SSH and port forwarding access.
Last verified: May 2026
Required Fields
compartmentId, bastionId, sessionType, targetResourceDetails, keyDetails

OCI Bastion provides managed, time-limited SSH and port-forwarding sessions to resources in private subnets without requiring a public-facing jump host. Bastions create temporary, auditable connections with configurable TTLs, reducing the attack surface compared to persistent bastion hosts. This builder helps you configure bastion sessions including session type (managed SSH or port forwarding), target resource selection, SSH key configuration, maximum session duration, and network validation.
A traditional bastion host is a Compute instance in a public subnet that you manage, patch, and secure. OCI Bastion is a fully managed service that creates temporary, time-limited sessions — no instance to manage, no persistent public endpoint, and no long-lived SSH keys. Sessions are automatically terminated after the TTL expires, and all sessions are logged to OCI Audit for compliance. This eliminates the operational burden and security risk of maintaining a dedicated jump host.
OCI Bastion supports three session types: Managed SSH sessions that provide interactive SSH access using your SSH key, Port Forwarding sessions that tunnel TCP traffic to a private resource (databases, internal web servers), and Dynamic Port Forwarding (SOCKS5 proxy) sessions that provide browser-based access to multiple private resources through a single session. Each type has a configurable TTL up to 3 hours.
Your team's production database is in a private subnet — DBA needs occasional access for query analysis. Without Bastion, options are: (1) public IP on the DB server (security risk), (2) always-on jump host VM (~$30/month + maintenance), (3) IPSec VPN (complex setup). The builder generates a Bastion config: 1 bastion in the database subnet with 60-minute max TTL, port-forwarding session created on-demand to forward localhost:5432 to the DB's private IP. Bastion service cost: $0 when no sessions are active. DBA gets occasional access; the rest of the time, no public attack surface exists.
The builder constructs OCI Bastion session configurations: bastion resource (target subnet, max session TTL, optional client CIDR allow list), session resource (session type: MANAGED_SSH or PORT_FORWARDING or DYNAMIC_PORT_FORWARDING, target resource OCID, target user OCI username, public SSH key, session TTL up to 3 hours). Output is generated as oci bastion commands and Terraform oci_bastion_bastion + oci_bastion_session resources.
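As an added example (not the page's builder code), here is a small Python builder that assembles and validates the bastion and session resources described above, including the DBA port-forwarding case from the scenario. Field names follow the OCI Bastion REST API's CreateSessionDetails shape as I recall it and should be checked against the current API reference; all OCIDs and the SSH key are constructed placeholders.

```python
import ipaddress
MAX_TTL_SECONDS = 3 * 60 * 60  # OCI Bastion service limit: 3 hours (10800 s)
SESSION_TYPES = {"MANAGED_SSH", "PORT_FORWARDING", "DYNAMIC_PORT_FORWARDING"}

def build_bastion(compartment_id, subnet_id, allow_cidrs, max_ttl_seconds=3600):
    """Bastion resource: target subnet, max session TTL, client CIDR allow list."""
    if not 0 < max_ttl_seconds <= MAX_TTL_SECONDS:
        raise ValueError("maxSessionTtlInSeconds must be between 1 and 10800")
    for cidr in allow_cidrs:
        net = ipaddress.ip_network(cidr, strict=True)  # rejects malformed entries
        if net.prefixlen == 0:
            raise ValueError(f"allow list entry {cidr} admits every client")
    return {"bastionType": "STANDARD", "compartmentId": compartment_id,
            "targetSubnetId": subnet_id, "clientCidrBlockAllowList": list(allow_cidrs),
            "maxSessionTtlInSeconds": max_ttl_seconds}

def build_session(bastion_id, session_type, public_key, ttl_seconds=1800,
                  target_id=None, os_user=None, private_ip=None, port=None):
    """Session resource: enforces the per-type required fields and the TTL limit."""
    if session_type not in SESSION_TYPES:
        raise ValueError(f"unknown sessionType {session_type!r}")
    if not 0 < ttl_seconds <= MAX_TTL_SECONDS:
        raise ValueError("sessionTtlInSeconds must be between 1 and 10800")
    if not public_key.startswith(("ssh-ed25519 ", "ssh-rsa ", "ecdsa-sha2-")):
        raise ValueError("keyDetails.publicKeyContent must be an OpenSSH public key")
    target = {"sessionType": session_type}
    if session_type != "DYNAMIC_PORT_FORWARDING":  # SOCKS5 sessions have no single target
        if not target_id:
            raise ValueError(f"{session_type} needs a targetResourceId")
        target["targetResourceId"] = target_id
    if session_type == "MANAGED_SSH":
        if not os_user:
            raise ValueError("MANAGED_SSH needs targetResourceOperatingSystemUserName")
        target["targetResourceOperatingSystemUserName"] = os_user
    elif session_type == "PORT_FORWARDING":
        if not (private_ip and port):
            raise ValueError("PORT_FORWARDING needs targetResourcePrivateIpAddress and targetResourcePort")
        ipaddress.ip_address(private_ip)  # validates the DB's private IP
        target["targetResourcePrivateIpAddress"] = private_ip
        target["targetResourcePort"] = int(port)
    return {"bastionId": bastion_id, "keyType": "PUB",
            "keyDetails": {"publicKeyContent": public_key},
            "sessionTtlInSeconds": ttl_seconds, "targetResourceDetails": target}

# Constructed sample: the DBA scenario, forwarding localhost:5432 to the DB's private IP.
SAMPLE_KEY = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER dba@example"  # placeholder key
DB_SESSION = build_session("ocid1.bastion.oc1..example", "PORT_FORWARDING", SAMPLE_KEY,
                           ttl_seconds=3600, target_id="ocid1.dbsystem.oc1..example",
                           private_ip="10.0.2.15", port=5432)
```

The returned dicts map directly onto the bastion and session request bodies; an over-limit TTL, a world-open allow list, or a missing per-type field raises before anything is submitted.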
OCI Bastion is the right answer for ALL private-resource SSH access in 2026. Self-managed jump hosts are an attack surface (always-on, often unpatched, persistent SSH keys). OCI Bastion eliminates that risk: managed service, time-limited sessions, comprehensive audit logs.
Maximum session TTL is 3 hours (180 minutes). For long-running tasks, you may need to chain sessions or use a different access method. For most operational tasks (debugging, hotfixes), 30-60 minute TTL is appropriate and forces session expiration to prevent forgotten-open access.
Port forwarding sessions are essential for connecting local SQL clients (DBeaver, pgAdmin) to private databases. The naive approach of installing a SQL client on a Compute jump host is far worse — it exposes data plane traffic over SSH and limits tooling to whatever's installed on the jump host.