Azure SSH Tunneling
Follow these steps to configure an Azure bastion server to accept an SSH connection from Prequel.
Prerequisites
- A public SSH key to add to the bastion machine to authenticate the SSH connection. Ask your contact at Prequel if they have not already provided one to you.
Step 1: Provision a bastion server
Selecting your bastion server
If using SSH tunneling to connect to a source database, we recommend using a standalone bastion server. This step will walk through provisioning the standalone bastion server. If using an existing server, skip to the next section about configuring network access.
- In the Azure portal, search for "Virtual machines", and click into the Virtual Machine service. Click Create and then Azure virtual machine.
- Select an image. We recommend a default Ubuntu image, such as the Ubuntu Server 20.04 LTS - x64 Gen2 (the default option).
- Select a type. We recommend a basic & affordable option such as the Standard_B1s. Because this bastion server will be used exclusively for SSH tunneling, memory, compute, and storage are not particularly important. The Standard_B1s default configuration comes with sufficient Memory (1 GiB), vCPUs (2) and Storage (8 GB SSD) for about $7/mo depending on region and market rates.
Configure network access
- Click the Networking tab. Select a Virtual network to associate with the machine. By default, you may be prompted to create a new virtual network -- you may suggest the default suggestion.
- In the Subnet field, select the public subnet you want to associate with the virtual machine. By default, you may be prompted to create a new virtual network -- you may accept the default suggestion.
- In the Public IP dropdown, verify that a valid selection is selected (do not choose None). By default, you may be prompted to create a new Public IP -- you may accept the default suggestion.
- For NIC network security group, select Advanced. This will display the Configure network security group dropdown.
- Click the Create new link under the Configure network security group dropdown to reveal the Create network security group panel. In the panel, click the Add an inbound rule link in the Inbound rules section. This will open the Add inbound security rule panel:
- Fill in the following fields, leaving any unlisted fields as the default:
- Source: Select the IP Addresses option.
- Source IP addresses/CIDR ranges: Add the Prequel static IP. Optionally, add a description. For the correct IP, refer to the Prequel IPs section of the docs. Note: you will not be able to SSH into this machine to configure the
prequel
user unless you also whitelist your machine's IP in the inbound rules. Consider temporarily adding that IP to facilitate the next step. - Source port ranges: Enter 22.
- Protocol: Select TCP.
- Action: Select Allow.
- Name: Enter a descriptive name, for example:
prequel-inbound
. - When finished, click Add to create the inbound rule.
- Click "OK" and then Review + create. Review the details and click Create to create the tunnel.
Make a note of your public and private IP addresses
- In the Azure portal, search for "Virtual machines", and click into the Virtual Machine service. Click the name of the Virtual machine you just created.
- In the Networking section of the Properties tab, make a note of the Public IP address and Private IP address.
Step 2: Configure the bastion host
Create the SSH user
Login to the bastion server and complete the steps below.
- Create group
prequel
:
sudo groupadd prequel
- Create user
prequel
:
sudo useradd -m -g prequel prequel
- Switch to the prequel user:
sudo su - prequel
- Create the
.ssh
directory:
mkdir ~/.ssh
- Set permissions:
chmod 700 ~/.ssh
- Navigate to the
.ssh
directory:
cd ~/.ssh
- Create the
authorized_keys
file:
touch authorized_keys
- Set permissions:
chmod 600 authorized_keys
- Add the public key to the
authorized_keys
file. The key -- including the "ssh-key" and comment -- should be all on one line in the file, without linebreaks.
echo "ssh-key <ssh_public_key_beginning_with_AAAA> prequel-ssh-tunnel-public-key" > authorized_keys
Step 3: Grant DB access to the bastion server
- Find the database you'd like to connect to in your cloud console.
- Find the Connection security section, and add a new rule.
- If using an Azure database, add a new rule with the Private IP noted in Step 1 as the Start IP and End IP. Choose a name and click Save.
Updated about 1 year ago