20-operator-access.md

File metadata and controls

40 lines (28 loc) · 2.93 KB

Providing operator access to the VPC landing zone

Introduction

By default, network access to the VPC landing zone topology is locked down for security compliance reasons. In this section, you will open up the access an operator needs to reach the VPC environment, including deploying applications on the VSIs located in the workload VPC.

Operator access is provided through the management VPC. There are multiple ways to give operators access to the VPC landing zone, with varying levels of security, compliance, and ease of enablement:

  • Exposing a VSI in the management VPC as a ‘jump-box’ by assigning a public floating IP
  • Deploying a client-to-site VPN solution in the management VPC
  • Deploying a site-to-site VPN solution in the management VPC
  • Deploying a certified bastion solution, such as Gravitational Teleport in the management VPC.

This part of the lab shows how to expose one of the VSIs in the management VPC as a 'jump-box', as this is one of the simplest ways to proceed, although it is not a strongly secure option: it places an SSH endpoint on a public IP address. The Going Further section below provides links to some of the other ways to provide operator access.

Steps

Perform the following actions to enable public SSH access to one of the VSIs in the management VPC. This VSI will be the single operator entry point ('jump-box') into the landing zone VPC topology.

  1. Access the Virtual server instances for VPC list
  2. Verify that the region is set to the region in which you provisioned your resources and click the VSI labeled <initials>-management-server-1
  3. Add a Floating IP address by clicking the pencil icon in the Network Interface section and reserve a new floating IP (screenshots: pencil icon; Floating IP)
  4. Take note of the public Floating IP. It will be used in a subsequent step.
  5. In the Security Groups for VPC list, click the one labelled <initials>-management
  6. Go to the Rules section and allow inbound TCP port 22 by clicking Create in the Inbound rules section. Where possible, limit the source of the rule to the address range your operators connect from rather than any address. (Note: security groups are stateful, so you do not need to add a corresponding outbound rule for the return traffic of the SSH session.) (screenshot: Allow SSH in Security group)
  7. Click Create
  8. In the Access control lists for VPC list, click the one labeled <initials>-management-acl
  9. Create the following ACL inbound rule: (screenshot: SSH ACL Inbound rule)
  10. Create the following ACL outbound rule: (screenshot: SSH ACL Outbound rule). Unlike security groups, ACLs are stateless, so the return traffic from port 22 of the jump-box must be explicitly allowed by this outbound rule; without it the inbound SSH connection never completes.
  11. You will now be able to access the 'jump-box' through the public Floating IP address that you provisioned in a prior step. On your workstation, issue the following command from a terminal:
    ssh -i ./lab-key root@<Floating IP of Virtual server instance>
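The security group rule and the two ACL rules above behave differently because security groups are stateful and network ACLs are stateless. The following Python model is an added example written for this page; it is not part of the lab and not IBM Cloud code. It walks the SYN and SYN-ACK of an SSH connection to the jump-box through a simplified security group (remote CIDR plus destination port range, with connection tracking) and a simplified ACL (source and destination CIDRs plus source and destination port ranges, evaluated in order with first match wins and an implicit deny). The operator network `203.0.113.0/24`, the management subnet `10.10.10.0/24` and the VSI address `10.10.10.4` are constructed values, as are the function names; the evaluation order (subnet ACL then instance security group for inbound traffic, the reverse for outbound) is the assumption the model makes. `open_to_internet` is the check a practitioner would run on the security group rule before leaving the jump-box exposed.

```python
# Added example, not lab or IBM Cloud code: security groups are stateful, network
# ACLs are stateless; an SSH session to the jump-box is walked through both.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

OPERATOR_CIDR = "203.0.113.0/24"  # assumed operator network
MGMT_SUBNET = "10.10.10.0/24"     # assumed management subnet
VSI_IP = "10.10.10.4"             # assumed private IP of the jump-box (the floating IP is NATed to it)

@dataclass(frozen=True)
class Packet:
    direction: str  # "inbound" (towards the VSI) or "outbound" (from the VSI)
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

@dataclass(frozen=True)
class SGRule:
    """Security group rule: remote CIDR and destination port range."""
    direction: str
    proto: str  # "tcp", "udp", "icmp" or "all"
    remote: str
    port_min: int = 1
    port_max: int = 65535

@dataclass(frozen=True)
class ACLRule:
    """Network ACL rule: source/destination CIDRs and port ranges, ordered by priority."""
    direction: str
    action: str  # "allow" or "deny"
    proto: str
    source: str
    destination: str
    src_port_min: int = 1
    src_port_max: int = 65535
    dst_port_min: int = 1
    dst_port_max: int = 65535

def _in(ip, cidr):
    return ip_address(ip) in ip_network(cidr)

class SecurityGroup:
    """Stateful: an admitted flow is tracked and its replies are accepted."""
    def __init__(self, rules):
        self.rules, self.flows = list(rules), set()

    def permits(self, p):
        if (p.proto, p.dst_ip, p.dst_port, p.src_ip, p.src_port) in self.flows:
            return True  # return traffic of a flow admitted earlier, no outbound rule needed
        for r in self.rules:
            remote = p.src_ip if p.direction == "inbound" else p.dst_ip
            if (r.direction == p.direction and r.proto in ("all", p.proto) and _in(remote, r.remote)
                    and (r.proto not in ("tcp", "udp") or r.port_min <= p.dst_port <= r.port_max)):
                self.flows.add((p.proto, p.src_ip, p.src_port, p.dst_ip, p.dst_port))
                return True
        return False

class NetworkACL:
    """Stateless: each packet is judged alone, first match wins, no match means deny."""
    def __init__(self, rules):
        self.rules = list(rules)

    def permits(self, p):
        for r in self.rules:
            if r.direction != p.direction or r.proto not in ("all", p.proto):
                continue
            if not (_in(p.src_ip, r.source) and _in(p.dst_ip, r.destination)):
                continue
            if r.proto in ("tcp", "udp") and not (r.src_port_min <= p.src_port <= r.src_port_max
                                                  and r.dst_port_min <= p.dst_port <= r.dst_port_max):
                continue
            return r.action == "allow"
        return False

def lab_rules(outbound_acl_rule, remote="0.0.0.0/0"):
    """The lab's rules: SG inbound 22, ACL inbound 22, optionally the ACL outbound rule for replies."""
    sg = SecurityGroup([SGRule("inbound", "tcp", remote, 22, 22)])
    acl = [ACLRule("inbound", "allow", "tcp", remote, MGMT_SUBNET, dst_port_min=22, dst_port_max=22)]
    if outbound_acl_rule:
        acl.append(ACLRule("outbound", "allow", "tcp", MGMT_SUBNET, remote, src_port_min=22, src_port_max=22))
    return sg, NetworkACL(acl)

def ssh_handshake(sg, acl, client_ip, client_port):
    """Walk the SYN and the SYN-ACK through both layers; report the first drop ('' if none)."""
    syn = Packet("inbound", "tcp", client_ip, client_port, VSI_IP, 22)
    syn_ack = Packet("outbound", "tcp", VSI_IP, 22, client_ip, client_port)
    for pkt in (syn, syn_ack):
        layers = [("acl", acl), ("sg", sg)]  # inbound: subnet ACL, then instance SG (assumed order)
        if pkt.direction == "outbound":
            layers.reverse()                 # outbound: instance SG, then subnet ACL
        for name, layer in layers:
            if not layer.permits(pkt):
                return False, f"{pkt.direction} {name}"
    return True, ""

def open_to_internet(rule):  # weak setting: port 22 admitted from any source address
    return ip_network(rule.remote).prefixlen == 0 and rule.port_min <= 22 <= rule.port_max
```

With only the inbound ACL rule, `ssh_handshake(*lab_rules(False), "203.0.113.10", 51234)` reports the SYN-ACK dropped at the outbound ACL even though the security group let it through on the tracked flow; adding the outbound rule makes the handshake complete. Passing `OPERATOR_CIDR` as the remote keeps the same behaviour for operators while a client outside that range is stopped at the inbound ACL, and `open_to_internet` flags the `0.0.0.0/0` variant of the security group rule.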