An SSH tunnel through a bastion host allows you to connect Starburst Galaxy to a database that is not accessible directly from Starburst Galaxy, such as databases with no public access from outside the virtual private cloud (VPC).
The steps required to set up a bastion host for your specific environment vary based on your cloud provider and your organization’s needs, as described in bastion host options.
You can create a server on Amazon EC2 to serve as a bastion host using the following steps:
.pem private key file locally, possibly as
TCP, Port range
Source the IP range/CIDR for the region of your VPC from the appropriate table for AWS’s IP allowlist.
With your EC2 instance successfully launched, AWS shows a number of tiles. Open the links in the following tiles into new browser tabs so that you can return to this tile page.
Use this tile to verify that connectivity is open from your local machine through the public IP address of the bastion host. Follow the instructions in the SSH client tab.
Connect an existing RDS database instance that is supported by Starburst Galaxy, or create a new RDS instance and connect it.
Make sure your RDS database’s configuration includes these settings:
In Starburst Galaxy, generate an RSA public and private key pair to secure communication between Starburst Galaxy and your bastion host.
In the navigation menu, click Cloud settings > AWS.
Click Configure SSH Tunnel.
Click Generate RSA key.
Save the contents of the RSA key field to a local file, possibly named
Leave Galaxy open to this pane.
The following steps presume familiarity with issuing Linux commands at a Terminal prompt. These commands may vary depending on the Linux version of your server. You can instead use a Linux management app to perform the same steps.
Use SSH from your local machine to log in interactively to your bastion host.
Follow the steps in the Connect to your instance tile described above.
ssh -i ~/.ssh/bastionkey.pem ec2-user@bastionhostname
Or with IP address:
ssh -i ~/.ssh/bastionkey.pem ec2-user@bastion-public-ip-address
If prompted whether you want to continue connecting, type
Create a group with:
sudo groupadd starburst
Create a user with:
sudo useradd -m -g starburst starburst-galaxy
Become the new user:
sudo su - starburst-galaxy
starburst-galaxy user’s SSH directory with
Set user-only permissions on the directory with:
chmod 700 ~/.ssh
Go into the new directory:
Create an empty
Set user-only permissions on the file:
chmod 600 ./authorized_keys
Use a text editor to open the empty
Paste the contents of the generated-public.key file you saved in the previous section into the empty
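The following script is an added example, not part of the original page or of Starburst's own tooling. It audits the result of the steps above on the bastion host: the tunnel user's SSH directory must be mode 700, authorized_keys must be mode 600, and the pasted key must have survived the text editor as a single intact line. It assumes the public key is in OpenSSH ssh-rsa format with no options prefix; the function names and the placeholder key in the fixture are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): audit the tunnel user's SSH
# directory. Assumes OpenSSH-format "ssh-rsa" entries with no options prefix.

# Print the 10-character mode string of a path, e.g. "drwx------".
perm_of() { ls -ld "$1" | cut -c1-10; }

# check_tunnel_ssh_dir DIR: return 0 only if DIR is mode 700,
# DIR/authorized_keys is mode 600, and every non-blank, non-comment line
# is a well-formed ssh-rsa public key (at least one entry is required).
check_tunnel_ssh_dir() {
    dir=$1; keys="$dir/authorized_keys"; rc=0
    [ -d "$dir" ] || { echo "FAIL: $dir is not a directory"; return 1; }
    [ -f "$keys" ] || { echo "FAIL: $keys is missing"; return 1; }
    [ "$(perm_of "$dir")" = "drwx------" ] ||
        { echo "FAIL: $dir is not mode 700"; rc=1; }
    [ "$(perm_of "$keys")" = "-rw-------" ] ||
        { echo "FAIL: $keys is not mode 600"; rc=1; }
    # Entries are the lines that are neither blank nor comments.
    entries=$(grep -Ev '^[[:space:]]*(#|$)' "$keys" || true)
    [ -n "$entries" ] || { echo "FAIL: $keys has no key entries"; return 1; }
    # Every ssh-rsa blob begins with the base64 of its length-prefixed type
    # name, "AAAAB3NzaC1yc2E"; a wrapped or truncated paste breaks the match.
    bad=$(printf '%s\n' "$entries" |
        grep -Evc '^ssh-rsa AAAAB3NzaC1yc2E[A-Za-z0-9+/]+=*( .*)?$' || true)
    [ "$bad" -eq 0 ] || { echo "FAIL: $bad malformed key line(s)"; rc=1; }
    if [ "$rc" -eq 0 ]; then echo "OK: $dir"; fi
    return "$rc"
}

# Build a constructed fixture (placeholder key material, not a real key)
# and run the check against it; returns the check's status.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/.ssh" && chmod 700 "$tmp/.ssh"
    printf '%s\n' \
        'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABconstructedPLACEHOLDER galaxy' \
        > "$tmp/.ssh/authorized_keys"
    chmod 600 "$tmp/.ssh/authorized_keys"
    status=0; check_tunnel_ssh_dir "$tmp/.ssh" || status=$?
    rm -rf "$tmp"
    return "$status"
}
```

On the bastion host, run the check as the starburst-galaxy user with `check_tunnel_ssh_dir ~/.ssh` before returning to Starburst Galaxy to test the connection.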
Return to Starburst Galaxy to test the connection and to create a tunnel alias for the bastion host.
Now when creating a catalog or editing one, specify the alias for an SSH tunnel to configure connecting through that SSH tunnel.