Connect via Bastion

In the previous guide, Add Bastion User, we configured a user with access to the Bastion. In this guide, we are going to use the same SSH access to connect to resources on the private network using an SSH Tunnel.

TIP

An SSH Tunnel is a technique where your local machine forwards a local port to a remote resource through an SSH connection.

Open SSH Tunnel

To open an SSH Tunnel, we're going to use the -L flag, which forwards a port on our local machine to a port on a remote host through the Bastion. Here is the format of the command we're going to use:

shell
ssh -L <local-port>:<remote-host>:<remote-port> -i <private-key> <bastion-user>@<bastion-ip>

Let's use that format to connect to an AWS RDS Postgres database. In the following example, our configuration looks like this:

  • Local Port: 4432
  • Database Endpoint: postgres0.cs4cyqrf5rxq.us-west-1.rds.amazonaws.com:5432
  • Private Key: ~/.ssh/id_ed25519
  • Bastion User: ubuntu
  • Bastion IP: 1.2.3.4
shell
ssh -L 4432:postgres0.cs4cyqrf5rxq.us-west-1.rds.amazonaws.com:5432 -i ~/.ssh/id_ed25519 ubuntu@1.2.3.4

TIP

Your database endpoint is viewable on the Datastore "Overview" tab listed in "Connect to Private Endpoint".

Store config for repeat use

It's common to connect to the database every day, so let's use ~/.ssh/config to make life easier when we want to connect. Add the following stanza to ~/.ssh/config.

Host dev-bastion
  User ubuntu
  Hostname 1.2.3.4
  IdentityFile ~/.ssh/id_ed25519
  # Listen on loopback only, as the ssh -L command above does by default.
  # A bind address of 0.0.0.0 would expose the forwarded database port to other machines on your network.
  LocalForward 127.0.0.1:4432 postgres0.cs4cyqrf5rxq.us-west-1.rds.amazonaws.com:5432

Now you can connect to the dev bastion, with all of this configuration and the SSH Tunnel applied, using a single command.

shell
ssh dev-bastion
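
A LocalForward bind address other than loopback (for example 0.0.0.0, * or an empty address) makes the forwarded database port reachable from other machines on your network. The following check is an added example, not part of the original guide: it scans an SSH client config for such entries. The function names, host aliases, 192.0.2.10 and db.example.internal are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag LocalForward entries that listen beyond loopback.
# Usage: audit_local_forwards [config-file]   (defaults to ~/.ssh/config)
# Returns 0 when every forward is loopback-only, 1 otherwise.
audit_local_forwards() {
  awk '
    { key = tolower($1) }                 # ssh_config keywords are case-insensitive
    key == "host" { host = $2; next }     # remember which stanza we are in
    key == "localforward" {
      spec = $2                           # [bind_address:]port
      # No bind address: ssh listens on loopback unless GatewayPorts is enabled.
      if (spec !~ /:/) next
      bind = spec
      sub(/:[0-9]+$/, "", bind)           # strip the port, keep the bind address
      if (bind == "127.0.0.1" || bind == "localhost" || bind == "[::1]") next
      printf "%s: LocalForward %s listens beyond loopback\n", host, spec
      found = 1
    }
    END { exit found ? 1 : 0 }
  ' "${1:-$HOME/.ssh/config}"
}

# Constructed sample config (not a real environment).
write_sample_config() {
  cat <<'EOF'
Host dev-bastion-open
  HostName 192.0.2.10
  LocalForward 0.0.0.0:4432 db.example.internal:5432
Host dev-bastion-loopback
  HostName 192.0.2.10
  LocalForward 127.0.0.1:4432 db.example.internal:5432
Host dev-bastion-default
  HostName 192.0.2.10
  LocalForward 4433 db.example.internal:5432
EOF
}

# Demo run against the constructed sample.
sample=$(mktemp)
write_sample_config > "$sample"
audit_local_forwards "$sample" || echo "Review the entries listed above."
rm -f "$sample"
```

Run `audit_local_forwards` with no argument to check your own ~/.ssh/config; it only inspects LocalForward lines written in the `keyword value` form.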