Connecting via SSH Tunnel

This page walks through connecting your data sources via a direct SSH tunnel

Getting Started with SSH Tunnels

Tunnels require you to run an SSH server process (SSHD) on a host accessible from the public internet. These hosts are often referred to as jump hosts or Bastion hosts and can be set up in nearly all cloud providers. The sole purpose of these host is to provide access to resources in a private network from an external network like the internet.

Set Up

There are three main steps to set up a tunnel:

Set up can vary depending on the Cloud provider used. We provide some general tips and tricks for AWS and Azure below.

  1. Configure a host in your environment that is accessible from the public internet. Make sure the Secoda IP address is whitelisted.

  2. Create a Tunnel in Secoda and add in the configuration details from the host (SSH Username, SSH Hostname, Port). Once you submit these details, a Public Key will be shown.

  3. Add the Public Key to the authorized_keys file in your host.


  • Create an EC2 instance from the AWS Management Console in a public subnet in the same VPC as the resource that you'd like to integrate with Secoda.

  • Add the SSH key from Secoda.

  • Create a Security Group for this instance, and add an inbound rule for the Secoda IPs.

  • Make sure the EC2 instance has access to the resource that you'd like to integrate with Secoda. This might mean adding an inbound rule for the IP of the EC2 instance to the database or source that you're integrating with Secoda.

Azure Cloud

  • Create a Virtual Network from the Azure console, that has access to the database or datasource that you'd like to integrate with Secoda. Make sure the Azure firewall is enabled for this network.

  • Create a Virtual Machine. This machine is acting as the jump server. This VM does not need an public access, but must have access to the database or datastore that is meant to integrate with Secoda.

  • Go to your firewall rules, and add a NAT rule.

    • Protocol should be set to TCP

    • Source IP address should be set to the Secoda IP Address

    • Destination IP address should be the IP address of your Firewall

    • Recommended Port is 22

    • Translated IP address should be the IP address of the Virtual Machine

  • From within your instance, you'll need to create a user and set up the SSH key provided by Secoda. The follow commands are recommended to do this:

$ sudo useradd -m secoda // Create a new non admin user for Secoda
$ sudo su - secoda // Finegrain permissions for this user as you see fit
$ mkdir .ssh // Create an SSH folder if one doesn't already exist
$ chmod 0700 .ssh // Set restrictive permissions on this folder
$ cd .shh // Go into this folder
$ vi authorized_keys // Open a new file called authorized_keys, add a Public Key to this file and save it
$ chmod 0600 authorized_keys // Set restrictive permissions on this folder

Connecting your Integration using a Tunnel

Once your tunnel has been made, navigate to the source that you're integrating with. On the connect page, add the credentials for the datasource.

At the bottom of the connect page, you'll see the option to add a tunnel. Click on the arrow to see a drop down menu with your recently created Tunnel. Select this tunnel, and click Test Connection to complete your integration setup!


If you're having trouble establishing a connection with a standard tunnel, check the following:

  • Check that the Secoda IP is whitelisted on your Bastion host.

  • Check that the public key we provide you on tunnel creation is in the ~/.ssh/authorized_keys file.

  • Check permissions on the SSH files.

    • ~/.ssh directory should be 0700

    • ~/.ssh/authorized_keys file should be 0644

  • Check that the Bastion host can network to your data source.

    • nc -z $data_source_host $data_source_port

  • Check that you can use the bastion host from your personal machine. You will need to use your own private and public keys, not the public key from the above step. Replace the values where appropriate.

    ssh -L localhost:1111:<POSTGRES_URL_OR_IP>:5432 -i <PRIVATE_KEY_NAME>.pem <BASTION_USER>@<BASTION_IP> psql -h localhost -P 1111 -U secodapostgres

Last updated