Bastion with short-lived certs --> SSH to other instance

Hello community,

I am in the process of setting up Cloudflare for our GCP infrastructure.
For that, I want to use a bastion instance that issues short-lived certificates, which are used for SSH’ing into other instances via ProxyCommand.

I set up the bastion instance which issues the short-lived certificates by following this article:

However, I don’t know how to do the setup to connect to a server in our GCP account using the bastion instance.

I added the following to my .ssh config

Match host exec "/usr/local/bin/cloudflared access ssh-gen --hostname %h" 
  ProxyCommand /usr/local/bin/cloudflared access ssh --hostname %h
  IdentityFile ~/.cloudflared/%h-cf_key
  CertificateFile ~/.cloudflared/

How do I use the bastion server to, for example, connect to the server myServer1?
I set up a tunnel following this guide:
But I am not sure if that is needed.
How do I call myServer1?
Would that be
ssh [email protected]

Best regards,

Did you set up tunnels to each application you want to reach? The old way was to create a YAML tunnel config with ingress rules on the bastion machine, but the new way is explained in the tunnel guide.


Have you tried the ProxyJump command from your ssh client?

For example to another host on your 192.168.x.x local network:

ssh -J

# or maybe, though not sure if this works
ssh -J [email protected]

If you have the ingress rule set up on your server the way the tutorial explains:

  - hostname:
    service: bastion
  - service: http_status:404

Thanks a lot for your support!

Did you set up tunnels to each application you want to reach?

I did set up a tunnel on the other instance I wanted to SSH to following this tutorial. But it might have been that I messed something up due to my inexperience.

So the (rough) setup would be:

  1. create a tunnel on the bastion instance with the config.yml file containing service: bastion
  2. create a tunnel on the other instance (myServer1) that I want to SSH to through the SSH bastion
    1. use the guide:
    2. Use Connect a Network and use the internal IP address of that instance
  3. connect to the instance myServer1 using ssh -J fabian@[INTERNAL IP ADDRESS]

In the meantime, I changed the setup so that I directly SSH into the bastion server. With our current setup that’s enough, as we use that bastion server’s fixed IP address to call other APIs etc.
Using cloudflared, our devs can now access that instance by using short-lived certificates, which is already a good step forward.

I hope I did not confuse your setup when I gave two possible answers. If you want a true SSH bastion, then the original guide you asked about should be the only thing to set up, plus the SSH client’s use of the ProxyJump SSH parameter, and configuring sshd on the remote hosts behind the bastion. No other Cloudflare tunnels or additional ingress rules except for what is in that tutorial. Best practice for a bastion host is to not allow any access (from outside) to that host, since its job is only to route the proxy jumps.

Typically a bastion host would require you to harden the sshd_config for that host’s SSHD instance. I have not tested yet, but I understand in this case Cloudflare is hosting a special bastion service, so the host machine’s SSHD server is not used at all for this need.

I suggest first proving that case. If you find the Cloudflare bastion service is limited, then switch to a traditional bastion using the host’s SSHD server with regular ssh Cloudflare tunnel ingress rules, without using the Cloudflare bastion service as an ingress rule.
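A client-side ssh config that combines the two pieces discussed in this thread, the cloudflared ProxyCommand with short-lived certificates for the bastion and ProxyJump for the hosts behind it, as an added example that is not from this thread or the Cloudflare docs. The names bastion.example.com, the 10.128.* internal range, the key file paths and the user fabian are assumptions; the certificate file name follows what `cloudflared access ssh-gen` is assumed to write next to the key.

```sshconfig
# ~/.ssh/config (added example; names and paths below are assumptions)

# 1. The bastion itself: reached through Cloudflare Access. Before each connection
#    ssh-gen writes a short-lived key and certificate for this hostname. The
#    bastion's sshd must trust the Cloudflare CA (TrustedUserCAKeys), which the
#    short-lived certificate guide covers; nothing else on the bastion is exposed.
Match host bastion.example.com exec "/usr/local/bin/cloudflared access ssh-gen --hostname %h"
  ProxyCommand /usr/local/bin/cloudflared access ssh --hostname %h
  IdentityFile ~/.cloudflared/%h-cf_key
  CertificateFile ~/.cloudflared/%h-cf_key-cert.pub
  User fabian

# 2. Hosts behind the bastion (GCP internal IPs): no tunnel of their own and no
#    public exposure. ssh opens the hop through the bastion automatically, and the
#    Match block above regenerates the bastion certificate for that hop. This
#    second hop authenticates with an ordinary key authorised on the internal
#    host; the Cloudflare certificate is only presented to the bastion.
Host 10.128.*
  ProxyJump bastion.example.com
  IdentityFile ~/.ssh/id_ed25519
  User fabian
```

With this in place, `ssh 10.128.0.5` does the same as `ssh -J bastion.example.com fabian@10.128.0.5`, and sshd on 10.128.0.5 can be restricted to accept connections only from the bastion's internal address.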