
# AWS SSH tunneling

> Configure an AWS bastion server to accept an SSH connection from Prequel.

Follow these steps to configure an AWS bastion server to accept an SSH connection from Prequel.

### Prerequisites

* A public SSH key to add to the bastion machine to authenticate the SSH connection. *Ask your contact at Prequel if they have not already provided one to you.*

<Steps>
  <Step title="Provision a bastion server">
    If using SSH tunneling to connect to a source database, we recommend using a standalone bastion server. This step will walk through provisioning the standalone bastion server. If using an existing server, skip to step 2.

    1. Navigate to the EC2 Instances page, and click **Launch instances**.

    <Frame>
      ![](https://storage.googleapis.com/prequel_docs/images/ssh-tunneling-launch-instances.png "launch instances.png")
    </Frame>

    2. Select an image. We recommend a default Amazon Linux image, such as the *64-bit (x86) Amazon Linux 2 AMI* (the default option).

    <Frame>
      ![](https://storage.googleapis.com/prequel_docs/images/ssh-tunneling-select-image.png "image.png")
    </Frame>

    3. Select a type. We recommend the **t3.nano**. *Because this bastion server will be used exclusively for SSH tunneling, network performance is the primary consideration. The t3.nano comes with network performance of up to 5 Gigabit, together with minimal memory (0.5 GiB), 2 vCPUs and an 8 GB SSD root volume, for about \$5/mo depending on region and market rates.*

    <Frame>
      ![](https://storage.googleapis.com/prequel_docs/images/ssh-tunneling-t3-nano.png "t3nano.png")
    </Frame>

    <Frame>
      ![](https://storage.googleapis.com/prequel_docs/images/ssh-tunneling-t3-nano-cost.png "t3nano cost.png")
    </Frame>

    4. Click **Review and launch**. Adjust the default security group according to your security policies so that you can reach the instance to configure it (e.g., to create the `prequel` user in **Step 2**); the security group is tightened further in **Step 2**. Click **Launch**. (The remaining default options are sufficient.)

    <Frame>
      ![](https://storage.googleapis.com/prequel_docs/images/ssh-tunneling-select-launch.png "launch.png")
    </Frame>
  </Step>

  <Step title="Configure the server">
    ### Allow SSH port access

    In the AWS console, complete the steps below:

    1. Navigate to the **EC2 Instances** page, and click the **instance ID** of the server to be used as the bastion host.

    <Frame>
      ![](https://storage.googleapis.com/prequel_docs/images/ssh-tunneling-instance-id.png "ec2 instance id 2.png")
    </Frame>

    2. In the **Security** tab, click the link to one of the security groups (e.g., the **default** security group). Prefer a group dedicated to the bastion: rules added to a shared group apply to every instance that uses it. Make note of this security group, as you will need to allow inbound access from it to your source DB as part of **Step 3**.

    <Frame>
      ![](https://storage.googleapis.com/prequel_docs/images/ssh-tunneling-security-tab.png "instance security tab.png")
    </Frame>

    3. In the **Inbound rules** tab, click "Edit inbound rules".

    <Frame>
      ![](https://storage.googleapis.com/prequel_docs/images/ssh-tunneling-inbound-rules.png "ec2 edit inbound rules.png")
    </Frame>

    4. Click **Add rule**. Add an inbound rule of type **SSH** and whitelist the Prequel static IP as a single-host (/32) entry, never a wider range. Optionally, add a description. For the correct IP, refer to the [Prequel IPs](/export/deployment/prequel-ips) section of the docs. ***Note**: you will not be able to SSH into this machine to configure the `prequel` user unless you also whitelist your own machine's IP in the inbound rules. Consider temporarily adding that IP to facilitate the next step, and remove it again once the user is created.*

    <Frame>
      ![](https://storage.googleapis.com/prequel_docs/images/ssh-tunneling-whitelist-prequel-ip.png "ssh tunnel whitelist.png")
    </Frame>

    ### Create the SSH user

    Log in to the bastion server and complete the steps below.

    1. Create group `prequel`:

    ```shell title="Create group" icon="terminal" theme={null}
    sudo groupadd prequel
    ```

    2. Create user `prequel`:

    ```shell title="Create user" icon="terminal" theme={null}
    sudo useradd -m -g prequel prequel
    ```

    3. Switch to the prequel user:

    ```shell title="Switch user" icon="terminal" theme={null}
    sudo su - prequel
    ```

    4. Create the `.ssh` directory:

    ```shell title="Create .ssh directory" icon="terminal" theme={null}
    mkdir ~/.ssh
    ```

    5. Set permissions:

    ```shell title="Set directory permissions" icon="terminal" theme={null}
    chmod 700 ~/.ssh
    ```

    6. Navigate to the `.ssh` directory:

    ```shell title="Enter .ssh directory" icon="terminal" theme={null}
    cd ~/.ssh
    ```

    7. Create the `authorized_keys` file:

    ```shell title="Create authorized_keys file" icon="terminal" theme={null}
    touch authorized_keys
    ```

    8. Set permissions:

    ```shell title="Set file permissions" icon="terminal" theme={null}
    chmod 600 authorized_keys
    ```

    9. Add the public key to the `authorized_keys` file. *The whole key, including the key type at the start (e.g. `ssh-ed25519` or `ssh-rsa`) and the trailing comment, must be on one line in the file, without line breaks; sshd ignores a key that is split across lines. Appending with `>>` keeps any keys already present on an existing server.*

    ```shell title="Add public key" icon="terminal" theme={null}
    echo "<key_type> <ssh_public_key_beginning_with_AAAA> prequel-ssh-tunnel-public-key" >> authorized_keys
    ```
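    The nine commands above, collected into one script that can be re-run safely. This is an added example and not Prequel's own code or tooling: it checks that the pasted key is a single-line OpenSSH public key before installing it, sets ownership and modes explicitly so sshd's `StrictModes` check passes, and optionally prefixes the key with OpenSSH `authorized_keys` options (`restrict,port-forwarding,permitopen=...`) that turn it into a forward-only credential limited to the source database. It assumes an Amazon Linux host with `sudo` and OpenSSH 7.2 or newer (for `restrict`), and that Prequel only needs TCP forwarding to the database; the `db.internal.example` host and the port used in the usage comment are placeholders, not real endpoints.

    ```bash
    #!/usr/bin/env bash
    # Added example (not Prequel's own code): create the tunnel-only `prequel`
    # user and install its public key in one validated, idempotent run.
    # Assumptions: Amazon Linux / Linux host with sudo, OpenSSH >= 7.2, a
    # one-line OpenSSH public key, and a connector that only needs TCP
    # forwarding. Any DB host/port given below are placeholders.
    set -eu

    TUNNEL_USER="prequel"

    # Accept only a well-formed one-line OpenSSH public key: a known key type,
    # a base64 blob starting with "AAAA", and an optional comment.
    # Returns 0 when valid, 1 otherwise.
    validate_pubkey() {
      local key="$1"
      # A key pasted with a line break arrives as two lines; sshd reads one key per line.
      [ $(( $(printf '%s\n' "$key" | wc -l) )) -eq 1 ] || return 1
      printf '%s\n' "$key" | grep -Eq \
        '^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)|sk-ssh-ed25519@openssh\.com|sk-ecdsa-sha2-nistp256@openssh\.com) AAAA[A-Za-z0-9+/]+=*( [^[:cntrl:]]*)?$'
    }

    # Build the authorized_keys line. With a DB host and port, prefix OpenSSH
    # options: `restrict` disables pty, agent/X11 forwarding and user rc files;
    # `port-forwarding` re-enables TCP forwarding; `permitopen` limits it to the
    # one database endpoint. Without them the bare key is returned.
    build_authorized_key_line() {
      local key="$1" db_host="${2:-}" db_port="${3:-}"
      if [ -n "$db_host" ] && [ -n "$db_port" ]; then
        printf 'restrict,port-forwarding,permitopen="%s:%s" %s\n' "$db_host" "$db_port" "$key"
      else
        printf '%s\n' "$key"
      fi
    }

    # Privileged part: the manual steps, made safe to re-run. sshd's StrictModes
    # (on by default) rejects keys under a wrongly owned or group/world-writable
    # ~/.ssh, so ownership and modes are set explicitly instead of relying on
    # the umask of whoever runs this.
    provision_tunnel_user() {
      local line="$1" home
      getent group "$TUNNEL_USER" >/dev/null || sudo groupadd "$TUNNEL_USER"
      getent passwd "$TUNNEL_USER" >/dev/null || sudo useradd -m -g "$TUNNEL_USER" "$TUNNEL_USER"
      home="$(getent passwd "$TUNNEL_USER" | cut -d: -f6)"
      sudo mkdir -p "$home/.ssh"
      # Append only if this exact line is not already present.
      sudo grep -qxF -- "$line" "$home/.ssh/authorized_keys" 2>/dev/null \
        || printf '%s\n' "$line" | sudo tee -a "$home/.ssh/authorized_keys" >/dev/null
      sudo chown -R "$TUNNEL_USER:$TUNNEL_USER" "$home/.ssh"
      sudo chmod 700 "$home/.ssh"
      sudo chmod 600 "$home/.ssh/authorized_keys"
    }

    # Usage on the bastion:
    #   bash setup-prequel-user.sh "<one-line public key>" [db.internal.example 5432]
    # With no arguments nothing is changed, so the file can be sourced for its functions.
    if [ "$#" -ge 1 ]; then
      validate_pubkey "$1" || { echo "refusing key: not a single-line OpenSSH public key" >&2; exit 1; }
      provision_tunnel_user "$(build_authorized_key_line "$1" "${2:-}" "${3:-}")"
    fi
    ```

    `permitopen` matches the destination exactly as the SSH client names it, so pass the same hostname and port that are configured in Prequel for the source database, not a resolved IP. If the connection fails with the restricted line, run the script again without the host and port to install the bare key and confirm the tunnel works before narrowing it down.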
  </Step>

  <Step title="Grant DB access to the bastion server">
    1. Within the **Inbound rules** of the database security group, click **Add rule**. Add the security group noted in **Step 2**, and click **Save rules**.

    <Frame>
      ![](https://storage.googleapis.com/prequel_docs/images/ssh-tunneling-bastion-rule.png "Screen Shot 2022-01-13 at 2.53.12 PM.png")
    </Frame>
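    The same two security-group changes (the SSH rule from **Step 2** and the database rule above), made with the AWS CLI instead of the console. This is an added example and not part of the Prequel docs or product: it refuses an SSH source that is not a single /32 host, grants the database port to the bastion's security group rather than to an IP, and reads the bastion group's port-22 rules back for a final check. It assumes AWS CLI v2 with credentials that may modify both groups; the group IDs, port and IP are placeholders supplied as arguments, and `AWS_CLI=echo` is a dry-run hook of this example, not an AWS CLI feature.

    ```bash
    #!/usr/bin/env bash
    # Added example, not part of the Prequel docs: the two security-group
    # changes from the console steps, done with the AWS CLI so they can be
    # reviewed and re-run. Assumes AWS CLI v2 with rights to modify both
    # groups. Group IDs, ports and the IP are arguments; none are real.
    set -eu

    # Indirection so a dry run can substitute `echo` for the real CLI
    # (AWS_CLI=echo). Defaults to `aws` on PATH.
    aws_cli() { "${AWS_CLI:-aws}" "$@"; }

    # Accept only a single IPv4 host (/32). An SSH rule must admit exactly one
    # address: a wider range, a bare IP with no mask, or 0.0.0.0/0 is refused.
    is_single_host_cidr() {
      local cidr="$1" ip octet
      case "$cidr" in
        */32) ip="${cidr%/32}" ;;
        *) return 1 ;;
      esac
      printf '%s\n' "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
      local IFS='.'
      for octet in $ip; do
        [ "$octet" -le 255 ] || return 1
      done
      [ "$ip" != "0.0.0.0" ]
    }

    # Bastion group: TCP/22 from the Prequel static IP only (Step 2, rule 4).
    allow_prequel_ssh() {
      local bastion_sg="$1" prequel_cidr="$2"
      if ! is_single_host_cidr "$prequel_cidr"; then
        echo "refusing SSH rule for '$prequel_cidr': a single /32 host is required" >&2
        return 1
      fi
      aws_cli ec2 authorize-security-group-ingress \
        --group-id "$bastion_sg" --protocol tcp --port 22 --cidr "$prequel_cidr"
    }

    # Database group: the database port from the bastion's security group
    # (Step 3). Referencing the group rather than the bastion's IP keeps the
    # rule valid if the instance is replaced or its address changes.
    allow_bastion_to_db() {
      local db_sg="$1" bastion_sg="$2" db_port="$3"
      aws_cli ec2 authorize-security-group-ingress \
        --group-id "$db_sg" --protocol tcp --port "$db_port" --source-group "$bastion_sg"
    }

    # Read back the bastion group's port-22 sources for a final check: every
    # entry should be a /32, and only the Prequel IP (plus, temporarily, yours).
    show_ssh_rules() {
      local bastion_sg="$1"
      aws_cli ec2 describe-security-groups --group-ids "$bastion_sg" \
        --query 'SecurityGroups[0].IpPermissions[?FromPort==`22`].IpRanges[].CidrIp' \
        --output text
    }

    # Usage (placeholder IDs):
    #   allow_prequel_ssh  sg-0bastion 203.0.113.10/32
    #   allow_bastion_to_db sg-0database sg-0bastion 5432
    #   show_ssh_rules     sg-0bastion
    ```

    Run `show_ssh_rules` after removing the temporary rule for your own workstation; anything other than the Prequel /32 listed there is a rule the bastion does not need.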
  </Step>
</Steps>
