

SSH Tunneling


Hightouch supports self-service SSH tunneling, allowing you to connect to your data warehouse securely.

Tunneling allows Hightouch to securely open a connection to a data warehouse in your private network or VPC, without exposing it to the internet. SSH tunnels are secure, authenticated, encrypted, and dedicated to your workspace. To learn more about SSH tunneling, try this helpful article.

Standard vs Reverse

Both Standard and Reverse tunnels accomplish the same goal: opening a secure port connection between Hightouch and your data warehouse. They differ in implementation, and one may be preferable to the other depending on the specifics of your network.

Standard tunnels require you to run sshd on a Bastion host accessible from the public internet. Our systems will open an SSH connection to your Bastion, then open a port forwarding connection to the private service that you specify.

Reverse tunnels allow you to forward a port by connecting as a client to an SSH server managed by Hightouch. This removes the need for a Bastion host in your infrastructure, but requires you to maintain that connection.



Standard

Requirements

You'll need to allowlist Hightouch's IP addresses to allow our systems to contact your bastion host. Reference our docs to determine which IPs you need to allowlist.

  • Allowlist the Hightouch static IP addresses corresponding to your region.
  • Allow connections from the Bastion host to your warehouse.
  • Set up a user on the Bastion host named hightouch.


Setup

To get started, navigate to Settings > Tunnel.

  1. Click Create Tunnel.
  2. Enter a name for your tunnel.
  3. Fill out the SSH Host and SSH Port.
    • These are the connection details for your publicly-facing Bastion server host.
    • Port will most likely be 22, standard for sshd.
  4. Fill out the Service Host and Service Port.
    • These are the connection details for the data warehouse you are connecting to Hightouch.
    • Think of your Bastion server as a "jump host". Hightouch will jump through it to connect to your warehouse using these details.
  5. Click Create.
  6. Copy or download the generated SSH public key.
    • You will need to add this to the ~/.ssh/authorized_keys file for the hightouch user on your Bastion server. You can use ssh-copy-id to help with this.
  7. The tunnel status turns green when the connection is established. Your tunnel is now ready for use.
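
One way to carry out step 6 with least privilege, as an added example that is not Hightouch's own tooling: the function installs the generated public key with the permissions this page lists and prefixes it with OpenSSH authorized_keys options that limit the key to forwarding to the one warehouse endpoint. It assumes the tunnel needs only the port forwarding described above; `install_hightouch_key` and its arguments are hypothetical names.

```shell
#!/bin/sh
# Added example, not Hightouch tooling. Run as the hightouch user on the bastion.
# Assumption: the tunnel needs only port forwarding to the warehouse.

# install_hightouch_key HOME_DIR PUBKEY_FILE SERVICE_HOST SERVICE_PORT
install_hightouch_key() {
  home_dir="$1"; pubkey_file="$2"; svc_host="$3"; svc_port="$4"
  ssh_dir="$home_dir/.ssh"
  auth="$ssh_dir/authorized_keys"

  # Require exactly one line shaped like an OpenSSH public key.
  key=$(grep -E '^(ssh-(rsa|ed25519)|ecdsa-sha2-[a-z0-9-]+) [A-Za-z0-9+/=]+( .*)?$' \
        "$pubkey_file") || return 1
  [ "$(printf '%s\n' "$key" | wc -l)" -eq 1 ] || return 1

  # Reject anything that could break out of the quoted permitopen value.
  # Hostnames and IPv4 addresses only; the port must be numeric.
  case "$svc_host" in ''|*[!A-Za-z0-9.-]*) return 1 ;; esac
  case "$svc_port" in ''|*[!0-9]*) return 1 ;; esac

  # restrict turns off PTY allocation and agent, X11 and port forwarding;
  # port-forwarding plus permitopen re-enable forwarding to one destination.
  opts="restrict,port-forwarding,permitopen=\"$svc_host:$svc_port\""

  mkdir -p "$ssh_dir" || return 1
  chmod 0700 "$ssh_dir" || return 1
  touch "$auth" || return 1
  chmod 0644 "$auth" || return 1

  # Drop any earlier entry for this key, then append the restricted one,
  # so rerunning the function leaves exactly one line for the key.
  blob=$(printf '%s\n' "$key" | awk '{print $2}')
  tmp=$(mktemp) || return 1
  grep -vF -- "$blob" "$auth" > "$tmp" || true
  printf '%s %s\n' "$opts" "$key" >> "$tmp"
  cat "$tmp" > "$auth"
  rm -f "$tmp"
}
```

If the function is run as root instead, the .ssh directory and authorized_keys file still need to be owned by the hightouch user afterwards.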


Troubleshooting

If you're having trouble establishing a connection with a standard tunnel, check the following:

  • Check that the Hightouch IPs are allowlisted on your Bastion host. See Requirements.
  • Check that the hightouch user exists, and the Hightouch public key is in their ~/.ssh/authorized_keys file.
  • Check permissions on the hightouch user's SSH files.
    • ~/.ssh directory should be 0700
    • ~/.ssh/authorized_keys file should be 0644
  • Check that the Bastion host can network to your warehouse.
    • nc -z $warehouse_host $warehouse_port
  • If all else fails, reach out to our Customer Success team via Slack or Intercom.



Reverse

Requirements

  • You'll need a server within your VPC to act as the SSH client.
  • The SSH client server must be able to connect to both the public internet and your warehouse.


Setup

  1. Click Create reverse tunnel.
  2. Enter a name for your tunnel.
  3. Click Create.
  4. Copy the example ssh command and save it. You'll need to run it later.
    • This command includes the remote Hightouch sshd host and port, and remote forwarding port.
    • Set or replace the $SERVICE_HOST and $SERVICE_PORT variables with the host and port of your internal warehouse service.
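    • Example (values in angle brackets are placeholders for the ones in your generated command):
      ssh -i path/to/key.pem \
          -R <remote-forwarding-port>:$SERVICE_HOST:$SERVICE_PORT \
          -p 49100 \
          -o ExitOnForwardFailure=yes \
          <hightouch-sshd-host>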
  5. Download the private key to your machine.

    We do not store the private key anywhere in our backend. As a result, we have no ability to recover a lost key. Please make a local copy of this key and store it in a secure location.

  6. Upload the private key to your SSH client server, store it in a safe location, and ensure its permissions are set to 0400.
  7. From your SSH client server, run the modified ssh command.
    • Ensure the -i flag is pointing to the correct path of the private key.
    • You'll most likely want to wrap this ssh command with a process manager in order to restart in case of failures. Consider autossh.
  8. The tunnel status turns green when the connection is established. Your tunnel is now ready for use.
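
A minimal supervisor for steps 6 and 7, as an added example that is not Hightouch tooling and not a replacement for autossh: it refuses to connect unless the key file has mode 0400, then reruns the ssh command from step 4 with exponential backoff whenever it exits. The function names and the MAX_TRIES, MAX_DELAY and SLEEP variables are hypothetical, and GNU stat is assumed.

```shell
#!/bin/sh
# Added example, not Hightouch tooling. Assumes GNU stat.
# Usage: run_tunnel KEY_FILE ssh -i KEY_FILE ...   (the command from step 4)

MAX_TRIES=${MAX_TRIES:-0}     # 0 = retry forever
MAX_DELAY=${MAX_DELAY:-60}    # backoff ceiling in seconds
SLEEP=${SLEEP:-sleep}         # overridable so the loop can be tested quickly

# key_ok FILE: true only for a regular file whose mode is exactly 0400.
key_ok() {
  [ -f "$1" ] && [ "$(stat -c %a "$1")" = 400 ]
}

# next_delay SECONDS: double the delay, capped at MAX_DELAY.
next_delay() {
  d=$(( $1 * 2 ))
  if [ "$d" -gt "$MAX_DELAY" ]; then d=$MAX_DELAY; fi
  echo "$d"
}

# run_tunnel KEY_FILE COMMAND...: rerun COMMAND whenever it exits.
# Returns 2 if the key is unsafe, 1 when MAX_TRIES attempts have failed.
run_tunnel() {
  key="$1"; shift
  delay=1 tries=0
  while :; do
    # Re-check on every attempt so a later chmod or key swap is caught.
    if ! key_ok "$key"; then
      echo "refusing to connect: $key must be a regular file with mode 0400" >&2
      return 2
    fi
    started=$(date +%s)
    "$@" && status=0 || status=$?
    tries=$(( tries + 1 ))
    echo "tunnel command exited with status $status (attempt $tries)" >&2
    if [ "$MAX_TRIES" -gt 0 ] && [ "$tries" -ge "$MAX_TRIES" ]; then return 1; fi
    # A session that lasted over five minutes was healthy: reset the backoff.
    if [ $(( $(date +%s) - started )) -gt 300 ]; then delay=1; fi
    $SLEEP "$delay"
    delay=$(next_delay "$delay")
  done
}
```

Adding `-o ServerAliveInterval=30 -o ServerAliveCountMax=3` to the ssh command makes a silently dead connection exit, so the loop can restart it.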


Troubleshooting

If you're having trouble establishing a connection with a reverse tunnel, check the following:

  • Check that your SSH client server is running and can access the public internet.
  • Check that you've uploaded the private key, and it is only readable by the user initiating the SSH connection (chmod 0400).
  • Add the -v (verbose) flag to your SSH command to see more detailed error output.
  • If all else fails, reach out to our Customer Success team via Slack or Intercom.
    • Include any errors found in the SSH output.
