Access OCI Compute Instance in Private Subnet with OCI Cloud Shell

There are several options for securely accessing OCI compute instances located in a VCN’s private subnet. The efficient option is the OCI’s Bastion service. Another secure and faster option is using Oracle OCI Cloud Shell. In this blog, we will cover the steps to use OCI Cloud Shell.

Prerequisites:

- An Oracle cloud fee trial or paid account.

- OCI VCN with private subnet.

- OCI compute instance located in a VCN’s private subnet with API RSA private key.

The Oracle Cloud Shell is a web browser-based terminal in the OCI Console that provides access to a Linux shell, with a pre-authenticated OCI Command Line Interface (CLI). It includes a Network Private Access feature. This feature allows you to create an endpoint in private subnet. This endpoint is governed by the rules in the private subnet’s Security Lists.

Restrictions:

- This feature is supported only in the tenancy’s home region. However, with Regular Remote Peering connections you can extend the accessibility to other regions. 

Step #1: Launch Cloud Shell and configure the Private Network Access

1. Navigate to "Cloud Shell" under 'Developer tools' next to your Home Region.

2. In the Cloud Shell menu, “Network:Public” > “Private Network Definition List”.

3. In “Private Network Definition List” screen, click “Create Private Network Definition”.

4. In “Create Private Network Definition” screen, provide a name, select VCN and private subnet where OCI compute instance is located, then click “Create”.

Now, OCI Cloud Shell is connected to private subnet using new created private network definition.

Step #2: Connect to OCI Compute Instance

1. In Cloud Shell command line, change directory to “.ssh”, create a file and past the contents of compute instance’s API private key.

2. SSH to compute instance using compute instance private IP.

You are now connected to the Compute Instance in the Private Subnet!