
Creating SSH tunnel

SSH tunneling (port forwarding) carries network traffic inside an encrypted SSH connection. It lets systems on an external network reach resources on an internal network without exposing those resources to the internet: only the SSH server's port is reachable from outside, and the database stays private. In most Data Integration use cases, an SSH tunnel gives the Data Integration servers encrypted access to internal databases so that data can be retrieved without opening the database port to the public.

Prerequisites

  • A publicly accessible and running SSH server.
  • Data Integration IPs with access to the tunnel server's SSH port.

Configuring an SSH tunnel

Data Integration connects to an AWS EC2 Linux instance over SSH and forwards the database connection (RDS instance, Redshift cluster or Azure SQL DWH) through that same SSH connection, so the database is reached from the EC2 instance's private network rather than from the internet.

Set up an SSH tunnel on AWS EC2

  1. Create a small EC2 instance in the same network as your database (it must be able to reach the database by its private address). When the instance is created, a default user (ec2-user on most Amazon Linux images) is attached to a key pair (.pem private key and .pub public key). If you want a dedicated user for the Data Integration service instead, create it as described under Creating SSH tunnel using auto-generated public key below, and keep the key pair for connecting to the instance.
  2. Create a security group for the instance with an inbound rule that allows TCP port 22 (SSH) from the Data Integration IPs only.
  3. Create a security group on your Redshift cluster/database instance with an inbound rule that allows the database port (5439 for Redshift) from the SSH tunneling instance's private IP only. The database port should not be open to the Data Integration IPs or the internet; all database traffic arrives through the tunnel.

Creating SSH tunnel using auto-generated public key

Prerequisites

  • A Linux system (for example Ubuntu) with an SSH server (sshd) running.
  • For Windows users, an SSH client such as OpenSSH to reach that server.

Run the following commands on your SSH tunnel host. The group and user name must be a single word; the commands below use dataintegration.

  1. Connect to your SSH tunnel server using ssh:
ssh -i /path/to/key_pair.pem ec2-user@<instance-public-ip-or-dns>
  2. Create the dataintegration group:
sudo groupadd dataintegration
  3. Create the dataintegration user with that primary group and a home directory:
sudo useradd -m -g dataintegration dataintegration
  4. Switch to the dataintegration user:
sudo su - dataintegration
  5. Create the ~/.ssh directory:
mkdir ~/.ssh
  6. Restrict the directory to its owner (with StrictModes on, sshd refuses keys kept in a group- or world-writable directory):
chmod 700 ~/.ssh
  7. Create the authorized_keys file:
touch ~/.ssh/authorized_keys
  8. Restrict the file to its owner:
chmod 600 ~/.ssh/authorized_keys
  9. Generate a new public key in Data Integration (next section) and add it to this authorized_keys file so Data Integration can connect to the server.

Generating new public key

Procedure

  1. Navigate to the Data Integration console.
  2. Click Connections in the main menu and select New Connection.
  3. Select the SSH-tunneled source connection you need (for example MySQL).
  4. In the SSH Options section, select Auto Generated.

You can create new key pairs, use existing ones, or delete them.

  5. Click Create New Key Pair.
  6. Enter a name for your key pair and click Create Key Pair.
    • After the key pair is generated, copy the public key (it starts with ssh-rsa) to your clipboard. The private half never leaves Data Integration.
  7. On the bastion server, open the ~/.ssh/authorized_keys file of the tunnel user (created above) in your preferred text editor.
  8. Paste the public key on a single line; a key broken across lines is ignored by sshd.
  9. Save and close the file.
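The host-side steps above (dedicated user, ~/.ssh directory, authorized_keys permissions) and the key paste from the console can be combined into one script. The following is an added example, not code from the original page or the product's own tooling: it checks that the pasted key is a single-line OpenSSH public key before touching authorized_keys and, going one step beyond the manual procedure, installs it with the authorized_keys options restrict, port-forwarding and permitopen, so that this key can only open forwards to the database endpoint and gets no PTY, agent or X11 forwarding. The user name dataintegration, the database endpoint and the key are placeholders; the script assumes OpenSSH 7.2 or newer (for the restrict option) and must run as root to provision.

```bash
#!/bin/sh
# Added example (not from the original page): provision a forwarding-only tunnel
# user and install a public key restricted to forwarding to the database.
# Assumptions: OpenSSH >= 7.2 (for "restrict"); run as root to provision.

# Accept only a single-line OpenSSH public key of a known type.
valid_pubkey() {
    key="$1"
    # A multi-line paste would corrupt authorized_keys.
    [ "$(printf '%s\n' "$key" | wc -l | tr -d ' ')" -eq 1 ] || return 1
    set -f                       # no globbing while splitting the key
    set -- $key                  # $1 type, $2 base64 blob, $3... comment
    set +f
    [ "$#" -ge 2 ] || return 1
    case "$1" in
        ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) return 1 ;;
    esac
    case "$2" in
        *[!A-Za-z0-9+/=]*) return 1 ;;   # the blob must be base64
    esac
    return 0
}

# Emit the authorized_keys line. "restrict" turns off PTY, agent and X11
# forwarding and user rc files; "port-forwarding" re-enables forwarding only,
# and permitopen pins it to one host:port (must match what the client asks for).
authorized_key_line() {
    db_host="$1"; db_port="$2"; key="$3"
    valid_pubkey "$key" || return 1
    printf 'restrict,port-forwarding,permitopen="%s:%s" %s\n' "$db_host" "$db_port" "$key"
}

# Create group, user, ~/.ssh (700) and authorized_keys (600) with the key line,
# skipping anything that already exists so the script can be re-run safely.
install_tunnel_user() {
    user="$1"; db_host="$2"; db_port="$3"; key="$4"
    line="$(authorized_key_line "$db_host" "$db_port" "$key")" || {
        echo "refusing to install: not a single-line OpenSSH public key" >&2
        return 1
    }
    getent group "$user" >/dev/null || groupadd "$user"
    id -u "$user" >/dev/null 2>&1 || useradd -m -g "$user" "$user"
    home="$(getent passwd "$user" | cut -d: -f6)"
    install -d -m 700 -o "$user" -g "$user" "$home/.ssh"
    [ -f "$home/.ssh/authorized_keys" ] || install -m 600 -o "$user" -g "$user" /dev/null "$home/.ssh/authorized_keys"
    # Append only if this exact key is not already present.
    grep -qF -- "$key" "$home/.ssh/authorized_keys" || printf '%s\n' "$line" >> "$home/.ssh/authorized_keys"
}

# Provision only when called with all four arguments; otherwise just define the functions.
# usage: sh tunnel-user.sh dataintegration redshift.internal 5439 "ssh-ed25519 AAAA... comment"
if [ "$#" -eq 4 ]; then
    install_tunnel_user "$@"
fi
```

The permitopen host must be written exactly as the client will request it (hostname or IP), otherwise sshd refuses the forward and logs "open failed: administratively prohibited" at LogLevel VERBOSE. If the Data Integration client only ever opens forwards and never asks for a shell, you can harden further with useradd -s /usr/sbin/nologin; test with a manual ssh -N -L before relying on it.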

Optimizing SSH tunnel for security and performance

Certain limits apply to the SSH connections a Linux server accepts when it is used as a tunnel host. For example, the MaxSessions parameter in /etc/ssh/sshd_config sets the maximum number of open shell, login or subsystem sessions permitted per network connection (the OpenSSH default is 10). This caps the number of sessions Data Integration can run in parallel over one SSH connection.

Setting up multiple SSH sessions in parallel

You can raise that limit so that multiple SSH sessions run in parallel over one connection.

Procedure

  1. Open the /etc/ssh/sshd_config file in your preferred text editor on the bastion server.
  2. Use the following values in your configuration:
   ClientAliveInterval 15     # Health-check interval in seconds
   ClientAliveCountMax 4      # Unanswered checks before the connection is dropped: 4*15 = 60 seconds for an unresponsive client
   AllowAgentForwarding yes   # Allow agent forwarding to additional clients if needed; the tunnel itself does not require it
   LogLevel VERBOSE           # For troubleshooting; also logs the fingerprint of the key used for each login
   MaxSessions 20             # Suggested minimum of 20. Use at least your Concurrent Table Runs number
   PasswordAuthentication no  # Disables username/password logins
   PermitTunnel yes           # Permits tun(4) device forwarding. Not needed for TCP port forwarding, which is controlled by AllowTcpForwarding (default yes)
   PubkeyAuthentication yes   # Enables public-key authentication
   StrictModes yes            # Refuses the login if ~/.ssh or authorized_keys are writable by others
   TCPKeepAlive yes           # Detects dead connections so sessions do not hang
   X11Forwarding no           # Data Integration does not require X11
  3. To make the changes take effect, restart the service (a syntax error in the file prevents sshd from starting, so keep an open session until the restart has succeeded):
   sudo systemctl restart sshd
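Editing sshd_config by hand on a remote bastion is risky: a typo leaves sshd unable to start and the next reconnect fails. The following is an added example, not code from the original page or the product: it applies the settings above idempotently (rewriting an existing directive, including a commented-out default, or inserting it before any Match block), backs the file up, and validates the result with sshd -t before restarting. Two deliberate differences from the list above: it sets AllowTcpForwarding yes, which is the directive that actually governs TCP port forwarding (PermitTunnel only concerns tun devices), and AllowAgentForwarding no, because a database tunnel never needs an agent. The config path and the service name are assumptions.

```bash
#!/bin/sh
# Added example (not from the original page): set sshd directives idempotently,
# then validate with `sshd -t` before restarting so a typo cannot lock you out.

# Set one directive: rewrite the first matching line (commented or not) in the
# global section, drop later duplicates, or insert it before the first Match
# block / at end of file. Lines inside Match blocks are left untouched.
set_sshd_option() {
    file="$1"; name="$2"; value="$3"
    tmp="$file.tmp.$$"
    awk -v name="$name" -v value="$value" '
        BEGIN { lname = tolower(name); found = 0; inmatch = 0 }
        {
            if (!inmatch) {
                if ($0 ~ /^[ \t]*[Mm][Aa][Tt][Cc][Hh][ \t]/) {   # global section ends here
                    if (!found) { print name " " value; found = 1 }
                    inmatch = 1
                } else {
                    line = $0
                    sub(/^[ \t]*#?[ \t]*/, "", line)             # "#MaxSessions 10" counts too
                    split(line, f, /[ \t=]+/)
                    if (tolower(f[1]) == lname) {
                        if (!found) { print name " " value; found = 1 }
                        next                                     # drop duplicates
                    }
                }
            }
            print
        }
        END { if (!found) print name " " value }
    ' "$file" > "$tmp" && cat "$tmp" > "$file" && rm -f "$tmp"   # keep mode/owner of $file
}

# Apply the hardening set, validate, and only then restart.
apply_sshd_hardening() {
    file="${1:-/etc/ssh/sshd_config}"
    cp -p "$file" "$file.bak.$(date +%Y%m%d%H%M%S)"
    while read -r name value; do
        set_sshd_option "$file" "$name" "$value"
    done <<'EOF'
ClientAliveInterval 15
ClientAliveCountMax 4
LogLevel VERBOSE
MaxSessions 20
PasswordAuthentication no
PubkeyAuthentication yes
AllowTcpForwarding yes
AllowAgentForwarding no
StrictModes yes
TCPKeepAlive yes
X11Forwarding no
EOF
    sshd_bin="$(command -v sshd || echo /usr/sbin/sshd)"
    if ! "$sshd_bin" -t -f "$file"; then
        echo "$file failed validation; backup kept, sshd NOT restarted" >&2
        return 1
    fi
    # Unit is "sshd" on RHEL/Amazon Linux and "ssh" on Debian/Ubuntu.
    systemctl restart sshd 2>/dev/null || systemctl restart ssh
}

# Run the hardening only when asked: sh sshd-harden.sh apply [/etc/ssh/sshd_config]
if [ "${1:-}" = "apply" ]; then
    apply_sshd_hardening "${2:-/etc/ssh/sshd_config}"
fi
```

Directives placed after a Match line only apply to the matched users or hosts, which is why the function inserts new global settings before the first Match block rather than at the end of the file.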

Setting up SSH tunnel using an existing .pem file

Procedure

  1. Enter the SSH Hostname (DNS name or IP) of the tunnel instance.
  2. Enter the SSH Port (usually 22).
  3. Provide the SSH Username and, if required, the Password.
  4. Click Choose File and upload the SSH private key file (.pem) provided when the instance was created in AWS. The .pub public key alone cannot authenticate.
Note
  • SSH key authentication uses a private key file (.pem), which takes the place of the user's password and must be kept secret, and the matching public key (.pub), which is installed on every machine the user wants to access in that user's ~/.ssh/authorized_keys. The ~/.ssh/known_hosts file is a different thing: it records the host keys of servers the client has connected to before, so that a changed server key is detected.
  • When the user connects, the server sends a challenge that the client signs with the private key; the server verifies the signature against the stored public key, so the private key never leaves the client.