# Grant access to a private network

In some cases, your cluster sits in a private network. Although this is a **very good practice**, it means **additional steps need to be taken** to allow our products to connect to your cluster.

Before following this guide, make sure that there is a way to reach your private network from a machine that is publicly exposed. This machine is commonly called a **bastion host** and it controls all access to your private network.

We will walk you through the creation of a specific user on the bastion host that will be used by our products to reach your cluster.

## :pencil: Prerequisites

The following content assumes that your bastion is a **Linux machine** and that the **`ssh-keygen` binary is installed** on it.

{% hint style="warning" %}
The following commands need to be executed **on your bastion with superuser privileges**. Make sure you have the permissions to run them, or use the `sudo` command if it’s available.
{% endhint %}

## :bust\_in\_silhouette: Create a new user

This command will create a new `kubolabs` system user.

{% tabs %}
{% tab title="RHEL" %}

```bash
useradd --system --create-home kubolabs
```

{% endtab %}

{% tab title="Debian" %}

```bash
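# adduser (not useradd) accepts --disabled-password; --group and --home provide the kubolabs group and /home/kubolabs used below
adduser --disabled-password --system --group --home /home/kubolabs kubolabs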
```

{% endtab %}
{% endtabs %}

## :closed\_lock\_with\_key: Generate SSH keys

This command will generate an SSH key pair that will be used by our products to authenticate to your bastion.

```bash
ssh-keygen -t rsa -b 4096 -C "kubolabs" -N "" -q -f kubolabs-key
```

If the command is successful, two files are generated in the current directory:

* `kubolabs-key`: private key file
* `kubolabs-key.pub`: public key file

{% hint style="danger" %}
Make sure to store the `kubolabs-key` file somewhere safe. Do not share it publicly or without encryption.
{% endhint %}

## :passport\_control: Authorize SSH key to authenticate

This command will add the SSH public key that we just created to the list of `kubolabs`’s authorized SSH keys.

```bash
mkdir /home/kubolabs/.ssh/
cat kubolabs-key.pub | tee -a /home/kubolabs/.ssh/authorized_keys
chown -R kubolabs:kubolabs /home/kubolabs/.ssh
chmod 0700 /home/kubolabs/.ssh
chmod 0644 /home/kubolabs/.ssh/authorized_keys
```

{% hint style="danger" %}
Anyone in possession of the private key will be allowed to connect to your bastion as the `kubolabs` user.
{% endhint %}

## :white\_check\_mark: Check public key authentication is enabled

This command will make sure that public key authentication is enabled.

```bash
# '#?' also shows the directive when it is commented out
grep -E '^#?PubkeyAuthentication' /etc/ssh/sshd_config
```

If public key authentication is enabled, the command output will be the following:

```
PubkeyAuthentication yes
```

If the output is either:

```
#PubkeyAuthentication yes
```

Or:

```
PubkeyAuthentication no
```

You must enable it:

```bash
# -i.backup keeps the original file as /etc/ssh/sshd_config.backup
sed -i.backup 's/#\?PubkeyAuthentication.*/PubkeyAuthentication yes/' /etc/ssh/sshd_config
```

{% hint style="info" %}
If something went wrong with this command, a backup of the original file is available at `/etc/ssh/sshd_config.backup`. The change takes effect once the SSH daemon reloads its configuration.
{% endhint %}

## :police\_officer: Allow access from our products

{% hint style="info" %}
This step is only required if your bastion is filtering the allowed incoming IPs. If you are not sure, ask your administrator.
{% endhint %}

Add the following IP to the list of authorized networks: **34.141.253.143**.
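
As an added example (not part of the original guide or of the vendor's own tooling), the function below builds an `authorized_keys` entry that accepts the key only from 34.141.253.143 and only for TCP forwarding to a single endpoint. It assumes the key is used for port forwarding only; `restricted_entry` is a hypothetical helper name and `10.0.0.10:6443` is a placeholder for your cluster endpoint.

```shell
#!/bin/sh
# Added example: print a restricted authorized_keys line for the kubolabs key.
# Assumption (not stated in the guide): the key is only used for TCP
# forwarding to a single cluster endpoint, so no shell or PTY is needed.

# Usage: restricted_entry PUBKEY_FILE SOURCE_IP TARGET_HOST:PORT
# The ( ) body runs in a subshell: variables stay local and "exit"
# only leaves the function.
restricted_entry() (
    pubkey_file=$1 source_ip=$2 target=$3
    [ -r "$pubkey_file" ] || { echo "cannot read: $pubkey_file" >&2; exit 1; }

    # A public key file holds: <type> <base64 data> [comment]
    read -r keytype keydata comment < "$pubkey_file" || true
    case $keytype in
        ssh-rsa|ssh-ed25519|ecdsa-sha2-*) ;;
        # Also catches a private key file passed by mistake.
        *) echo "not a public key: $pubkey_file" >&2; exit 1 ;;
    esac
    [ -n "$keydata" ] || { echo "missing key data" >&2; exit 1; }

    # Option values are double-quoted, so quotes or whitespace would break the line.
    case "$source_ip$target" in
        *\"*|*[[:space:]]*) echo "invalid character in option value" >&2; exit 1 ;;
    esac
    case $target in
        ?*:[0-9]*) ;;
        *) echo "target must be host:port" >&2; exit 1 ;;
    esac

    # from=            accept the key only from this source address
    # restrict         disable forwarding, PTY and other features by default
    # port-forwarding  re-enable TCP forwarding only
    # permitopen=      limit forwarding to this destination
    printf 'from="%s",restrict,port-forwarding,permitopen="%s" %s %s%s\n' \
        "$source_ip" "$target" "$keytype" "$keydata" "${comment:+ $comment}"
)

# Example call (10.0.0.10:6443 is a placeholder endpoint):
#   restricted_entry kubolabs-key.pub 34.141.253.143 10.0.0.10:6443 \
#       >> /home/kubolabs/.ssh/authorized_keys
if [ "$#" -eq 3 ]; then
    restricted_entry "$@"
fi
```

The `restrict` option requires OpenSSH 7.2 or later on the bastion.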


