Access database through bastion hosts
— devops, bastion, ssh — 1 min read
A bastion host is a special-purpose computer on a network specifically designed and configured to withstand attacks, so named by analogy to the military fortification. The computer generally hosts a single application or process, for example a proxy server or load balancer, and all other services are removed or limited to reduce the threat to the computer.
You can protect sensitive data stores from outside access by using a bastion host. Then the data is shielded by a firewall, and bastions are dedicated bridge machines that sit between the firewall and the outside world and only allow authorised users to tunnel through to the data.
If you use Google Cloud, you can use Google OS Login to manage access to the bastion hosts. This requires you to upload your SSH public key to Google.
Upload your SSH public key to Google Cloud
Get your SSH key pair ready. The public key is usually in ~/.ssh. If you don’t have one, generate a new key.
Install the gcloud CLI if you haven’t already, then authenticate it with Google by running gcloud auth login
Check whether you have already uploaded a key by running gcloud compute os-login ssh-keys list. If you have, you will see a list of uploaded keys:
FINGERPRINT  EXPIRY
8b1336...    2024-07-19T22:20:32Z
If you don’t have any uploaded key, add one:
gcloud compute os-login ssh-keys add \
  --project core \
  --key-file ~/.ssh/testkey.pub \
  --ttl 1y
Verify that your OS Login profile exists:
gcloud compute os-login describe-profile --project core
Create a tunnel
ssh -L <local_port>:localhost:<instance_port> <username>@<base_url>
Once it succeeds, point your database client at localhost:<local_port>. localhost will be the host name of your database instance, even though it’s not on your local network, because the local port is forwarded to the remote host. Note that the localhost in the middle of the -L argument is resolved on the bastion, not on your machine, so if the database runs on a separate instance behind the bastion, put that instance’s address there instead.
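The whole procedure as a small POSIX shell script, added here as an example and not part of the original post: it checks the output of the ssh-keys list command for a key whose expiry is still in the future, uploads one only if none is valid, verifies the OS Login profile and builds the tunnel command with the ports range-checked. The project name core and the key path ~/.ssh/testkey.pub are taken from the post’s commands; the assumption that a key listed without an expiry never expires is mine.

```shell
#!/bin/sh
# Added example: wraps the OS Login key check and the SSH tunnel from the post.
set -eu

PROJECT="${PROJECT:-core}"                      # project from the post's commands
KEY_FILE="${KEY_FILE:-$HOME/.ssh/testkey.pub}"  # public key from the post's commands

# Read 'gcloud compute os-login ssh-keys list' output on stdin and return 0
# only if at least one key is still valid. Expiry timestamps are ISO-8601 in
# UTC, so plain string comparison orders them correctly. A key listed with no
# expiry column is assumed (my assumption) to be non-expiring.
has_valid_key() {
  now=$(date -u +%Y-%m-%dT%H:%M:%SZ)
  awk -v now="$now" 'NR > 1 && NF >= 1 && ($2 == "" || $2 > now) { found = 1 }
                     END { exit !found }'
}

# Build the post's ssh -L command, refusing ports outside 1..65535.
# Usage: tunnel_cmd LOCAL_PORT INSTANCE_PORT USER BASTION
tunnel_cmd() {
  for p in "$1" "$2"; do
    case "$p" in
      ''|*[!0-9]*) return 1 ;;   # not a plain integer
    esac
    [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || return 1
  done
  # 'localhost' here is resolved on the bastion, i.e. the database must listen
  # on the bastion itself; use the database instance's address otherwise.
  printf 'ssh -L %s:localhost:%s %s@%s\n' "$1" "$2" "$3" "$4"
}

# Upload a key only when no valid one is listed, then check the profile exists.
# Needs the gcloud CLI, an authenticated session and network access.
ensure_os_login_key() {
  if ! gcloud compute os-login ssh-keys list --project "$PROJECT" | has_valid_key; then
    gcloud compute os-login ssh-keys add --project "$PROJECT" \
      --key-file "$KEY_FILE" --ttl 1y
  fi
  gcloud compute os-login describe-profile --project "$PROJECT" >/dev/null
}

# Run the full procedure only when invoked as: ./script.sh run
if [ "${1:-}" = "run" ]; then
  ensure_os_login_key
  tunnel_cmd 5432 5432 "$USER" bastion.example   # constructed placeholder host
fi
```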