Search documentation...

K

SSH Tunneling

Only the following sources support tunneling: Redshift, Postgres, Mixpanel, Clickhouse, MongoDB, MySQL, SQL Server, Trino, and Metabase. Hightouch also supports tunneling for the Postgres and MySQL destinations.

Overview

Tunneling lets Hightouch securely open a connection to a data warehouse in your private network or Virtual Private Cloud (VPC) without exposing it to the internet. SSH tunnels are secure, authenticated, encrypted, and dedicated to your workspace. To learn more about SSH tunneling, check out this introductory article.

Standard versus reverse tunneling

Both Standard and Reverse tunnels open a secure port connection between Hightouch and your data warehouse. However, they differ in implementation, and you may prefer one based on your network specifications.

Standard tunnels require you to run sshd on a bastion host accessible from the public internet. Our systems open an SSH connection to your bastion, then open a port forwarding connection from your bastion to the private service you specify.

Reverse tunnels let you forward a port by connecting as a client to an SSH server managed by Hightouch. This removes the necessity for a bastion host in your infrastructure but requires you to maintain that connection. That means if your connection goes down for whatever reason, your systems automatically re-open the connection. You can use programs like `autossh``, Docker container restart policies, or process supervisors like supervisord to help maintain your connection.

Standard tunneling

Requirements

You need to allowlist Hightouch's IP addresses to let our systems contact your bastion host. Reference our docs to determine which IPs you need to allowlist.

  • Allowlist the Hightouch static IP addresses corresponding to your region.
  • Allow connections from the bastion host to your warehouse.
  • Set up a user on the bastion host named hightouch.

Setup

To get started, navigate to Settings > Tunnel.

  1. Select Add Tunnel.
  2. Enter a Name for your tunnel.
  3. Fill out the SSH Host and SSH Port.
    • These are the connection details for your public-facing bastion server host.
    • The port is most likely 22, standard for sshd.
  4. Fill out the Service Host and Service Port.
    • These are the connection details for the data warehouse you are connecting to Hightouch.
    • Think of your bastion server as a jump host. Hightouch jumps through it to connect to your warehouse using these details.
  5. Select Create.
  6. Copy or download the generated SSH public key. Add this to the ~/.ssh/authorized_keys file for the hightouch user on your bastion server. You can use ssh-copy-id to help with this.
  7. The tunnel Status turns green when the connection is established. Your tunnel is now ready for use.

Troubleshooting

If you're having trouble establishing a connection with a standard tunnel, check the following:

  • Check that you've allowlisted the static Hightouch IP addresses on your bastion host. See requirements for more information.
  • Check that the hightouch user exists on your bastion host and that the Hightouch public key is in their ~/.ssh/authorized_keys file.
  • Check permissions on the hightouch user's SSH files.
    • ~/.ssh directory should be 0700
    • ~/.ssh/authorized_keys file should be 0644
  • Check that the bastion host can network to your warehouse.
    • nc -z $warehouse_host $warehouse_port
  • If all else fails, .

Reverse tunneling

Requirements

  • You need a server within your VPC to act as the SSH client.
  • The SSH client server must be able to connect to both the public internet and your warehouse.

Setup

To get started, navigate to Settings > Tunnel.

  1. Select Add reverse tunnel.
  2. Enter a Name for your tunnel.
  3. Select Create.
  4. Download the private key to your machine.

    Hightouch doesn't store your private key. As a result, we can't recover a lost key. Please make a local copy of this key and store it securely.

  5. Copy the example ssh command and save it. You'll need to run it later.
    • Example
      ssh -i path/to/key.pem \
          -R 0.0.0.0:56000:$SERVICE_HOST:$SERVICE_PORT \
          tunnel.hightouch.io -p 49100 \
          -o ExitOnForwardFailure=yes
      
    • This command includes the remote Hightouch sshd host and port, and remote forwarding port.
    • Set or replace the $SERVICE_HOST and $SERVICE_PORT variables with your internal warehouse service host and port.
  6. Upload the private key to your SSH client server, store it securely, and ensure its permissions are set to 0400.
  7. From your SSH client server, run the modified ssh command.
    • Ensure the -i flag is pointing to the correct path of the private key.
    • You most likely want to wrap this ssh command with a process manager to restart in case of failure. Consider autossh.
  8. The tunnel Status turns green when the connection is established. Your tunnel is now ready for use.

If you prefer, you can check that Hightouch's hostname is correctly set to either tunnel.us-east-1.hightouch.io or tunnel.eu-west-1.hightouch.io depending on your region (for us-east-1 and eu-west-1 respectively) and that the Host Key is correctly included in ~/.ssh/known_hosts as follows:

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCXjpH+c24rYGDBoUdHGN3Yazp4SrDU8Z0Oqb0WRaKJz0VpSPS+Kqmc0MioY3yK1aPDh32VSEFUykEHIobV7dsH9uKlR3OllTkxN9pIk3xfJBn1/x4TS2VX1I+XM7KE6xJH/QmBVaVyNzsYzZ+lR/hUdrVC3czV+ReJa5j+YS23atS3x9NznxHSBBOLcq0RpFj65/WZt0kJwbIqhrGYIq5qXR/8d7gzyCj6vg2iNNUszTFQvcFeQ8zeXC63ke4C9oCFHbneX2odvsDY5DQM6WF7H6j91qRhGEq+niQg2zCns1kJq1Gfa7bY3OxIHmQ3HP0R8ExJMsBBqdKoL5uNY8UK717yNuFzBQUV8fgJi1HZC6JR6uDVpLadbXUV3WD0LA0YQ1h24KKGtPRDrnyZxNTdn0R19asz31npyFHKrP95OIz2RoGuqsn9fr3FzO1wfXjdzYp5l6AAy04K6yPNQfTC/+LLk8U1PWbSsMBqlQnHkp/eMaSdTEVMVxqhAFKCz8M=

Troubleshooting

If you're having trouble establishing a connection with a reverse tunnel, check the following:

  • Check that your SSH client server is running and can access the public internet.
  • Check that you've uploaded the private key and that it's only readable by the user initiating the SSH connection (chmod 0400).
  • Add the -v (verbose) flag to your SSH command to see more detailed errors.
  • If all else fails, . Please include any errors in the SSH output.

    Need help?

    Our team is relentlessly focused on your success. We're ready to jump on a call to help unblock you.

    • Connection issues with your data warehouse?
    • Confusing API responses from destination systems?
    • Unsupported destination objects or modes?
    • Help with complex SQL queries?

    Feature Requests?

    If you see something that's missing from our app, let us know and we'll work with you to build it!

    We want to hear your suggestions for new sources, destinations, and other features that would help you activate your data.

On this page

OverviewStandard versus reverse tunnelingStandard tunnelingRequirementsSetupTroubleshootingReverse tunnelingRequirementsSetupTroubleshooting

Was this page helpful?