| 1 | +--- |
| 2 | +page_title: "Using Scaleway SSH Bastion" |
| 3 | +description: |- |
| 4 | + Using Scaleway SSH Bastion config. |
| 5 | +--- |
| 6 | + |
| 7 | +# How to use Scaleway VPC SSH Bastion config |
| 8 | + |
| 9 | +In this guide you'll learn how to deploy Scaleway SSH bastion to your Scaleway Private Network using the Scaleway Terraform provider. |
| 10 | +After Bastion is deployed, you can connect (SSH) to virtual machines in the virtual network via Bastion using the private IP address of the VM. |
| 11 | +When you connect to a VM, it doesn't need a public IP address, client software, agent, or a special configuration. |
| 12 | + |
| 13 | +## Prerequisites |
| 14 | + |
| 15 | +* You have created a virtual machine (Instance) in a VPC Private Network. Check our example below. |
| 16 | + |
| 17 | +1. When you deploy Bastion, the values are pulled from the Private Network in which your VM resides. |
| 18 | + 1. This VM doesn't become a part of the Bastion deployment itself, but you do connect to it later in the exercise. |
| 19 | + |
| 20 | +2. If you don't have any VMs connected to the Private Network, use the `scaleway_instance_private_nic` or the attribute `private_network` on `scaleway_instance_server` to connect. |
| 21 | + |
| 22 | +3. Detach any VMs that are attached to a `scaleway_instance_ip`. |
| 23 | + |
| 24 | + **Note**: Your VMs and Private Network should be in the same Availability Zone. e.g. `fr-par-1` |
| 25 | + |
| 26 | +```hcl |
| 27 | +provider "scaleway" { |
| 28 | + zone = "fr-par-1" |
| 29 | +} |
| 30 | +``` |
| 31 | + |
| 32 | +```hcl |
| 33 | +variable "machine_count" { |
| 34 | + description = "Number of virtual machines in private network" |
| 35 | + default = 3 |
| 36 | +} |
| 37 | +
| 38 | +# SCALEWAY VPC PRIVATE NETWORK |
| 39 | +resource scaleway_vpc_private_network "pn" { |
| 40 | + name = "myprivatenetwork" |
| 41 | + zone = "fr-par-1" |
| 42 | +} |
| 43 | +
| 44 | +# SCALEWAY VPC VIRTUAL MACHINES |
| 45 | +resource scaleway_instance_server "servers" { |
| 46 | + count = var.machine_count |
| 47 | + name = "machine${count.index}" |
| 48 | + image = "ubuntu_focal" |
| 49 | + type = "DEV1-S" |
| 50 | +} |
| 51 | +
| 52 | +# SCALEWAY INSTANCES PRIVATE NETWORK CONNECTION |
| 53 | +resource scaleway_instance_private_nic "nic" { |
| 54 | + count = length(scaleway_instance_server.servers) |
| 55 | + private_network_id = scaleway_vpc_private_network.pn.id |
| 56 | + server_id = scaleway_instance_server.servers[count.index].id |
| 57 | +} |
| 58 | +``` |
| 59 | + |
| 60 | +## Reserve a public gateway IP |
| 61 | + |
| 62 | +Reserve your public IP, allowing it to reach the public Internet, as well as to forward (masquerade) traffic from member Instances of attached Private Networks. |
| 63 | + |
| 64 | +This IP is a static IPv4 address designed for dynamic cloud computing. |
| 65 | + |
| 66 | +```hcl |
| 67 | +# SCALEWAY PUBLIC GATEWAY IP |
| 68 | +resource scaleway_vpc_public_gateway_ip "pgw_ip" { |
| 69 | +} |
| 70 | +``` |
| 71 | + |
| 72 | +## Set up your Public Gateway |
| 73 | + |
| 74 | +Public Gateways sit at the border of Private Networks and allow you to enable the bastion. |
| 75 | +You can also choose your port of preference on `bastion_port` option. The default port is `61000` |
| 76 | + |
| 77 | +You can check the types of gateways currently supported via our CLI. |
| 78 | + |
| 79 | +```shell |
| 80 | +scw vpc-gw gateway-type list |
| 81 | +``` |
| 82 | + |
| 83 | +Example: |
| 84 | + |
| 85 | +```hcl |
| 86 | +resource scaleway_vpc_public_gateway "pgw" { |
| 87 | + type = "VPC-GW-S" |
| 88 | + bastion_enabled = true |
| 89 | + ip_id = scaleway_vpc_public_gateway_ip.pgw_ip.id |
| 90 | +} |
| 91 | +``` |
| 92 | + |
| 93 | +## Configure your DHCP on your subnet |
| 94 | + |
| 95 | +The [DHCP](https://fr.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol) server sets the IPv4 address dynamically, |
| 96 | +which is required to communicate over the private network. |
| 97 | + |
| 98 | +The `dns_local_name` is the [TLD](https://en.wikipedia.org/wiki/Top-level_domain), the value by default is `priv`. |
| 99 | +This is used to resolve your Instance on a Private Network. |
| 100 | + |
| 101 | +In order to resolve the Instances using your Bastion you should set the `dns_local_name` with `scaleway_vpc_private_network.pn.name`. |
| 102 | + |
| 103 | +Please check our API [documentation](https://developers.scaleway.com/en/products/vpc-gw/api/v1/#dns-local-name-5b691b) for more details. |
| 104 | + |
| 105 | +```hcl |
| 106 | +resource scaleway_vpc_public_gateway_dhcp "dhcp" { |
| 107 | + subnet = "192.168.1.0/24" |
| 108 | + dns_local_name = scaleway_vpc_private_network.pn.name |
| 109 | +} |
| 110 | +``` |
| 111 | + |
| 112 | +## Attach your VPC Gateway Network to a Private Network |
| 113 | + |
| 114 | +To enable DHCP on this Private Network you must set `enable_dhcp` and `dhcp_id`. |
| 115 | +Do not set the `address` attribute. |
| 116 | + |
| 117 | +```hcl |
| 118 | +resource scaleway_vpc_gateway_network "gn" { |
| 119 | + gateway_id = scaleway_vpc_public_gateway.pgw.id |
| 120 | + private_network_id = scaleway_vpc_private_network.pn.id |
| 121 | + dhcp_id = scaleway_vpc_public_gateway_dhcp.dhcp.id |
| 122 | + enable_dhcp = true |
| 123 | +} |
| 124 | +``` |
| 125 | + |
| 126 | +## Config my Bastion config |
| 127 | + |
| 128 | +You should add your config on your local config file e.g: `~/.ssh/config` |
| 129 | + |
| 130 | +``` |
| 131 | +Host *.myprivatenetwork |
| 132 | +ProxyJump bastion@<your-public-ip>:<bastion_port> |
| 133 | +``` |
| 134 | + |
| 135 | +Then try to connect to it: |
| 136 | + |
| 137 | +```shell |
| 138 | +ssh root@<vm-name>.myprivatenetwork |
| 139 | +``` |
| 140 | + |
| 141 | +For further information using our console please check [our dedicated documentation](https://www.scaleway.com/en/docs/network/vpc/how-to/use-ssh-bastion/). |
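Review bot: The client-side section under `## Config my Bastion config` (from `Host *.myprivatenetwork` through `ssh root@<vm-name>.myprivatenetwork`) leaves the reader to work out how its placeholders map to the Terraform above, and the heading itself is garbled. State explicitly that the `Host` suffix must equal the `dns_local_name` set on `scaleway_vpc_public_gateway_dhcp` (here `scaleway_vpc_private_network.pn.name`, i.e. `myprivatenetwork`), that `<vm-name>` is the `name` of the `scaleway_instance_server`, and that `<bastion_port>` is `61000` unless `bastion_port` was changed on the gateway, so that with this configuration the first machine is reached with `ssh root@machine0.myprivatenetwork`; retitle the section "Configure your SSH client for the Bastion". Two related points: the introduction says a connection needs no "special configuration", which this section contradicts by requiring an `~/.ssh/config` entry (the VM needs none, the client does), so qualify that sentence; and the example logs in as `root` through an Internet-facing jump host, so either use a non-root user or say that root login is only for the exercise. Style: `resource scaleway_vpc_private_network "pn"` and the other resource blocks leave the type label unquoted, which `terraform fmt` rewrites to `resource "scaleway_vpc_private_network" "pn"`; quote them so the snippets match what users see after formatting. The DHCP link under `## Configure your DHCP on your subnet` points to the French Wikipedia article on an English-language page; use the English one.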