Connecting via Reverse SSH Tunnel

Getting Started

The Reverse SSH Tunnel is used to securely connect local data sources without opening ports, while encrypting data in-transit. By default, this option supports multiple concurrent integration syncs.

Setup

On your own EC2/VM, you will run the secoda/agent docker image. You can use docker-compose, like so:

version: "3"
services:
  agent:
    restart: always
    image: "secoda/agent:latest"
    environment:
      - SSH_PORT=
      - SSH_HOST=
      - SSH_LISTEN_PORT=
      - SSH_KEY_BASE64=

To retrieve the docker compose environment for your tunnel, go to https://app.secoda.co/tunnels and create a new reverse tunnel.

Copy the details to your clipboard, and replace the contents of your docker compose file with this configuration.

Running

docker-compose (recommended)

Once you have inputted the values in Setup, you can restart the Reverse SSH agent with:

Custom

Using the reverse tunnel

On an integration credentials page, fill in the integration connection details. DNS names are resolved on the agent, so you may use local hostnames.

Select the reverse tunnel you would like to use then click "Test connection".

Troubleshooting

Issue: Agent Stuck on Version Number During Startup

Symptom: The agent displays its version (e.g., agent | OpenSSH_9.3p2, OpenSSL 3.1.3 19 Sep 2023) and does not proceed with the startup process.

Likely Cause: Outbound network connection is blocked.

Troubleshooting Steps:

1. Check Firewall Settings: Verify your firewall rules to ensure outbound connections are not being blocked for the agent.

2. Contact Support (if necessary): If firewall adjustments are not feasible or don't resolve the issue, contact Secoda support. We can assist in configuring the agent to use a whitelisted outbound port.

Issue: DNS Resolution Error During Integration

Symptom: Integration fails with the error: "Error: Unable to find the DNS query names for <DNS_NAME>. Please check the spelling and try again."

Likely Cause: The reverse tunnel instance cannot resolve the hostname of the target database server.

Troubleshooting Steps (on the reverse tunnel instance):

1. Verify DNS Resolution:

   • Execute the following command to check DNS resolution for the database server's hostname:

     (Replace <DATABASE_HOSTNAME>.<DOMAIN_SUFFIX>.<TLD> with the fully qualified domain name of your database server, e.g., yourdb.yourcompany.com or yourdb.local).

   • Expected Output: A successful dig command should return the IP address of the database server.

2. Check Port Connectivity:

   • Use telnet to verify connectivity to the database server on its standard SQL port (default 1433):

   • Expected Output: A successful connection will display a blank screen or a "Connected to..." message. Press Ctrl + ] then type quit to exit.

3. Inspect Docker Container (if applicable):

   • If the reverse tunnel agent is in a Docker container, check DNS resolution from within the container:

     • a. Find Container ID:

       (Note the CONTAINER_ID of the reverse tunnel agent.)

     • b. Access Container Shell:

     • c. Perform In-Container DNS Check:

     • Expected Output (in-container): A successful dig command from within the container should return the IP address of the database server.