SSH tunnels #

You can use an SSH tunnel between Starburst Galaxy and your data source for an added layer of security. The server providing this SSH tunnel access is known as a bastion host or jump server.

This setup enables access to data sources that are not directly reachable from Starburst Galaxy, such as databases with no public access from outside the cloud provider network that are protected inside a virtual private cloud (VPC). All connections from Starburst Galaxy go to the bastion host, and are forwarded inside the private network to the data source.

Requirements #

To use an SSH tunnel, you need the following:

  • A server running SSH, and configured as a bastion host.
  • Network access from the bastion host to the data source.
  • A public IP address or fully qualified domain name (FQDN) for the bastion host, and network access to it from Starburst Galaxy, typically on port 22. Restrict inbound access on that port to the Starburst Galaxy IP address range rather than opening it to the internet.

Use our tips to configure a bastion host in your cloud provider:

Considerations #

Once configured, all network traffic and data transfer between Starburst Galaxy and the bastion host is encrypted by SSH. The bastion host then forwards the traffic to the data source inside your private network using the data source's own protocol, so that hop is only encrypted if the data source connection itself uses TLS.

This server must be located within the same network and region as the data source and the Starburst Galaxy cluster to minimize data transfer costs and negative performance impacts.

The server also needs enough CPU and network bandwidth to carry the forwarded data transfer, since every byte exchanged with the data source passes through it.

Configuration #

Configure the use of an SSH tunnel for the connection to the data source in your catalog:

  • Select Connect via SSH tunnel in the configuration for the connection type.
  • Click Generate RSA key and copy the value. Starburst Galaxy keeps the private key; the value shown is the public key that you install on the bastion host.
  • Add the public key to the authorized_keys file of the operating system user that the tunnel logs in as on the bastion host, as described in Add key to bastion server.
  • Add a name for the SSH tunnel in SSH tunnel alias. You can use the alias to identify the SSH tunnel configuration, and reuse it in other catalog configurations.
  • Add the public IP address or FQDN of the bastion host in SSH host.
  • Leave the port used for the SSH-encrypted data transfers at the default 22, unless you have configured SSH on the bastion host to use a different port.
  • Add the name of the operating system user on the bastion host whose authorized_keys file contains the generated key in SSH user.
  • Click Validate and save SSH tunnel to complete the configuration.
  • If the connection fails, the error message includes the specific IP address range (CIDR) that you need to allow for inbound traffic on the bastion host.

Now you can proceed to configure the data source connection, using the host name and port values that are only reachable through the SSH tunnel, such as the private address of the data source inside the VPC.

Add key to bastion server #

The SSH tunnel needs the public key generated by Starburst Galaxy in the authorized_keys file of the tunnel user on the bastion host. Copy the value of the key from the user interface, paste it into a new text file, and save it in your home directory as ~/.ssh/examplekey.pub. The .pub suffix matters: ssh-copy-id appends it when it is missing, and then looks for a file that does not exist.

Use the username and host name of the bastion host, and copy the key to it with the ssh-copy-id command. ssh-copy-id logs in with your own existing credentials for that user, so you need working SSH access as sshuser already. The -f option is required because you only hold the public half of the Galaxy key, and ssh-copy-id otherwise tries to read the matching private key:

ssh-copy-id -f -i ~/.ssh/examplekey.pub sshuser@bastionhostname

ssh-copy-id installs the key without any options, so as installed it grants a normal login shell as sshuser, not just port forwarding.

Alternatively, use the SSH key that your cloud provider issued for the bastion host to log in to it and add the key manually, as described in the following steps. Details vary between Linux distributions.

  1. Obtain the private key file for the bastion host from your cloud provider, typically a PEM file (bastion.pem), and make it readable only by you with chmod 400 bastion.pem, since ssh refuses to use a private key with wider permissions.
  2. Connect to the bastion host with SSH ssh -i bastion.pem user@<ip_address>
  3. Create a group with sudo groupadd starburstgalaxy
  4. Create a user with sudo useradd -m -g starburstgalaxy starburstgalaxy
  5. Switch to the new user with sudo su - starburstgalaxy
  6. Create the user's SSH configuration directory with mkdir ~/.ssh
  7. Set permissions on the directory with chmod 700 ~/.ssh
  8. Create the authorized_keys file with touch ~/.ssh/authorized_keys
  9. Set permissions with chmod 600 ~/.ssh/authorized_keys
  10. Add the public key from the Starburst Galaxy SSH tunnel dialog to the authorized_keys file with a text editor, as a single line. sshd ignores the file if the directory or file is writable by other users, so keep the permissions from the previous steps.
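As an added example, not part of the Starburst documentation or the Galaxy product, the following POSIX shell script carries out the steps above on the bastion host and also applies the restrictions an operator would normally put on a forwarding-only key: restrict, port-forwarding, permitopen limited to the data source, and an optional from= clause carrying the Galaxy IP range reported by the validation error message. It then checks what sshd will actually see. The user and group names are the ones from the steps above; the script name, the environment variable names, db.internal:5432 and 203.0.113.0/24 are placeholders, and the key string used in the usage note is constructed, not a real key.

```shell
#!/bin/sh
# Added example, not Starburst's own code: install the public key shown in the
# Starburst Galaxy SSH tunnel dialog on the bastion host as a forwarding-only
# key, and verify the result. Assumes OpenSSH 7.2 or newer on the bastion
# (for the "restrict" option) and a Linux distribution with useradd/getent.
set -eu

# Shape check for the pasted key: exactly one line of "<type> <base64> [comment]".
validate_pubkey() {
    key=$1
    nl=$(printf '\nx'); nl=${nl%x}
    case "$key" in
        *"$nl"*) echo "key must be a single line" >&2; return 1 ;;
    esac
    set -- $key
    [ "$#" -ge 2 ] || { echo "key must be '<type> <base64> [comment]'" >&2; return 1; }
    case "$1" in
        ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) echo "unsupported key type: $1" >&2; return 1 ;;
    esac
    printf '%s' "$2" | grep -Eq '^[A-Za-z0-9+/]+=*$' || { echo "key body is not base64" >&2; return 1; }
}

# Build the authorized_keys entry. "restrict" disables pty, agent/X11 forwarding
# and rc files; "port-forwarding" re-enables only TCP forwarding; permitopen
# limits it to the data source; from= limits the source to the Galaxy CIDR
# reported by the "Validate and save SSH tunnel" error message.
authorized_keys_entry() {
    opts="restrict,port-forwarding,permitopen=\"$2\""
    if [ -n "${3:-}" ]; then
        opts="from=\"$3\",$opts"
    fi
    printf '%s %s\n' "$opts" "$1"
}

# Create ~/.ssh and authorized_keys with the permissions sshd requires and
# append the entry once (safe to rerun).
install_galaxy_key() {
    home_dir=$1; pubkey=$2; dest=$3; from_cidr=${4:-}
    validate_pubkey "$pubkey"
    entry=$(authorized_keys_entry "$pubkey" "$dest" "$from_cidr")
    ak="$home_dir/.ssh/authorized_keys"
    umask 077
    mkdir -p "$home_dir/.ssh"
    chmod 700 "$home_dir/.ssh"
    touch "$ak"
    chmod 600 "$ak"
    grep -qxF "$entry" "$ak" || printf '%s\n' "$entry" >> "$ak"
}

# Check what sshd will see: directory and file modes, and that every copy of
# this key carries the restrictions (an unrestricted copy, for example one
# installed by ssh-copy-id, would grant a full shell).
check_galaxy_key() {
    home_dir=$1; pubkey=$2
    ak="$home_dir/.ssh/authorized_keys"
    [ -n "$(find "$home_dir/.ssh" -prune -perm 700)" ] || { echo "$home_dir/.ssh must be mode 0700" >&2; return 1; }
    [ -n "$(find "$ak" -prune -perm 600)" ] || { echo "$ak must be mode 0600" >&2; return 1; }
    grep -qF "$pubkey" "$ak" || { echo "Galaxy key not present in $ak" >&2; return 1; }
    if grep -F "$pubkey" "$ak" | grep -qv 'restrict,port-forwarding,permitopen='; then
        echo "unrestricted copy of the Galaxy key found in $ak" >&2; return 1
    fi
}

# Run as root on the bastion (sudo sh galaxy-bastion-key.sh --apply) with
# GALAXY_PUBKEY, DEST (host:port of the data source) and optionally
# GALAXY_CIDR set in the environment; all of these names are placeholders.
if [ "${1:-}" = "--apply" ]; then
    : "${GALAXY_PUBKEY:?paste the key from the Galaxy SSH tunnel dialog}"
    : "${DEST:?data source host:port, e.g. db.internal:5432}"
    getent group starburstgalaxy >/dev/null || groupadd starburstgalaxy
    id starburstgalaxy >/dev/null 2>&1 || useradd -m -g starburstgalaxy starburstgalaxy
    home_dir=$(getent passwd starburstgalaxy | cut -d: -f6)
    install_galaxy_key "$home_dir" "$GALAXY_PUBKEY" "$DEST" "${GALAXY_CIDR:-}"
    chown -R starburstgalaxy:starburstgalaxy "$home_dir/.ssh"
    check_galaxy_key "$home_dir" "$GALAXY_PUBKEY"
    # The tunnel only works if sshd permits TCP forwarding (the default is yes).
    sshd -T 2>/dev/null | grep -i '^allowtcpforwarding' || echo "warning: could not query sshd -T" >&2
fi
```

Without --apply the script only defines the functions, so it can be sourced and tried against a scratch directory first, for example install_galaxy_key /tmp/scratch 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCconstructedNotARealKey0123456789 galaxy-tunnel' db.internal:5432 203.0.113.0/24 followed by check_galaxy_key. The permitopen value must match the host and port you later enter in the catalog configuration exactly, because sshd compares it against the destination the SSH client names in its forwarding request; if validation in Galaxy fails after installing the key, that mismatch and an AllowTcpForwarding no in sshd_config are the first things to check.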

The details for setting up the bastion host also vary with your cloud provider platform and the bastion host itself: