If you have private networking enabled, you may use it to expose some servers to the Internet while limiting access to others on the private network. For example, you may want your web server exposed on port 80 or 443 while keeping your database access restricted to only the private network. One complication of this configuration is how to access your private instances without a floating IP address. The answer to that is to use a jump host.
How it works
A jump (or bastion) host acts as a middleman for all traffic to your non-public instances. It is easy to set up using SSH and its configuration options.
The first thing you want to do is to make sure you have an instance running with a floating IP address. This could be any DreamCompute instance with a floating IP, but you’d typically use a dedicated jump host or your web server. Ensure you can SSH into that machine with your SSH key. View the following article for instructions on how to upload a public key to your DreamCompute dashboard:
Configuring a jump host in DreamCompute
The following configuration shows an SSH config file (~/.ssh/config) on a local machine so that it can connect first to a jump host called “jump”. Change $username to the default user for your image.
Instances created before October 5th, 2016 will continue to have “dhc-user” as the default user, except for CoreOS, which will have “core” as the default user. View the following article for instructions on how to find the default user of an image:
- Enter the following. Replace “X.X.X.X” with the floating IP address for your instance in the HostName option. Also make sure IdentityFile points at the private key that matches the public key you uploaded (ssh_config does not accept a comment after an option on the same line, so the reminder sits on its own line):

    Host jump
        # Replace with your Floating IP Address
        HostName X.X.X.X
        User $username
        # Private key; a .pub path here only works if the private key is loaded in ssh-agent
        IdentityFile ~/.ssh/id_rsa
- Ensure you can log into your jump host with SSH:
[user@localhost]$ ssh jump
- Once you verify that it works, update the SSH config so that SSH connections from your machine to any address on the private DreamCompute network (10.10.10.* in this example) are relayed through the jump host. Add the following:

    Host 10.10.10.*
        ProxyCommand ssh jump -W %h:%p
        User $username
        IdentityFile ~/.ssh/dreamcompute.pem
This example uses a different key for the private instances than for the jump host. Because the jump host only relays the connection, both private keys stay on your local machine and the jump host never needs a copy of the key for the other instances, which adds a layer of security.
The -W option makes the proxy ssh process forward its standard input and output, over the connection to the jump host, to the specified host and port, so your local client authenticates directly to the private instance through that relay. On OpenSSH 7.3 and later, ProxyJump jump is an equivalent shorthand.
To connect to your private instances from a local machine, SSH to the private IP:
[user@localhost]$ ssh 10.10.10.5
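To see which Host block ssh will apply to a given destination and to check the key-separation point above, here is an added Python example (not from the article or DreamHost) that resolves a config the way ssh does, first match per option, and flags a config that reuses the jump key or names a .pub file; 203.0.113.10, dhc-user and the file names in the sample config are assumed placeholders.

```python
import fnmatch
# Constructed sample ~/.ssh/config mirroring the article's two Host blocks (203.0.113.10 is a placeholder floating IP).
SAMPLE_CONFIG = """
Host jump
    # Replace with your floating IP address
    HostName 203.0.113.10
    User dhc-user
    IdentityFile ~/.ssh/id_rsa
Host 10.10.10.*
    ProxyCommand ssh jump -W %h:%p
    User dhc-user
    IdentityFile ~/.ssh/dreamcompute.pem
"""
def parse_config(text):
    """(patterns, {option: value}) blocks in file order; Match and '!' negation not modelled."""
    blocks, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # comments take a whole line in ssh_config
            continue
        parts = line.split(None, 1)
        key, value = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
        if key == "host":
            current = (value.split(), {})
            blocks.append(current)
        elif current is not None:
            current[1].setdefault(key, value)   # first value in a block wins

    return blocks

def resolve(text, dest, port=22):
    """Effective options for dest: the first matching block sets each option, as ssh does."""
    effective = {}
    for patterns, opts in parse_config(text):
        if any(fnmatch.fnmatchcase(dest, p) for p in patterns):
            for k, v in opts.items():
                effective.setdefault(k, v)
    if "proxycommand" in effective:   # expand the %h / %p tokens the way ssh would
        effective["proxycommand"] = (effective["proxycommand"]
                                     .replace("%h", dest).replace("%p", str(port)))
    return effective

def key_separation_issues(text, jump="jump", private="10.10.10.5"):
    """Flag a shared jump/private key, or a .pub path where ssh needs the private key."""
    jump_key = resolve(text, jump).get("identityfile")
    priv_key = resolve(text, private).get("identityfile")
    issues = []
    if jump_key and jump_key == priv_key:
        issues.append("jump host and private instances share " + jump_key)
    issues += [k + " is a public key; IdentityFile needs the private key"
               for k in (jump_key, priv_key) if k and k.endswith(".pub")]
    return issues
```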