Connecting Through Reverse SSH Tunnel

Hevo can connect to your database via a Reverse SSH Tunnel. Reverse SSH tunneling or remote port forwarding helps you connect to a remote (and private) network without needing a public gateway.

In a regular SSH session, you open a secure connection from your local system to a remote system and exchange data over it. In reverse SSH, the remote system initiates the connection to your local system. Using the established connection, you can then set up a connection back to the remote system and fetch data from it. Because the original connection is made from the remote system to your local system, it is called reverse SSH.


Requesting a Reverse SSH Tunnel

To request a reverse SSH tunnel, contact Hevo either through the in-app support or by mailing us at support@hevodata.com with the SSH public key you wish to connect with.

Once Hevo receives your request, it creates an SSH user for your team and allocates a set of ports that you can use to tunnel the traffic. Hevo provides you the following details, which you can use to set up the reverse SSH tunnel and configure your Source:

ssh_host: The hostname of the SSH instance.

ssh_user: The username you would be using to connect to the SSH instance. This applies to your entire team.

a set of remote_forward_ports: A list of ports that Hevo allocates to you for tunneling the traffic. You can use one port for each DB host you want to fetch the data from.

Connecting to the SSH Instance

To connect to the reverse SSH host, do one of the following:

  • Run the following command:

    ssh -f -N -R <REMOTE_FORWARD_PORT>:<DB_HOSTNAME_OR_IP>:<DB_PORT> <SSH_USER>@<SSH_HOST> -g -i <PATH_TO_PRIVATE_KEY> -o ServerAliveInterval=30 -o ServerAliveCountMax=1 -o ExitOnForwardFailure=yes
    

    Refer to the following table for the values of the variables.

    | Configuration | Description |
    |---|---|
    | <REMOTE_FORWARD_PORT> | Any port from the list of ports allocated by Hevo to tunnel the traffic. |
    | <DB_HOSTNAME_OR_IP> | The hostname or IP address of the DB instance you want to connect to. |
    | <DB_PORT> | The port your database is listening on. |
    | <SSH_USER> | The SSH user name provided to you by Hevo. |
    | <SSH_HOST> | The hostname of the SSH server provided to you by Hevo. This starts with the region your account is created in. For example, us-tunnel.hevodata.com. |
    | <PATH_TO_PRIVATE_KEY> | The path to the SSH private key available with you. |
    | ServerAliveInterval | The interval, in seconds, at which the connection to the server is checked. For example, 30, to indicate 30 seconds. |
    | ServerAliveCountMax | The maximum number of server-alive messages for which a response may not be received before ssh disconnects from the server and terminates the session. For example, 1. |


  • Provide the settings using the SSH configuration file:

    1. Edit your SSH config file, normally found at ~/.ssh/config.

    2. Add the following reverse SSH settings to the file:

       Host <SSH_HOST>
         user                  <SSH_USER>
         IdentityFile          <PATH_TO_PRIVATE_KEY>
         ServerAliveInterval   30
         ServerAliveCountMax   1
         ExitOnForwardFailure  yes
      
    3. Run the following command with the values of the variables as defined in the SSH config file. Specify the port number to be assigned to the database from the list provided by Hevo.

       ssh -f -N -R <REMOTE_FORWARD_PORT>:<DB_HOSTNAME_OR_IP>:<DB_PORT> <SSH_HOST> -g
      
    If you are using an SSH process manager, such as [autossh](https://linux.die.net/man/1/autossh), use the command:
    
      ```
      autossh -M 0 -f -N -R <REMOTE_FORWARD_PORT>:<DB_HOSTNAME_OR_IP>:<DB_PORT> <SSH_HOST> -g
      ```
    This sets up the reverse SSH tunnel.   
    

Connecting the Database to Hevo

While connecting the database to Hevo, for the Database Host specify the <SSH_HOST>, and for the Database Port, specify the <REMOTE_FORWARD_PORT>.

Reverse SSH settings

Example

Let us suppose that you are configuring a MySQL Source and have:

  • a MySQL server (can also be in a private subnet), and

  • an internet gateway with an ssh client installed

with the following configuration:

  • host: mysql-server.my-org.com

  • port: 3306

  • username: mysql_server_user

  • password: mysql_s3rv3r_p@@5w0rd

  • private_key_path: /Users/my_user/.ssh/id_rsa

When you request a reverse SSH tunnel, Hevo provides you the following details:

  • host: us-tunnel.hevodata.com

  • username: my_org_hevo_user

  • ports: 1500, 1501, 1502, 1503, 1504, 1505, 1506, 1507, 1508, 1509

Based on these details,

  1. You connect to the reverse SSH tunnel by entering the following command on your terminal:

     ssh -f -N -R 1504:mysql-server.my-org.com:3306 my_org_hevo_user@us-tunnel.hevodata.com -g -i /Users/my_user/.ssh/id_rsa -o ServerAliveInterval=30 -o ServerAliveCountMax=1 -o ExitOnForwardFailure=yes
    
  2. As part of configuring MySQL as the Source in your Hevo Pipeline using reverse SSH tunnel, you specify the settings as follows:

    • Database Host: us-tunnel.hevodata.com

    • Database Port: 1504

    • Database User: mysql_server_user

    • Database Password: mysql_s3rv3r_p@@5w0rd
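
Hevo allocates a fixed set of ports, and one port is used for each database host. As an added example (not Hevo's tooling), the script below checks each planned forward against the allocated list and rejects reused ports before printing the `ssh -R` commands. The helper names and the second host, `pg-server.my-org.com:5432`, are assumptions made for illustration.

```shell
#!/bin/sh
# Values from the Example section above; the second mapping below is constructed.
ALLOCATED_PORTS="1500 1501 1502 1503 1504 1505 1506 1507 1508 1509"
SSH_USER="my_org_hevo_user"
SSH_HOST="us-tunnel.hevodata.com"
KEY_PATH="/Users/my_user/.ssh/id_rsa"

# Return 0 if $1 is one of the ports Hevo allocated (hypothetical helper).
port_allocated() {
    for p in $ALLOCATED_PORTS; do
        [ "$p" = "$1" ] && return 0
    done
    return 1
}

# Return 0 if $1 is a decimal TCP port in 1..65535.
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "${#1}" -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# build_tunnel_cmds REMOTE_FORWARD_PORT:DB_HOST:DB_PORT ...
# Prints one ssh command per mapping. Nothing is printed and the status is
# non-zero if any mapping is malformed, uses an unallocated port, or reuses a port.
build_tunnel_cmds() {
    used=" " cmds=""
    for m in "$@"; do
        case "$m" in *:*:*) ;; *) echo "malformed mapping: $m" >&2; return 2 ;; esac
        rport=${m%%:*}; rest=${m#*:}
        dbhost=${rest%:*}; dbport=${rest##*:}
        if [ -z "$dbhost" ] || ! valid_port "$rport" || ! valid_port "$dbport"; then
            echo "malformed mapping: $m" >&2; return 2
        fi
        port_allocated "$rport" || { echo "port $rport not allocated" >&2; return 3; }
        case "$used" in *" $rport "*) echo "port $rport used twice" >&2; return 4 ;; esac
        used="$used$rport "
        cmds="${cmds}ssh -f -N -R $rport:$dbhost:$dbport $SSH_USER@$SSH_HOST -g -i $KEY_PATH -o ServerAliveInterval=30 -o ServerAliveCountMax=1 -o ExitOnForwardFailure=yes
"
    done
    printf '%s' "$cmds"
}

# Stand-alone run: one port per database host (commands are printed, not executed).
build_tunnel_cmds "1504:mysql-server.my-org.com:3306" "1505:pg-server.my-org.com:5432"
```
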



Revision History

Refer to the following table for the list of key updates made to this page:

| Date | Release | Description of Change |
|---|---|---|
| Oct-25-2021 | NA | Improved the content on the page for better guidance on using a reverse SSH tunnel. |

Last updated on 12 Oct 2021