Tuesday, May 26, 2026

Create a Private Compute Instance and Access It Through Bastion Host

In cloud environments, compute instances do not always need public IP addresses. For better security, application servers, database servers, and internal workloads are usually placed in a private subnet. These private compute instances are not directly accessible from the internet.

Oracle Cloud Infrastructure provides OCI Bastion service to securely access private resources without exposing them through a public IP address. Bastion provides controlled and time bound SSH access to private compute instances.

In this article, we will create a private compute instance in OCI and access it using the OCI Bastion service. The OCI services and resources involved are: Virtual Cloud Network, private subnet, compute instance, Bastion service, Security List or Network Security Group, and an SSH key pair.

Before starting the configuration, the following items should be available:

OCI tenancy access
Required compartment
Permission to create networking resources
Permission to create compute instance
Permission to create Bastion
SSH key pair

For this article, we will use a Linux compute instance and SSH access.

Step 1 : Create VCN

First, we need a Virtual Cloud Network.

From the OCI Console, navigate to:

Networking → Virtual Cloud Networks

Create a VCN with the required CIDR block.

Example:

VCN Name: PrivateAccessVCN
CIDR Block: 10.0.0.0/16

For a simple setup, the VCN can be created with the internet connectivity option.


Since the compute instance will be private, the subnet used for the instance does not need to assign public IP addresses.

Example:

Subnet Name: PrivateSubnet
CIDR Block: 10.0.1.0/24
Subnet Type: Regional
Public IP Assignment: Disabled

The important point is that the subnet should not allow public IP assignment. This ensures compute instances launched in this subnet remain private.

Review Route Table

For this Bastion Managed SSH setup, the private compute instance does not need a public IP address. The VCN or subnet should, however, have a valid route through a Service Gateway or NAT Gateway so that the Oracle Cloud Agent and its Bastion plugin can reach the required OCI services.

If the private compute instance also needs to access OCI services or package repositories, one of the following options is required:

Service Gateway for OCI services
NAT Gateway for outbound internet access

For this article, our focus is only on SSH access through Bastion.

Configure Security Rules

The private compute instance should allow SSH traffic from the Bastion service.

The required SSH port is:

TCP 22

The source can be controlled using a security list or Network Security Group.

For a simple lab, we can allow SSH traffic from the VCN CIDR or a more specific CIDR range.

Example ingress rule:

Source CIDR: 10.0.0.0/16
IP Protocol: TCP
Destination Port: 22

In production, more restrictive rules should be used wherever possible.

Create Private Compute Instance

Now create a compute instance in the private subnet.

Navigate to:

Compute → Instances → Create Instance

Use the following sample values:

Name: private-linux-instance
Image: Oracle Linux
Shape: VM.Standard.E2.1.Micro or available trial shape

On the Basic information page, make sure the Oracle Cloud Agent Bastion plugin is enabled. Otherwise, an API error occurs when creating a Bastion session for this compute instance.


VCN: PrivateAccessVCN
Subnet: PrivateSubnet
Public IP: No public IP
SSH Key: Upload or paste public SSH key

After the instance is created, note down the private IP address.

Example:

Private IP: 10.0.1.112

This private IP will be used while creating the Bastion session.

Create Bastion

Now we will create the Bastion service.

Navigate to:

Identity & Security → Bastion

Create a new Bastion.

Example:

Bastion Name: PrivateInstanceBastion (note that the Bastion name allows only alphanumeric characters)
Target VCN: PrivateAccessVCN
Target Subnet: PrivateSubnet

The Bastion should be created in the same VCN and subnet path where it can reach the private compute instance.

During Bastion creation, we need to provide a CIDR block for allowed client access.

Example:

Client CIDR Block Allowlist: <our public IP>/32

This controls which public IP addresses are allowed to create and use Bastion sessions.

If OCI Cloud Shell is used, the access behavior may differ because Cloud Shell does not always use the same public IP. For local access, using the current public IP with /32 is a more controlled option.

Create Bastion Session

After the Bastion is created, create a session.

Open the Bastion and select:

Create Session

Choose the session type:

Managed SSH Session

Select the target compute instance.

If the instance is not listed, we can use the private IP address option depending on the console flow.

Target Resource: private-linux-instance
Target OS Username: opc
SSH Public Key: Public key used for session

For Oracle Linux images, the common username is:

opc

The Bastion session will be created with a limited lifetime.

If the Bastion plugin is not enabled on the compute instance, session creation fails with an API error.

In that case, enable the Bastion plugin on the compute instance: Compute Instance page → Management → Oracle Cloud Agent.

After enabling the plugin, the plugin may initially show as stopped. We can wait for a few minutes and refresh the Oracle Cloud Agent page. If it remains stopped, the subnet route, egress rule, gateway configuration, and Oracle Cloud Agent status should be validated.


Copy SSH Command

After the session is created, OCI provides an SSH command.

The command usually includes a proxy command through the Bastion session.

It may look similar to this:

ssh -i <private_key_file> -o ProxyCommand="ssh -i <private_key_file> -W %h:%p -p 22 <bastion_session_ocid>@host.bastion.<region>.oci.oraclecloud.com" opc@<private_ip>

We need to replace:

<private_key_file>
<private_ip>
<region>

with the correct values.
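The same ProxyCommand can be kept in the local SSH client configuration instead of being retyped for every connection. The block below is an added example and not part of the original article; the Host alias private-linux-instance is an assumed name, and the angle-bracket placeholders are the same ones the article uses. IdentitiesOnly stops the client from offering every key in the agent to the Bastion endpoint, and the session OCID line must be updated whenever a new (time-bound) Bastion session is created.

```ssh_config
# ~/.ssh/config (added example; placeholders must be replaced with real values)
Host private-linux-instance
    HostName <private_ip>
    User opc
    Port 22
    IdentityFile <private_key_file>
    IdentitiesOnly yes
    # Tunnel through the Bastion session; the session OCID changes for every new session
    ProxyCommand ssh -i <private_key_file> -o IdentitiesOnly=yes -W %h:%p -p 22 <bastion_session_ocid>@host.bastion.<region>.oci.oraclecloud.com
```

With this in place, "ssh private-linux-instance" performs the same two-hop connection as the command OCI generates for the session.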

Connect to Private Instance

Run the SSH command from the local terminal.

If the SSH key and Bastion session are correct, the login should be successful.

After login, we can confirm the hostname and private IP.

hostname
ip addr

This confirms that we have connected to the private compute instance through OCI Bastion.

Points to Note:

· OCI Bastion does not require us to create and manage a jump server.
· Bastion sessions are temporary and time-bound.
· The compute instance does not need a public IP address.
· Access can be limited using the client CIDR allowlist.
· SSH access can be controlled using IAM, security rules, and session duration.
· This makes Bastion a safer access pattern compared to exposing SSH directly to the internet.


Monday, May 25, 2026


Send Email Notification When Object Is Uploaded to OCI Object Storage

In cloud environments, Object Storage is commonly used as a landing zone for files, documents, logs, reports, images, and application data. Once a file is uploaded, teams often need an alert so that the next process can begin: a manual review, downstream processing, file validation, or simply an operational notification. The requirement is to be alerted when an object is uploaded to a bucket.

Oracle Cloud Infrastructure provides a simple event-driven approach for this requirement. We can use OCI Object Storage, OCI Events, and OCI Notifications to send an email whenever a new object is uploaded to a bucket.

In this article, we will configure an automated email notification flow. When a file is uploaded to an Object Storage bucket, OCI Events will detect the object creation event and send an email through OCI Notifications. The OCI services used are OCI Object Storage, OCI Events, and OCI Notifications.

OCI Object Storage is used to store the uploaded files.

OCI Events is used to detect the object upload activity.

OCI Notifications is used to send the email alert.

This is a serverless notification pattern. We do not need to manage any compute instance, scheduler, or custom polling script.

Prerequisites

Before starting the configuration, the following items should be available:

OCI tenancy access
Required compartment
Permission to create Object Storage bucket
Permission to create Notification topic
Permission to create Events rule
Valid email address for subscription

For this article, we will use a simple Object Storage bucket and one email subscription.

Create Object Storage Bucket

We will start by creating an Object Storage bucket.

From the OCI Console, we can navigate to Object Storage and create a new bucket in the required compartment.


Example bucket name:

object-upload-notification-bucket

The default bucket settings can be used for this activity. Once the bucket is created, it will be used as the source for upload events.

Enable Object Events for the Bucket

After creating the bucket, object events must be enabled for the bucket.

This is an important step. If object events are not enabled, OCI Events will not receive object-level activities from the bucket.

On the bucket's console page, this setting is available under the bucket details.

We can edit the bucket and enable:

Emit Object Events

After enabling this option, Object Storage can publish events when objects are created, updated, or deleted.

Create Notification Topic

Next, we will create a Notification topic. Navigate to Developer Services → Application Integration → Notifications.

The Notification topic acts as the target for the Events rule. When the Events rule matches an object upload event, it sends the message to this topic.


Example topic name:

object-upload-email-topic

After the topic is created, it will be used as the action target in the Events rule.

Create Email Subscription

After creating the topic, we need to add an email subscription.

The subscription has multiple protocols; in this article we use Email. The email address should be the recipient address where upload alerts need to be sent.

Once the subscription is created, OCI sends a confirmation email to the recipient. The subscription remains in pending status until the confirmation link is accepted.

The email subscription must be confirmed before notifications can be received.

After confirmation, the subscription status changes to active.

Create Events Rule

Now we will create an Events rule.

The Events rule is responsible for capturing the Object Storage upload event and triggering the Notification topic.

From the OCI Console, navigate to the Events Service through Observability & Management → Events Service → Rules, and create a new rule.

Example rule name:

object-upload-email-rule

The rule condition should match the Object Storage object creation event.

The event type should be related to:

Object Storage - Create Object

This event is generated when a new object is uploaded into Object Storage.

To keep the rule specific, we can also add a condition for the bucket name. This helps us avoid sending alerts for every bucket in the compartment.

Example condition:

bucketName = object-upload-notification-bucket

This means the rule will only match object upload events from this specific bucket.
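In the console the condition is built with the event type and attribute filters, and OCI Events stores it as a JSON matching expression. The fragment below is an added example of that expression for the rule described above, not a screenshot from the article: it matches only the Object Storage create-object event type and only when the bucketName attribute equals the example bucket. Every value is a list, because a rule condition can accept several alternatives per field.

```json
{
  "eventType": ["com.oraclecloud.objectstorage.createobject"],
  "data": {
    "additionalDetails": {
      "bucketName": ["object-upload-notification-bucket"]
    }
  }
}
```

Keeping the bucket filter in the condition, rather than only on the subscriber side, means events from other buckets in the compartment never reach the topic at all.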

Configure Rule Action

After defining the rule condition, we need to configure the action.

The action type should be:

Notifications

The target topic should be:

object-upload-email-topic

Once the rule is created, OCI Events will monitor object creation events and send matching events to the Notification topic.

Upload Test File

After the Events rule is created, we can test the setup by uploading a file to the Object Storage bucket.

Example file name:

Sample_test.txt

Once the file is uploaded, Object Storage emits a create object event. OCI Events evaluates the event and sends it to the Notification topic. The subscribed email address receives the alert.

In most cases, the email is delivered within a short time. A small delay is normal.

Validate Email Notification

After the test file is uploaded, we can check the subscribed email inbox.

The notification email usually contains event details in JSON format. The message includes useful information such as:

eventType
eventTime
compartmentId
bucketName
objectName
namespace
resourceName

The most important values for this use case are:

bucketName
objectName
eventType
eventTime

These values confirm which object was uploaded and when the event occurred.
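The fields listed above can be pulled out of the notification body automatically, for example by a mailbox rule or a small ticketing hook, so that a human does not have to read raw JSON. The following Python is an added example, not code from the article: it parses a constructed sample payload modelled on the field names the article lists (the OCID, namespace and event ID values are hypothetical placeholders), accepts only create-object events for the expected bucket, and ignores anything else, such as the plain-text subscription confirmation email or a delete event if the rule is later widened.

```python
import json
from datetime import datetime
from typing import Optional

# Constructed sample notification payload (not captured from a real tenancy).
# Field layout follows the attributes the article lists: eventType, eventTime,
# compartmentId, bucketName, objectName/resourceName and namespace.
SAMPLE_CREATE_EVENT = json.dumps({
    "eventType": "com.oraclecloud.objectstorage.createobject",
    "cloudEventsVersion": "0.1",
    "eventTypeVersion": "2.0",
    "source": "ObjectStorage",
    "eventTime": "2026-05-25T10:15:30Z",
    "contentType": "application/json",
    "data": {
        "compartmentId": "ocid1.compartment.oc1..<placeholder>",
        "resourceName": "Sample_test.txt",
        "resourceId": "/n/<namespace>/b/object-upload-notification-bucket/o/Sample_test.txt",
        "additionalDetails": {
            "bucketName": "object-upload-notification-bucket",
            "namespace": "<namespace>",
        },
    },
    "eventID": "<event-id-placeholder>",
})

# Same constructed payload with a different event type, to show the filter rejecting it.
_delete_event = json.loads(SAMPLE_CREATE_EVENT)
_delete_event["eventType"] = "com.oraclecloud.objectstorage.deleteobject"
SAMPLE_DELETE_EVENT = json.dumps(_delete_event)

EXPECTED_BUCKET = "object-upload-notification-bucket"
CREATE_OBJECT_EVENT = "com.oraclecloud.objectstorage.createobject"


def parse_upload_event(raw: str, expected_bucket: str = EXPECTED_BUCKET) -> Optional[dict]:
    """Return the fields that matter for the upload alert, or None when the
    message is not a create-object event for the expected bucket."""
    try:
        event = json.loads(raw)
    except json.JSONDecodeError:
        return None  # not JSON, e.g. the subscription confirmation email
    if event.get("eventType") != CREATE_OBJECT_EVENT:
        return None  # updates/deletes are not uploads
    data = event.get("data", {})
    details = data.get("additionalDetails", {})
    bucket = details.get("bucketName")
    if bucket != expected_bucket:
        return None  # the Events rule should filter this already; check again here
    # eventTime is ISO 8601 with a trailing Z; convert it to an aware datetime
    event_time = datetime.fromisoformat(event["eventTime"].replace("Z", "+00:00"))
    return {
        "eventType": event["eventType"],
        "eventTime": event_time,
        "compartmentId": data.get("compartmentId"),
        "bucketName": bucket,
        "namespace": details.get("namespace"),
        "objectName": data.get("resourceName"),
    }


if __name__ == "__main__":
    print(parse_upload_event(SAMPLE_CREATE_EVENT))
    print(parse_upload_event(SAMPLE_DELETE_EVENT))
```

The bucket check is deliberately repeated on the consumer side: if someone later edits the Events rule and drops the bucketName condition, alerts for unrelated buckets are still ignored rather than acted on.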

Sample Notification Payload

The email message may include an event payload similar to the following:

This payload confirms that the uploaded object triggered the event successfully.
