Ansible: Using a Bastion (Jumphost) and ProxyCommand


Problem


Have you ever needed to securely access production servers with Ansible through a jumphost? In real deployments, production servers are, for security reasons, reachable only through the jumphost. Connecting to them directly with Ansible would require opening a port on each server to the Ansible server. This article shows how to avoid opening that port on every server by routing access from the Ansible server through the jumphost.



Solution


If we have only one bastion host, we edit the inventory file as shown below.

$ vi /var/ansible/hosts


[all:vars]
ansible_ssh_common_args='-o ProxyCommand="ssh -W %h:%p -q bastion-hostname"'


[web-server]

192.168.20.100


[app-server]

192.168.20.102


[db-server]

192.168.20.105



If we have one bastion per host, we edit the inventory file as shown below.

$ vi /var/ansible/hosts


[web-server]

192.168.20.100 ansible_ssh_common_args='-o ProxyCommand="ssh -W %h:%p -q web-bastion-hostname"'


[app-server]

192.168.20.102 ansible_ssh_common_args='-o ProxyCommand="ssh -W %h:%p -q app-bastion-hostname"'


[db-server]

192.168.20.105 ansible_ssh_common_args='-o ProxyCommand="ssh -W %h:%p -q db-bastion-hostname"'



Another way to do the same as above, using group variables:

$ vi /var/ansible/hosts


[web-server]

192.168.20.100


[web-server:vars]

ansible_ssh_common_args='-o ProxyCommand="ssh -W %h:%p -q web-bastion-hostname"'


[app-server]

192.168.20.102


[app-server:vars]

ansible_ssh_common_args='-o ProxyCommand="ssh -W %h:%p -q app-bastion-hostname"'


[db-server]

192.168.20.105


[db-server:vars]

ansible_ssh_common_args='-o ProxyCommand="ssh -W %h:%p -q db-bastion-hostname"'
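A host only goes through the bastion if its ansible_ssh_common_args resolves to a ProxyCommand, so a host added later without one would be contacted directly. The following is an added example, not part of the original article: a Python audit that reads an INI inventory in any of the three styles above and reports the bastion each host resolves to. Assumptions: the ProxyCommand has the article's `ssh -W %h:%p -q <bastion>` form (the last word is taken as the bastion), `:children` groups are not handled, and the function names and sample inventory are constructed for illustration.

```python
import shlex

def parse_inventory(text):
    """Return (hosts, group_vars); hosts maps name -> (group, inline vars)."""
    hosts, group_vars, section = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section and section.endswith(":vars"):
            key, _, val = line.partition("=")
            value = (shlex.split(val) or [""])[0]  # strip the outer quotes
            group_vars.setdefault(section[:-5], {})[key.strip()] = value
        else:
            name, *pairs = shlex.split(line)
            hosts[name] = (section, dict(p.split("=", 1) for p in pairs))
    return hosts, group_vars

def bastion_for(args):
    """Extract HOST from '-o ProxyCommand="ssh -W %h:%p -q HOST"' (assumed form)."""
    for tok in shlex.split(args or ""):
        if tok.startswith("ProxyCommand="):
            return shlex.split(tok.split("=", 1)[1])[-1]
    return None

def audit(text):
    """Map each host to its bastion, or None if it would be reached directly.
    Precedence follows Ansible: host vars > group vars > [all:vars]."""
    hosts, gvars = parse_inventory(text)
    result = {}
    for name, (group, inline) in hosts.items():
        merged = {**gvars.get("all", {}), **gvars.get(group, {}), **inline}
        result[name] = bastion_for(merged.get("ansible_ssh_common_args"))
    return result

# Constructed sample mixing the article's styles; db-server is left unproxied on purpose.
SAMPLE = """
[web-server]
192.168.20.100 ansible_ssh_common_args='-o ProxyCommand="ssh -W %h:%p -q web-bastion-hostname"'
[app-server]
192.168.20.102
[app-server:vars]
ansible_ssh_common_args='-o ProxyCommand="ssh -W %h:%p -q app-bastion-hostname"'
[db-server]
192.168.20.105
"""
if __name__ == "__main__":
    for host, bastion in audit(SAMPLE).items():
        print(f"{host}: {'via ' + bastion if bastion else 'DIRECT (no ProxyCommand)'}")
```

Any host reported as DIRECT is one that Ansible would try to reach without the jumphost.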


