fix(pgw): add updated bastion and allowed ips feature
Showing 6 changed files with 81 additions and 23 deletions.
Binary file modified: network/public-gateways/how-to/assets/scaleway-activate-ssh-bastion-popup.webp (-14.1 KB, 49%)
Binary file not shown.
Binary file modified: network/public-gateways/how-to/assets/scaleway-ssh-bastion-activate.webp (+170 Bytes, 100%)
Binary file added: network/public-gateways/how-to/assets/scaleway-ssh-bastion-allowed-ips.webp (+11 KB)
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -13,37 +13,73 @@ categories: | |
- network | ||
--- | ||
|
||
SSH bastion is a server dedicated to managing connections to the infrastructure behind your Public Gateway. When you activate SSH bastion on your Public Gateway, all [SSH keys held in your Project](https://console.scaleway.com/project/ssh-keys/) are imported to the SSH bastion, providing a single point of entry. You can then connect to resources behind the bastion (connected to the same Private Network as the Public Gateway) via the bastion. This makes management of your infrastructure easier and more secure, as you do not need to expose your other resources to the internet in order to connect to them, neither do you need to upload SSH keys to individual resources. | ||
SSH bastion is a server dedicated to managing connections to the infrastructure behind your Public Gateway. When you activate SSH bastion on your Public Gateway, all [SSH keys held in your Project](https://console.scaleway.com/project/ssh-keys/) are imported to the SSH bastion, providing a single point of entry. You can then connect to resources connected to the same Private Network as the Public Gateway, via the bastion. This makes management of your infrastructure easier and more secure, as you do not need to expose your other resources to the internet in order to connect to them, neither do you need to upload SSH keys to individual resources. | ||
|
||
The [Allowed IPs](#how-to-configure-allowed-ips) feature lets you control which public IPs can access resources behind the bastion. | ||
|
||
<Macro id="requirements" /> | ||
|
||
- A Scaleway account logged into the [console](https://console.scaleway.com) | ||
- [Owner](/identity-and-access-management/iam/concepts/#owner) status or [IAM permissions](/identity-and-access-management/iam/concepts/#permission) allowing you to perform actions in the intended Organization | ||
- [Created a Public Gateway](/network/public-gateways/how-to/create-a-public-gateway/) | ||
- [Created a Public Gateway](/network/public-gateways/how-to/create-a-public-gateway/) and given it a [public IP address](/network/public-gateways/concepts/#public-ip-address) | ||
- [Attached](/network/vpc/how-to/attach-resources-to-pn/) your Public Gateway to a Private Network | ||
|
||
## How to activate SSH bastion | ||
|
||
1. Click **Public Gateways** in the **Network** section of the Scaleway console side menu. | ||
2. Click the Public Gateway for which you want to activate SSH bastion. You are taken to the **Overview** page for that Public Gateway. | ||
<Lightbox src="scaleway-ssh-bastion-activate.webp" alt="" /> | ||
3. Under **SSH Bastion** click the **Activate** button. A pop-up displays: | ||
3. Under **SSH Bastion**, use the toggle <Icon name="toggle"/> to activate the feature. A pop-up displays: | ||
<Lightbox src="scaleway-activate-ssh-bastion-popup.webp" alt="" /> | ||
4. Enter the port that you want your SSH bastion to listen on (or leave the default port in place). | ||
<Message type="tip"> | ||
The default port is 61000. When setting your own port, you must choose a port number between 1024 and 59999. The port that the SSH bastion listens on must not be a port already in use by a [NAT rule](/network/public-gateways/concepts/#nat). | ||
The default port is 61000 (ours), to avoid conflicts. When setting your own port, you must choose a port number between 1024 and 59999. The port that the SSH bastion listens on must not be a port already in use by a [NAT rule](/network/public-gateways/concepts/#nat). | ||
</Message> | ||
5. Copy the command to connect to a resource, and click **Save SSH bastion settings**. | ||
|
||
You are redirected to your Public Gateway's **Overview** page, where SSH bastion is now activated. All the SSH keys in your [Project credentials](/identity-and-access-management/iam/concepts/#api-key) at the time of activation are copied to the SSH bastion. | ||
You are redirected to your Public Gateway's **Overview** page, where SSH bastion is now activated. All the SSH keys in your [Project](/identity-and-access-management/organizations-and-projects/concepts/#project) at the time of activation are copied to the SSH bastion. | ||
|
||
## How to configure allowed IPs | ||
|
||
The [Allowed IPs](#how-to-configure-allowed-ips) feature lets you control which public IPs can connect to resources behind the bastion. All IPs are blocked except those specified in your Allowed IPs list. | ||
|
||
When you first activate SSH bastion, the Allowed IPs list has one entry: a default IP range of `0.0.0.0/0` which gives access to **all** public IPs. | ||
|
||
<Lightbox src="scaleway-ssh-bastion-allowed-ips.webp" alt="The Public Gateway's dashboard in the Scaleway console shows that SSH bastion is activated, and the Allowed IPs list contains one entry: 0.0.0.0/0" /> | ||
|
||
### How to allow all IPs | ||
|
||
If you do **not** want to restrict connections to the resources behind the bastion to specific public IPs only, ***leave the default entry of `0.0.0.0/0` in place**. This IP range encompasses all possible public IPs, so will allow any public IP address to connect to the bastion (as long as they have a valid SSH key). No further configuration is required. | ||
|
||
If you have deleted the default entry, you can re-add an entry for `0.0.0.0/0` at any time. Click the **Add allowed IPs** button, and add a single entry for `0.0.0.0/0` to restore access to all public IPs. | ||
|
||
### How to restrict access to certain IPs | ||
|
||
To restrict connections to resources behind the bastion to specific public IPs only, you must delete the default `0.0.0.0/0` entry, and add entries for the specific IP ranges that you want to allow. Follow the steps below | ||
|
||
1. Ensure you have [activated SSH bastion](#how-to-activate-ssh-bation). | ||
2. In the **Allowed IPs** list, delete the default IP range entry `0.0.0.0/0` by clicking the <Icon name="delete"/> button next to it. | ||
A pop-up displays, asking you to confirm that you want to delete this IP range. | ||
3. Type **DELETE** in the box, then click **Delete allowed IP range**. | ||
The IP range is deleted and you are returned to the Allowed IPs list. | ||
4. Click the **+ Add allowed IPs** button. | ||
A pop-up displays, asking you to enter the IPv4 address ranges to allow. | ||
<Lightbox src="scaleway-add-allowed-ips.webp" alt="A pop-up screen from the Scaleway console, with a text box to allow the user to enter multiple IPv4 ranges separated by newlines. The instructions say: Add one or more IPv4 address ranges to allow. Always include the subnet mask. Use a tool like ipcalc if you need help calculating the subnet of your IP ranges." /> | ||
5. Enter the IPv4 address ranges you to want to allow to connect to your SSH bastion. In each case, include the subnet mask (use `/32` for single addresses). You can add multiple IP ranges in one go by separating them with new lines. | ||
6. Click the **Add IPs** button. | ||
The IPs are added, and you are returned to the Allowed IPs list. | ||
|
||
Repeat steps 4 - 6 to add more IP range entries, if you wish. | ||
|
||
You can delete an entry from the list at any time by clicking the <Icon name="delete" /> button next to it. | ||
|
||
## How to reimport SSH keys | ||
|
||
If you add new SSH keys to your [Project credentials](/identity-and-access-management/iam/concepts/#api-key) after activating SSH bastion, you will need to perform a reimport to update the bastion with the new keys. | ||
If you add new SSH keys to your [Project](/identity-and-access-management/organizations-and-projects/concepts/#project) after activating SSH bastion, you will need to perform a reimport to update the bastion with the new keys. | ||
|
||
1. Click **Public Gateways** in the **Network** section of the Scaleway console side menu. | ||
2. Click the Public Gateway for which you want to update the SSH bastion. You are taken to the **Overview** page for that Public Gateway. | ||
3. Under **SSH Bastion** click the **Reimport SSH keys** button. | ||
3. Under **SSH Bastion** click the **Reimport list** button. | ||
<Lightbox src="scaleway-ssh-bastion-reimport.webp" alt="" /> | ||
|
||
Your SSH bastion is updated with the new SSH keys. | ||
|
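Review bot: the anchor in step 1 of "How to restrict access to certain IPs" is misspelled as `#how-to-activate-ssh-bation`, so the link back to the activation section will not resolve; it should be `#how-to-activate-ssh-bastion`. Further points in this hunk: the tip "The default port is 61000 (ours), to avoid conflicts." reads like an editorial aside left in the text, say instead that 61000 is the default because it is unlikely to clash with a NAT rule; the bold in "***leave the default entry of `0.0.0.0/0` in place**" opens with three asterisks and closes with two, which renders as a stray asterisk; step 5 has "the IPv4 address ranges you to want to allow" (drop "to"); the Lightbox for step 4 references `scaleway-add-allowed-ips.webp`, while the asset this commit adds is `scaleway-ssh-bastion-allowed-ips.webp`, so confirm the referenced file exists; and "neither do you need to upload SSH keys" should be "nor do you need". Since the Allowed IPs list defaults to `0.0.0.0/0`, which leaves the bastion port reachable from every public IP for anyone holding a Project SSH key, the "How to allow all IPs" section should carry a one-line recommendation to restrict the list to known source ranges wherever the operator's egress addresses are stable.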
@@ -60,18 +96,30 @@ You can connect to a resource behind the bastion using its private IP address on | |
|
||
### How to connect using the resource's fully-qualified domain name (FQDN) | ||
|
||
The domain to use is set when the Public Gateway is attached to the Private Network. Therefore, the FQDN to use depends on how you made this attachment: | ||
The command to use is: | ||
|
||
- **Via the Scaleway console**: The FQDN takes the form `resource-name.priv` | ||
- **Via Terraform**: The FQDN takes the form `resource-name.dns_local_name` where `dns_local_name` is [this](https://registry.terraform.io/providers/scaleway/scaleway/latest/docs/resources/vpc_public_gateway_dhcp#dns_local_name) Terraform option. | ||
- **Via the Scaleway CLI or API**: The FQDN takes the form `resource-name.dns_local_name` where `dns_local_name` follows the specification [here](https://www.scaleway.com/en/developers/api/public-gateway/#path-dhcp-create-a-dhcp-configuration), defaulting to `.priv`. | ||
```bash | ||
ssh -J bastion@PUBLIC_IP_OF_PUBLIC_GATEWAY:61000 user@FQDN | ||
``` | ||
|
||
The FQDN is `<resource-name>.<private-network-name>.internal`. | ||
|
||
Carry out the following command on your terminal to connect to a resource inside your Private Network. Remember to replace `FQDN` with the FQDN in the format specified above. | ||
When connecting as the user `alex` on an Instance named `scw-frosty-cannon` on a Private Network named `pvn-silly-goodall`, where the Public Gateway has an IP `51.158.125.88` and SSH bastion is configured on port 6100, the full connection command would therefore be: | ||
|
||
```bash | ||
ssh -J bastion@PUBLIC_IP_OF_PUBLIC_GATEWAY:61000 user@FQDN | ||
ssh -J bastion@51.158.125:61000 [email protected] | ||
``` | ||
|
||
<Message type="note"> | ||
|
||
For [Legacy Private Networks](/network/public-gateways/concepts/#ipam) not in IPAM mode and still using DHCP configuration objects, the FQDN may be different. The domain to use was set when the Public Gateway was attached to the Private Network. Therefore, the FQDN to use depends on how you made this attachment: | ||
|
||
- **Via the Scaleway console**: The FQDN takes the form `resource-name.priv` | ||
- **Via Terraform**: The FQDN takes the form `resource-name.dns_local_name` where `dns_local_name` is [this](https://registry.terraform.io/providers/scaleway/scaleway/latest/docs/resources/vpc_public_gateway_dhcp#dns_local_name) Terraform option. | ||
- **Via the Scaleway CLI or API**: The FQDN takes the form `resource-name.dns_local_name` where `dns_local_name` follows the specification [here](https://www.scaleway.com/en/developers/api/public-gateway/#path-dhcp-create-a-dhcp-configuration), defaulting to `.priv`. | ||
|
||
</Message> | ||
|
||
### How to edit your SSH configuration files for connection | ||
|
||
Carry out the following steps to avoid the need to repeat `-J bastion@<public-IP-of-gateway>:61000` in your SSH connection commands. The following steps must be repeated on all local machines that want to connect to a resource behind the SSH bastion in this way. | ||
|
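Review bot: the worked example contradicts its own prose: the text says the gateway IP is `51.158.125.88` and the bastion port is 6100, but the command uses `bastion@51.158.125:61000`, a three-octet IP and the default port. Use the full address and one consistent port, for example `ssh -J bastion@51.158.125.88:61000 alex@scw-frosty-cannon.pvn-silly-goodall.internal` (61000 matches the generic command above it). The `user@host` part of that command is also not legible as rendered on this page, so check that the source line carries the FQDN in the `<resource-name>.<private-network-name>.internal` form stated two lines earlier. Separately, nothing in this section tells the reader what to expect on the first `-J` connection (a host-key prompt for the bastion, then one for the target resource) or how to verify the bastion's host key; a short note there would close the most obvious opening for a spoofed gateway address.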
@@ -81,12 +129,12 @@ Carry out the following steps to avoid the need to repeat `-J bastion@<public-IP | |
nano ~/.ssh/config | ||
``` | ||
Paste the following code into the file, then save and exit. Ensure that you make the following replacements: | ||
- `.priv`: If you attached the Public Gateway to the Private Network via the console, this is the correct value. However, if you used another method such as Terraform, API, or CLI you may need to replace this value - see [above](#how-to-connect-using-the-resource's-fully-qualified-domain-name-(fqdn)). | ||
- `.<private-network-name>`: If your Public Gateway is in IPAM mode, this is the correct value. However, if you have a legacy gateway, you may need to replace this value with `.priv` or `<dns_local_name>` - see [above](#how-to-connect-using-the-resource's-fully-qualified-domain-name-(fqdn)). | ||
- `PUBLIC_IP_OF_PUBLIC_GATEWAY`: The public IP address of your gateway | ||
- `SSH_BASTION_PORT`: The port you set when activating SSH bastion on your gateway | ||
|
||
```bash | ||
Host *.priv | ||
Host *.<private-network-name> | ||
ProxyJump bastion@PUBLIC_IP_OF_PUBLIC_GATEWAY:SSH_BASTION_PORT | ||
``` | ||
2. Alternatively, to configure at system-wide level, open your system-wide configuration file on your local machine with a text-editor such as `nano`: | ||
|
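Review bot: the `Host *.<private-network-name>` pattern in the `~/.ssh/config` snippet does not match the FQDN form this file now documents, `<resource-name>.<private-network-name>.internal`: `*.<private-network-name>` only matches hostnames that end in the network name, not ones ending in `.internal`, so `ssh FQDN` would skip the ProxyJump and attempt a direct connection to the private address. Use `Host *.<private-network-name>.internal` and update the replacement bullet above the snippet to `.<private-network-name>.internal`. That bullet also reads as if the placeholder were a literal value ("If your Public Gateway is in IPAM mode, this is the correct value"); say that `<private-network-name>` must be replaced with the actual Private Network name. The in-page link `#how-to-connect-using-the-resource's-fully-qualified-domain-name-(fqdn)` contains an apostrophe and parentheses that most markdown renderers strip from generated heading IDs; verify it resolves.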
@@ -100,14 +148,20 @@ Carry out the following steps to avoid the need to repeat `-J bastion@<public-IP | |
ssh FQDN | ||
``` | ||
|
||
## How to edit or deactivate SSH bastion | ||
## How to edit the SSH bastion port | ||
|
||
1. Click **Public Gateways** in the **Network** section of the Scaleway console side menu. | ||
2. Click the Public Gateway for which you want to edit or deactivate SSH bastion. You are taken to the **Overview** page for that Public Gateway. | ||
3. Under **SSH Bastion** click the "edit" icon (<Icon name="edit" />) **Edit** button. A pop-up displays. | ||
4. Edit your SSH bastion as required. You can make the following edits: | ||
- Use the <Icon name="toggle" /> toggle to disable SSH bastion. | ||
- Change the port on which your SSH bastion listens. | ||
5. Click **Save settings**. | ||
2. Click the Public Gateway you want to edit SSH bastion for. You are taken to the **Overview** page for that Public Gateway. | ||
3. Under **SSH Bastion** click **Edit**, next to the port number. A pop-up displays. | ||
4. Edit your SSH bastion port as required. | ||
5. Click **Save**. | ||
|
||
Your edits are saved, and you are redirected to your Public Gateway's **Overview** page. | ||
|
||
## How to deactivate SSH bastion | ||
|
||
1. Click **Public Gateways** in the **Network** section of the Scaleway console side menu. | ||
2. Click the Public Gateway you want to deactivate SSH bastion on. You are taken to the **Overview** page for that Public Gateway. | ||
3. Under **SSH Bastion** use the toggle <Icon name="toggle"/> to deactivate the bastion. | ||
|
||
SSH bastion is deactivated on this gateway. You can reactivate it at any time. |
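Review bot: "How to deactivate SSH bastion" does not say what happens to the Allowed IPs list and the imported keys when the bastion is switched off, and "You can reactivate it at any time" together with the earlier statement that the list starts as `0.0.0.0/0` on first activation leaves it unclear whether reactivation resets a restricted allowlist back to all public IPs; state this explicitly, since a silent reset would reopen the bastion port to the whole internet. The port-edit procedure should also repeat, or link to, the constraints given in the activation tip (1024 to 59999, and not a port already used by a NAT rule), because the edit pop-up is the second place a user can set the port. Minor: the activation steps mention a pop-up but the deactivation step does not; confirm whether a confirmation dialog appears and document it if so.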