SSH bastion server on AWS

An SSH bastion server on AWS enables you to connect Starburst Galaxy to a database on AWS with an SSH tunnel. This allows you to create a catalog for a database that is not publicly available.

Database configuration

Your database does not have to allow public access, and access can be limited to a specific virtual private cloud (VPC). Configure your database as follows:

  • Public access: set to NO.
  • Configure the VPC, and note the value for your bastion server configuration.
  • Set the VPC Security Group to RDS (allow all in and out) to allow the bastion host to connect to the database.

Bastion server

You can create a suitable bastion server on EC2 with the following configuration.

  1. Use Launch instance to create a new Amazon Linux 2 AMI (HVM) with SSD Volume Type.
  2. Select Size as t2.micro.
  3. Set Auto-assign Public IP to Enable.
  4. Leave defaults in Add storage.
  5. Leave Add tags empty, or add any tags required in your AWS account.
  6. Select Configure Security Group.
  7. Create a new security group named starburst-galaxy-tunnel.
  8. Add rules for type SSH, protocol TCP, on port 22, with the source set to the IP range/CIDR from Starburst Galaxy or 0.0.0.0/0.

The recommended setup for the security group is to allow SSH connections only from the specific IP address range/CIDR of Starburst Galaxy; a source of 0.0.0.0/0 accepts SSH connection attempts from any address on the internet. To obtain the range, configure the SSH tunnel with a locked-down bastion host and use Validate and save SSH tunnel. The connection attempt fails and the correct range is displayed. Use the information to update the security group for the bastion host, and rerun the validation.