Tunneling lets Hightouch securely open a connection to a data warehouse in your private network or Virtual Private Cloud (VPC) without exposing it to the internet. SSH tunnels are secure, authenticated, encrypted, and dedicated to your workspace. To learn more about SSH tunneling, check out this introductory article.
This feature is supported for the following sources:
Both Standard and Reverse tunnels open a secure port connection between Hightouch and your data warehouse. However, they differ in implementation, and you may prefer one based on your network specifications.
Standard tunnels require you to run sshd on a bastion host accessible from the public internet. Our systems open an SSH connection to your bastion, then open a port forwarding connection from your bastion to the private service you specify.
Reverse tunnels let you forward a port by connecting as a client to an SSH server managed by Hightouch. This removes the necessity for a bastion host in your infrastructure but requires you to maintain that connection. That means if your connection goes down for whatever reason, your systems automatically re-open the connection. You can use programs like `autossh``, Docker container restart policies, or process supervisors like supervisord to help maintain your connection.
You need to allowlist Hightouch's IP addresses to let our systems contact your bastion host. Reference our networking docs to determine which IPs you need to allowlist.
These are the connection details for your public-facing bastion server host.
The port is most likely 22, standard for sshd.
Fill out the Service Host and Service Port.
These are the connection details for the data warehouse you are connecting to Hightouch.
Think of your bastion server as a jump host. Hightouch jumps through it to connect to your warehouse using these details.
Select Create.
Copy or download the generated SSH public key. Add this to the ~/.ssh/authorized_keys file for the hightouch user on your bastion server. You can use ssh-copy-id to help with this.
The tunnel Status turns green when the connection is established. Your tunnel is now ready for use.
This command includes the remote Hightouch sshd host and port, and remote forwarding port.
Set or replace the $SERVICE_HOST and $SERVICE_PORT variables with your internal warehouse service host and port.
Upload the private key to your SSH client server, store it securely, and ensure its permissions are set to 0400.
From your SSH client server, run the modified ssh command.
Ensure the -i flag is pointing to the correct path of the private key.
You most likely want to wrap this ssh command with a process manager to restart in case of failure. Consider autossh.
The tunnel Status turns green when the connection is established. Your tunnel is now ready for use.
Hightouch Reverse SSH Host Key
If you prefer, you can check that Hightouch's hostname is correctly set to either tunnel.aws-us-east-1.hightouch.com, tunnel.aws-eu-west-1.hightouch.com, tunnel.aws-ap-south-1.hightouch.com, or tunnel.gcp-us-east4.production.hightouch.com depending on your workspace region and that the Host Key is correctly included in ~/.ssh/known_hosts as follows: