Configure SSH Tunnel Connectivity
This section describes how to enable SSH tunneling between the Trifacta Application and your cloud-based database infrastructure. When this feature is enabled and properly configured, users connect to your databases through a more secure manner.
Security concerns:
Credentials are stored in a secure database table.
Calls through the SSH tunnel happen with each API request to the platform. When the call has been satisfied, the connection is closed.
For asynchronous calls to the database, the connection is not left open during the asynchronous execution of the request.
Limitations
This feature is not available for some connections.
SSH key-pair must be generated in the legacy OpenSSH format. The new OpenSSH format is not supported. Instructions for generating the legacy format are provided below.
Note
For security reasons, the port number in use for SSH tunneling is randomized when the connection is brokered. Connections where the port number is specified in the Connect String Options may need to be modified to use SSH tunneling. For more information, see "Host and port information in Connect String Options" below.
Note
This feature does not work, if In-VPC connectivity to the data service has been enabled in your project. For more information, see Dataprep In-VPC Execution.
Prerequisites
You must have credentials to access the SSH tunneling for each connection type.
On each database server to which you using SSH tunneling to connect:
You must whitelist the SSH host, so that the database server will receive connections from it.
For additional security, you can limit access on the SSH host to only the IP address range for Alteryx Service, which prevents access to the database server through the SSH host for any system other than the Dataprep by Trifacta platform.
For more information, see Whitelist Platform Service.
Supported Connection Types
The following connection types support SSH Tunneling:
Connection Type | Credential Types | Documentation |
---|---|---|
Alloy DB | SSH Basic,SSH Key | |
SQL Server on Google Cloud SQL | SSH Basic,SSH Key | |
MongoDB | SSH Basic,SSH Key | |
MySQL | SSH Basic,SSH Key | |
Oracle Database | SSH Basic,SSH Key | |
PostgreSQL | SSH Basic,SSH Key | |
Microsoft SQL Server | SSH Basic,SSH Key | |
Teradata | SSH Basic,SSH Key | |
SAP HANA | SSH Basic, SSH Key |
Configure
You can enable the SSH tunneling check box and configure the advanced options.
Note
SSH tunneling is enabled on a per-connection basis. If enabled for a connection type, the SSH options appear under the Advanced options in the connection window.
These properties are available when you create the connection. After you have specified the connection including SSH tunneling options, you should test the connection.
For more information, see Create Connection Window.
Basic Properties
Property | Description |
---|---|
SSH tunneling host | If you are using SSH tunneling, please specify the SSH host for tunneling into your infrastructure. |
Advanced Credential Type | Depending on the type, you must specify the properties for the credentials to use to connection. See sections below. |
SSH Tunneling Basic
Property | Description |
---|---|
SSH Tunneling User Name | (optional) Username with which to authenticate to the SSH tunnel. In some environments, a username may be optional. |
SSH Tunneling Password | Password for the username |
SSH Tunneling with Key
Note
Use of an SSH key that requires a passphrase is not supported.
Property | Description |
---|---|
SSH Tunneling User Name | (optional) Username with which to authenticate to the SSH tunnel. In some environments, a username may be optional. |
SSH Tunneling SSH Key | Key used to access the SSH tunnel. Note This key must be generated in legacy OpenSSH format. See below. |
Please use the following command to generate an SSH key from the node where the database server node:
ssh-keygen -t rsa -m PEM
Host and port information in Connect String Options
For security reasons, port and host information may be randomized as part of brokering the connection. If your Connect String Options for a specific connection reference port and host numbers, you must replace them with the following dynamic references:
Note
Use of these references in the Connect String Options for an SSH-enabled connection is required.
Item | Reference |
---|---|
hostname |
|
port number |
|
Example:
(DESCRIPTION = (ADDRESS_LIST = (ADDRESS = (PROTOCOL = TCP)(HOST = ${host})(PORT = ${port})))(CONNECT_DATA = (SERVICE_NAME = ORCL)))
Use
When you have configured SSH tunneling properly, all users of the connection use the SSH configuration to access the targeted database.
Sharing
When a connection is shared with credentials, the SSH authentication credentials are also shared. For more information, see Share a Connection.