In this blog post, you’ll learn how to record SSH sessions on a Red Hat Enterprise Linux (RHEL) VSI in a private VPC network using in-built packages. The VPC private network is provisioned through Terraform and the RHEL packages are installed using Ansible automation. Additionally, you’ll learn how to set up a highly available bastion host.

What is session recording and why is it required?

A bastion host and a jump server are both security mechanisms used in network and server environments to control and enhance security when connecting to remote systems. They serve similar purposes but differ in implementation and use cases. The bastion host is placed in front of the private network to take SSH requests from public traffic and pass each request to the downstream machine. Bastion hosts and jump servers are vulnerable to intrusion because they are exposed to public traffic.

Session recording helps an administrator of a system to audit user SSH sessions and make sure they comply with regulatory requirements. In the event of a security breach, the administrator will want to audit and analyze the user sessions. This is critical for a security-sensitive system.

What is a private VPC network?

A virtual private cloud is completely private if there is no public ingress or egress network traffic. In simple technical terms, it’s private if there are no public gateways on the subnets (private subnets) and no floating IPs on the Virtual Server Instances (VSIs).

How do I connect to the private VPC network?

Client-to-site VPN for VPC is one of the two VPN options available on IBM Cloud, and it allows users to connect to IBM Cloud resources through secure, encrypted connections.

The client-to-site VPN is highly available, with two VPN servers that are created in two different availability zones in the same region. The bastions are highly available as well.

Prerequisites

Provision the private VPC network using Terraform

  • Once you have the IBM Cloud Secrets Manager secret with the certificate, launch your terminal and set the following Terraform variables:
export TF_VAR_ibmcloud_api_key=<IBM_CLOUD_API_KEY>

export TF_VAR_secrets_manager_certificate_crn=<SECRET_CRN>
  • Clone the repository and move to the terraform folder:
git clone https://github.com/VidyasagarMSC/private-vpc-network

cd private-vpc-network/terraform
  • Run the Terraform commands to provision the VPC resources (e.g., subnets, bastion hosts (VSIs), VPN, etc.):
terraform init

terraform plan

terraform apply

Connect to client-to-site VPN

  • Once the VPC resources are successfully provisioned, download the VPN client profile by navigating to the VPN servers page on IBM Cloud.
  • Click the Client-to-site servers tab and then on the name of the VPN:
  • Download the profile from the Clients tab.
  • The VPN provisioned through Terraform uses certificates. Follow the instructions here to connect to the OpenVPN Client.
  • You should see the successful connection on your OpenVPN Client:

Verify the SSH connection

  • On a terminal, add the SSH private key to the SSH agent with the following command:
ssh-add <LOCATION_OF_PRIVATE_SSH_KEY> 
  • Example: ssh-add ~/.ssh/<NAME_OF_THE_PRIVATE_KEY>
  • Run the following command to SSH into the RHEL VSI through a bastion host. You will be using the private IP address of the bastion in Zone 1:
ssh -J root@10.10.0.13 root@10.10.128.13
  • Remember, you should be connected to the client-to-site VPN to access the RHEL VSI through the bastion host.
  • After you SSH in, you should see instructions to enable SSH session recording using the tlog package on RHEL.

Deploy session recording using Ansible

To deploy the session recording solution, you need to have the following packages installed on the RHEL VSI:

  • tlog
  • SSSD
  • cockpit-session-recording

The packages will be installed through Ansible automation on all the VSIs—both bastion hosts and RHEL VSI.

  • Move to the Ansible folder:
cd ansible
  • Create hosts.ini from the template file:
cp hosts_template.ini hosts.ini
  • Run the Ansible playbook to install the packages from an IBM Cloud private mirror/repository:
ansible-playbook main_playbook.yml -i hosts.ini --flush-cache

You can see in Figure 1 that after you SSH into the RHEL machine, you will see a note saying: ATTENTION! Your session is being recorded!
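The banner only shows that tlog wrapped this one login. Whether every user is covered is decided by the `[session_recording]` section that SSSD reads. The following check is an added example, not part of the repository's playbook, which this page does not show. It assumes the standard `scope`, `users`, `groups`, `exclude_users` and `exclude_groups` options from sssd-session-recording(5) and the default `/etc/sssd` layout; the sample config and the `svc-backup` account are constructed.

```bash
#!/bin/sh
# Added example: audit the SSSD session-recording scope on a bastion or VSI.

# Print the last value of option $1 in [session_recording] across the given
# files; later files win, the way SSSD layers conf.d snippets over sssd.conf.
sr_option() {
    key=$1; shift
    awk -v key="$key" '
        FNR == 1               { sect = "" }   # new file: outside any section
        /^[ \t]*[#;]/          { next }        # skip comment lines
        /^[ \t]*\[.*\][ \t]*$/ { sect = $0; gsub(/[ \t]/, "", sect); next }
        sect == "[session_recording]" && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1); gsub(/[ \t]/, "", k)
            v = substr($0, index($0, "=") + 1);    gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v
        }
        END { print val }' "$@"
}

# Exit status: 0 = every user recorded, 2 = partial coverage, 1 = not recording.
audit_recording() {
    dir=${1:-/etc/sssd}
    set --
    if [ -f "$dir/sssd.conf" ]; then set -- "$dir/sssd.conf"; fi
    for f in "$dir"/conf.d/*.conf; do
        if [ -f "$f" ]; then set -- "$@" "$f"; fi
    done
    if [ $# -eq 0 ]; then echo "FAIL: no SSSD configuration in $dir"; return 1; fi
    scope=$(sr_option scope "$@")
    case ${scope:-none} in
        all)
            excl="$(sr_option exclude_users "$@") $(sr_option exclude_groups "$@")"
            if [ "$excl" != " " ]; then echo "WARN: scope=all, exempt: $excl"; return 2; fi
            echo "OK: all users are recorded"; return 0 ;;
        some)
            echo "WARN: only users=[$(sr_option users "$@")] groups=[$(sr_option groups "$@")]"
            return 2 ;;
        *)  echo "FAIL: scope=${scope:-none}, sessions are not recorded"; return 1 ;;
    esac
}

# Constructed sample tree: a conf.d snippet enables recording for everyone
# but exempts one (hypothetical) service account.
demo=$(mktemp -d)
mkdir "$demo/conf.d"
printf '[sssd]\nservices = nss, pam\n' > "$demo/sssd.conf"
printf '[session_recording]\nscope = all\nexclude_users = svc-backup\n' \
    > "$demo/conf.d/sssd-session-recording.conf"
audit_recording "$demo" || true   # exit status 2: partial coverage
```

Calling `audit_recording` with no argument on each bastion and on the RHEL VSI checks the live `/etc/sssd` tree; an exemption list or a `scope` other than `all` on a bastion is a gap in the audit trail worth reviewing.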

Check the session recordings, logs and reports

If you closely observe the messages post-SSH, you will see a URL to the web console that can be accessed using the machine name or private IP over port 9090. To allow traffic on port 9090, change the value of the allow_port_9090 variable to true in the Terraform code and run terraform apply again. This run adds the ACL and security group rules that allow traffic on port 9090.

  • Now, open a browser and navigate to http://10.10.128.13:9090. To access using the VSI name, you need to set up a private DNS (out of scope for this article). You need a root password to access the web console:
  • Navigate to Session Recording on the left-hand side to see the list of session recordings. Along with session recordings, you can check the logs, diagnostic reports, etc.:

Recommended reading

Conclusion

This article covered why session recording is required in bastion hosts for auditing and compliance and how session recording can be set up with the built-in RHEL packages using Ansible Automation.

While designing a secured virtual private cloud network, you learned the best practices in architecting a VPC private network. We also covered the need to build highly available VPN servers and bastion hosts. With the provisioning of cloud infrastructure using Terraform and Ansible for session recording, you got hands-on experience.

Learn more about IBM Cloud VPC

If you have any queries, feel free to reach out to me on Twitter or on LinkedIn.
