Skip to main content

Configure SSH Tunnel Connectivity

This section describes how to enable SSH tunneling between the Trifacta Application and your cloud-based database infrastructure. When this feature is enabled and properly configured, users connect to your databases through a more secure manner.

Security concerns:

  • Credentials are stored in a secure database table.

  • Calls through the SSH tunnel happen with each API request to the platform. When the call has been satisfied, the connection is closed.

    • For asynchronous calls to the database, the connection is not left open during the asynchronous execution of the request.

Limitations

  • This feature is not available for some connections.

  • SSH key-pair must be generated in the legacy OpenSSH format. The new OpenSSH format is not supported. Instructions for generating the legacy format are provided below.

Note

For security reasons, the port number in use for SSH tunneling is randomized when the connection is brokered. Connections where the port number is specified in the Connect String Options may need to be modified to use SSH tunneling. For more information, see "Host and port information in Connect String Options" below.

Note

This feature does not work, if In-VPC connectivity to the data service has been enabled in your project. For more information, see Dataprep In-VPC Execution.

Prerequisites

  • You must have credentials to access the SSH tunneling for each connection type.

  • On each database server to which you using SSH tunneling to connect:

    • You must whitelist the SSH host, so that the database server will receive connections from it.

    • For additional security, you can limit access on the SSH host to only the IP address range for Alteryx Service, which prevents access to the database server through the SSH host for any system other than the Dataprep by Trifacta platform.

    • For more information, see Whitelist Platform Service.

Supported Connection Types

The following connection types support SSH Tunneling:

Connection Type

Credential Types

Documentation

Alloy DB

SSH Basic,SSH Key

AlloyDB Connections

SQL Server on Google Cloud SQL

SSH Basic,SSH Key

Microsoft SQL Server Connections

MongoDB

SSH Basic,SSH Key

MongoDB Connections

MySQL

SSH Basic,SSH Key

MySQL Connections

Oracle Database

SSH Basic,SSH Key

Oracle Database Connections

PostgreSQL

SSH Basic,SSH Key

PostgreSQL Connections

Microsoft SQL Server

SSH Basic,SSH Key

Microsoft SQL Server Connections

Teradata

SSH Basic,SSH Key

Teradata Connections

SAP HANA

SSH Basic, SSH Key

SAP HANA Connections

Configure

You can enable the SSH tunneling check box and configure the advanced options.

Note

SSH tunneling is enabled on a per-connection basis. If enabled for a connection type, the SSH options appear under the Advanced options in the connection window.

These properties are available when you create the connection. After you have specified the connection including SSH tunneling options, you should test the connection.

For more information, see Create Connection Window.

Basic Properties

Property

Description

SSH tunneling host

If you are using SSH tunneling, please specify the SSH host for tunneling into your infrastructure.

Advanced Credential Type

Depending on the type, you must specify the properties for the credentials to use to connection. See sections below.

SSH Tunneling Basic

Property

Description

SSH Tunneling User Name

(optional) Username with which to authenticate to the SSH tunnel.

In some environments, a username may be optional.

SSH Tunneling Password

Password for the username

SSH Tunneling with Key

Note

Use of an SSH key that requires a passphrase is not supported.

Property

Description

SSH Tunneling User Name

(optional) Username with which to authenticate to the SSH tunnel.

In some environments, a username may be optional.

SSH Tunneling SSH Key

Key used to access the SSH tunnel.

Note

This key must be generated in legacy OpenSSH format. See below.

Generate SSH key

Please use the following command to generate an SSH key from the node where the database server node:

ssh-keygen -t rsa -m PEM

Host and port information in Connect String Options

For security reasons, port and host information may be randomized as part of brokering the connection. If your Connect String Options for a specific connection reference port and host numbers, you must replace them with the following dynamic references:

Note

Use of these references in the Connect String Options for an SSH-enabled connection is required.

Item

Reference

hostname

${host}

port number

${port}

Example:

(DESCRIPTION = (ADDRESS_LIST = (ADDRESS = (PROTOCOL = TCP)(HOST = ${host})(PORT = ${port})))(CONNECT_DATA = (SERVICE_NAME = ORCL)))

Use

When you have configured SSH tunneling properly, all users of the connection use the SSH configuration to access the targeted database.

Sharing

When a connection is shared with credentials, the SSH authentication credentials are also shared. For more information, see Share a Connection.