ETL can access your database or file server, allowing you to read and write data easily, regardless of their whereabouts - on the cloud, hosted or on premise. There are three ways to do so:
Directly by whitelisting ETL’s IP
Through an SSH tunnel
Through a Reverse SSH tunnel
Direct Connection
Provide ETL access to your server from ETL's network
SSH Tunnel
SSH Tunnel lets you connect ETL to your database or file server through a bastion host or a tunnel server. This connection type is used if you are unable to add an inbound firewall rule to your data warehouse, or your data warehouse IP address is on an internal network (no outside network access).
Creating ETL Connection
SSH Tunnel connection is supported on database connections and SFTP.
On the dashboard Connections , click New Connection and choose for a connection to use.
Choose SSH tunnel connection as Access type and supply your connection and tunnel host details.
Then Click Create Connection to generate a unique SSH public key for your connection.
- Copy the SSH Public key by clicking the copy button and prepare your tunnel host for access.
Once your tunnel host is prepared, click Test connection and Create connection once the connection is successful.
Preparing the Tunnel Host
You will need to prepare your host (either bastion host or tunnel server) by creating an ETL user and adding the connection's public key to the integrate-io ETL ~/.ssh/authorized_keys file. Here’s how:
Create group ETL
sudo groupadd integrate-io
Create user ETL and its home directory:
sudo useradd -m -g integrate-io integrate-io
Switch to the ETL user
sudo su - integrate-io
Create the .ssh directory and change permission
mkdir ~/.ssh && chmod 700 ~/.ssh
Create the authorization_keys file and change permission
touch ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys
Using your favorite text editor, add your connections’s public key to the authorized_keys.
- Allow access to your server's host and port from ETL's IP addresses.
Reverse SSH Tunnel
You can also connect to ETL through reverse SSH Tunnel if you are unable to provide direct port access to your instance.
We recommend that you use autossh which starts an instance of SSH client and monitors it, restarting it as necessary should it die or stop passing traffic. In order to allow ETL to connect to your server through an SSH tunnel, you have to complete the following steps:
Add a public key in your user settings. The public key will be propagated to all ETL servers in up to 30 minutes.
Creating ETL Connection
On the dashboard Connections , click New Connection and choose for a connection to use.
Choose Reverse SSH tunnel connection as Access type and supply your connection’s hostname, username and port
Click Create connection.
It will fail because we haven't created the tunnel yet, but the light blue box will appear and you will be able to retrieve ETL’s tunnel server ( ETL server endpoint that includes everything before the colon) and connection port (the number after the colon).
Establishing Reverse SSH Connection
If you're running Windows, see here about opening an SSH tunnel. If you're on Linux, Install autossh on either the target server or a server that has access to it. On Ubuntu/Debian for example, you can install using apt-get:
sudo apt-get install autossh
For other Linux distributions, follow the instructions here.
Create directories to keep logs and pid files for the connection. For example:
mkdir -p ~/MyDB/logs ~/MyDB/run
Add ETL's server public key to a known_hosts file. For example:
ssh-keyscan -p 50683 < ETL server> >> ~/MyDB/known_hosts
You can test the tunnel using SSH. Use the following syntax and insert your information at the placeholders:
ssh -NR <connection port>:<my server>:<local port> sshtunnel@< ETL server> -g -i <private key file> -p 50683 -o "ExitOnForwardFailure yes" -o ServerAliveInterval=10 -o ServerAliveCountMax=1 -N -v
Run autossh. Use the following syntax and insert your information at the placeholders:
AUTOSSH_LOGFILE=~/MyDB/logs/tunnel.log AUTOSSH_PIDFILE=~/MyDB/run/ autossh -M 0 -f -N -R <connection port>:<my server>:<local port> sshtunnel@< ETL server> -g -i <path to private key> -p 50683 -o "ExitOnForwardFailure yes" -o ServerAliveInterval=10 -o ServerAliveCountMax=1 -o UserKnownHostsFile=<path to known_hosts file>
For example, if you open the tunnel to a database that listens to port 5432 on host mydbserver, and the connection's assigned host and port at ETL are and 12345.
Note that the SSH port in ETL's servers is 50683
AUTOSSH_LOGFILE=~/MyDB/logs/tunnel.log AUTOSSH_PIDFILE=~/MyDB/run/ autossh -M 0 -f -N -R 12345:mydbserver:5432 -g -i ~/.ssh/id_rsa -p 50683 -o "ExitOnForwardFailure yes" -o ServerAliveInterval=10 -o ServerAliveCountMax=1 -o UserKnownHostsFile=~/MyDB/known_hosts
Add crontab record to run autossh automatically to reconnect after reboots. For example:
@reboot AUTOSSH_LOGFILE=~/MyDB/logs/tunnel.log AUTOSSH_PIDFILE=~/MyDB/run/ autossh -M 0 -f -N -R 12345:mydbserver:5432 -g -i ~/.ssh/id_rsa -p 50683 -o "ExitOnForwardFailure yes" -o ServerAliveInterval=10 -o ServerAliveCountMax=1 -o UserKnownHostsFile=~/MyDB/known_hosts