Merge pull request #477 from stitchdata/reverse-ssh-tunnel-guide
Reverse SSH Tunnels
Erin Cochran committed May 1, 2020
2 parents 9e301c3 + 3640790 commit 148c55c
Showing 6 changed files with 194 additions and 54 deletions.
117 changes: 67 additions & 50 deletions _account-security/security/encryption/encryption-general.md
Expand Up @@ -13,7 +13,7 @@ feedback: false

key: "data-encryption-overview"
type: "security"
weight: 1
weight: 2

enterprise: true
enterprise-cta:
Expand Down Expand Up @@ -42,7 +42,6 @@ intro: |
{% for section in page.sections %}
- [{{ section.title }}](#{{ section.anchor }})
{% endfor %}
In this guide, we'll cover Stitch's supported connection options and provide links to additional resources.
# -------------------------- #
Expand All @@ -57,70 +56,88 @@ ssh-tunnels:

- name: "Amazon"
guide: "ssh-amazon"
description: "Stitch currently supports connecting Amazon RDS and Amazon Redshift (destination only) databases."
description: "Stitch currently supports connecting Amazon RDS (including Aurora) and Amazon Redshift (destination only) databases."

- name: "Microsoft Azure"
guide: "ssh-microsoft-azure"
description: "Stitch currently supports connecting Microsoft Azure SQL Server (as an integration) and Azure SQL Data Warehouse (as a destination). Other Microsoft Azure offerings aren't currently supported."
description: "Stitch currently supports connecting Microsoft Azure SQL Server and MySQL databases (as integrations) and Azure SQL Data Warehouse (as a destination). Other Microsoft Azure offerings aren't currently supported."

sections:
- title: "SSL connections"
anchor: "ssl-connections"
- title: "Encryption in transit"
anchor: "in-transit-encryption"
content: |
[SSL/TLS](https://www.verisign.com/en_US/website-presence/online/ssl-certificates/index.xhtml){:target="new"} is a standard security technology used to establish encrypted communication between a web server and a browser. SSL/TLS ensures that communication to and from Stitch remains private and secure.
{% for subsection in section.subsections %}
- [{{ subsection.title }}](#{{ subsection.anchor }})
{% endfor %}
subsections:
- title: "Stitch application access"
anchor: "stitch-application"
- title: "SSL connections"
anchor: "ssl-connections"
content: |
The Stitch application enforces SSL to ensure all communication with Stitch remains secure.
[SSL/TLS](https://www.verisign.com/en_US/website-presence/online/ssl-certificates/index.xhtml){:target="new"} is a standard security technology used to establish encrypted communication between a web server and a browser. SSL/TLS ensures that communication to and from Stitch remains private and secure.
- title: "Connections that use verified SSL by default"
anchor: "connections-ssl-default"
content: |
For any connection using an HTTP API - for example, integrations like [Salesforce]({{ site.baseurl }}/integrations/saas/salesforce) or [Facebook Ads]({{ site.baseurl }}/integrations/saas/facebook-ads) - or Stitch's [Import API]({{ link.integrations.import-api | prepend: site.baseurl }}), Stitch will use [SSL/TLS-based encryption](https://www.verisign.com/en_US/website-presence/online/ssl-certificates/index.xhtml){:target="new"} by default.
{% for sub-subsection in subsection.sub-subsections %}
- [{{ sub-subsection.title }}](#{{ sub-subsection.anchor }})
{% endfor %}
sub-subsections:
- title: "Stitch application access"
anchor: "stitch-application"
content: |
The Stitch application enforces SSL to ensure all communication with Stitch remains secure.
This is also applicable to Stitch's [Amazon Redshift]({{ link.destinations.overviews.redshift | prepend: site.baseurl }}), [Google BigQuery]({{ link.destinations.overviews.bigquery | prepend: site.baseurl }}), [Microsoft Azure SQL Data Warehouse]({{ link.destinations.overviews.azure | prepend: site.baseurl }}), and [Snowflake]({{ link.destinations.overviews.snowflake | prepend: site.baseurl }}) destination offerings.
- title: "Connections that use verified SSL by default"
anchor: "connections-ssl-default"
content: |
For any connection using an HTTP API - for example, integrations like [Salesforce]({{ site.baseurl }}/integrations/saas/salesforce) or [Facebook Ads]({{ site.baseurl }}/integrations/saas/facebook-ads) - or Stitch's [Import API]({{ link.integrations.import-api | prepend: site.baseurl }}), Stitch will use [SSL/TLS-based encryption](https://www.verisign.com/en_US/website-presence/online/ssl-certificates/index.xhtml){:target="new"} by default.
Connections to these integrations and destinations will attempt to use verified SSL with no action required on your part.
This is also applicable to Stitch's [Amazon Redshift]({{ link.destinations.overviews.redshift | prepend: site.baseurl }}), [Google BigQuery]({{ link.destinations.overviews.bigquery | prepend: site.baseurl }}), [Microsoft Azure SQL Data Warehouse]({{ link.destinations.overviews.azure | prepend: site.baseurl }}), and [Snowflake]({{ link.destinations.overviews.snowflake | prepend: site.baseurl }}) destination offerings.
- title: "Connections with configurable SSL options"
anchor: "connections-configurable-ssl"
Connections to these integrations and destinations will attempt to use verified SSL with no action required on your part.
- title: "Connections with configurable SSL options"
anchor: "connections-configurable-ssl"
content: |
For some integrations - for example, a database hosted on your server - Stitch may support configurable SSL. To use SSL with a database Stitch supports, the database must be configured to support and allow SSL connections.
**Note**: SSL connections are not supported for all databases. Refer to the [documentation for the database]({{ site.baseurl }}/integrations/databases) for SSL support details.
- title: "SSH tunnels"
anchor: "ssh-tunnel-connections"
content: |
For some integrations - for example, a database hosted on your server - Stitch may support configurable SSL. To use SSL with a database Stitch supports, the database must be configured to support and allow SSL connections.
If a database you want to connect to Stitch doesn't support [SSL connections](#ssl-connections) or isn't publicly accessible, you can use an SSH tunnel.
**Note**: SSL connections are not supported for all databases. Refer to the [documentation for the database]({{ site.baseurl }}/integrations/databases) for SSL support details.
The steps for setting up an SSH connection vary depending on where your database is hosted.
- title: "SSH tunnels"
anchor: "ssh-tunnel-connections"
content: |
If a database you want to connect to Stitch doesn't support [SSL connections](#ssl-connections) or isn't publicly accessible, you can use an SSH tunnel.
The steps for setting up an SSH connection vary depending on where your database is hosted.
<table class="attribute-list">
{% for item in page.ssh-tunnels %}
<tr>
<td class="attribute-name">
<strong>{{ item.name | append: " databases" }}</strong>
</td>
<td>
{{ item.description | markdownify }}
<p>Refer to the <a href="{{ link.security[item.guide] | prepend: site.baseurl }}">SSH tunnels for {{ item.name | append: " databases"}}</a> guide.</p>
</td>
</tr>
{% endfor %}
</table>
<table class="attribute-list">
{% for item in page.ssh-tunnels %}
<tr>
<td class="attribute-name">
<strong>{{ item.name | append: " databases" }}</strong>
</td>
<td>
{{ item.description | markdownify }}
- title: "Advanced connectivity"
anchor: "advanced-connectivity"
content: |
Additional connection options are available as part of a Stitch Enterprise plan. This includes:
<p>Refer to the <a href="{{ link.security[item.guide] | prepend: site.baseurl }}">SSH tunnels for {{ item.name | append: " databases"}}</a> guide.</p>
</td>
</tr>
{% endfor %}
</table>
- Virtual Private Network (VPN)
- Reverse SSH tunneling
- [Amazon Web Services (AWS) Private Link](https://aws.amazon.com/privatelink/){:target="new"}
**Note**: [Reverse SSH tunnels]({{ link.security.reverse-ssh | prepend: site.baseurl }}) are also available for Stitch Enterprise customers.
- title: "Advanced connectivity"
anchor: "advanced-connectivity"
content: |
Additional connection options are available as part of a Stitch Enterprise plan. This includes:
Reach out to [Stitch Sales]({{ site.sales }}){:target="new"} for more info.
- Virtual Private Network (VPN)
- [Reverse SSH tunneling]({{ link.security.reverse-ssh | prepend: site.baseurl }})
- [Amazon Web Services (AWS) Private Link](https://aws.amazon.com/privatelink/){:target="new"}
Reach out to [Stitch Sales]({{ site.sales }}){:target="new"} for more info.
- title: "Encryption at rest"
anchor: "data-at-rest"
content: |
For data at rest, Stitch uses [AES-256](https://en.wikipedia.org/wiki/Advanced_Encryption_Standard){:target="new"} to encrypt data.
---
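Review bot: The new "SSH tunnels" content (the paragraph beginning "If a database you want to connect to Stitch doesn't support SSL connections or isn't publicly accessible") presents an SSH tunnel as a substitute for SSL, but the tunnel only protects the leg between Stitch and the SSH server; the leg from the SSH server to the database is only as protected as the database connection itself. Suggest adding a sentence after it, along the lines of "The SSH tunnel encrypts traffic between Stitch and your SSH server; traffic between the SSH server and the database uses the database's own connection settings," so readers do not assume the whole path is encrypted. A smaller style point in the same hunk: the "SSL connections" description of SSL/TLS as encryption "between a web server and a browser" is narrow for a section that goes on to cover database connections; "between two endpoints" would fit both cases.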
100 changes: 100 additions & 0 deletions _account-security/security/encryption/reverse-ssh-tunnel-setup.md
@@ -0,0 +1,100 @@
---
# -------------------------- #
# Page & Formatting #
# -------------------------- #

title: Setting up a Reverse SSH Tunnel for a Database Connection
permalink: /account-security/data-encryption/setting-up-reverse-ssh-tunnel
summary: "If a database is privately accessible, you can use a reverse SSH tunnel to connect Stitch. This tutorial will walk you through requesting and configuring a reverse SSH tunnel for use with Stitch as part of an Enterprise plan."

input: false
layout: tutorial
use-tutorial-sidebar: false

key: "reverse-ssh-tunnel-setup"
type: "security"
weight: 3

enterprise: true
enterprise-cta:
feature: "Reverse SSH tunnels "
title: "{{ site.data.strings.enterprise.title.are-an | prepend: page.enterprise-cta.feature }}"


# -------------------------- #
# Introduction #
# -------------------------- #

intro: |
{% include misc/data-files.html %}
Unlike other connection methods, reverse SSH enables Stitch to establish a connection to a database in your private network without opening holes in your network's firewall. A reverse SSH tunnel is an outbound connection from a machine on your network that connects securely over the internet to Stitch.
# -------------------------- #
# Requirements #
# -------------------------- #

requirements:
- item: |
**A Stitch Enterprise plan.** Reverse SSH tunnels are available only on a Stitch Enterprise plan. Reach out to [Stitch Sales]({{ site.sales }}) for more info.
- item: |
**Some familiarity with Linux and the command line.** While we’ve provided the commands you’ll need to establish the reverse SSH tunnel, you should know how to access a server using the command line and feel comfortable running commands.
# -------------------------- #
# Instructions #
# -------------------------- #

steps:
- title: "Contact Stitch with your SSH public key"
anchor: "contact-stitch-ssh-public-key"
content: |
To set up a reverse SSH tunnel, you'll need to provide Stitch with the following:
- The public key corresponding to the SSH keypair you plan to use to establish the tunnel
- The IP address(es) that you'll connect to the Stitch SSH server from
Once our team receives this information, we'll set up a secure SSH server for you to connect to. We'll provide you with the `SSH_HOST`, `SSH_USER`, and `TUNNEL_PORT` info needed to establish the SSH connection.
- title: "Establish the reverse SSH tunnel"
anchor: "establish-reverse-ssh-tunnel"
content: |
After you receive the SSH connection information from us, you can establish the SSH tunnel. There are two methods you can use to accomplish this:
- [With autossh (recommended)](#with-autossh)
- [Without autossh](#without-autossh)
### With autossh (recommended) {#with-autossh}
We recommend running SSH through [autossh](https://www.harding.motd.ca/autossh/){:target="new"}, which will start a copy of SSH, monitor it, and automatically restart the tunnel if it goes down or stops passing traffic. If you don't already have autossh installed, you'll need to do so before continuing. Refer to [autossh's documentation](https://www.harding.motd.ca/autossh/){:target="new"} for instructions.
The following command will establish the tunnel using autossh. When you run this, replace the items in brackets:
{% capture code %}autossh -M 0 -f -N -R <TUNNEL_PORT>:<DATABASE_HOST_OR_IP>:<DATABASE_PORT> -i <SSH_PRIVATE_KEY> <SSH_USER>@<SSH_HOST> -o ServerAliveInterval=10 -o ServerAliveCountMax=1 -o ExitOnForwardFailure=yes
{% endcapture %}
{% include layout/code-snippet.html language="shell" code=code %}
The `<DATABASE_HOST_OR_IP>` and `<DATABASE_PORT>` values are the host/endpoint and port of the database you're connecting from, respectively. For `<TUNNEL_PORT>`, `<SSH_USER>`, and `<SSH_HOST>`, use the SSH connection values you received from our team.
For example: Here's the same command, but with all the values inserted:
{% capture code %}autossh -M 0 -f -N -R 10000:database.private.yourcompany.com:5432 -i id_rsa.pem [email protected] -o ServerAliveInterval=10 -o ServerAliveCountMax=1 -o ExitOnForwardFailure=yes
{% endcapture %}
{% include layout/code-snippet.html language="shell" code=code %}
### Without autossh {#without-autossh}
To establish the tunnel without using autossh, run the following command, replacing the items in brackets:
{% capture code %}ssh -f -N -R <TUNNEL_PORT>:<DATABASE_HOST_OR_IP>:<DATABASE_PORT> -i <SSH_PRIVATE_KEY> <SSH_USER>@<SSH_HOST>
{% endcapture %}
{% include layout/code-snippet.html language="shell" code=code %}
The `<DATABASE_HOST_OR_IP>` and `<DATABASE_PORT>` values are the host/endpoint and port of the database you're connecting from, respectively. For `<TUNNEL_PORT>`, `<SSH_USER>`, and `<SSH_HOST>`, use the SSH connection values you received from our team.
Here's the same command, but with all the values inserted:
{% capture code %}ssh -f -N -R 10000:database.private.yourcompany.com:5432 -i id_rsa.pem [email protected]
{% endcapture %}
{% include layout/code-snippet.html language="shell" code=code %}
---
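Review bot: Neither the autossh nor the plain ssh command gives the reader a way to verify the identity of the Stitch SSH server on first connect; the "Contact Stitch with your SSH public key" step lists `SSH_HOST`, `SSH_USER`, and `TUNNEL_PORT` as the information Stitch provides, so suggest also providing the server's host key fingerprint there and telling the reader to compare it against the host key prompt (or to pre-populate `known_hosts`) before accepting it. Second, the "Without autossh" command drops `-o ExitOnForwardFailure=yes` and the `ServerAliveInterval`/`ServerAliveCountMax` options that the autossh command carries; without `ExitOnForwardFailure=yes`, `ssh -f -N -R` stays running even when the remote port cannot be bound, so the operator sees a live process and no working tunnel. Suggest carrying the same three `-o` options over to both ssh commands. Third, the sentence "the host/endpoint and port of the database you're connecting from" appears twice and should read "connecting to": the `-R` forward targets the database, so it is the destination of the tunnel, not its source.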
10 changes: 8 additions & 2 deletions _account-security/security/stitch-security.md
Expand Up @@ -10,7 +10,7 @@ layout: faq
toc: true

type: "security"
weight: 5
weight: 1

enterprise: true
enterprise-cta:
Expand Down Expand Up @@ -77,7 +77,11 @@ frequently-asked-questions:
- **For data pulled from an HTTP API or submitted directly to Stitch's Import API,** we'll use SSL/TLS-based encryption.
- **For data replicated from a database**, we can use the encryption functionality built into the database, or an SSH tunnel.
- **For data replicated from a database**, we can use the encryption functionality built into the database or an SSH tunnel.
- **For data at rest**, Stitch uses [AES-256](https://en.wikipedia.org/wiki/Advanced_Encryption_Standard){:target="new"} to encrypt data.
Refer to the [Data encryption guide]({{ link.security.encryption | prepend: site.baseurl }}) for more info.
- question: "Are SSL connections supported?"
anchor: "ssl-connection-support"
Expand All @@ -104,6 +108,8 @@ frequently-asked-questions:
answer: |
Additional connection options such as VPNs or reverse SSH tunnels may be implemented as part of an Enterprise plan. Contact [Stitch Sales]({{ site.sales | append: page.enterprise-utm.reverse-ssh-url }}) for more info.
Refer to the [Advanced connectivity section]({{ link.security.encryption | prepend: site.baseurl | append: "#advanced-connectivity" }}) in the Data encryption guide for more info.
- topic: "Data Access"
anchor: "stitch-access"
items:
13 changes: 11 additions & 2 deletions _data/sidebars/stitchnav.yml
Expand Up @@ -99,11 +99,20 @@ all-docs:

- title: Security
subsections:
- title: "Compliance"
url: "{{ link.security.faq }}#stitch-compliance"

- title: "Data encryption"
url: "{{ link.security.encryption }}"

- title: "FAQ"
url: "{{ link.security.faq }}"
- title: "Data access policies"
url: "{{ link.security.faq }}#stitch-access"

- title: "Protocols and recommendations"
url: "{{ link.security.faq }}#stitch-protocols-recommendations"

- title: "Reporting issues"
url: "{{ link.security.faq }}#security-issues"

- title: Enterprise
url: "{{ link.account.enterprise-features }}"
7 changes: 7 additions & 0 deletions _data/stitch/subscription-plans/enterprise.yml
Expand Up @@ -38,6 +38,13 @@ features:
- key: "data-encryption-overview"
title: "Advanced connectivity"
summary: "Aside from SSL and SSH, additional connection options such as reverse SSH, VPN, and Amazon Web Services Private Link, are available as part of an Enterprise plan."
free-trial-available: false

- key: "reverse-ssh-tunnel-setup"
title: "Reverse SSH tunnels"
summary: |
Establish a connection to a database in your private network without opening holes in your network's firewall. A reverse SSH tunnel is an outbound connection from a machine on your network that connects securely over the internet to Stitch.
free-trial-available: false


- category: "Destinations"
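Review bot: Stray comma in the "Advanced connectivity" summary: "Amazon Web Services Private Link, are available as part of an Enterprise plan" should drop the comma before "are", since the list is the subject of the sentence. The new "Reverse SSH tunnels" entry is fine as is; its summary is the same wording as the new page's intro, which keeps the two in step.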
1 change: 1 addition & 0 deletions _data/urls.yaml
Expand Up @@ -69,6 +69,7 @@ security:
compliance: /account-security/compliance

encryption: /account-security/data-encryption
reverse-ssh: /account-security/data-encryption/setting-up-reverse-ssh-tunnel
ssh-generic: /account-security/data-encryption/setting-up-ssh-tunnel-for-database-connection
ssh-amazon: /account-security/data-encryption/setting-up-ssh-tunnel-for-amazon-web-services
ssh-microsoft-azure: /account-security/data-encryption/setting-up-ssh-tunnel-for-microsoft-azure