Advanced Server Access gateways and bastions

Gateways are inserted at project ingress when you connect using SSH to a server on a project that has gateways enabled. To ensure that any combination of gateways and bastions that you use matches your networking requirements, it's useful to understand the connection ordering behavior between gateways and bastions. For example, you might have a single network bastion that you can't use as a gateway.

There are three general possibilities when using gateways and bastions:

Gateways without bastions

In this basic scenario, a gateway is always traversed before connecting to a server on a project where gateways are enabled.

Gateways with bastions configured in Advanced Server Access

The following situations may occur when you configure the Bastion option in the server agent configuration file. See Configure the Advanced Server Access server agent. These servers are considered to be bastions managed by Advanced Server Access because they aren't specified manually by users from the command line.

| Projects | Gateway requirements | Description |
| --- | --- | --- |
| Servers and bastion in same project | Both need a gateway | If the server and bastion both belong to a project that requires a gateway, the gateway is inserted before the bastion. Clients connect to the gateway, then the bastion, and then to the target server. |
| Servers and bastion in different projects | Server needs a gateway | The gateway is inserted between the bastion and the target server. The client connects to the bastion, then the gateway, and then to the target server. |
| Servers and bastion in different projects | Bastion needs a gateway | The gateway is inserted before the bastion. The client connects to the gateway, then the bastion, and then to the target server. |
| Servers and bastion in different projects | Both need a gateway | Gateways are inserted both before the bastion and before the server. The client connects to Gateway-1, then the bastion, then Gateway-2, and finally to the target server. In this example, only Gateway-2 records the session. |

Teams can configure the same server to function as Gateway-1 and Gateway-2. This can result in a cycle, if the gateway selectors for both projects allow it. This isn't harmful, but Okta recommends that teams configure projects to avoid unnecessary network hops.

Gateways with bastions configured using the command line

In addition to bastions that are automatically used by properly configuring the Advanced Server Access server agent, clients can specify bastions to use by using the --through or --bastion flags with the Advanced Server Access client. See Use the Advanced Server Access client.

The behavior of bastions configured using the command-line flags is the same as that for bastions that are configured in Advanced Server Access. Bastions specified using the command line are always added before bastions that were configured through their server agent configuration. For example, suppose you have BastionA, a bastion specified using the command line, and BastionB, a bastion specified through its server agent configuration. If you attempt to reach a target through both bastions, then the connection would go from the client to BastionA, then BastionB, and then to the target server. Depending on the project configuration, gateways would be inserted at project ingress.
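The following is an added example, not Okta's code, that models the ordering rules from the table above and from this section so that a team can check the hop chain a given project layout produces before relying on it. It assumes a per-project gateway selection (one gateway host per project, or none when gateways are disabled) and models only the target server's agent-configured bastion; host, project and gateway names are constructed. It also generalizes the page's four cases by inserting a gateway each time the path crosses into a gateway-enabled project, which is how it surfaces the shared-gateway cycle mentioned above.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence

# Constructed model of the hop ordering described above; host, project and
# gateway names are illustrative and not real Advanced Server Access objects.

@dataclass(frozen=True)
class Host:
    name: str
    project: str
    bastion: Optional["Host"] = None  # "Bastion" option in this server's agent config

def connection_path(target: Host, gateways: Dict[str, Optional[str]],
                    cli_bastions: Sequence[Host] = ()) -> List[str]:
    """Return the hops a client traverses, in order, to reach target.

    gateways maps a project name to the gateway host its selector picks,
    or None when the project has no gateways enabled.  Rules modelled:
      * bastions given on the command line (--through/--bastion) come first,
        followed by the bastion from the target's agent configuration;
      * a gateway is inserted at project ingress, i.e. immediately before the
        first hop in a project with gateways enabled, every time the path
        crosses into such a project (the client starts outside all projects).
    """
    hops: List[Host] = list(cli_bastions)
    if target.bastion is not None:
        hops.append(target.bastion)
    hops.append(target)

    path: List[str] = []
    current_project: Optional[str] = None
    for hop in hops:
        gateway = gateways.get(hop.project)
        if hop.project != current_project and gateway is not None:
            path.append(gateway)  # project ingress: the gateway comes first
        path.append(hop.name)
        current_project = hop.project
    return path

def repeated_hops(path: Sequence[str]) -> List[str]:
    """Hosts that appear more than once, e.g. one gateway serving both projects
    (the cycle the page says to avoid as an unnecessary network hop)."""
    seen, dups = set(), []
    for host in path:
        if host in seen and host not in dups:
            dups.append(host)
        seen.add(host)
    return dups
```

Running `connection_path` over each project layout you plan to deploy, and checking `repeated_hops` on the result, shows exactly which host is traversed in which order and whether the same gateway is being crossed twice.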
