Accessing OCI Compute Instances Using VNC Console (Instance Console Connection)

Overview

In Oracle Cloud Infrastructure (OCI), administrators occasionally face scenarios where SSH access to a compute instance is unavailable—for example, due to network misconfiguration, firewall issues, or OS-level boot problems.

To handle such situations, OCI provides Instance Console Connection, which enables VNC-based graphical console access and serial console access to compute instances.

In this post, I demonstrate how to access an OCI Compute instance using the VNC console, explain when to use it, and highlight best practices for secure and effective troubleshooting.

⚠️ This demonstration is performed in a personal OCI tenancy using test instances.
No customer environments or confidential information are exposed.

Oracle Products Used

  • Oracle Cloud Infrastructure
  • OCI Compute
  • Instance Console Connection
  • OCI IAM
  • Virtual Cloud Network (VCN)

What Is Instance Console Connection?

Instance Console Connection provides out-of-band access to a compute instance, similar to a physical server console.

OCI supports two types:

  1. Serial Console – Text-based access
  2. VNC Console – Graphical console (for supported images)

This access is independent of:

  • VCN routing
  • Security lists
  • NSGs
  • SSH configuration

When to Use VNC Console Access

VNC console access is useful when:

  • SSH keys are misconfigured
  • Firewall rules block port 22
  • OS boot issues need investigation
  • GUI-based troubleshooting is required
  • Initial OS configuration validation is needed

High-Level Architecture

    User Browser
         |
         |  HTTPS (OCI Console)
         |
    OCI Control Plane
         |
         |  Console Channel
         |
    OCI Compute Instance

No inbound network access to the instance is required.

Prerequisites

OCI Requirements

  • Active OCI tenancy
  • Compute instance in RUNNING state
  • User with permission to manage instance-console-connections

IAM Policy Example

    Allow group InstanceAdmins to manage instance-console-connections in tenancy
    Allow group InstanceAdmins to read instances in tenancy

Step 1: Launch or Identify a Compute Instance

  • Any Linux-based or Windows OCI compute instance can be used
  • Public IP is not mandatory
  • Works for both public and private subnets

We have one Linux instance running in a private subnet.


Step 2: Navigate to Instance Console Connection

  1. Open the Instance Details
  2. Click the "OS Management" tab
  3. Scroll down to the Console Connection section


Step 3: Create a Console Connection

You will see two options:

  • Launch Cloud Shell connection
  • Local connection

For browser-based access, Cloud Shell is recommended. We will use the Local Connection for VNC access.

Click "Local connection". You can now generate a new SSH key or upload an existing public key.


I have uploaded one existing public key, and the connection will show as "Active".

Now click "Copy VNC connection for Linux/Mac".

You will get a connection string like this:

ssh -o ProxyCommand='ssh -W %h:%p -p 443 ocid1.instanceconsoleconnection.oc1.phx.anyhqljtwynqi5qc5u3hdx4b3vigz7j7rsy3vzsdui6li2wtgzaxeydlnhga@instance-console.us-phoenix-1.oci.oraclecloud.com' -N -L localhost:5900:ocid1.instance.oc1.phx.anyhqljtwynqi5qcjq4kfmmonelltk7jbou5ipxxv627xbokwq55nwdsq4xq:5900 ocid1.instance.oc1.phx.anyhqljtwynqi5qcjq4kfmmonelltk7jbou5ipxxv627xbokwq55nwdsq4xq

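Edit it as shown below: add -i with your private key file (console.key here) to both ssh commands, wrap the ProxyCommand in double quotes, and add the HostKeyAlgorithms and PubkeyAcceptedAlgorithms options: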

ssh -i console.key -o ProxyCommand="ssh -i console.key -W %h:%p -p 443 ocid1.instanceconsoleconnection.oc1.phx.anyhqljtwynqi5qc5u3hdx4b3vigz7j7rsy3vzsdui6li2wtgzaxeydlnhga@instance-console.us-phoenix-1.oci.oraclecloud.com" -o HostKeyAlgorithms=+ssh-rsa -o PubkeyAcceptedAlgorithms=+ssh-rsa -N -L localhost:5900:ocid1.instance.oc1.phx.anyhqljtwynqi5qcjq4kfmmonelltk7jbou5ipxxv627xbokwq55nwdsq4xq:5900 ocid1.instance.oc1.phx.anyhqljtwynqi5qcjq4kfmmonelltk7jbou5ipxxv627xbokwq55nwdsq4xq

Run this command from your laptop to establish the SSH tunnel. I have used Windows Terminal:
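
The edit described above can be scripted and checked before the tunnel is opened. The following Python helper is an added example, not part of the original post or of Oracle's tooling: it verifies that the copied string proxies over port 443 to an instance-console host and that the VNC forward binds to loopback only, then emits the edited form. The function name, the placeholder OCIDs and the key file name are assumptions.

```python
import shlex

# Options the post adds to the outer ssh; given on the command line they
# re-enable ssh-rsa for this one tunnel only, not in ~/.ssh/config.
RSA_OPTS = "-o HostKeyAlgorithms=+ssh-rsa -o PubkeyAcceptedAlgorithms=+ssh-rsa"

# Constructed sample in the shape of the copied string (placeholder OCIDs).
SAMPLE = (
    "ssh -o ProxyCommand='ssh -W %h:%p -p 443 "
    "ocid1.instanceconsoleconnection.oc1.phx.exampleconn"
    "@instance-console.us-phoenix-1.oci.oraclecloud.com' "
    "-N -L localhost:5900:ocid1.instance.oc1.phx.exampleinst:5900 "
    "ocid1.instance.oc1.phx.exampleinst"
)

def rewrite_vnc_command(copied: str, key_path: str) -> str:
    """Validate the copied VNC string and return it in the edited form."""
    args = shlex.split(copied)
    if args[:2] != ["ssh", "-o"] or len(args) != 7 \
            or not args[2].startswith("ProxyCommand="):
        raise ValueError("expected: ssh -o ProxyCommand='...' -N -L <fwd> <ocid>")
    proxy = shlex.split(args[2].split("=", 1)[1])

    # Inner hop: ssh -W %h:%p -p 443 <connection-ocid>@instance-console.<region>
    if len(proxy) != 6 or proxy[:5] != ["ssh", "-W", "%h:%p", "-p", "443"]:
        raise ValueError("unexpected ProxyCommand layout")
    user, _, host = proxy[5].partition("@")
    if not (user.startswith("ocid1.instanceconsoleconnection.")
            and host.startswith("instance-console.")):
        raise ValueError("ProxyCommand does not target a console connection")

    # Outer hop: the forward must listen on loopback only, so the VNC port is
    # not offered to other hosts on the laptop's network.
    if args[3:5] != ["-N", "-L"]:
        raise ValueError("expected -N -L after the ProxyCommand")
    bind, lport, target, rport = args[5].split(":")
    if bind not in ("localhost", "127.0.0.1"):
        raise ValueError(f"VNC forward must bind to loopback, got {bind}")
    if target != args[6] or not target.startswith("ocid1.instance."):
        raise ValueError("forward target does not match the instance OCID")

    key = shlex.quote(key_path)
    inner = f"ssh -i {key} -W %h:%p -p 443 {proxy[5]}"
    return (f'ssh -i {key} -o ProxyCommand="{inner}" {RSA_OPTS} '
            f"-N -L {bind}:{lport}:{target}:{rport} {target}")

if __name__ == "__main__":
    print(rewrite_vnc_command(SAMPLE, "console.key"))
```

A string whose forward binds to anything other than loopback, or whose target does not match the instance OCID, is rejected with a ValueError instead of being rewritten.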



Step 5: Log in to the Instance via VNC Viewer or similar tools (I have used Devolutions Remote Desktop Manager)

Use OS-level credentials:

  • Linux username (e.g., opc). You must have created a password for the opc user beforehand
  • Root or sudo access as required


Common Use Cases Demonstrated

1. Fixing SSH Configuration Issues

  • Inspect /etc/ssh/sshd_config
  • Restart SSH service
  • Validate firewall rules

2. Recovering from Network Misconfiguration

  • Fix incorrect routes
  • Correct DNS resolver issues
  • Restore default gateway

3. Debugging Boot Failures

  • Review system logs
  • Enter emergency mode
  • Repair filesystem issues

Serial Console vs VNC Console

    Feature               Serial Console    VNC Console
    Interface             Text-based        Graphical
    OS dependency         Minimal           Requires GUI
    Network dependency    None              None
    Troubleshooting       Low-level         OS-level

Recommendation:
Use serial console for deep recovery, and VNC console for OS-level troubleshooting.

Security Considerations

  • Access controlled via IAM policies
  • Console sessions are time-bound
  • No direct network exposure
  • Use least-privilege access
  • Remove unused console connections

Limitations

  • Not intended for continuous administration
  • GUI availability depends on OS image
  • Performance is lower than SSH
  • Clipboard support may be limited

Best Practices

  • Use VNC console only for troubleshooting
  • Prefer SSH for regular administration
  • Audit IAM permissions regularly
  • Disable unused console connections
  • Document recovery steps

Lessons Learned

  • Instance Console Connection is a critical break-glass mechanism
  • VNC console access works even when networking is broken
  • OCI provides secure, native out-of-band access
  • Proper IAM controls are essential
  • This feature reduces reliance on instance redeployment

Conclusion

The VNC Console via Instance Console Connection is an essential troubleshooting tool in Oracle Cloud Infrastructure.

It enables administrators to recover, debug, and repair compute instances even when network access is unavailable, making it a valuable feature for production-grade OCI environments.


🔗 About the Author

Debapriya Biswas
Oracle ACE Apprentice | Sr. Consultant – Cloud Technologies
Focused on OCI Compute, Networking, and Automation

 
