I have an AWS Postgres instance in a private subnet and I don't have any VPN. How can I access it locally? - postgresql

I have a Postgres instance in a private subnet. I don't have a VPN configured to connect, and it isn't even allowed through my Bastion (jump node).
Is there any way to connect to it from my local machine for development testing?
The default port is 5432, and I have SSH access to my application server through the Bastion node.

Port forwarding is a process where you establish a connection from your computer (on the Internet) to the Bastion server, and then forward traffic to the database.
ssh -i key.pem ec2-user@BASTION-IP -L 5432:DATABASE-DNS-NAME:5432
Then, in your SQL client, connect to the database via:
localhost:5432
When the SQL client goes to port 5432 on your local computer, the SSH connection will forward that traffic to the bastion server, which will then send it to: DATABASE-DNS-NAME:5432
(You can actually use any port number locally. For example, you could create multiple forwarding connections to different databases, each on a different port.)

As you have SSH access to your application server through the Bastion, you can create a two-level SSH tunnel proxy, since Postgres is not allowed even through the Bastion node, only through the application server.
1: Create a tunnel from the application server to the Bastion node.
ssh-add ~/.ssh/id_rsa ;ssh -oStrictHostKeyChecking=no -Att -l USER_NAME BASTION_IP ssh -oStrictHostKeyChecking=no -Att -l USER_NAME APP_SERVER_IP -L 5432:AWS_POSTGRESS_END_POINT:5432
(keep this terminal open)
2: Create another tunnel from the Bastion to the local computer:
(open a new terminal)
ssh-add ~/.ssh/id_rsa ;ssh -oStrictHostKeyChecking=no -Att -l USER_NAME BASTION_IP -L 5432:localhost:5432
(keep this terminal open)
3: Use localhost or 127.0.0.1 with port 5432 in the connection string (to connect from the local machine) instead of the Postgres endpoint.
Note: replace the SSH key path and your user name in the highlighted placeholders, and keep both terminals open to maintain the session.

Related

AWS EC2 SSH Tunnel Bastion Server

Trying to understand how this works; the documentation isn't very clear. Using AWS quickstart-mongo, I am making a VPN for 3 Mongo nodes, with a bastion server. I can log into my bastion server via SSH and my key. Then I can copy the key to the bastion server and SSH into the primary replica node. This node is running Mongo and shows via rs.status() that all 3 nodes are running correctly.
Once logged into the bastion server, I try to do curl primary-mongo-node-ip:27017, and it seems to hang.
Local Computer -> Bastion Server -> Replica Node 1 / 2 / 3
I think I understand I need to somehow connect to the bastion server, then set up SSH forwarding to primary-mongo-node-ip:27017, sec1-mongo-node-ip:27017, sec2-mongo-node-ip:27017, so that my Mongo URI connection looks like this:
SSH into bastion-dns
mongodb://user:pass@localhost:1000,localhost:1001,localhost:1002/database
How do I do this when I can't even connect to the server on the bastion server without SSH?
Assuming that the Mongo instances allow traffic from the Bastion host (in security groups) on the required ports, you can use the SSH tunnelling mechanism to access the cluster/instance from your local host:
ssh -N -L <local_port_x>:<mongoDB instance ip>:<mongo_port_y> <ssh_username>@<bastion_host_ip> -i <ssh_key_path>
Local_Port_X: Port on your local machine where you want to access the remote Mongo instance
MongoDB Instance IP: IP address of the EC2 instance hosting MongoDB
Mongo_Port_Y: Port that MongoDB is listening on (seems to be 27017 from your question; please do verify that you can talk to the Mongo instance from within the Bastion host on this port)
Bastion_Host_Ip: IP address of the Bastion host, which should be directly reachable from your local machine

Is there any possibility to establish SSH tunneling from the server running PostgreSQL to the client?

I have one server machine where PostgreSQL and an SSH server are installed. I have another client machine from which I want to connect to the PostgreSQL on the server machine in a secure way. I used an SSH tunnel, which is working.
I tried to connect the client with the server using:
$ ssh -L 3307:localhost:3306 user@Host -N -f
It is working. But now I am thinking about whether it is possible to start the SSH tunneling from the server side. That means running an ssh command on the server machine so that I get a more secure connection.

SSH Tunnel for MongoDb Connection Within VPC

I am attempting to tunnel from my localhost (on port 24000) via a Bastion box to my Mongo instance (on 27017) that is only available via the VPC private subnet, so that I may develop locally whilst connected to the staging DB. Using this tunnel command on my OS X box:
ssh -A -L 24000:ip-10-0-11-11.ec2.internal:27017 ec2-3-211-555-333.compute-1.amazonaws.com -N -v
"ip-10-0-11-11.ec2.internal" is the mongo box.
"ec2-3-211-555-333.compute-1.amazonaws.com" is the bastion box.
Aiming to bind local port 24000 to the bastion and then from there to the Mongo box on 27017.
However, upon trying to connect via the tunnel from my local box with:
mongo -u dbUser localhost:24000/db-name
The connection is timing out. Below is the verbose output from the ssh tunnel command (presumably from the bastion?).
debug1: channel 3: free: direct-tcpip: listening port 24000 for ip-10-0-11-11.ec2.internal port 27017, connect from 127.0.0.1 port 63451 to 127.0.0.1 port 24000, nchannels 4
channel 4: open failed: connect failed: Connection timed out
It seems to be trying to work, but it just isn't. Any and all help would be appreciated! I do have SSH forwarding enabled on the bastion via the sshd config. I can also connect to the Mongo instance while on the bastion, no problem.
Circling back... not sure how I got it working or why it wasn't working, but for those looking forward, the ssh command to open a tunnel forwarding the keys in your ssh-agent is indeed the way to do it.
ssh -A -L 24000:ip-10-0-20-141.ec2.internal:27017 ec2-54-165-159-177.compute-1.amazonaws.com -N -v

How to connect Zeppelin to a database that is through an ssh tunnel

I have a local Zeppelin instance running on my Mac at localhost:8080 and I am trying to connect to a Postgres database that is remote. I can access it via SSH and have set up a key pair for my computer, but I can't figure out how to have Zeppelin query the DB directly.
I don't think Zeppelin currently supports database connections via SSH.
But you can still use an SSH tunnel and connect to your database.
1/ Start a tunnel by running this in a console:
ssh -i PATH_TO_KEY -L 5432:localhost:5432 USER@HOST -N
Where USER is the username associated with the key pair and HOST is the IP address of your Postgres host.
2/ Create the Zeppelin interpreter as if Postgres were running locally
(this means default.url = jdbc:postgresql://localhost:5432/ )

Connecting to database through ssh tunnel

Our production databases are only accessible from the production application servers. I am able to log in to the production app servers and psql to the DB, but I would like to set up an SSH tunnel to allow me to access the production DB from my work box.
Ideally, it would be a single command that I could run from my workbox that would set up the tunnel/proxy on the production app server.
Here is what I have come up with, but it doesn't work.
user@workbox $ ssh -fNT -L 55555:db.projectX.company.com:5432 app.projectX.company.com
user@workbox $ psql -h app.projectX.company.com -p 55555
psql: could not connect to server: No route to host
Is the server running on host "app.projectX.company.com" (10.1.1.55) and accepting
TCP/IP connections on port 55555?
The reported IP address is incorrect.
When connecting to the tunnel endpoint, the hostname is your local host, since that's where the forwarded port is exposed.
ssh -fNT -L 55555:db.projectX.company.com:5432 app.projectX.company.com
psql -h localhost -p 55555
BTW, PgAdmin-III provides SSH tunnel automation. On the other hand, it's a big GUI app without psql's handy \commands.
It's pretty trivial to write an sshpsql bash script that fires up the SSH tunnel, stores the PID of the ssh process, launches psql, lets you do what you want, and on exit kills the SSH tunnel. You'll also want to trap "kill $sshpid" EXIT so you kill the tunnel on unclean exits.
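An added example, not code from any answer on this page, that serves both the two-level tunnel answer above and the sshpsql wrapper this answer sketches: it uses OpenSSH's ProxyJump (-J) in place of the two terminals, binds the forward only to 127.0.0.1, makes ssh fail fast with ExitOnForwardFailure, waits for the forward with pg_isready, and kills the tunnel on exit through an EXIT trap. All host names and the SSHPSQL_RUN guard variable are placeholders chosen here.

```shell
#!/bin/sh
# Added example (not from any answer above): an "sshpsql" wrapper that opens an
# SSH local port forward to a private Postgres endpoint, optionally hopping
# through a bastion with OpenSSH's ProxyJump (-J), which stands in for the
# two-terminal, two-level tunnel; it records the ssh PID and kills the tunnel
# on exit (clean or not) via an EXIT trap. All host names are placeholders.

# Print the ssh command line instead of running it, so it can be inspected.
# Args: local_port db_host db_port target_host [jump_host]
build_tunnel_cmd() {
    cmd="ssh -N -T -o ExitOnForwardFailure=yes"   # exit if the -L bind fails
    if [ -n "${5:-}" ]; then
        cmd="$cmd -J $5"                          # bastion as ProxyJump
    fi
    # bind to 127.0.0.1 explicitly so the forward is never exposed on other interfaces
    printf '%s -L 127.0.0.1:%s:%s:%s %s\n' "$cmd" "$1" "$2" "$3" "$4"
}

# Open the tunnel in the background, wait until Postgres answers through it, run
# psql, and tear the tunnel down when psql exits. Args: local_port db_host db_port
# target_host jump_host dbname dbuser ("" for jump_host means no bastion hop).
sshpsql() {
    $(build_tunnel_cmd "$1" "$2" "$3" "$4" "$5") &
    sshpid=$!
    trap 'kill "$sshpid" 2>/dev/null' EXIT INT TERM
    tries=0
    until pg_isready -q -h 127.0.0.1 -p "$1"; do   # pg_isready ships with psql
        tries=$((tries + 1))
        if [ "$tries" -ge 15 ] || ! kill -0 "$sshpid" 2>/dev/null; then
            echo "tunnel to $2:$3 via $4 did not come up" >&2
            return 1
        fi
        sleep 1
    done
    psql -h 127.0.0.1 -p "$1" -U "$7" "$6"
}

# Usage, e.g. through a bastion to the app server (set SSHPSQL_RUN=1 so nothing
# runs when the file is only sourced):
#   SSHPSQL_RUN=1 sh sshpsql.sh 55555 DATABASE-DNS-NAME 5432 APP_SERVER_IP BASTION_IP mydb me
if [ "${SSHPSQL_RUN:-0}" = 1 ]; then
    sshpsql "$@"
fi
```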