Is an OCI Bastion useful without a NAT on the free tier?

user-7iuyy, Jul 6 2023

Oracle Cloud Free Tier generously provides 5 OCI Bastions for free: https://www.oracle.com/uk/cloud/free/#always-free. Sadly a NAT gateway is not included in the free tier, which likely leads to most instances getting set up with public IP addresses for egress via an Internet Gateway. At the same time, their SSH servers will become exposed, with the default security list permitting ingress to port 22.

Given Internet-connected machines in a NAT-less setup: is it possible to create a setup where an OCI Bastion is useful for not publicly exposing an instance's SSH server?

I had two ideas:

  1. Use the firewall to allow ingress to the SSH server from the IP addresses that the OCI Bastion operates from. The issue with this is that I cannot find documentation on what that range is.
  2. Position the instance on two networks: one with Internet egress and no ingress (firewall enforced); another with no Internet connectivity but through which OCI Bastion connections run. The SSH server is set up for connections on the latter interface only. I have a nasty suspicion that a Service Gateway (not free tier) might be required on the second network though?

I'd be happy to receive any advice or ideas.
