Skip to main content

SSH Tunnels

Connecting through an SSH tunnel allows Cluvio to securely access your database when it is on a private network or does not have a public IP. Cluvio establishes connections to an SSH tunnel server under your control.

SSH TunnelSSH Tunnel

Cluvio Agents

For database types which are not "cloud-native" (i.e. can be self-hosted), using Cluvio Agents to connect is generally preferred, since it does not require inbound connections from Cluvio IP addresses. With Cluvio Agents you can even securely connect to databases on a local computer with internet access.

Your Private Network

Make sure to enable and secure the network connectivity between your SSH server and your database. This can be achieved by running the SSH server on the same host as the database or by running both the SSH server and the database in a secured, private network.

SSH Server Setup

To connect to your database from Cluvio through an SSH tunnel, you generally need to operate a unix/linux-based SSH server (e.g. a Linux EC2 instance if you run on AWS) that has access to your database. The SSH server needs to have a public IP and listen on a port for connections using the SSH protocol.

The following steps performed on the tunnel server set up an SSH tunnel for Cluvio:

  1. Create a new user that is used for the tunnel (e.g. cluvio).
  2. In the user's home directory, create the folder .ssh and make sure it is owned by the user created in step 1 and has permissions restricted to 700.
  3. In the newly created .ssh folder create the file authorized_keys, also owned by the user created in step 1, and with permissions restricted to 600. Then add Cluvio's public key to the authorized_keys file:
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDBnwmewDUcrAToaHV2CBY64WOl1YxO09pWdyQ63ixX8rRpSNbCFsz+pDLJSuIZNuzJVqxitKY2Q1mov4BFENpZqd6258DlCfJxCRgsytCZtgA+hgZjMzmwEaudhkDppv72FoP4cIZimOFYE7lSOQhW9PsSIkE7OhFpS07ixOWnIcYTo0XqxfmQyvXH2gjD/EChh69W+sYDXQz0kLlwIFTZM1lwO1gG8kj5QXNrOxyveI3blZzonvGNEONIXW2i3lgLWTw7uWAsTqbtQ5CQ76AWft+usSV1PDSXf1eNF4tkbTnfzNzFTuuwFpZ4VkwJ0NtX1XJ6YuFEyUGCF/iXrzT9KfryO1dFvHDN/lqQX1Zqg1GiRnX1X4zKINa2Da0qJZfCpKzQEQHLXgZiGK/2y7CVAOrwNF1CKUVIMYibV/EA9KgaIZKICz5fi+pPf3BKV5YbViTa4vKCKZzEq/OUCU8gQ6x9iYXIogRJSz2+xlBgHNZgGB8viUyP3Rb9pGHgVglDyConvNeqaHf953p0rBMT7YVFJ3OINJoXg3qjxPEBcYvpjijBsNheyWXUA6RknE/XOkdgIDH1aRrXuy8SWHEGgSQ+PUgukR9Zt8BRnkBB7mfxlIocexyq8AItKyb39b2U3RhilhbJF6BqZ+PHGpnjB1dPMCNJhGsSDIyaZEuaww== connect@cluvio.com

Here is a full example for a Linux system, with the steps performed as root or with sudo:

useradd cluvio
mkdir -p /home/cluvio/.ssh && chmod 700 /home/cluvio/.ssh && chown cluvio /home/cluvio/.ssh
echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDBnwmewDUcrAToaHV2CBY64WOl1YxO09pWdyQ63ixX8rRpSNbCFsz+pDLJSuIZNuzJVqxitKY2Q1mov4BFENpZqd6258DlCfJxCRgsytCZtgA+hgZjMzmwEaudhkDppv72FoP4cIZimOFYE7lSOQhW9PsSIkE7OhFpS07ixOWnIcYTo0XqxfmQyvXH2gjD/EChh69W+sYDXQz0kLlwIFTZM1lwO1gG8kj5QXNrOxyveI3blZzonvGNEONIXW2i3lgLWTw7uWAsTqbtQ5CQ76AWft+usSV1PDSXf1eNF4tkbTnfzNzFTuuwFpZ4VkwJ0NtX1XJ6YuFEyUGCF/iXrzT9KfryO1dFvHDN/lqQX1Zqg1GiRnX1X4zKINa2Da0qJZfCpKzQEQHLXgZiGK/2y7CVAOrwNF1CKUVIMYibV/EA9KgaIZKICz5fi+pPf3BKV5YbViTa4vKCKZzEq/OUCU8gQ6x9iYXIogRJSz2+xlBgHNZgGB8viUyP3Rb9pGHgVglDyConvNeqaHf953p0rBMT7YVFJ3OINJoXg3qjxPEBcYvpjijBsNheyWXUA6RknE/XOkdgIDH1aRrXuy8SWHEGgSQ+PUgukR9Zt8BRnkBB7mfxlIocexyq8AItKyb39b2U3RhilhbJF6BqZ+PHGpnjB1dPMCNJhGsSDIyaZEuaww== connect@cluvio.com" > /home/cluvio/.ssh/authorized_keys
chmod 600 /home/cluvio/.ssh/authorized_keys && chown cluvio /home/cluvio/.ssh/authorized_keys

Instead of creating a new user, you can also simply add the Cluvio public key to any existing user's ~/.ssh/authorized_keys file on the tunnel server.

For added security, to make sure that the cluvio user cannot do anything but connect to the database, alter the authorized_keys file by prepending the following to the ssh-rsa ...... line of Cluvio's public key, thereby replacing the db_server_host and db_server_port with actual values for your database server:

no-pty,no-X11-forwarding,permitopen="<db_server_host>:<db_server_port>",command="/bin/echo do-not-send-comman
Windows Server

These instructions apply to unix-based systems. If you need to use an SSH server on a Windows machine, the setup will differ and you will need to refer to the documentation of your OS or hosting provider on how to set up an SSH tunnel.

Firewall Setup

With SSH connections, Cluvio's query executors connect to your database with one of the following IP addresses, depending on your Account Location (found in the Admin Settings). The firewall of your SSH server must allow inbound connections from these IP addresses.

EU:

52.58.9.34
52.58.26.238
52.58.98.150

US:

52.10.232.238
52.27.71.53
54.200.39.48

If your database runs on AWS, you can add the applicable three IPs to your Security Group inbound rules that guard access to the database (e.g. RDS, Redshift, or your own EC2 instance).

Datasource Configuration

When you have set up an SSH server and the necessary firewall rules, you can configure your datasource. Open the datasource connection configuration and select SSH Tunnel as the connection mode.

image-600 image-600

Your SSH server must be publicly reachable on the specified IP address and port. Test your datasource connection by selecting Test Connection.