Starburst Galaxy


    Set up a bastion host in AWS #

    An SSH tunnel through a bastion host allows you to connect Starburst Galaxy to a database that is not accessible directly from Starburst Galaxy, such as databases with no public access from outside the virtual private cloud (VPC).

    The steps required to set up a bastion host for your specific environment vary based on your cloud provider and your organization’s needs, as described in bastion host options.

    Configure server on AWS #

    You can create a server on Amazon EC2 to serve as a bastion host using the following steps:

    1. Sign in to AWS and navigate to the EC2 Dashboard.
    2. Click Launch instance to go to the Launch an instance page.
    3. Provide a Name for your instance.
    4. Choose an Amazon Machine Image (AMI) appropriate for your workload from the list or the drop-down menu. The default Amazon Linux 2 option is a good starting point.
    5. Choose an Instance type from the drop-down menu. A small instance is sufficient to start, since the bastion host only forwards SSH traffic.
    6. Choose an existing Key pair or create a new pair to securely connect to your instance via SSH. If you create a new key pair, securely store the .pem private key file locally, possibly as ~/.ssh/bastionkey.pem.
    7. Click Edit to expand Network settings.
    8. If your AWS account has a VPC and Subnet that you want to use, select their names in the drop-down lists. If you don’t have a VPC or Subnet, create them and return to this step.
    9. Important! In the Auto-assign public IP drop-down menu, select Enable.
    10. Click to select Create security group, which is a named set of firewall rules.
    11. Provide a name and optional description for the security group.
    12. Add a security group rule to allow traffic between the bastion host and Starburst Galaxy: Type ssh, Protocol TCP, Port range 22, Source the IP range/CIDR for the region of your VPC from the appropriate table for AWS’s IP allowlist.
    13. Optional. Add a second security group rule to allow testing from your site to the bastion host. Source My IP.
    14. Configure storage for your instance.
    15. Review the configuration settings, then click Launch instance.

    Connect an RDS database #

    With your EC2 instance successfully launched, AWS shows a number of tiles. Open the links in the following tiles into new browser tabs so that you can return to this tile page.

    Connect to your instance

    Use this tile to verify that connectivity is open from your local machine through the public IP address of the bastion host. Follow the instructions in the SSH client tab.

    Connect RDS database

    Connect an existing RDS database instance that is supported by Starburst Galaxy, or create a new RDS instance and connect it.

    Make sure your RDS database’s configuration includes these settings:

    • Public access: set to No.
    • Existing VPC security groups: from the drop-down menu, select at least the security group that includes your bastion host.
    • Availability zone: from the drop-down menu, select the same zone that contains your bastion host.

    Generate RSA keys in Starburst Galaxy #

    In Starburst Galaxy, generate an RSA public and private key pair to secure communication between Starburst Galaxy and your bastion host.

    1. In the navigation menu, click Admin > Cloud settings > AWS.

    2. Click Configure SSH Tunnel.

    3. Click Generate RSA key.

    4. Save the contents of the RSA key field to a local file, possibly named ~/.ssh/generated-public.key.

    5. Leave Galaxy open to this pane.

    Create service account on bastion host #

    The following steps presume familiarity with issuing Linux commands at a Terminal prompt. These commands may vary depending on the Linux version of your server. You can instead use a Linux management app to perform the same steps.

    1. Use SSH from your local machine to log in interactively to your bastion host. Follow the steps in the Connect to your instance tile described above. For example: ssh -i ~/.ssh/bastionkey.pem ec2-user@bastionhostname

      Or with IP address: ssh -i ~/.ssh/bastionkey.pem ec2-user@bastion-public-ip-address

    2. If prompted whether you want to continue connecting, type yes.

    3. Create a group with sudo groupadd starburst

    4. Create a user with sudo useradd -m -g starburst starburst-galaxy

    5. Become the new user sudo su - starburst-galaxy

    6. Create the starburst-galaxy user’s SSH directory with mkdir ~/.ssh

    7. Set user-only permissions on the directory with chmod 700 ~/.ssh

    8. Go into the new directory: cd .ssh

    9. Create an empty authorized_keys file: touch ./authorized_keys

    10. Set user-only permissions on the file: chmod 600 ./authorized_keys

    11. Use a text editor to open the empty authorized_keys file.

    12. Paste the contents of the generated-public.key file you saved in the previous section into the empty authorized_keys file.

    13. Save the authorized_keys file.
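    The steps in this section, collected into one script as an added example. This is not code from the Starburst documentation; it assumes the key saved from Galaxy has already been copied to the bastion host (for instance to /tmp/generated-public.key with scp over the same key pair used to log in), that the script is run there with sudo, and it reuses the group and user names from the steps above. Beyond the manual steps, it rejects a key file that is not a single ssh-rsa line, uses a restrictive umask so the directory and file are never world-readable even momentarily, and does not duplicate the key when run a second time.

```shell
#!/bin/sh
# Added example: provision the Galaxy service account on an EC2 bastion host.
# Assumptions (not from the Starburst page): the public key generated by Galaxy
# has been copied to the bastion host, e.g.
#   scp -i ~/.ssh/bastionkey.pem ~/.ssh/generated-public.key ec2-user@<bastion-public-ip>:/tmp/
# and this script is run as   sudo sh provision-galaxy-account.sh /tmp/generated-public.key
set -eu

SERVICE_GROUP=starburst
SERVICE_USER=starburst-galaxy

# Accept only a file holding exactly one OpenSSH public key line of type
# ssh-rsa, which is what Galaxy's "Generate RSA key" produces.
validate_public_key() {
    key_file=$1
    [ -f "$key_file" ] || return 1
    [ "$(grep -c '.' "$key_file")" -eq 1 ] || return 1
    grep -q '^ssh-rsa [A-Za-z0-9+/=]\{1,\}' "$key_file" || return 1
}

# Create <home>/.ssh and <home>/.ssh/authorized_keys with the 700/600 modes
# sshd requires, and append the key once. Unprivileged; works on any home dir.
install_authorized_key() {
    home_dir=$1
    key_file=$2
    validate_public_key "$key_file" || return 1
    ssh_dir="$home_dir/.ssh"
    # umask in a subshell: files are private from creation, caller's umask untouched
    (
        umask 077
        mkdir -p "$ssh_dir"
        touch "$ssh_dir/authorized_keys"
    )
    chmod 700 "$ssh_dir"
    chmod 600 "$ssh_dir/authorized_keys"
    key_line=$(cat "$key_file")
    if ! grep -qxF "$key_line" "$ssh_dir/authorized_keys"; then
        printf '%s\n' "$key_line" >> "$ssh_dir/authorized_keys"
    fi
    return 0
}

# Return 0 if the directory is drwx------ and the file is -rw-------.
# ls -ld is used instead of stat because its output is portable across
# GNU and BSD userlands; cut -c1-10 drops any trailing ACL/SELinux marker.
check_private_perms() {
    home_dir=$1
    [ "$(ls -ld "$home_dir/.ssh" | cut -c1-10)" = "drwx------" ] || return 1
    [ "$(ls -ld "$home_dir/.ssh/authorized_keys" | cut -c1-10)" = "-rw-------" ] || return 1
}

# Number of key lines currently installed for the account at <home>.
count_authorized_keys() {
    grep -c '.' "$1/.ssh/authorized_keys"
}

# Privileged part: create group and user as in the manual steps, install the
# key, then hand ownership of ~/.ssh to the service account.
provision_service_account() {
    key_file=$1
    [ "$(id -u)" -eq 0 ] || { echo "run with sudo" >&2; return 1; }
    getent group "$SERVICE_GROUP" >/dev/null || groupadd "$SERVICE_GROUP"
    id "$SERVICE_USER" >/dev/null 2>&1 || useradd -m -g "$SERVICE_GROUP" "$SERVICE_USER"
    home_dir=$(getent passwd "$SERVICE_USER" | cut -d: -f6)
    install_authorized_key "$home_dir" "$key_file"
    chown -R "$SERVICE_USER:$SERVICE_GROUP" "$home_dir/.ssh"
    check_private_perms "$home_dir"
}

# Only act when invoked with the key file as the single argument.
if [ "$#" -eq 1 ]; then
    provision_service_account "$1"
fi
```

    After it runs, the SSH tunnel validation in the next section should succeed with SSH user starburst-galaxy; if it does not, the permission check at the end of the script (700 on ~/.ssh, 600 on authorized_keys, both owned by the service account) is the first thing to re-verify, because sshd silently ignores an authorized_keys file that is writable by others.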

    Create SSH tunnel alias in Starburst Galaxy #

    Return to Starburst Galaxy to test the connection and to create a tunnel alias for the bastion host.

    1. Return to the Admin > Cloud settings > AWS > SSH tunnel pane you left open at the end of Generate RSA keys in Starburst Galaxy.
    2. SSH tunnel alias: Add a name for the SSH tunnel. Starburst suggests using a descriptive name that includes the bastion host name and the connected catalog.
    3. SSH host: Add the public IP address or FQDN for the bastion host.
    4. SSH port: Leave the port at the default 22, unless you have configured SSH on the bastion host to use a different port.
    5. SSH user: Add the name of the service account on the bastion host to which you gave the generated RSA key. Our example steps above used the name starburst-galaxy.
    6. Click Validate and save to complete the configuration. Galaxy tests the connection. If valid, it saves this named SSH tunnel for future use.

    Now when creating a catalog or editing one, specify the alias for an SSH tunnel to configure connecting through that SSH tunnel.