Configuring Reverse SSH tunnel

info

Reverse SSH Tunnel is available to users on the Pro Plus plan.

Reverse SSH (Secure Shell) tunneling lets you reach a device behind a firewall or NAT (Network Address Translation) remotely. You can set up a Reverse SSH Tunnel using Data Integration to grant remote access to services on the local machine.

  • Customer connectivity account (local machine): Data Integration provides each customer with a dedicated VPN inside a dedicated account, designed to actively listen on a specified port for incoming SSH connections.

  • Client network (remote machine):

    • The Client Network runs the SSH protocol to establish a connection with the customer connectivity account provided by Data Integration.
    • The connection is initiated from the client network towards the customer connectivity account, which is why it is called Reverse SSH.
  • Tunnel establishment:

    • Once the SSH connection is established, a secure tunnel is created between the Client Network and the Customer Connectivity Account.
    • This tunnel lets traffic flow securely.
  • Bridging the Data Integration workers account and customer connectivity: The Data Integration Workers Account establishes a link with the Customer Connectivity Account, letting services operating within the Customer Connectivity Account be accessed by the Client Network as if they were running locally.

[Diagram: Reverse SSH Tunnel (LB = Load Balancer)]

Prerequisites

Confirm the following requirements:

  • The client’s Reverse SSH host (internal bastion) must have outbound internet access to the Data Integration Reverse SSH endpoint.
  • Identify the internal database hostname and port.

Procedure

note

Make sure to execute all instructions within a Linux environment.

Step 1: Generate and prepare SSH keys

  1. Create the Data Integration connection key:
    • Log in to Data Integration Console.
    • Navigate to your Database Connection settings.
    • Under the SSH section, choose your preferred method:
      • Auto-generate: Click to generate a key and copy the Public Key to provide to support.
      • Upload PEM: Upload your existing private key file. You must provide the corresponding public key to support.
    • Save this Public Key for your support ticket.
    note

    If you are setting up multiple database connections, use the same SSH key for all of them to simplify management.

  2. Create the Bastion Host key:
    • On your internal bastion host (the machine initiating the tunnel), generate an SSH key pair:

      ssh-keygen

      important

      Do not enter a password or passphrase for the key file when prompted.

    • View and copy the content of the Public Key to provide to support: cat ~/.ssh/id_rsa.pub

    • The Private Key path (typically ~/.ssh/id_rsa) is required for the autossh script.

Key usage
  • The SSH key pair generated in this step can be reused across multiple Reverse SSH connections from the same bastion host.

  • You do not need to generate a new key for each connector unless your organization requires key rotation or separation.

Step 2: Information to provide support

Before submitting the support ticket, complete Step 1 (Key Generation) and copy the public key created on your bastion host.

Submit a support ticket to the Data Integration support team with the following details:

  • Bastion Public Key: The public key from your internal host.
  • Data Integration Public Key: The public key from the Data Integration UI.
  • ssh_client_cidr_blocks: The Public IP address (in CIDR notation) of your SSH bastion host.
  • Internal database hostname and port.

Step 3: Support deliverables and port selection

After support completes the Data Integration configuration, you receive the following:

  • Public Network Load Balancer address (for example, public-nlb-xxxxx).
  • SSH Hostname (for example, vpce-xxxxxxx).
  • SSH tunnel username (for example, dataintegration).

Selecting a High Port

You must select a High Port (between 1024 and 65535) that is not currently in use.

Derive the SSH high port number by prefixing the source database port with a single digit (typically 1). For example, when connecting to MySQL on its default port 3306, use port 13306 as the SSH high port of your first MySQL connector, port 23306 for the second connector, and so on.

Step 4: Running the script

Replace the placeholder variables in the following script and run it on the SSH host in a single line:

autossh -M 0 -f -N -R <SSH_HIGH_PORT>:<PRIVATE_DB_MACHINE_NAME_OR_IP>:<PRIVATE_DB_MACHINE_PORT> rivery@<Rivery_SUPPLIED_IP> -g -i <PATH_TO_PRIVATE_KEY> -o ServerAliveInterval=10 -o ServerAliveCountMax=1 -o ExitOnForwardFailure=yes -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null

Variable descriptions:

  • <Rivery_SUPPLIED_IP>: The address of the public network load balancer provided by Data Integration. For example, public-nlb-xxxxx.
  • <SSH_HIGH_PORT>: The unique port on the Data Integration side to tunnel through.
  • <PRIVATE_DB_MACHINE_NAME_OR_IP>: The internal hostname or IP address of your database.
  • <PRIVATE_DB_MACHINE_PORT>: The actual port your database listens on.
  • <PATH_TO_PRIVATE_KEY>: The local path to the private key file.
note
  • To follow the connection attempt in the foreground, remove the -f flag and add the -v flag for verbose logging.
  • If you reuse the autossh script for the same SSH high port, terminate the original script before proceeding.
  • You must run a separate instance of the autossh script for each different database source, ensuring each uses a unique High Port.

Verifying the Tunnel: To confirm the tunnel is active, run these commands on your internal SSH server:

ps aux | grep autossh
netstat -tulnp | grep ssh

Step 5: Finalizing the connection

After successfully running the autossh script on the internal SSH server and confirming the tunnel is active, enter the connection details (Hostname, your chosen High Port, and SSH credentials) into the Data Integration setup form.

No. | Field                       | Value                        | Description
1.  | Host                        | 127.0.0.1                    | Lets your SSH host handle the port routing
2.  | Port                        | { SSH high port }            | For example, 13306. The port that your SSH host will translate
3.  | Database                    | { Database name }            | The name of the database you want to replicate
4.  | User                        | { Database user }            | The user account for accessing the database
5.  | Password                    | { Database user's password } | The password associated with the database user
6.  | SSH Tunnel Toggle           | True                         | When set to true, all SSH fields become visible
7.  | SSH Port                    | 22                           | The port number for the SSH connection
8.  | SSH Hostname                | { IP Address }               | Provided by Data Integration. For example, vpce-xxxxxxx
9.  | SSH User                    | Data Integration             | The user account used for the SSH connection
10. | SSH Tunnel - Auto Generated | Key Pair Name                | Select the name of the auto-generated key pair that you previously set up (for example, Test)
note

Replace the placeholder variables with the corresponding values obtained during the setup process.
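The following helper script is an added example and is not part of the Data Integration documentation; it wraps the Step 3 high-port convention, the Step 4 command line and the Step 4 verification in shell functions. The function names (high_port, autossh_cmd, tunnel_up) and the sample values (db.internal.example, public-nlb-xxxxx) are invented; the autossh options are the ones from the page.

```shell
#!/bin/sh
# Added example, not part of the Data Integration docs. Function names
# are invented; the autossh options mirror the page's Step 4 command.

# Step 3 convention: the SSH high port is the source database port with
# a single-digit prefix (1 = first connector, 2 = second, ...).
# Returns 1 when the result leaves the 1024-65535 range, e.g. for a
# 5-digit source port such as 27017, or a prefix above 6 with port 5432.
high_port() {
  db_port=$1
  idx=${2:-1}
  hp="${idx}${db_port}"
  [ "$hp" -ge 1024 ] && [ "$hp" -le 65535 ] || return 1
  echo "$hp"
}

# Builds the Step 4 command line (printed, not executed) from the values
# support returned (NLB address, tunnel user) and your own values
# (database host/port, private key path).
autossh_cmd() {
  hp=$1 db_host=$2 db_port=$3 user=$4 nlb=$5 key=$6
  printf 'autossh -M 0 -f -N -R %s:%s:%s %s@%s -g -i %s' \
    "$hp" "$db_host" "$db_port" "$user" "$nlb" "$key"
  printf ' -o ServerAliveInterval=10 -o ServerAliveCountMax=1'
  printf ' -o ExitOnForwardFailure=yes'
  # As on the page, host-key verification is disabled: the bastion will
  # accept whatever host key the endpoint presents on every connect.
  printf ' -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null\n'
}

# Step 4 verification: returns 0 if an autossh process forwarding this
# high port is running on the bastion (the page's `ps aux | grep autossh`).
# Check this before starting a second instance on the same high port;
# the page says to terminate the original script first.
tunnel_up() {
  ps aux 2>/dev/null | grep -q "[a]utossh .*-R $1:"
}

# Demo with constructed values (not real endpoints): run with --demo.
if [ "${1:-}" = "--demo" ]; then
  hp=$(high_port 3306 1) || { echo "high port out of range" >&2; exit 1; }
  autossh_cmd "$hp" db.internal.example 3306 rivery public-nlb-xxxxx ~/.ssh/id_rsa
  tunnel_up "$hp" && echo "an autossh tunnel is already running on port $hp"
fi
```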
