SSH bastion server on AWS

An SSH bastion server on AWS enables you to connect Starburst Galaxy to a database on AWS with an SSH tunnel. This allows you to create a catalog for a database that is not publicly available.

Database configuration

Your database does not have to allow public access, and access can be limited to a specific virtual private cloud (VPC). Configure the database as follows:

  • Public access: set to NO.
  • Configure the VPC, and note the value for your bastion server configuration.
  • Set the VPC Security Group to RDS (allow all in and out) to allow the bastion host to connect to the database.

Bastion server

You can create a suitable bastion server on EC2 with the following configuration:

  1. Click Launch instance to go to the Launch an instance page.
  2. Provide a Name or any tags required in your AWS account.
  3. Choose the Amazon Linux AWS AMI template to create a new Amazon Linux 2 AMI (HVM) with SSD Volume Type.
  4. Select the t2.micro Instance type.
  5. Choose a Key pair or create a new one.
  6. Choose Create new pair to create a key pair, and store the key to connect to your instance later.
  7. Click Edit to expand Network settings.
  8. Set Auto-assign public IP to Enable.
  9. Select Create security group.
  10. Name the security group starburst-galaxy-tunnel.
  11. Add a Description.
  12. Add Security group rules: for Type SSH, Protocol TCP, Port range 22, Source IP range/CIDR from Starburst Galaxy or 0.0.0.0/0.

The recommended setup for the security group is to allow SSH connections only from the specific IP address range/CIDR of Starburst Galaxy, rather than 0.0.0.0/0, which accepts connections from any address. To find this range, configure the SSH tunnel with a locked-down bastion host and use Validate and save SSH tunnel. The connection attempt fails and the correct range is displayed. Use that range to update the security group for the bastion host, and rerun the validation.