> ## Documentation Index
> Fetch the complete documentation index at: https://docs.prequel.co/llms.txt
> Use this file to discover all available pages before exploring further.

# Azure SSH tunneling

> Configure an Azure bastion server to accept an SSH connection from our service.

Follow these steps to configure an Azure bastion server to accept an SSH connection from our service.

## Prerequisites

* A public SSH key to add to the bastion machine to authenticate the SSH connection. *Ask your contact at our service if they have not already provided one to you.*

<Steps>
  <Step title="Provision a bastion server">
    ### Selecting your bastion server

    If using SSH tunneling to connect to a destination database, we recommend using a standalone bastion server. This step will walk through provisioning the standalone bastion server. If using an existing server, skip to the next section about configuring network access.

    1. In the Azure portal, search for "Virtual machines", and click into the **Virtual Machine** service. Click **Create** and then **Azure virtual machine**.
    2. Select an image. We recommend a default Ubuntu image, such as the *Ubuntu Server 20.04 LTS - x64 Gen2* (the default option).
    3. Select a type. We recommend a basic & affordable option such as the **Standard\_B1s**. *Because this bastion server will be used exclusively for SSH tunneling, memory, compute, and storage are not particularly important. The Standard\_B1s default configuration comes with sufficient Memory (1 GiB), vCPUs (2) and Storage (8 GB SSD) for about \$7/mo depending on region and market rates.*

    ### Configure network access

    3. Click the **Networking** tab. Select a **Virtual network** to associate with the machine. *By default, you may be prompted to create a new virtual network, you may suggest the default suggestion.*
    4. In the **Subnet** field, select the public subnet you want to associate with the virtual machine. *By default, you may be prompted to create a new virtual network, you may accept the default suggestion.*
    5. In the **Public IP** dropdown, verify that a valid selection is selected (*do not choose None*). *By default, you may be prompted to create a new Public IP, you may accept the default suggestion.*
    6. For NIC network security group, select **Advanced**. This will display the **Configure network security group** dropdown.
    7. Click the **Create new** link under the **Configure network security group** dropdown to reveal the Create network security group panel. In the panel, click the **Add an inbound rule** link in the Inbound rules section. This will open the Add inbound security rule panel:
    8. Fill in the following fields, leaving any unlisted fields as the default:
       1. **Source:** Select the **IP Addresses** option.
       2. **Source IP addresses/CIDR ranges:** Add our static IP. Optionally, add a description. For the correct IP, refer to the [IPs](/export/deployment/prequel-ips) section of the docs. \_ **Note**: you will not be able to SSH into this machine to configure the SSH user unless you also whitelist your machine's IP in the inbound rules. Consider temporarily adding that IP to facilitate the next step.\_
       3. **Source port ranges:** Enter **22**.
       4. **Protocol:** Select **TCP**.
       5. **Action:** Select **Allow**.
       6. **Name:** Enter a descriptive name, for example: `ssh-tunnel-inbound`.
       7. When finished, click **Add** to create the inbound rule.
    9. Click "OK" and then **Review + create**. Review the details and click **Create** to create the tunnel.

    ### Make a note of your public and private IP addresses

    1. In the Azure portal, search for "Virtual machines", and click into the **Virtual Machine** service. Click the name of the Virtual machine you just created.
    2. In the **Networking** section of the **Properties** tab, make a note of the **Public IP address** and **Private IP address**.
  </Step>

  <Step title="Configure the bastion host">
    ### Create the SSH user

    Login to the bastion server and complete the steps below.

    1. Create group `<ssh_group>`:

    ```shell title="Create group" icon="terminal" theme={null}
    sudo groupadd <ssh_group>
    ```

    2. Create user `<ssh_user>`:

    ```shell title="Create user" icon="terminal" theme={null}
    sudo useradd -m -g <ssh_group> <ssh_user>
    ```

    3. Switch to the SSH user:

    ```shell title="Switch to SSH user" icon="terminal" theme={null}
    sudo su - <ssh_user>
    ```

    4. Create the `.ssh` directory:

    ```shell title="Create .ssh directory" icon="terminal" theme={null}
    mkdir ~/.ssh
    ```

    5. Set permissions:

    ```shell title="Set directory permissions" icon="terminal" theme={null}
    chmod 700 ~/.ssh
    ```

    6. Navigate to the `.ssh` directory:

    ```shell title="Navigate to .ssh directory" icon="terminal" theme={null}
    cd ~/.ssh
    ```

    7. Create the `authorized_keys` file:

    ```shell title="Create authorized_keys file" icon="terminal" theme={null}
    touch authorized_keys
    ```

    8. Set permissions:

    ```shell title="Set file permissions" icon="terminal" theme={null}
    chmod 600 authorized_keys
    ```

    9. Add the public key to the `authorized_keys` file. *The key, including the "ssh-key" and comment, should be all on one line in the file, without linebreaks.*

    ```shell title="Add public key" icon="terminal" theme={null}
    echo "<provided_ssh_public_key>" > authorized_keys
    ```
  </Step>

  <Step title="Grant DB access to the bastion server">
    1. Find the database you'd like to connect to in your cloud console.
    2. Find the **Connection security** section, and add a new rule.
    3. If using an **Azure database**, add a new rule with the **Private IP** noted in Step 1 as the **Start IP** and **End IP**. Choose a name and click **Save**.
  </Step>
</Steps>
