SSH Tunnels

If it is not possible to connect directly to your database (e.g., it sits in a private network), you can connect to Metamapper via a SSH tunnel.

To connect via an SSH tunnel, you need to setup an SSH tunnel server (sometimes referred to as a bastion host) that has access to your database port. Bastion hosts are servers that sit within your public subnet and act as a "jump" server, allowing you to use SSH to login to other instances in a private subnet.

Create SSH user

We recommend creating a separate SSH user specifically for your Metamapper instance. To do this, you will need to run the following commands from within your SSH tunnel server.

Create group metamapper:

sudo groupadd metamapper

Create user metamapper and add it to the metamapper group:

sudo useradd -m -g metamapper metamapper

Switch to the metamapper user:

sudo su - metamapper

Add SSH keys

Metamapper authenticates against your bastion host using public/private SSH key pairs. This section walks through how to properly configure your keys within your bastion host.

First, create the .ssh directory (if it does not exist):

mkdir ~/.ssh

Set permissions on the directory. This means the metamapper user can read, can write and can execute commands against this directory.

chmod 700 ~/.ssh

Create the authorized_keys file. This will contain public SSH keys that are allowed access to the host.

touch ~/.ssh/authorized_keys

Set permissions on the authorized_key file. This means the metamapper user can read and can write to this file as needed.

chmod 600 authorized_keys

You will need to add the public SSH key from the datatore settings page in Metamapper to the authorized_keys file. This public SSH key is generated uniquely for each Metamapper workspace, so you should only need to do this once per workspace.

ssh-tunnel-pkey

Allow port access

Once the user is created, you'll need to allow port access. You should be able to do this using your cloud provider, whether it be using their web UI or a technology like Terraform.

This guide is a good example of how to open up ports on an Amazon EC2 instance.

Updating your connection settings

Once the above steps are completed, you can update the datastore connection to use SSH tunneling to connect to the datastore. Metamapper will confirm that our client can connect to your database before we commit your changes.

ssh-tunnel-setup

This feature (and guide) was heavily influenced connection options provided by Fivetran. Kudos!

Last updated on 9/9/2020
Schema InspectionCustom Properties