Connecting Through Reverse SSH Tunnel

Hevo can connect to your database via a Reverse SSH Tunnel. Reverse SSH tunneling or remote port forwarding helps you connect to a remote (and private) network without needing a public gateway.

Contrary to how SSH works, where you establish a secure connection with a remote system and can receive and send data, in reverse SSH, the remote system connects with your local system. Then, using the established connection, you can set up a connection to the remote system and fetch the data from that system. As the original connection was formed from the remote system to your local system, it is called a reverse SSH.

Requesting a Reverse SSH Tunnel

To request a reverse SSH tunnel, contact Hevo either through the in-app support or by mailing us at with the SSH public key you wish to connect with.

Once Hevo gets your request it creates an SSH user for your team and allocates a set of ports that you can use to tunnel the traffic. Hevo provides you the following details that you can use to set up the reverse SSH tunnel and configure your Source:

  • ssh_host: The hostname of the SSH instance.

  • ssh_user: The username you would be using to connect to the SSH instance. This applies to your entire team.

  • a set of remote_forward_ports: A list of ports that Hevo allocates to you for tunneling the traffic. You can use one port for each DB host you want to fetch the data from.

Connecting to the SSH Instance

To connect the reverse SSH host, do one of the following:

  • Run the following command:

    ssh -f -N -R <REMOTE_FORWARD_PORT>:<DB_HOSTNAME_OR_IP>:<DB_PORT> <SSH_USER>@<SSH_HOST> -g -i <PATH_TO_PRIVATE_KEY> -o ServerAliveInterval=30 -o ServerAliveCountMax=1 -o ExitOnForwardFailure=yes

    Refer to the following table for the values of the variables.

    Configuration Description
    Any port from the list of ports allocated by Hevo to tunnel the traffic.
    The hostname or IP address of the DB instance you want to connect to.
    The port your database is listening on.
    @ -g -i The SSH user name provided to you by Hevo.
    The hostname of the SSH server provided to you by Hevo. This starts with the region your account is created in. For example,
    -o The path to the SSH private key available with you.
    ServerAliveInterval The interval in seconds, at which the server checks the connection. For example, 30, to indicate 30 seconds.
    ServerAliveCountMax The maximum number of server-alive messages for which a response may not be received before ssh disconnects from the server and terminates the session. For example, 1.

    If you prefer to connect using the SSH config, use the following option.

  • Provide the settings using the SSH configuration file:

    1. Edit your SSH config file, normally found at the path, ~/.ssh/config.

    2. Add the following reverse SSH settings to the file:

       Host <SSH_HOST>
         user                  <SSH_USER>
         IdentityFile          <PATH_TO_PRIVATE_KEY>
         ServerAliveInterval   30
         ServerAliveCountMax   1
         ExitOnForwardFailure  yes
    3. Run the following command with the values of the variables as defined in the SSH config file. Specify the port number to be assigned to the database from the list provided by Hevo.


      If you are using an SSH process manager, such as autossh, use the command:

         autossh -M 0 -f -N -R <REMOTE_FORWARD_PORT>:<DB_HOSTNAME_OR_IP>:<DB_PORT> <SSH_HOST> -g

    This sets up the reverse SSH tunnel.

Connecting the Database to Hevo

While connecting the database to Hevo, for the Database Host specify the <SSH_HOST>, and for the Database Port, specify the <REMOTE_FORWARD_PORT>.

Reverse SSH settings


Let us suppose that you are configuring a MySQL Source and have:

  • A MySQL server (can also be a private subnet), and

  • An internet gateway with an ssh client installed with the following configuration:

    • Host:

    • Port: 3306

    • Username: mysql_server_user

    • Password: mysql_s3rv3r_p@@5w0rd

    • Private_key_path: /Users/my_user/.ssh/id_rsa

When you request for a reverse SSH tunnel, Hevo provides you the following details:

  • Host:

  • Username: my_org_hevo_user

  • Ports: 1500, 1501, 1502, 1503, 1504, 1505, 1506, 1507, 1508, 1509

Based on these details:

  1. You connect to the reverse SSH tunnel by entering the following command on your terminal:

     ssh -f -N -R -g -i /Users/my_user/.ssh/id_rsa -o ServerAliveInterval=30 -o ServerAliveCountMax=1 -o ExitOnForwardFailure=yes
  2. As part of configuring MySQL as the Source in your Hevo Pipeline using reverse SSH tunnel, you specify the settings as follows:

    Reverse SSH Example

    • Database Host:

    • Database Port: 1504

    • Database User: mysql_server_user

    • Database Password: mysql_s3rv3r_p@@5w0rd

Revision History

Refer to the following table for the list of key updates made to this page:

Date Release Description of Change
Oct-25-2021 NA Improved the content on the page for better guidance on using a reverse SSH tunnel.
Last updated on 08 Mar 2022