
Sunday, 7 June 2026

How to connect to Private instance from Local Machine - OCI

 
Scenario :-

1. Windows machine (the local machine)
2. Public Instance - 130.61.175.208 -- connect to this first (it acts as the Bastion Host)
3. Private Instance - 192.168.20.80 -- how can we connect to it?



Windows location: C:\Users\amit\Desktop\Keys>

For example, below is the scenario I am trying to perform.

Before starting this activity, let's generate an OpenSSH-format private key.


Part 1 :-

Step: Use the correct OpenSSH private key
If am_private_key.ppk is your actual private key, convert it to OpenSSH format with PuTTYgen:

  1. Open PuTTYgen on your computer.
  2. Click Load and select your am_private_key.ppk file.
  3. Go to the top menu and click Conversions -> Export OpenSSH key.
  4. Save the file in your C:\Users\amit\Desktop\Keys folder as am_openssh.key (make sure not to add .txt).



Part 2:- 

C:\Users\amit\Desktop\Keys>
C:\Users\amit\Desktop\Keys>
C:\Users\amit\Desktop\Keys>ssh -i am_openssh.key opc@130.61.175.208

Last login: Sun Jun  7 04:31:12 2026 from 150.129.159.205
[opc@public-instance-vm2 ~]$
[opc@public-instance-vm2 ~]$
[opc@public-instance-vm2 ~]$ hostname -i
192.168.10.57
[opc@public-instance-vm2 ~]$
[opc@public-instance-vm2 ~]$
[opc@public-instance-vm2 ~]$ hostname
public-instance-vm2






Part 3:- 

Syntax:-
ssh -i <key> -o ProxyCommand="ssh -W %h:%p -i <key> opc@<Public_IP>" opc@<Private_IP>

ssh -i am_openssh.key -o ProxyCommand="ssh -W %h:%p -i am_openssh.key opc@130.61.175.208" opc@192.168.20.80



C:\Users\amit\Desktop\Keys>
C:\Users\amit\Desktop\Keys>ssh -i am_rsa_ssh.key -o ProxyCommand="ssh -W %h:%p -i am_rsa_ssh.key opc@130.61.175.208" opc@192.168.20.80
Load key "am_rsa_ssh.key": invalid format
opc@130.61.175.208: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
Connection closed by UNKNOWN port 65535
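The "invalid format" error above is what OpenSSH prints when it is handed a PuTTY .ppk file instead of the key exported in Part 1. The following shell script is an added example, not part of the original post: it classifies a key file by its header and only then builds the ProxyCommand line from Part 3, so the wrong file is caught before any connection attempt. The key files and their contents are constructed placeholders; the IPs are the ones from the scenario.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight check of the key file
# before building the bastion ProxyCommand, so a PuTTY .ppk is reported up front
# instead of failing with 'Load key ... invalid format'.

# Classify a private key file by its first line.
# Prints one of: openssh | pem | putty | unknown
key_format() {
    [ -r "$1" ] || { echo unknown; return 0; }
    first=$(head -n 1 "$1")
    case "$first" in
        "-----BEGIN OPENSSH PRIVATE KEY-----") echo openssh ;;
        "-----BEGIN RSA PRIVATE KEY-----"|"-----BEGIN EC PRIVATE KEY-----") echo pem ;;
        PuTTY-User-Key-File-*) echo putty ;;
        *) echo unknown ;;
    esac
}

# Build the jump command from Part 3 (bastion public IP -> private IP).
# Prints the command, or prints an error and returns 1 if OpenSSH cannot load the key.
jump_cmd() {
    key=$1; bastion=$2; target=$3; user=${4:-opc}
    case "$(key_format "$key")" in
        openssh|pem) ;;
        putty) echo "error: $key is a PuTTY .ppk; export it from PuTTYgen as an OpenSSH key" >&2; return 1 ;;
        *)     echo "error: $key is not a recognised private key file" >&2; return 1 ;;
    esac
    printf 'ssh -i %s -o ProxyCommand="ssh -W %%h:%%p -i %s %s@%s" %s@%s\n' \
        "$key" "$key" "$user" "$bastion" "$user" "$target"
}

# Constructed sample key files: headers only, no real key material.
tmp=$(mktemp -d)
printf 'PuTTY-User-Key-File-3: ssh-rsa\n' > "$tmp/am_rsa_ssh.key"
printf -- '-----BEGIN OPENSSH PRIVATE KEY-----\n' > "$tmp/am_openssh.key"

jump_cmd "$tmp/am_rsa_ssh.key" 130.61.175.208 192.168.20.80 || echo "rejected as expected"
jump_cmd "$tmp/am_openssh.key" 130.61.175.208 192.168.20.80   # prints the usable command
```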

C:\Users\amit\Desktop\Keys>
C:\Users\amit\Desktop\Keys>
C:\Users\amit\Desktop\Keys>
C:\Users\amit\Desktop\Keys>ssh -i am_openssh.key -o ProxyCommand="ssh -W %h:%p -i am_openssh.key opc@130.61.175.208" opc@192.168.20.80

The authenticity of host '192.168.20.80 (<no hostip for proxy command>)' can't be established.
ED25519 key fingerprint is SHA256:9x2S8tMspKzqbDO3/Jigq1EGit/tPpT5oujTqe8o9ZM.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.20.80' (ED25519) to the list of known hosts.
[opc@private-instance-vm2 ~]$
[opc@private-instance-vm2 ~]$
[opc@private-instance-vm2 ~]$ hostname
private-instance-vm2
[opc@private-instance-vm2 ~]$
[opc@private-instance-vm2 ~]$ hostname -i
192.168.20.80
[opc@private-instance-vm2 ~]$
[opc@private-instance-vm2 ~]$
[opc@private-instance-vm2 ~]$ ifconfig -a
enp0s6: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 9000
        inet 192.168.20.80  netmask 255.255.255.0  broadcast 192.168.20.255
        inet6 fe80::200:17ff:fe01:b141  prefixlen 64  scopeid 0x20<link>
        ether 00:00:17:01:b1:41  txqueuelen 1000  (Ethernet)
        RX packets 7853  bytes 2378714 (2.2 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 14006  bytes 1160205 (1.1 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 133  bytes 10908 (10.6 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 133  bytes 10908 (10.6 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0


Interview Question

Q: Why use ProxyCommand or a Bastion Host in OCI?

Answer:
Private instances do not have public IP addresses and cannot be accessed directly from the internet. A Bastion/Jump Host located in a public subnet is used to securely relay SSH connections from administrators to private instances inside the VCN. This improves security by avoiding direct internet exposure of private servers.



SSH Key Rotation for OCI Private Instance Access


ssh-keygen -t rsa -b 2048 -f ~/.ssh/mykey


[opc@public-instance-vm2 .ssh]$ ssh-keygen -t rsa -b 2048 -f ~/.ssh/mykey
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/opc/.ssh/mykey
Your public key has been saved in /home/opc/.ssh/mykey.pub
The key fingerprint is:
SHA256:pRzjy06R4RDfHR3NUvj76tUFsXmyaQCwf5oQYbWgtHA opc@public-instance-vm2
The key's randomart image is:
+---[RSA 2048]----+
|    . E =oo ..o*.|
|     + * = + .++o|
|      + B + o =o.|
|       = X   . *.|
|        S . . + o|
|       . + + . .o|
|        + o     +|
|       o       ..|
|        .    .o. |
+----[SHA256]-----+


This generates a key pair: mykey (the private key) and mykey.pub (the public key).


[opc@public-instance-vm2 .ssh]$ ls -lrt
total 20
-rw-------. 1 opc opc  400 Jun  6 15:53 authorized_keys
-rw-r--r--. 1 opc opc  400 Jun  6 17:50 mykey.pub_bkup
-rw-r--r--. 1 opc opc  378 Jun  7 04:26 authorized_keys_bkp1
-rw-r--r--. 1 opc opc  405 Jun  7 07:04 mykey.pub -----------------------------> 1
-rw-------. 1 opc opc 1831 Jun  7 07:04 mykey     -----------------------------> 2

I have created the key pair, but I cannot yet log in to the private instance with it, because the new public key has not been added to the private instance.

Now I will open my public key (am_public_key.pub) and replace it with mykey.pub.

[opc@public-instance-vm2 .ssh]$
[opc@public-instance-vm2 .ssh]$ vi mykey.pub
[opc@public-instance-vm2 .ssh]$
[opc@public-instance-vm2 .ssh]$


Now I will open my private key (am_openssh.key) and replace it with mykey, which is the private key.

Let's test it.

Private_Instance_VM2 is running at 192.168.20.80.

ssh -i mykey opc@192.168.20.80


[opc@public-instance-vm2 .ssh]$ vi mykey
[opc@public-instance-vm2 .ssh]$ ssh -i mykey opc@192.168.20.80
The authenticity of host '192.168.20.80 (192.168.20.80)' can't be established.
ED25519 key fingerprint is SHA256:9x2S8tMspKzqbDO3/Jigq1EGit/tPpT5oujTqe8o9ZM.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.20.80' (ED25519) to the list of known hosts.
Last login: Sun Jun  7 05:26:12 2026 from 192.168.10.57
[opc@private-instance-vm2 ~]$
[opc@private-instance-vm2 ~]$


Now I am able to connect to the private instance from the public instance.


[opc@private-instance-vm2 ~]$
[opc@private-instance-vm2 ~]$ ping google.com
PING google.com (142.251.110.139) 56(84) bytes of data.
64 bytes from bz-in-f139.1e100.net (142.251.110.139): icmp_seq=1 ttl=113 time=1.60 ms
64 bytes from bz-in-f139.1e100.net (142.251.110.139): icmp_seq=2 ttl=113 time=1.28 ms
64 bytes from bz-in-f139.1e100.net (142.251.110.139): icmp_seq=3 ttl=113 time=1.30 ms
^C64 bytes from bz-in-f139.1e100.net (142.251.110.139): icmp_seq=4 ttl=113 time=1.28 ms

--- google.com ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3005ms
rtt min/avg/max/mdev = 1.283/1.366/1.601/0.135 ms
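For the rotation above to work, the new public key has to be present in ~/.ssh/authorized_keys on the private instance before the old key is removed, otherwise the next login fails. The script below is an added example, not part of the original post: it backs up authorized_keys (as the listing above does with authorized_keys_bkp1), appends the new public key only if it is missing, and refuses to retire a key when it is the last one left. The key strings and file paths are constructed samples.

```shell
#!/bin/sh
# Added example (not from the original post): lock-out-safe rotation of a key in
# authorized_keys. Order matters: add the new public key, confirm the new private
# key logs in, and only then retire the old one.

# Append a public key line unless it is already present; keep a backup first.
add_pubkey() {                      # $1 = authorized_keys path, $2 = public key line
    cp -p "$1" "$1.bkp.$(date +%Y%m%d%H%M%S)"
    grep -qF -- "$2" "$1" || printf '%s\n' "$2" >> "$1"
    chmod 600 "$1"
}

# Number of active key lines (blank lines and '#' comments do not count).
key_count() {
    { grep -cE '^[^#[:space:]]' "$1" || true; }
}

# Remove a public key line, refusing if it is the only key in the file.
retire_pubkey() {                   # $1 = authorized_keys path, $2 = public key line
    if [ "$(key_count "$1")" -le 1 ]; then
        echo "refusing: removing the last key would lock you out of $1" >&2
        return 1
    fi
    grep -vF -- "$2" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
    chmod 600 "$1"
}

# Walk through a rotation on a constructed authorized_keys (no real key material).
OLD='ssh-rsa AAAAB3NzaC1yc2E-OLD-CONSTRUCTED opc@public-instance-vm2'
NEW='ssh-rsa AAAAB3NzaC1yc2E-NEW-CONSTRUCTED opc@public-instance-vm2'
d=$(mktemp -d); f="$d/authorized_keys"
printf '%s\n' "$OLD" > "$f"; chmod 600 "$f"

retire_pubkey "$f" "$OLD" || echo "old key kept: it is still the only key"
add_pubkey "$f" "$NEW"              # two keys now; verify 'ssh -i mykey' at this point
retire_pubkey "$f" "$OLD"           # new key confirmed working, so drop the old one
echo "active keys: $(key_count "$f")"
```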


