# Connecting through an SSH bastion

An SSH bastion is a hardened, publicly accessible server that provides a single entry point into a private network.

When you use an SSH bastion, you do not need to allow direct access from Structural to your database servers. Instead, you only allow access to the bastion. Structural then SSHes through the bastion to reach the servers.

## Setting up your SSH bastion

Before you configure a workspace to connect through an SSH bastion, make sure to configure the bastion as follows.

### **CPU architecture**

To offload encryption tasks, the CPU must support the AES-NI instruction set.

For example, on AWS, you would use Generation 4 instances, such as C4 or M4, or newer.

### **Instance type**

Avoid burstable instances, such as AWS t3 and t3a. During high-throughput transfers, these can be throttled, which can lead to dropped connections.

Use instances that have dedicated CPU resources.

### **Software and cipher compatibility**

High-speed ciphers require a modern version of OpenSSH (OpenSSH 6.5+).

We recommend that you prefer ChaCha20-Poly1305 and AES-GCM.

### **Prioritize high-speed encryption**

To prioritize high-speed encryption, in `/etc/ssh/sshd_config`, add or update the `Ciphers` line:

{% code overflow="wrap" %}

```
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com
```

{% endcode %}

### **Allowlist Structural**

To allow for high concurrency and multiplexing, and to prevent Structural from being throttled, add this `Match` block at the end of `/etc/ssh/sshd_config`:

{% code overflow="wrap" %}

```
# Global setting for unauthenticated connections
MaxStartups 100:30:200

# Specific limits for Structural Source IP
Match Address <Structural_Source_IP>
    MaxAuthTries 100
    MaxSessions 1000
```

{% endcode %}
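As an added example (not part of the Structural documentation), the following POSIX shell script checks the three bastion requirements above: AES-NI in the CPU flags, OpenSSH 6.5 or newer, and the effective `sshd` settings for the Structural source address. It assumes the host is Linux, that `sshd -T -C addr=<Structural_Source_IP>` is run as root so the `Match` block is applied, and that `<Structural_Source_IP>` is the address used in that block.

```shell
#!/bin/sh
# Preflight checks for an SSH bastion used by Structural. Added example, not
# part of the Structural documentation. Each check takes its input as a string
# so it can be run against live command output or constructed samples.

# AES-NI support: pass the "flags" line from /proc/cpuinfo (Linux reports the
# instruction set as the "aes" flag).
has_aesni() {
    printf '%s\n' "$1" | tr ' ' '\n' | grep -qx 'aes'
}

# OpenSSH 6.5 or newer: pass the output of `ssh -V 2>&1`, e.g.
# "OpenSSH_9.6p1 Ubuntu-3ubuntu13, OpenSSL 3.0.13 30 Jan 2024".
openssh_at_least_6_5() {
    ver=$(printf '%s' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    [ -n "$ver" ] || return 1
    major=${ver% *}
    minor=${ver#* }
    [ "$major" -gt 6 ] || { [ "$major" -eq 6 ] && [ "$minor" -ge 5 ]; }
}

# Effective sshd settings for the Structural source address: pass the output of
# `sshd -T -C addr=<Structural_Source_IP>`, which applies the Match block.
# Succeeds only if the first cipher is one of the AEAD ciphers recommended
# above and the per-address limits match the Match block on this page.
sshd_tuned_for_structural() {
    conf=$1
    first=$(printf '%s\n' "$conf" | sed -n 's/^ciphers \([^,]*\).*/\1/p')
    case "$first" in
        chacha20-poly1305@openssh.com|aes256-gcm@openssh.com|aes128-gcm@openssh.com) ;;
        *) return 1 ;;
    esac
    printf '%s\n' "$conf" | grep -qx 'maxsessions 1000' || return 1
    printf '%s\n' "$conf" | grep -qx 'maxauthtries 100'
}

# Run all checks on the local host (sshd -T needs root).
bastion_preflight() {
    ip=${1:?usage: bastion_preflight <Structural_Source_IP>}
    has_aesni "$(grep -m1 '^flags' /proc/cpuinfo)" && echo "AES-NI: ok" || echo "AES-NI: MISSING"
    openssh_at_least_6_5 "$(ssh -V 2>&1)" && echo "OpenSSH: ok" || echo "OpenSSH: too old"
    sshd_tuned_for_structural "$(sshd -T -C addr="$ip")" && echo "sshd: ok" || echo "sshd: not tuned"
}

if [ "${1:-}" = "--live" ]; then
    bastion_preflight "$2"
fi
```

Run it on the bastion as `sh bastion_preflight.sh --live <Structural_Source_IP>`; a "not tuned" result usually means the `Ciphers` line or the `Match` block was not picked up after editing `sshd_config`.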

## **Connecting to an SSH bastion from a Structural workspace**

In the workspace configuration, to connect to an SSH bastion:

1. If the data connector supports multiple tunneling options:

   1. Toggle **Enable Connection Tunnel** to the on position.
   2. From the **Tunnel type** dropdown list, select **SSH Tunnel**.

   If the data connector only supports SSH tunneling, then toggle **Enable SSH Tunnel** to the on position.
2. In the **SSH Host** field, provide the host for the SSH bastion.
3. In the **SSH Port** field, provide the port for the SSH bastion.
4. In the **SSH User** field, provide the name of the user to use to connect to the SSH bastion.
5. If you do not use a private key, then in the **SSH Passphrase** field, provide the passphrase to use for authentication.\
   \
   If secrets managers are available, you can instead [select a secret name from a secrets manager](/app/workspace/workspace-configuration-settings/secrets-manager/selecting-a-secrets-manager-secret.md).
6. If you do use a private key, then in the **SSH Private Key** field, provide the private key.\
   \
   If secrets managers are available, you can instead [select a secret name from a secrets manager](/app/workspace/workspace-configuration-settings/secrets-manager/selecting-a-secrets-manager-secret.md).\
   \
   If the private key uses a passphrase, then in the **SSH Passphrase** field, provide the passphrase for the private key.
