SSH Tunneling

Overview

Tunneling lets Hightouch securely open a connection to a data warehouse in your private network or Virtual Private Cloud (VPC) without exposing it to the internet. SSH tunnels are secure, authenticated, encrypted, and dedicated to your workspace. To learn more about SSH tunneling, check out this introductory article.

This feature is supported for the following sources:

• Amazon Redshift
• Azure Synapse
• ClickHouse
• Datawarehouse.io
• Greenplum Database
• Metabase
• Microsoft SQL Server
• MongoDB
• MySQL
• Oracle DB
• PostgreSQL
• SingleStore
• Tableau
• Teradata Vantage
• Trino

And the following destinations:

• AlloyDB
• MariaDB
• Microsoft SQL Server
• MongoDB
• MySQL
• Oracle DB
• PostgreSQL
• Redis

Standard versus reverse tunneling

Both Standard and Reverse tunnels open a secure port connection between Hightouch and your data warehouse. However, they differ in implementation, and you may prefer one based on your network specifications.

Standard tunnels require you to run sshd on a bastion host accessible from the public internet. Our systems open an SSH connection to your bastion, then open a port forwarding connection from your bastion to the private service you specify.

Reverse tunnels let you forward a port by connecting as a client to an SSH server managed by Hightouch. This removes the necessity for a bastion host in your infrastructure but requires you to maintain that connection. That means if your connection goes down for whatever reason, your systems automatically re-open the connection. You can use programs like `autossh``, Docker container restart policies, or process supervisors like supervisord to help maintain your connection.

Standard tunneling

Requirements

• Allowlist the Hightouch static IP addresses corresponding to your region.
• Allow connections from the bastion host to your warehouse.
• Set up a user on the bastion host named hightouch.

Setup

To get started, navigate to Settings > Tunnel.

1. Select Add Tunnel.
2. Enter a Name for your tunnel.
3. Fill out the SSH Host and SSH Port.
   • These are the connection details for your public-facing bastion server host.
   • The port is most likely 22, standard for sshd.
4. Fill out the Service Host and Service Port.
   • These are the connection details for the data warehouse you are connecting to Hightouch.
   • Think of your bastion server as a jump host. Hightouch jumps through it to connect to your warehouse using these details.
5. Select Create.
6. Copy or download the generated SSH public key. Add this to the ~/.ssh/authorized_keys file for the hightouch user on your bastion server. You can use ssh-copy-id to help with this.
7. The tunnel Status turns green when the connection is established. Your tunnel is now ready for use.

Troubleshooting

If you're having trouble establishing a connection with a standard tunnel, check the following:

• Check that you've allowlisted the static Hightouch IP addresses on your bastion host. See requirements for more information.
• Check that the hightouch user exists on your bastion host and that the Hightouch public key is in their ~/.ssh/authorized_keys file.
• Check permissions on the hightouch user's SSH files.
  • ~/.ssh directory should be 0700
    • Fix: chmod 0700 /home/hightouch/.ssh
  • ~/.ssh/authorized_keys file should be 0644
    • Fix: chmod 0644 /home/hightouch/.ssh/authorized_keys
  • ~/.ssh directory and ~/.ssh/authorized_keys file should be owned by the hightouch user
    • Fix: chown -R /home/hightouch/.ssh
• Check that the bastion host can network to your warehouse.
  • nc -z $warehouse_host $warehouse_port
• If all else fails, reach out to our Customer Success team.

Reverse tunneling

Requirements

• You need a server within your VPC to act as the SSH client.
• The SSH client server must be able to connect to both the public internet and your warehouse.

Setup

To get started, navigate to Settings > Tunnel.

1. Select Add reverse tunnel.
2. Enter a Name for your tunnel.
3. Select Create.
4. Download the private key to your machine.

   Hightouch doesn't store your private key. As a result, we can't recover a lost key. Please make a local copy of this key and store it securely.

5. Copy the example ssh command and save it. You'll need to run it later.
   • Example

     ssh -i path/to/key.pem \
         -R 0.0.0.0:56000:$SERVICE_HOST:$SERVICE_PORT \
         tunnel.hightouch.io -p 49100 \
         -o ExitOnForwardFailure=yes
     

   • This command includes the remote Hightouch sshd host and port, and remote forwarding port.
   • Set or replace the $SERVICE_HOST and $SERVICE_PORT variables with your internal warehouse service host and port.
6. Upload the private key to your SSH client server, store it securely, and ensure its permissions are set to 0400.
7. From your SSH client server, run the modified ssh command.
   • Ensure the -i flag is pointing to the correct path of the private key.
   • You most likely want to wrap this ssh command with a process manager to restart in case of failure. Consider autossh.
8. The tunnel Status turns green when the connection is established. Your tunnel is now ready for use.

Hightouch Reverse SSH Host Key

If you prefer, you can check that Hightouch's hostname is correctly set to either tunnel.aws-us-east-1.hightouch.com, tunnel.aws-eu-west-1.hightouch.com, tunnel.aws-ap-south-1.hightouch.com, or tunnel.gcp-us-east4.production.hightouch.com depending on your workspace region and that the Host Key is correctly included in ~/.ssh/known_hosts as follows:

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCXjpH+c24rYGDBoUdHGN3Yazp4SrDU8Z0Oqb0WRaKJz0VpSPS+Kqmc0MioY3yK1aPDh32VSEFUykEHIobV7dsH9uKlR3OllTkxN9pIk3xfJBn1/x4TS2VX1I+XM7KE6xJH/QmBVaVyNzsYzZ+lR/hUdrVC3czV+ReJa5j+YS23atS3x9NznxHSBBOLcq0RpFj65/WZt0kJwbIqhrGYIq5qXR/8d7gzyCj6vg2iNNUszTFQvcFeQ8zeXC63ke4C9oCFHbneX2odvsDY5DQM6WF7H6j91qRhGEq+niQg2zCns1kJq1Gfa7bY3OxIHmQ3HP0R8ExJMsBBqdKoL5uNY8UK717yNuFzBQUV8fgJi1HZC6JR6uDVpLadbXUV3WD0LA0YQ1h24KKGtPRDrnyZxNTdn0R19asz31npyFHKrP95OIz2RoGuqsn9fr3FzO1wfXjdzYp5l6AAy04K6yPNQfTC/+LLk8U1PWbSsMBqlQnHkp/eMaSdTEVMVxqhAFKCz8M=

Troubleshooting

If you're having trouble establishing a connection with a reverse tunnel, check the following:

• Check that your SSH client server is running and can access the public internet.
• Check that you've uploaded the private key and that it's only readable by the user initiating the SSH connection (chmod 0400).
• Add the -v (verbose) flag to your SSH command to see more detailed errors.
• If all else fails, reach out to our Customer Success team. Please include any errors in the SSH output.