By default, network access to the VPC landing zone topology is locked down for security compliance reasons. In this part of the lab, you open the access an operator needs to reach the VPC environment, including deploying applications on the VSIs located in the workload VPC.
You give operator access through the Management VPC. You have several options for giving operator access, with varying levels of security, compliance, and ease of enablement:
- Exposing a VSI in the management VPC as a ‘jump-box’ by assigning a public floating IP
- Deploying a client-to-site VPN solution in the management VPC
- Deploying a site-to-site VPN solution in the management VPC
- Deploying a certified bastion solution, such as Gravitational Teleport in the management VPC.
In this lab, you expose one of the VSIs in the management VPC as a 'jump-box'. This method is one of the simplest ways to proceed, although it is not overly secure: the VSI gets a public IP address and an inbound SSH rule, so the exposure should be kept as narrow as the lab allows (for example, by restricting the rule's remote to your own network rather than 0.0.0.0/0). The Going further section later in the lab provides links to some of the other ways that you can provide operator access.
Complete the following steps to enable public SSH access to one of the VSIs in the management VPC. This VSI is the single operator entry point ('jump-box') to the landing zone VPC topology.
- Access the Virtual server instances for VPC list.
- Verify that the region is set to the region where you provisioned your resources, and click the VSI labeled `<your_initials>-management-server-1`.
- Add a floating IP address by clicking the pencil icon in the Network Interface section. Reserve a new floating IP address.

  ❗ Important: Take note of the public floating IP address. You need it later.
- In the Security Groups for VPC, click the one labeled `<your_initials>-management`.
- Go to the Rules section and allow port 22 inbound by clicking Create in the Inbound rules section.

  ℹ️ Tip: Security groups are stateful, so you don't need to add a corresponding outbound rule.
- Click Create.
- In the Access control lists for VPC, click the one labeled `<your_initials>-management-acl`.
- Create the following ACL inbound rule:
- Create the following ACL outbound rule:
- You can now access the 'jump-box' through the public floating IP address that you provisioned earlier. On your computer, issue the following command from a terminal or command window:

  ```shell
  ssh -i ./lab-key root@<Floating IP of Virtual server instance>
  ```

  Replace `<Floating IP of Virtual server instance>` with the address that you reserved earlier.
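The steps above put the operator's SSH session behind two different filters: the security group, which is stateful (the Tip says only the inbound port 22 rule is needed), and the network ACL, which is stateless and therefore needs both an inbound rule for the SSH request and an outbound rule for the replies. The following Python model, added here as an example and not part of the lab or of IBM Cloud's own tooling, evaluates a sample SSH connection against both layers and flags a rule that opens port 22 to the whole Internet. The addresses, CIDRs and rule values are constructed for illustration; the lab's actual ACL rules are not reproduced here.

```python
"""Model of the two filtering layers an operator SSH session crosses on its
way to the jump-box: the stateful security group and the stateless network
ACL. Added example for the lab text; rule values below are constructed for
illustration and are not the lab's own security group or ACL rules."""
from dataclasses import dataclass
import ipaddress

EPHEMERAL_MIN = 1024  # lowest client source port we expect SSH replies to go to


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: str = "tcp"

    def reply(self):
        """The return packet of the same flow (jump-box -> operator)."""
        return Packet(self.dst_ip, self.src_ip, self.dst_port, self.src_port, self.proto)


@dataclass(frozen=True)
class Rule:
    direction: str  # "inbound" or "outbound", relative to the VSI / subnet
    action: str     # "allow" or "deny"; security group rules are allow-only
    proto: str      # "tcp", "udp", "icmp" or "all"
    remote: str     # CIDR of the peer on the far side of the rule
    port_min: int = 1
    port_max: int = 65535


def rule_matches(rule, pkt, direction):
    """A rule matches when direction, protocol, peer address and the packet's
    destination port all fall inside the rule."""
    if rule.direction != direction or rule.proto not in ("all", pkt.proto):
        return False
    peer = pkt.src_ip if direction == "inbound" else pkt.dst_ip
    if ipaddress.ip_address(peer) not in ipaddress.ip_network(rule.remote):
        return False
    return rule.port_min <= pkt.dst_port <= rule.port_max


def security_group_allows(sg_rules, syn):
    """Stateful: an inbound allow rule for the first packet is enough; the
    reply is tracked as part of the same connection (the lab's Tip)."""
    return any(rule_matches(r, syn, "inbound") for r in sg_rules)


def acl_decision(acl_rules, pkt, direction):
    """Stateless, ordered, first match wins, implicit deny at the end."""
    for r in acl_rules:
        if rule_matches(r, pkt, direction):
            return r.action == "allow"
    return False


def acl_allows(acl_rules, syn):
    """Both halves of the flow must be allowed explicitly: the inbound SYN to
    port 22 and the outbound reply to the operator's ephemeral port."""
    return (acl_decision(acl_rules, syn, "inbound")
            and acl_decision(acl_rules, syn.reply(), "outbound"))


def session_allowed(sg_rules, acl_rules, syn):
    """An SSH session works only if the security group and the ACL both allow it."""
    return security_group_allows(sg_rules, syn) and acl_allows(acl_rules, syn)


def audit_ssh_exposure(rules):
    """Flag inbound allow rules that open port 22 to the whole Internet; the
    lab's jump-box should be reachable only from the operator's network."""
    findings = []
    for r in rules:
        if (r.direction == "inbound" and r.action == "allow"
                and r.proto in ("all", "tcp") and r.port_min <= 22 <= r.port_max
                and ipaddress.ip_network(r.remote).prefixlen == 0):
            findings.append(f"port 22 open to {r.remote}; restrict remote to the operator CIDR")
    return findings


# Constructed sample: operator workstation at 203.0.113.10 (documentation
# range) connecting to the jump-box's private address 10.10.10.4.
OPERATOR_CIDR = "203.0.113.0/24"
SSH_SYN = Packet("203.0.113.10", "10.10.10.4", 50000, 22)

SG_RESTRICTED = [Rule("inbound", "allow", "tcp", OPERATOR_CIDR, 22, 22)]
SG_WIDE_OPEN = [Rule("inbound", "allow", "tcp", "0.0.0.0/0", 22, 22)]
ACL_INBOUND_ONLY = [Rule("inbound", "allow", "tcp", OPERATOR_CIDR, 22, 22)]
ACL_COMPLETE = ACL_INBOUND_ONLY + [
    Rule("outbound", "allow", "tcp", OPERATOR_CIDR, EPHEMERAL_MIN, 65535),
]

if __name__ == "__main__":
    print("SG alone, restricted remote:", security_group_allows(SG_RESTRICTED, SSH_SYN))
    print("ACL with only an inbound rule:", acl_allows(ACL_INBOUND_ONLY, SSH_SYN))
    print("ACL with inbound and outbound rules:", acl_allows(ACL_COMPLETE, SSH_SYN))
    print("Session end to end:", session_allowed(SG_RESTRICTED, ACL_COMPLETE, SSH_SYN))
    print("Audit of a 0.0.0.0/0 rule:", audit_ssh_exposure(SG_WIDE_OPEN))
```

Running the script shows the difference the lab's two rule types make: the security group passes the session with the single inbound rule, while the ACL rejects it until the outbound reply rule to the operator's ephemeral port range is present. The audit function is the check to run after the lab's security group step if you opened port 22 to 0.0.0.0/0 rather than to your own address range.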