Connecting through an SSH bastion

An SSH bastion is a hardened, publicly accessible server that provides a single entry point into a private network.

When you use an SSH bastion, you do not need to allow direct access from Structural to your database servers. Instead, you only allow access to the bastion. Structural then SSHes through the bastion to reach the servers.

Setting up your SSH bastion

Before you configure a workspace to connect through an SSH bastion, make sure to configure the bastion as follows.

CPU architecture

To offload encryption tasks, the CPU must support the AES-NI instruction set.

For example, on AWS, you would use Generation 4 instances, such as C4 or M4, or newer.

Instance type

Avoid burstable instances, such as AWS t3 and t3a. During high-throughput transfers, these can be throttled, which can lead to dropped connections.

Use instances that have dedicated CPU resources.

Software and cipher compatibility

High-speed ciphers require a modern version of OpenSSH (OpenSSH 6.5+).

We recommend that you prioritize ChaCha20-Poly1305 and AES-GCM.

Prioritize high-speed encryption

To prioritize high-speed encryption, in /etc/ssh/sshd_config, add or update the Ciphers line:

Allowlist Structural

To allow for high concurrency and multiplexing, and to prevent Structural from being throttled, at the end of /etc/ssh/sshd_config, add this Match block:
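As an added example that is not part of the Structural documentation, this is what the two /etc/ssh/sshd_config changes above can look like together. It assumes placeholder values: Structural connects from 203.0.113.0/24, and the databases are db1.internal and db2.internal on port 5432.

```sshd_config
# Added example for the bastion's /etc/ssh/sshd_config; not Structural's own config.
# Assumed placeholders: Structural source range 203.0.113.0/24,
# database endpoints db1.internal:5432 and db2.internal:5432.

# Global section. Ciphers and MaxStartups are not accepted inside a Match block.
# The first cipher that the client also offers is used; with AES-NI available,
# AES-GCM is typically the fastest. All three need OpenSSH 6.5 or newer.
Ciphers aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com

# The default MaxStartups (10:30:100) starts dropping new connections at random once
# 10 are still authenticating, which shows up as failed tunnels under load.
MaxStartups 100:30:200

# A Match block extends to the next Match or the end of the file, so it stays last.
Match Address 203.0.113.0/24
    # One SSH connection can multiplex many forwarded channels.
    MaxSessions 100
    # Port forwarding is all the tunnel needs.
    AllowTcpForwarding yes
    # Least privilege: only the database endpoints are reachable, and no shell.
    PermitOpen db1.internal:5432 db2.internal:5432
    PermitTTY no
    # Keep long transfers from being torn down as idle sessions.
    ClientAliveInterval 30
    ClientAliveCountMax 6
```

Check the file with `sshd -t` before reloading sshd; a directive that is not allowed inside Match is reported there rather than silently ignored.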

Connecting to an SSH bastion from a Structural workspace

In the workspace configuration, to connect to an SSH bastion:

  1. If the data connector supports multiple tunneling options:

    1. Toggle Enable Connection Tunnel to the on position.

    2. From the Tunnel type dropdown list, select SSH Tunnel.

    If the data connector only supports SSH tunneling, then toggle Enable SSH Tunnel to the on position.

  2. In the SSH Host field, provide the host for the SSH bastion.

  3. In the SSH Port field, provide the port for the SSH bastion.

  4. In the SSH User field, provide the name of the user to use to connect to the SSH bastion.

  5. If you do not use a private key, then in the SSH Passphrase field, provide the passphrase to use for authentication. If secrets managers are available, you can instead select a secret name from a secrets manager.

  6. If you do use a private key, then in the SSH Private Key field, provide the private key. If secrets managers are available, you can instead select a secret name from a secrets manager. If the private key uses a passphrase, then in the SSH Passphrase field, provide the passphrase for the private key.
