There are many scenarios where some of your infrastructure isn't directly accessible from your Ansible deployment system (home desktop or work laptop). That's why I think it's super useful to know how you can get certain Ansible hosts use SSH jumphost – a special server that accepts your connection and forwards it to those remote systems that are not accessible directly.
Why You May Need an SSH Jumphost
Here are just some of the most common scenarios. If you know of other situations – please get in touch as I'd like to explore them.
- On-line Infrastructure Behind Firewall – especially in online services companies, most of servers are not accessible directly. Typically you'll have a gateway server (SSH jumphost) or VPN to access such infrastructure.
- Cloud Infrastructure like AWS with internal networking – lots of cloud deployments use internal networking that's rarely exposed. Access to hosted apps and services is done via endpoints like load balancers. If you need direct access, a VPN instance or SSH server will be required.
- Dynamic IP address on Your Workstation – if you're working from laptop and using 4G or non-standard WiFi hotspots, your public IPv4 address will be different every time. Even if your infrastructure has SSH entry points, they're probably accepting connections only from a list of static and well-defined IP addresses or ranges. You may have some VPS server with static IP address online, that you connect from your laptop and then connect to the infrastructure itself.
How To Configure Ansible Hosts for SSH Jumphosts
Simply add like like this to the host_vars/HOSTNAME.yaml file for your hostname or – more likely – add the same line to group_vars/GROUP.yaml (obviously replace HOSTNAME with a specific name and GROUP with your server group name):
ansible_ssh_common_args: '-o ProxyCommand="ssh -W %h:%p -q firstname.lastname@example.org -p 202"'
In this code snippet, this is what everything means:
- -o ProxyCommand is a command line option to SSH client
- -W %h:%p – special mode that requests SSH client to forward input/output from the specified SSH client (%h – hostname) and port (%p). You can't see them here, because we're updating Ansible settings. But you'll see it in the example below.
- greys is my username
- gw.ts.fm is the SSH jumphost I use
- 202 is the SSH port number on my jumphost
What the above configuration does is it makes Ansible use an SSH client command line similar to this (where myserver is the remote host we can't access directly):
$ ssh -o ProxyCommand="ssh -W %h:%p -q email@example.com -p 202"' myserver1
That's it for today! Enjoy!