Using an SSH Tunnel to access your private cloud server(s) — AWS / GCP / Azure

Oliver Mascarenhas
Published in Code Uncomplicated
4 min read · Sep 26, 2022

A guide to securely access private database or application servers from your local workstation

What is an SSH Tunnel

SSH Tunnelling aka SSH Port Forwarding

An SSH tunnel, aka SSH port forwarding, enables your local development environment to securely access a private server which cannot, and should not, be reached directly from the public internet. This is usually facilitated by an intermediate jump server. Jump servers are reachable from the public internet and usually have hardened security in place, allowing access only on specific ports and from specific IP address ranges.

In the picture depicted above, we set up a secure connection (tunnel) from the local machine to the jump server and configure a local port whose traffic is forwarded to the appropriate private server.

Typical Cloud environment setup — AWS

Simplified AWS Deployment

Here’s a simplified AWS configuration. You have a VPC (Virtual Private Cloud) which is divided into public and private subnets, the latter being inaccessible from the public internet. The application and database servers are deployed within the private subnet. An HTTP(S) endpoint is exposed to the internet via the Application Load Balancer (ALB), which in turn is configured as a reverse proxy to the application server.

The SSH command

Let’s define some terms before we start

  • jump-server-ip — The IP address of the publicly accessible server; in the example above it’s the jump server deployed in the public subnet.
  • jump-server-user — Username to log into the server. When using Amazon Linux on AWS this defaults to ec2-user; when using Ubuntu it defaults to ubuntu.
  • private-key.pem — The identity file, or private key, used to log in to the server.
  • app-server-ip — The IP address of the private application server you want to access from your local machine. This could equally be the database server, as you’ll see in the use case below.
  • local-port — A free port on your local machine which will be used to tunnel traffic to the private server. Usually a port number greater than 1024 is chosen.

Let’s start with the command you’re probably familiar with: SSH into a remote machine, in this case our jump server.

ssh to remote aws server

Next, we’ll use the following switches:

  • -L local-port:app-server-ip:app-server-port — specifies which port on our local machine to use to forward requests to the app server.
  • -N — Prevents the execution of a remote command, since we’re only interested in port forwarding.

We’ll put it all together by looking at two use cases.

Use Cases

Assumption: The Jump server is appropriately configured to allow SSH access on port 22 via an identity file or private key.

View application logs

We have our application server running within a private subnet, for example with IP 100.0.1.101. To view the application logs, we’ll need to SSH into the server. In order to do this from our local machine, we’ll set up a tunnel via the jump server. As stated above, the IP of our jump server is 40.23.32.111 and it is configured with the default user ec2-user.

Once our tunnel is set up, open another terminal window and SSH into the application server as if it were running on your local machine, i.e. 127.0.0.1.

A few things to note here:

  • We assume both the jump server and the remote application server can be accessed with the same identity file, i.e. private-key.pem. This may not always be the case; servers may be configured with different identity files.
  • The -p switch overrides the default SSH port 22 and uses our forwarding port 9090.

Now you should be logged into the application server and can view the logs.

Connect to a remote Database

Now we’ll connect to a Postgres database, which runs on port 5432 by default. We’ll assume the same port is free on our local machine and create an SSH tunnel.

Here 10.0.11.120 is the IP address of our database server. Once this is running we can connect to it via our client of choice.

Here’s an example connecting with the psql client.

A few things to note:

  • The database user is scott
  • Database name is ecomm_db
  • On successful connection you will be prompted to enter a password.
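Both use cases above, as one added example that is not part of the original post: a script that opens the two forwards over a single jump-server connection with a control socket (so the tunnel can be checked and closed cleanly), then uses them for SSH and psql. The hosts, user, key path and ports are the article's placeholders; the control socket path and the HostKeyAlias name are assumptions.

```sh
#!/bin/sh
# Added example (not the article's own commands). Hosts, user, key and ports
# are the article's placeholders; SOCK and the HostKeyAlias name are assumed.

JUMP="ec2-user@40.23.32.111"
KEY="private-key.pem"
SOCK="$HOME/.ssh/jump-tunnel.sock"   # control socket used for check/exit

# Build one -L argument: listen on 127.0.0.1:$1 and forward to $2:$3 in the
# private subnet. Binding to loopback explicitly means no other machine on
# your LAN can use your workstation as a path into the VPC.
forward_arg() {
  printf '%s' "-L 127.0.0.1:$1:$2:$3"
}

# Full tunnel command. -f -N backgrounds ssh with no remote shell, -M -S makes
# it the control master, and ExitOnForwardFailure aborts when a local port is
# already taken instead of silently logging in with no forward at all.
tunnel_cmd() {
  printf 'ssh -i %s -f -N -M -S %s -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 %s %s %s\n' \
    "$KEY" "$SOCK" "$(forward_arg 9090 100.0.1.101 22)" \
    "$(forward_arg 5432 10.0.11.120 5432)" "$JUMP"
}

open_tunnels()  { eval "$(tunnel_cmd)"; }
check_tunnels() { ssh -S "$SOCK" -O check "$JUMP"; }
close_tunnels() { ssh -S "$SOCK" -O exit  "$JUMP"; }

# Use case 1: SSH to the app server through local port 9090. HostKeyAlias
# records its host key under its own name rather than [127.0.0.1]:9090, so
# reusing port 9090 for a different server later does not raise a false
# "host key changed" warning that trains you to ignore the real one.
ssh_app_server() {
  ssh -i "$KEY" -p 9090 -o HostKeyAlias=app-server-100.0.1.101 ec2-user@127.0.0.1
}

# Use case 2: psql through local port 5432; the server prompts for the password.
psql_via_tunnel() {
  psql -h 127.0.0.1 -p 5432 -U scott -d ecomm_db
}

case "${1:-}" in
  show) tunnel_cmd ;;                       # print the command without running it
  up)   open_tunnels && check_tunnels ;;
  app)  ssh_app_server ;;
  db)   psql_via_tunnel ;;
  down) close_tunnels ;;
esac
```

Run `sh tunnel.sh up`, then `sh tunnel.sh app` or `sh tunnel.sh db` in another terminal, and `sh tunnel.sh down` when finished.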

Conclusion

Knowing how to use SSH tunnels is a useful skill in today’s cloud environments. Do not be tempted to give your database or application server public access just because it’s convenient. With SSH tunnelling you can securely access your private servers.
