Tunnels
Using Akeyless Connect
The Akeyless Secure Remote Access solution has a built-in Tunnel mode that lets native and thick clients reach remote hosts through Akeyless Bastions, with a complete audit trail.
Your local machine runs the Akeyless Connect CLI to open the tunnel; any thick client can then connect through it to a server inside your internal network via the Akeyless Bastion.
Prerequisites
Usage
Note
For security reasons, bind the forwarded local port only to the loopback interface (127.0.0.1), as in the examples below. A tunnel bound to 0.0.0.0 lets any host that can reach your machine use the tunnel under your identity. Use local port forwarding to reach the service that is listening on the remote server.
Connections made on the local machine to the forwarded port are, in effect, connections to the remote machine.
akeyless connect --target <user>@<targetserver> \
--via sra-bastion:2222 \
--tunnel='-L 127.0.0.1:<port>:<targetserver>:<port>' \
--cert-issuer-name "<Path/To/SSHCertIssuer>" \
--name "</Path/To/Secret>" \
--bastion-ctrl-proto <http|https>
Where:
- target (-t): The target resource, e.g. user@ssh-server[:port], us-east-2, mysql-server:3306, etc.
- via-bastion (--via / -v in the examples on this page): The Secure Remote Access Bastion host the connection goes through, e.g. ssh-sra-bastion:2222.
- tunnel (-T): SSH tunnel setting, e.g. -T='-L 127.0.0.1:<port>:127.0.0.1:<port>'.
- cert-issuer-name (-c): Optional if already configured in the akeyless-connect.rc file; otherwise provide the full path to the SSH Cert Issuer used to establish the connection to the bastion.
- name (-n): Full name of the secret item used to connect, i.e. a Dynamic or Rotated Secret (database, RDP, etc.), or a Static Secret that contains the credentials of the target system.
- command (-C): Command to execute on the target remote host (useful for non-interactive mode), e.g. -C='ls -al'.
- ssh-extra-args: Additional SSH arguments (except -i).
- bastion-ctrl-proto: Protocol used to reach the bastion's control endpoint, http or https, as shown in the command above.
RDP
To connect to a remote desktop server via the Akeyless Bastion from your local terminal, run the following command, then open your Remote Desktop client and connect to the localhost endpoint to reach your remote server.
akeyless connect -t <RDP User>@<RDP Host> \
-v sra-bastion:2222 \
--tunnel='-L 127.0.0.1:3389:<RDP Host>:3389' \
-c "<Path/To/SSHCertIssuer>" \
-n "/Path/To/RDP/Dynamic/Secret"
Once the tunnel is open, point your local RDP client at 127.0.0.1:3389; the session reaches the target server through the Akeyless Bastion.
K8s
To connect to a remote K8s cluster, you can use the Akeyless Tunnel together with a command that is executed on the remote target server, for example to start a proxy service on the remote K8s host:
akeyless connect -t <k8s.server.host> \
-n "/Path/To/K8s/Dynamic/Secret" \
-c "/Path/To/SSHCertIssuer" \
-v sra-bastion:2222 \
--bastion-ctrl-proto=https \
--tunnel="-L 127.0.0.1:5555:127.0.0.1:5555" \
--command="proxy -p 5555"
Lens
To work with the Lens K8s IDE, open Lens Settings > Proxy and set the proxy server to your localhost interface in the following format: http://127.0.0.1:5555.
You can now interact with your remote K8s API server through the tunnel. For example, to add a new cluster to Lens, use the following template:
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: <base-64-certificate>
server: http://127.0.0.1:5555
name: AKEYLESS_Lens_K8S
contexts:
- context:
cluster: AKEYLESS_Lens_K8S
user: AKEYLESS_Lens_K8S
name: AKEYLESS_Lens_K8S
current-context: AKEYLESS_Lens_K8S
kind: Config
preferences: {}
users:
- name: AKEYLESS_Lens_K8S
Where server points to your local proxy endpoint. The proxy speaks plain HTTP on that port, so anything that can reach 127.0.0.1:5555 on your machine talks to the cluster with the proxy's credentials; keep the local bind on 127.0.0.1 as shown.
SSH Tools
To work with your native SSH tools, you can run a local tunnel on your host:
akeyless connect -t <user>@<targetServer> \
-v <sra-bastion:2222> \
--tunnel='-L 127.0.0.1:<localPort>:<targetServer>:<targetPort>'
Then, any SSH client (such as SecureCRT, PuTTY, or the OpenSSH ssh command) can be used to establish connections to the remote targetServer. After running the above command to open the tunnel, open a connection in your SSH client to 127.0.0.1:localPort to reach your remote server.
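The Usage section above lists the `akeyless connect` flags and the Note asks that the forwarded port be bound only to the loopback interface; the SSH Tools section then relies on a second client reaching the tunnel once it is up. The wrapper below ties those pieces together: it builds the `-L` tunnel spec and refuses any bind address other than loopback, starts `akeyless connect` in the background, waits until the local port actually accepts connections, runs the thick client, and tears the tunnel down when the client exits. This is an added example written for this page, not code from Akeyless; it assumes a bash shell, that `akeyless connect` keeps running in the background while the tunnel is open, and that the target, bastion, secret and issuer names in the commented invocation are placeholders to replace with your own.

```bash
#!/usr/bin/env bash
# Added example (not Akeyless code): open an Akeyless tunnel bound to loopback
# only, wait for it, run a thick client through it, then close the tunnel.
set -eu

# Build the -L spec for --tunnel. Refuses bind addresses other than loopback,
# which is the check behind the page's "bind only to the local interface" note.
tunnel_spec() {
  local bind="$1" lport="$2" rhost="$3" rport="$4"
  case "$bind" in
    127.0.0.1|localhost|::1) ;;
    *) echo "refusing to bind tunnel on non-loopback address: $bind" >&2; return 1 ;;
  esac
  case "$lport" in
    ''|*[!0-9]*) echo "bad local port: $lport" >&2; return 1 ;;
  esac
  printf '%s %s:%s:%s:%s' '-L' "$bind" "$lport" "$rhost" "$rport"
}

# Poll 127.0.0.1:$1 until it accepts a TCP connection, trying at most $2 times
# one second apart. Uses bash's /dev/tcp, so no extra tools are needed.
wait_for_port() {
  local port="$1" tries="${2:-30}"
  while :; do
    if (exec 3<>"/dev/tcp/127.0.0.1/$port") 2>/dev/null; then
      return 0
    fi
    tries=$((tries - 1))
    [ "$tries" -gt 0 ] || return 1
    sleep 1
  done
}

# with_tunnel TARGET BASTION SECRET ISSUER LPORT RHOST RPORT CLIENT [ARGS...]
# Opens the tunnel, runs CLIENT against 127.0.0.1:LPORT, then kills the tunnel.
with_tunnel() {
  local target="$1" bastion="$2" secret="$3" issuer="$4"
  local lport="$5" rhost="$6" rport="$7"
  shift 7
  local spec
  spec=$(tunnel_spec 127.0.0.1 "$lport" "$rhost" "$rport") || return 1

  # Assumption: akeyless connect stays alive in the background for as long as
  # the forwarded port is needed (it is the process that holds the tunnel).
  akeyless connect -t "$target" -v "$bastion" -n "$secret" -c "$issuer" \
    --tunnel="$spec" &
  local pid=$!

  if ! wait_for_port "$lport" 30; then
    echo "tunnel on 127.0.0.1:$lport did not come up" >&2
    kill "$pid" 2>/dev/null || true
    return 1
  fi

  local rc=0
  "$@" || rc=$?                 # run the thick client through the tunnel
  kill "$pid" 2>/dev/null || true   # drop the tunnel as soon as the client exits
  wait "$pid" 2>/dev/null || true
  return "$rc"
}

# Example invocation (placeholder names): the SSH Tools flow, with OpenSSH as
# the client reaching the target through 127.0.0.1:2222.
# with_tunnel alice@app01.internal sra-bastion:2222 \
#   /Path/To/Secret /Path/To/SSHCertIssuer 2222 app01.internal 22 \
#   ssh -p 2222 alice@127.0.0.1
```

The same wrapper serves the RDP and K8s flows on this page by changing the ports and the client command (an RDP client against 127.0.0.1:3389, or a kubeconfig whose server is http://127.0.0.1:5555). The point of `tunnel_spec` is that a typo such as `0.0.0.0:3389:...` fails before `akeyless connect` is ever started, rather than quietly exposing the forwarded service to the network.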