
SSH Tunnel

If it's not possible to provide direct access to your database port, you can connect to ETLrobot via an SSH tunnel. You may also choose this connection method for an added layer of security.

To connect via an SSH tunnel, you need to set up an SSH server that has access to your database port. The SSH server's port needs to be publicly accessible or accessible from ETLrobot's IPs.

What is an SSH server?

An SSH server acts like a secure bridge that stands between ETLrobot and your private database to ensure strict, protected, and encrypted access to your private database. Once the connectivity is established, the SSH server allows ETLrobot to access your database in private subnets via SSH. An SSH server is also known as a bastion host or jump host.


There are a few steps to setting up an SSH tunnel to communicate with a private database.

  1. Set up an SSH server (bastion host). Skip this if you already have an SSH server.

  2. Create an SSH user on your SSH server for use by ETLrobot (see instructions below).

  3. Add your ETLrobot account public key to your SSH server's authorized keys file (usually ~/.ssh/authorized_keys in the home directory of the user created above). This key can be accessed in your ETLrobot destination configuration.


    ETLrobot generates a unique SSH public key that is specific to your ETLrobot account. Make sure that you don't introduce any line breaks when copying and pasting it. If this public key isn't installed properly, ETLrobot will be unable to access your database.

  4. If IP whitelisting is required, allow ETLrobot's IPs to reach your SSH server's port (typically 22).

  5. Configure the security group of your private database. Allow the SSH server's Private IP to access the database port (important: be sure to use the Private IP address).

  6. Complete the destination setup steps in ETLrobot. This will test connection access and reveal any connection issues.

Create an SSH User

These are the steps to create an SSH user on your SSH server for ETLrobot (if you don't already have an SSH user that you want to use).

Log in to your SSH tunnel host and run the following commands:

  1. Create group etlrobot:

    sudo groupadd etlrobot

  2. Create user etlrobot:

    sudo useradd -m -g etlrobot etlrobot

  3. Switch to the etlrobot user:

    sudo su - etlrobot

  4. Create the .ssh directory (if not already created):

    mkdir ~/.ssh

  5. Set permissions:

    chmod 700 ~/.ssh

  6. Change to the .ssh directory:

    cd ~/.ssh

  7. Create the authorized_keys file (if not already created):

    touch authorized_keys

  8. Set permissions:

    chmod 600 authorized_keys
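
The key installation from step 3 and the permission steps above can be combined into one script that rejects a key broken by a bad paste before it reaches authorized_keys. This is an added example, not ETLrobot's own tooling; the function names are hypothetical, the key is a constructed placeholder, and it assumes a Linux SSH server with GNU stat.

```shell
#!/bin/sh
# Added example. Function names are hypothetical; the key is a constructed placeholder.

# Succeed only if FILE holds exactly one non-blank line shaped like
# "<key-type> <base64-blob> [comment]". A paste that wrapped the key fails.
valid_pubkey_file() {
    [ -r "$1" ] || return 1
    [ "$(grep -c '[^[:space:]]' "$1")" -eq 1 ] || return 1
    grep -Eq '^(ssh-(rsa|ed25519)|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+={0,3}( .*)?$' "$1"
}

# Append the key to HOME_DIR/.ssh/authorized_keys once, using the modes from steps 5 and 8.
install_pubkey() {
    key_file=$1
    home_dir=$2
    valid_pubkey_file "$key_file" || { echo "rejecting malformed key: $key_file" >&2; return 1; }
    mkdir -p "$home_dir/.ssh" && chmod 700 "$home_dir/.ssh" || return 1
    auth="$home_dir/.ssh/authorized_keys"
    touch "$auth" && chmod 600 "$auth" || return 1
    key_line=$(grep '[^[:space:]]' "$key_file")
    # -x -F: compare the whole line literally so a repeat run does not duplicate the entry.
    grep -qxF -- "$key_line" "$auth" || printf '%s\n' "$key_line" >> "$auth"
}

# Octal mode of a path (GNU stat; assumes a Linux SSH server).
mode_of() { stat -c '%a' "$1"; }

# Succeed only if .ssh is 700 and authorized_keys is 600.
perms_ok() {
    [ "$(mode_of "$1/.ssh")" = 700 ] && [ "$(mode_of "$1/.ssh/authorized_keys")" = 600 ]
}

# Demo in a scratch directory so the real home directory is untouched.
demo_home=$(mktemp -d)
printf '%s\n' 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICONSTRUCTEDPLACEHOLDERKEY0000000000 etlrobot-account' > "$demo_home/key.pub"
install_pubkey "$demo_home/key.pub" "$demo_home" && perms_ok "$demo_home" && echo "key installed, permissions OK"
rm -rf "$demo_home"
```

On the SSH server, run it as the etlrobot user with the pasted key saved to a file, for example `install_pubkey /path/to/pasted_key.pub "$HOME"`.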