Forward SSH tunnel

The following steps describe how to set up connectivity to a source database using a forward SSH tunnel.

Step 1: Choose a host on which to terminate the tunnel

The first step to set up SSH tunnel access for your database is to choose the host that will be used to terminate the tunnel. The tunnel can be terminated on either the database host itself, or on a separate host (the tunnel server).

Use the database server

Terminating the tunnel on the database has the advantage of simplicity. There's one fewer host involved, so there are no additional machines and their associated costs. The disadvantage is that your database server might be on a protected network that doesn't have direct access from the internet.

Use a tunnel server

Terminating the tunnel on a separate server has the advantage of keeping your database server inaccessible from the internet. If the tunnel server is compromised, then it's one step removed from the database server. We recommend that you remove all non-essential software and users from the tunnel server and closely monitor it with tools, such as an intrusion detection system (IDS).

The tunnel server can be any Unix or Linux host that:

  1. Can be accessed from the internet using SSH.
  2. Can access the database.

Step 2: Create an IP allowlist

The second step to set up SSH tunnel access for your database is to allow network traffic to reach the tunnel server or the database host using SSH, which is generally on TCP port 22.

Allow network traffic from each of the IP addresses for the region where Datastream resources are created.

Step 3: Use the SSH tunnel

Provide the tunnel details in the connection profile configuration. For more information, see Create a connection profile.

To authenticate the SSH tunnel session, Datastream requires either the password for the tunnel account, or a unique private key. To use a unique private key, you can use OpenSSH or OpenSSL command-line tools to generate keys.

Datastream stores the private key securely as part of the Datastream connection profile configuration. You must add the public key manually to the bastion host's ~/.ssh/authorized_keys file.

Generate private and public keys

You can generate SSH keys using the following method:

  • ssh-keygen: An OpenSSH command-line tool to generate SSH key pairs.

    Useful flags:

    • -t: Specifies the type of key to create, for example:

      ssh-keygen -t rsa

      ssh-keygen -t ed25519

    • -b: Specifies the number of bits in the key to create, for example:

      ssh-keygen -t rsa -b 2048

    • -y: Reads a private OpenSSH format file and prints an OpenSSH public key to standard output.

    • -f: Specifies the filename of the key file, for example:

      ssh-keygen -y [-f KEY_FILENAME]

    For more information about supported flags, see OpenBSD documentation.

You can generate a private PEM key using the following method:

  • openssl genpkey: An OpenSSL command-line tool to generate a PEM private key.

    Useful flags:

    • -algorithm: Specifies the public key algorithm to use, for example:

      openssl genpkey -algorithm RSA

    • -out: Specifies the filename to which to output the key, for example:

      openssl genpkey -algorithm RSA -out PRIVATE_KEY_FILENAME.pem

    For more information about supported flags, see OpenSSL documentation.
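The following script is an added example (not part of the Datastream documentation) that carries out the key steps above end to end: it generates an ed25519 pair with ssh-keygen, confirms the public half with -y -f, and installs it on the tunnel server as a restricted authorized_keys entry that can only open a forwarded connection to the database (no shell, PTY or agent forwarding). The account name, database host and port are placeholders; the restrict option needs OpenSSH 7.2 or later.

```shell
#!/bin/sh
# Added example, not from the Datastream docs. Assumed placeholder values:
# the database listens on db.internal:5432 and the tunnel account's home
# directory is given as an argument.
set -eu

# Generate an ed25519 key pair with no passphrase; the private half is what
# gets stored in the Datastream connection profile. Prints the public key.
gen_tunnel_key() {
  keyfile=$1
  ssh-keygen -q -t ed25519 -N '' -C "datastream-tunnel" -f "$keyfile"
  # Re-derive the public key from the private file (-y) to confirm they match.
  ssh-keygen -y -f "$keyfile"
}

# Build an authorized_keys line that limits the key to port forwarding toward
# the database only. OpenSSH options: restrict (disables everything),
# port-forwarding (re-enables -L), permitopen (which destination is allowed).
restricted_entry() {
  pubkey=$1 dbhost=$2 dbport=$3
  printf 'restrict,port-forwarding,permitopen="%s:%s" %s\n' \
    "$dbhost" "$dbport" "$pubkey"
}

# Append the entry with the permissions sshd's StrictModes expects
# (group/world-writable .ssh or authorized_keys files are rejected).
install_entry() {
  homedir=$1 entry=$2
  mkdir -p "$homedir/.ssh" && chmod 700 "$homedir/.ssh"
  printf '%s\n' "$entry" >> "$homedir/.ssh/authorized_keys"
  chmod 600 "$homedir/.ssh/authorized_keys"
}

main() {
  workdir=$(mktemp -d)
  pub=$(gen_tunnel_key "$workdir/datastream_tunnel_key")
  entry=$(restricted_entry "$pub" db.internal 5432)
  install_entry "$workdir/tunnel-home" "$entry"
  echo "private key to paste into the connection profile: $workdir/datastream_tunnel_key"
  cat "$workdir/tunnel-home/.ssh/authorized_keys"
}

# Run the whole flow with: sh tunnel_key.sh run
if [ "${1:-}" = run ]; then main; fi
```

On the real tunnel server, replace the placeholder home directory with the tunnel account's home and keep the private key file only in the Datastream connection profile.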

What's next