How does OCI Bastion differ from a traditional bastion host?

A traditional bastion host is a Compute instance in a public subnet that you manage, patch, and secure. OCI Bastion is a fully managed service that creates temporary, time-limited sessions — no instance to manage, no persistent public endpoint, and no long-lived SSH keys. Sessions are automatically terminated after the TTL expires, and all sessions are logged to OCI Audit for compliance. This eliminates the operational burden and security risk of maintaining a dedicated jump host.

What session types does OCI Bastion support?

OCI Bastion supports three session types: Managed SSH sessions that provide interactive SSH access using your SSH key, Port Forwarding sessions that tunnel TCP traffic to a private resource (databases, internal web servers), and Dynamic Port Forwarding (SOCKS5 proxy) sessions that provide browser-based access to multiple private resources through a single session. Each type has a configurable TTL up to 3 hours.

OCI Bastion Session Builder

IAM & SecurityOCI

Build Bastion service session configs for managed SSH and port forwarding access.

OCI Bastion Configuration

Build Bastion service session configurations for managed SSH and port forwarding access.

Required Fields

compartmentIdbastionIdsessionTypetargetResourceDetailskeyDetails

{
  "compartmentId": "ocid1.compartment.oc1..aaaaaaaexample",
  "bastionId": "ocid1.bastion.oc1.iad.aaaaaaaexample",
  "displayName": "prod-ssh-session",
  "sessionType": "MANAGED_SSH",
  "targetResourceDetails": {
    "sessionType": "MANAGED_SSH",
    "targetResourceId": "ocid1.instance.oc1.iad.aaaaaaaexample",
    "targetResourceOperatingSystemUserName": "opc",
    "targetResourcePort": 22
  },
  "keyDetails": {
    "publicKeyContent": "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC...example user@host"
  },
  "sessionTtlInSeconds": 10800,
  "portForwardingSession": {
    "sessionType": "PORT_FORWARDING",
    "targetResourceId": "ocid1.instance.oc1.iad.aaaaaaaexample",
    "targetResourcePort": 3306,
    "targetResourcePrivateIpAddress": "10.0.1.15"
  },
  "dynamicPortForwardingSession": {
    "sessionType": "DYNAMIC_PORT_FORWARDING",
    "targetResourceId": null,
    "targetResourcePort": null
  },
  "maxSessionTtlOptions": {
    "min": 1800,
    "max": 10800,
    "default": 10800
  },
  "freeformTags": {
    "purpose": "database-maintenance",
    "requestedBy": "dba-team"
  }
}

Generated Output

Output will appear here...

About This Tool

OCI Bastion provides managed, time-limited SSH and port-forwarding sessions to resources in private subnets without requiring a public-facing jump host. Bastions create temporary, auditable connections with configurable TTLs, reducing the attack surface compared to persistent bastion hosts. This builder helps you configure bastion sessions including session type (managed SSH or port forwarding), target resource selection, SSH key configuration, maximum session duration, and network validation.

When to Use This Tool

•Creating a managed SSH session to a Compute instance in a private subnet for emergency troubleshooting with a 30-minute TTL
•Setting up a port-forwarding session to access an Autonomous Database or MySQL HeatWave instance's private endpoint from a local SQL client
•Configuring bastion sessions for a fleet of private instances with specific SSH key restrictions and session duration limits
•Building OCI CLI commands for automated bastion session creation in CI/CD pipelines that need temporary database access for migrations

Frequently Asked Questions

How does OCI Bastion differ from a traditional bastion host?: A traditional bastion host is a Compute instance in a public subnet that you manage, patch, and secure. OCI Bastion is a fully managed service that creates temporary, time-limited sessions — no instance to manage, no persistent public endpoint, and no long-lived SSH keys. Sessions are automatically terminated after the TTL expires, and all sessions are logged to OCI Audit for compliance. This eliminates the operational burden and security risk of maintaining a dedicated jump host.
What session types does OCI Bastion support?: OCI Bastion supports three session types: Managed SSH sessions that provide interactive SSH access using your SSH key, Port Forwarding sessions that tunnel TCP traffic to a private resource (databases, internal web servers), and Dynamic Port Forwarding (SOCKS5 proxy) sessions that provide browser-based access to multiple private resources through a single session. Each type has a configurable TTL up to 3 hours.

Related Learning Guides

OCI Security Best Practices24 min read

Disclaimer: This tool runs entirely in your browser. No data is sent to our servers. Always verify outputs before using them in production. AWS, Azure, and GCP are trademarks of their respective owners.