Prerequisites
- A public SSH key to add to the bastion machine to authenticate the SSH connection. Ask your contact at Prequel if they have not already provided one to you.
Provision a bastion server
Selecting your bastion server
If using SSH tunneling to connect to a source database, we recommend using a standalone bastion server. This step walks through provisioning that standalone bastion server. If you are using an existing server, skip to the next section about configuring network access.
- In the Azure portal, search for “Virtual machines” and click into the Virtual machines service. Click Create and then Azure virtual machine.
- Select an image. We recommend a default Ubuntu image, such as the Ubuntu Server 20.04 LTS - x64 Gen2 (the default option).
- Select a type. We recommend a basic & affordable option such as the Standard_B1s. Because this bastion server will be used exclusively for SSH tunneling, memory, compute, and storage are not particularly important. The Standard_B1s default configuration comes with sufficient Memory (1 GiB), vCPUs (2) and Storage (8 GB SSD) for about $7/mo depending on region and market rates.
Configure network access
- Click the Networking tab. Select a Virtual network to associate with the machine. By default, you may be prompted to create a new virtual network. You may accept the default suggestion.
- In the Subnet field, select the public subnet you want to associate with the virtual machine. By default, you may be prompted to create a new subnet. You may accept the default suggestion.
- In the Public IP dropdown, verify that a valid public IP is selected (do not choose None); the bastion must be reachable from the Prequel static IP. By default, you may be prompted to create a new Public IP. You may accept the default suggestion.
- For NIC network security group, select Advanced. This will display the Configure network security group dropdown.
- Click the Create new link under the Configure network security group dropdown to reveal the Create network security group panel. In the panel, click the Add an inbound rule link in the Inbound rules section. This will open the Add inbound security rule panel:
- Fill in the following fields, leaving any unlisted fields as the default:
  - Source: Select the IP Addresses option.
  - Source IP addresses/CIDR ranges: Add the Prequel static IP (a single address or a /32 CIDR). Optionally, add a description. For the correct IP, refer to the Prequel IPs section of the docs. Note: you will not be able to SSH into this machine to configure the prequel user unless you also allow your own machine’s IP in the inbound rules. Consider temporarily adding that IP to facilitate the next step, and remove it once the user is configured.
  - Source port ranges: Leave as * (SSH clients connect from ephemeral source ports, so restricting the source port would block the tunnel).
  - Destination port ranges: Enter 22.
  - Protocol: Select TCP.
  - Action: Select Allow.
  - Name: Enter a descriptive name, for example: prequel-inbound.
- When finished, click Add to create the inbound rule.
- Click OK and then Review + create. Review the details and click Create to create the virtual machine.
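The portal steps above, as an added example that is not part of the Prequel docs or tooling: the same bastion and inbound rule created with the Azure CLI. The resource group, VM and NSG names, the location and the Ubuntu 20.04 marketplace image URN are assumptions; set PREQUEL_IP to the address from the Prequel IPs page and, optionally, ADMIN_IP to your own address for the temporary admin rule. The script also refuses to create the SSH rule with a wildcard source, which is the mistake that turns a bastion into an internet-exposed SSH server.

```shell
#!/bin/sh
# Added example, not Prequel's own tooling: the bastion and NSG rule from the
# portal steps, built with the Azure CLI. Names, location and image URN are
# assumptions; change them for your environment.
set -eu

RG=${RG:-prequel-bastion-rg}
LOCATION=${LOCATION:-eastus}
VM=${VM:-prequel-bastion}
NSG=${NSG:-prequel-bastion-nsg}
ADMIN_USER=${ADMIN_USER:-azureuser}
# Ubuntu Server 20.04 LTS Gen2, as recommended above (marketplace URN, assumed current).
IMAGE=${IMAGE:-Canonical:0001-com-ubuntu-server-focal:20_04-lts-gen2:latest}
PREQUEL_IP=${PREQUEL_IP:-}   # the Prequel static IP from the Prequel IPs docs page
ADMIN_IP=${ADMIN_IP:-}       # your own IP, for the temporary admin rule

# Normalise an NSG source to "addr/prefix" and refuse anything that would expose
# port 22 to the whole internet. Only a specific host or a narrow range is
# accepted; the /8 lower bound is a policy choice of this example.
nsg_source_prefix() {
    ip=$1
    case "$ip" in
        ''|'*'|Any|Internet|0.0.0.0/0) echo "refusing wildcard SSH source: '$ip'" >&2; return 1 ;;
        */*) addr=${ip%/*}; prefix=${ip##*/} ;;
        *)   addr=$ip;      prefix=32 ;;
    esac
    old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs
    [ "$#" -eq 4 ] || { echo "bad IPv4 address: $addr" >&2; return 1; }
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) echo "bad IPv4 address: $addr" >&2; return 1 ;; esac
        [ "$octet" -le 255 ] || { echo "bad IPv4 address: $addr" >&2; return 1; }
    done
    case "$prefix" in ''|*[!0-9]*) echo "bad prefix: $prefix" >&2; return 1 ;; esac
    { [ "$prefix" -ge 8 ] && [ "$prefix" -le 32 ]; } || { echo "prefix /$prefix too broad" >&2; return 1; }
    echo "$addr/$prefix"
}

# One inbound allow rule: TCP to destination port 22 from one source prefix.
# Source port stays '*' because SSH clients connect from ephemeral ports.
add_ssh_rule() {
    name=$1; priority=$2; source=$3
    az network nsg rule create --resource-group "$RG" --nsg-name "$NSG" \
        --name "$name" --priority "$priority" --direction Inbound --access Allow \
        --protocol Tcp --source-address-prefixes "$source" \
        --source-port-ranges '*' --destination-port-ranges 22
}

create_bastion() {
    pubkey_path=$1                     # your admin key, used for the initial login
    prequel_src=$(nsg_source_prefix "$PREQUEL_IP")
    az group create --name "$RG" --location "$LOCATION"
    az network nsg create --resource-group "$RG" --name "$NSG"
    add_ssh_rule prequel-inbound 100 "$prequel_src"
    if [ -n "$ADMIN_IP" ]; then
        # Temporary: lets you reach the box to create the prequel user. Delete it afterwards:
        #   az network nsg rule delete -g "$RG" --nsg-name "$NSG" -n admin-inbound
        add_ssh_rule admin-inbound 110 "$(nsg_source_prefix "$ADMIN_IP")"
    fi
    az vm create --resource-group "$RG" --name "$VM" --image "$IMAGE" --size Standard_B1s \
        --admin-username "$ADMIN_USER" --ssh-key-values "$pubkey_path" \
        --nsg "$NSG" --public-ip-sku Standard
    # The public IP is what Prequel connects to; note the private IP as well.
    az vm show --resource-group "$RG" --name "$VM" --show-details \
        --query '[publicIps, privateIps]' --output tsv
}

# Usage: PREQUEL_IP=<ip> ADMIN_IP=<your ip> sh azure_bastion.sh create ~/.ssh/id_ed25519.pub
if [ "${1:-}" = "create" ]; then
    create_bastion "${2:?path to your SSH public key}"
fi
```

The admin key passed to az vm create is your own, for the initial login as the admin user; the Prequel key is installed later in the prequel account, not here. The final az vm show prints the public and private IP addresses that the next section asks you to note.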
Make a note of your public and private IP addresses
- In the Azure portal, search for “Virtual machines”, and click into the Virtual Machine service. Click the name of the Virtual machine you just created.
- In the Networking section of the Properties tab, make a note of the Public IP address and Private IP address.
Configure the bastion host
Create the SSH user
Log in to the bastion server (from an IP address allowed by the inbound rule) and complete the steps below.
- Create the group prequel.
- Create the user prequel, with prequel as its primary group.
- Switch to the prequel user.
- Create the .ssh directory in the prequel user’s home directory.
- Set permissions on the .ssh directory so that only the prequel user can read, write and enter it (mode 700).
- Navigate to the .ssh directory.
- Create the authorized_keys file.
- Set permissions on the authorized_keys file so that only the prequel user can read and write it (mode 600).
- Add the public key to the authorized_keys file. The key, including the key type prefix (for example ssh-rsa or ssh-ed25519), the key body and the comment, should be on a single line in the file, with no line breaks. The permissions above are not optional: with the default StrictModes setting, sshd refuses to use an authorized_keys file when the file or the .ssh directory is writable by other users, and the login fails with no explanation to the client.
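The steps of this section carried out as one script, added here as an example and not Prequel’s own script. Account creation requires root and the Linux shadow-utils commands (groupadd and useradd); instead of switching to the prequel user, this variant writes the key as root and then chowns the result, which ends in the same state. The key-installation and permission-check functions take a home directory as a parameter, so they can be exercised on any directory without root. The sample key in the usage line is yours to supply; the validation accepts the key types OpenSSH supports and rejects a key pasted across several lines.

```shell
#!/bin/sh
# Added example, not Prequel's own script: performs the "Create the SSH user"
# steps on the bastion host. Account creation needs root and shadow-utils
# (groupadd/useradd); install_key and check_perms work on any directory.
set -eu
umask 077   # anything this script creates is private to its owner from the start

USER_NAME=prequel
GROUP_NAME=prequel

# Accept only a single OpenSSH public-key line: "<type> <base64 body> [comment]".
# A key pasted with line breaks is the most common cause of "permission denied"
# after following these steps.
validate_pubkey() {
    key=$1
    if [ "$(printf '%s\n' "$key" | wc -l | tr -d ' ')" -ne 1 ]; then
        echo "public key must be on one line" >&2; return 1
    fi
    case "$key" in
        ssh-ed25519\ *|ssh-rsa\ *|ecdsa-sha2-nistp256\ *|ecdsa-sha2-nistp384\ *|\
        ecdsa-sha2-nistp521\ *|sk-ssh-ed25519@openssh.com\ *|sk-ecdsa-sha2-nistp256@openssh.com\ *) ;;
        *) echo "unrecognised key type: ${key%% *}" >&2; return 1 ;;
    esac
    body=$(printf '%s' "$key" | cut -d' ' -f2)
    case "$body" in
        ''|*[!A-Za-z0-9+/=]*) echo "key body is not base64" >&2; return 1 ;;
    esac
}

# Create ~/.ssh and authorized_keys with the permissions sshd's StrictModes
# requires (700 / 600) and append the key once. Safe to re-run.
install_key() {
    home=$1; key=$2
    validate_pubkey "$key" || return 1
    mkdir -p "$home/.ssh"
    chmod 700 "$home/.ssh"
    touch "$home/.ssh/authorized_keys"
    chmod 600 "$home/.ssh/authorized_keys"
    if ! grep -qxF -- "$key" "$home/.ssh/authorized_keys"; then
        printf '%s\n' "$key" >> "$home/.ssh/authorized_keys"
    fi
}

# Succeeds only when the directory is exactly 0700 and the file exactly 0600;
# with StrictModes (the default) sshd silently ignores a looser setup.
check_perms() {
    home=$1
    [ -n "$(find "$home/.ssh" -maxdepth 0 -type d -perm 700 2>/dev/null)" ] &&
    [ -n "$(find "$home/.ssh/authorized_keys" -maxdepth 0 -type f -perm 600 2>/dev/null)" ]
}

# Root-only: create the group and the user with that group as primary, then
# install the key into that user's home and hand ownership to the user.
create_account() {
    key=$1
    groupadd --force "$GROUP_NAME"
    id "$USER_NAME" >/dev/null 2>&1 || \
        useradd --create-home --gid "$GROUP_NAME" --shell /bin/bash "$USER_NAME"
    home=$(getent passwd "$USER_NAME" | cut -d: -f6)
    install_key "$home" "$key"
    chown -R "$USER_NAME:$GROUP_NAME" "$home/.ssh"
    check_perms "$home"
}

# Usage (as root on the bastion): sh create_prequel_user.sh "$(cat prequel.pub)"
if [ "$#" -eq 1 ]; then
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
    create_account "$1"
fi
```

After running it, test the account from a machine the inbound rule allows with ssh -i <key> prequel@<public IP> -N; if sshd rejects the key, check_perms on the prequel home directory is the first thing to look at.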