SSH Tunnels

Connecting through an SSH tunnel allows Cluvio to securely access your database when it is on a private network or does not have a public IP. Cluvio establishes connections to an SSH tunnel server under your control.

Cluvio Agents

For database types which are not "cloud-native" (i.e. can be self-hosted), using Cluvio Agents to connect is generally preferred, since it does not require inbound connections from Cluvio IP addresses. With Cluvio Agents you can even securely connect to databases on a local computer with internet access.

Your Private Network

Make sure to enable and secure the network connectivity between your SSH server and your database. This can be achieved by running the SSH server on the same host as the database or by running both the SSH server and the database in a secured, private network.

SSH Server Setup

To connect to your database from Cluvio through an SSH tunnel, you generally need to operate a Unix/Linux-based SSH server (e.g. a Linux EC2 instance if you run on AWS) that has network access to your database. The SSH server needs a public IP address and must listen on a port for connections using the SSH protocol.

The following steps performed on the tunnel server set up an SSH tunnel for Cluvio:

  1. Create a new user that is used for the tunnel (e.g. cluvio).
  2. In the user's home directory, create the folder .ssh and make sure it is owned by the user created in step 1 and has permissions restricted to 700.
  3. In the newly created .ssh folder create the file authorized_keys, also owned by the user created in step 1, and with permissions restricted to 600. Then add Cluvio's public key to the authorized_keys file:
ssh-rsa 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 connect@cluvio.com

Here is a full example for a Linux system, with the steps performed as root or with sudo:

useradd cluvio
mkdir -p /home/cluvio/.ssh && chmod 700 /home/cluvio/.ssh && chown cluvio /home/cluvio/.ssh
echo "ssh-rsa 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 connect@cluvio.com" > /home/cluvio/.ssh/authorized_keys
chmod 600 /home/cluvio/.ssh/authorized_keys && chown cluvio /home/cluvio/.ssh/authorized_keys

Instead of creating a new user, you can also simply add the Cluvio public key to any existing user's ~/.ssh/authorized_keys file on the tunnel server.

For added security, to make sure that the cluvio user cannot do anything but connect to the database, prepend the following options (followed by a space) to the ssh-rsa ...... line of Cluvio's public key in the authorized_keys file, replacing <db_server_host> and <db_server_port> with the actual host and port of your database server. The options disable PTY allocation and X11 forwarding, restrict port forwarding to that single database endpoint, and replace any requested command with a harmless echo:

no-pty,no-X11-forwarding,permitopen="<db_server_host>:<db_server_port>",command="/bin/echo do-not-send-comman
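
As an added example that is not Cluvio's own tooling, the following POSIX shell script assembles the restricted authorized_keys entry from the options above and checks the 700/600 permission bits that sshd's StrictModes expects before it will honour the file. It assumes GNU coreutils (stat -c), uses a temporary directory in place of /home/cluvio so it runs without root, uses a constructed sample key rather than Cluvio's real key, and the forced-command message "tunnel-only-key" is a placeholder standing in for the page's own message.

```shell
#!/bin/sh
# Added example, not Cluvio's own script. Assumptions: GNU coreutils (stat -c),
# a scratch directory standing in for /home/cluvio, a constructed sample key,
# and a placeholder forced-command message.

# Emit the restricted authorized_keys line: forwarding is pinned to one
# host:port, no PTY or X11 forwarding is granted, and any command request is
# replaced by an echo instead of a shell.
restricted_key_line() {
  pubkey="$1"; db_host="$2"; db_port="$3"
  printf 'no-pty,no-X11-forwarding,permitopen="%s:%s",command="/bin/echo tunnel-only-key" %s\n' \
    "$db_host" "$db_port" "$pubkey"
}

# Create <home>/.ssh (mode 700) and <home>/.ssh/authorized_keys (mode 600)
# containing exactly one restricted key line.
install_tunnel_key() {
  home="$1"; line="$2"
  mkdir -p "$home/.ssh" && chmod 700 "$home/.ssh"
  printf '%s\n' "$line" > "$home/.ssh/authorized_keys"
  chmod 600 "$home/.ssh/authorized_keys"
}

# Return 0 only if the permission bits match what the setup steps require
# (sshd with StrictModes refuses group/world-writable key files).
check_ssh_perms() {
  home="$1"
  [ "$(stat -c '%a' "$home/.ssh")" = "700" ] || return 1
  [ "$(stat -c '%a' "$home/.ssh/authorized_keys")" = "600" ] || return 1
  return 0
}

# Constructed sample key (NOT Cluvio's real key) and constructed DB endpoint.
SAMPLE_KEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDEXAMPLEKEYONLY connect@cluvio.com'
SCRATCH_HOME="$(mktemp -d)"
LINE="$(restricted_key_line "$SAMPLE_KEY" db.internal.example 5432)"
install_tunnel_key "$SCRATCH_HOME" "$LINE"
```

On a real tunnel host, replace the scratch directory with the tunnel user's home and add the chown steps from the full example above. The value of this entry is that a leaked private key still cannot open a shell (command= and no-pty) or be used to reach any other host on the private network (permitopen pins the forwarding target).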

Windows Server

These instructions apply to unix-based systems. If you need to use an SSH server on a Windows machine, the setup will differ and you will need to refer to the documentation of your OS or hosting provider on how to set up an SSH tunnel.

Firewall Setup

When using SSH tunnel connections, Cluvio's query executors connect to your SSH tunnel host from specific IP addresses, depending on your Account Location (shown in Admin Settings). Your firewall must allow inbound connections from these IP addresses to the SSH tunnel host to allow access.

To support a resilient setup that continues to work even during disaster recovery (DR) events, you must allow both the three primary IP addresses and the three disaster recovery IP addresses listed below for your account location.

EU:

# Primary IPs:
52.58.9.34
52.58.26.238
52.58.98.150

# Disaster Recovery IPs:
13.37.144.17
15.236.199.141
35.181.130.94

US:

# Primary IPs:
52.10.232.238
52.27.71.53
54.200.39.48

# Disaster Recovery IPs:
13.58.30.8
18.119.45.57
3.22.35.174

If your SSH tunnel / database is hosted on AWS (e.g., RDS, Redshift, or an EC2 instance), add the six relevant IP addresses (three primary + three disaster recovery) to the inbound rules of the SSH tunnel's Security Group.
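Added example, not Cluvio's or AWS's own script: a POSIX shell helper that turns the IP list above into one aws ec2 authorize-security-group-ingress call per /32 for a chosen account location, plus a small check that scans sshd "Accepted publickey" log lines for tunnel-user logins from any source outside that list. The security group id sg-PLACEHOLDER and the log lines are constructed; the --group-id, --protocol, --port and --cidr flags are the documented AWS CLI flags.

```shell
#!/bin/sh
# Added example, not Cluvio's own tooling. Assumptions: AWS CLI flags as
# documented by AWS, a placeholder security group id, constructed log lines.

# Cluvio query-executor source IPs by account location, primary then DR,
# exactly as listed on this page.
cluvio_ips() {
  case "$1" in
    EU) echo "52.58.9.34 52.58.26.238 52.58.98.150 13.37.144.17 15.236.199.141 35.181.130.94" ;;
    US) echo "52.10.232.238 52.27.71.53 54.200.39.48 13.58.30.8 18.119.45.57 3.22.35.174" ;;
    *)  echo "unknown account location: $1" >&2; return 1 ;;
  esac
}

# Print one authorize call per /32 so every allowed source is an explicit,
# auditable rule. Usage: sg_ingress_commands EU sg-PLACEHOLDER 22 | sh
sg_ingress_commands() {
  location="$1"; group_id="$2"; ssh_port="${3:-22}"
  ips="$(cluvio_ips "$location")" || return 1
  for ip in $ips; do
    printf 'aws ec2 authorize-security-group-ingress --group-id %s --protocol tcp --port %s --cidr %s/32\n' \
      "$group_id" "$ssh_port" "$ip"
  done
}

# Detection check: read sshd log lines on stdin and print the source IP of
# every accepted login for the tunnel user that is not a Cluvio address.
unexpected_tunnel_logins() {
  location="$1"; user="$2"
  allowed=" $(cluvio_ips "$location") "
  grep "Accepted publickey for $user from " | while read -r line; do
    ip="$(printf '%s\n' "$line" | sed -n 's/.* from \([0-9.]*\) port .*/\1/p')"
    [ -n "$ip" ] || continue
    case "$allowed" in
      *" $ip "*) ;;                 # expected Cluvio source, ignore
      *) printf '%s\n' "$ip" ;;      # anything else is worth an alert
    esac
  done
}

# Constructed sample auth log: one Cluvio login, one login for the tunnel user
# from an unrelated address, one unrelated admin login.
SAMPLE_AUTH_LOG='Jan 10 12:00:01 tunnel sshd[101]: Accepted publickey for cluvio from 52.58.9.34 port 41122 ssh2: RSA SHA256:abc
Jan 10 12:05:44 tunnel sshd[102]: Accepted publickey for cluvio from 198.51.100.7 port 51000 ssh2: RSA SHA256:abc
Jan 10 12:06:00 tunnel sshd[103]: Accepted publickey for admin from 203.0.113.9 port 50001 ssh2: ED25519 SHA256:def'
```

The generated rules open only the SSH port to the six /32 sources; no rule is added for the database port itself, since Cluvio reaches the database through the tunnel host, not directly. The log check is the complementary control: a firewall mistake that admits other sources shows up as a tunnel-user login from an address that is not in the list.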

Datasource Configuration

When you have set up an SSH server and the necessary firewall rules, you can configure your datasource. Open the datasource connection configuration and select SSH Tunnel as the connection mode.

Your SSH server must be publicly reachable on the specified IP address and port. Test your datasource connection by selecting Test Connection.