For the strongest encryption between intermix.io and your database, you can create a SSH tunnel to a tunnel server.
When to Use the SSH Tunnel
Use the SSH Tunnel if your data warehouse is not accessible from the public internet. For example if:
1. for security reasons, you are unable to add an inbound firewall rule to your data warehouse, or
2. your data warehouse IP address is on an internal network (no outside network access).
Step 1: Choose a Host on which to terminate the Tunnel
Using a Tunnel Server
Terminating the tunnel on a separate server has the advantage of keeping your database server inaccessible from the Internet. If the tunnel server is compromised it is one step removed from the database server. We recommend that you remove all non-essential software and users from the tunnel server and closely monitor it with tools such as an IDS.
The tunnel server can be any Unix/Linux host that:
- Can be accessed from the Internet via SSH
- Can access the database
Step 2: Create 'intermix' user on Amazon Redshift
Following the steps in this knowledge base article to create an appropriate user in your Amazon Redshift database. You will need this when configuring your database in the intermix.io product.
Step 3: Create IP Whitelist
The second step is to allow network traffic to reach the tunnel server or database host via SSH, which is generally on TCP port 22.
Please allow network traffic from the IP address where intermix.io is hosted:
Step 4: SSH Tunneling
Provide the following information to your intermix.io representative:
- IP address / DNS name of the database server (as seen from the tunnel server)
- Database port number (as seen from the tunnel server)
- IP address or DNS name of the tunnel server (as seen from the public internet)
- SSH port of the tunnel server as seen from the public internet
- Username on the tunnel server for the SSH connection
Step 5: Preparing the Tunnel Host
Your intermix.io representative will provide you with a unique public key, which will be used to authenticate the SSH tunnel session (we do not support logins via password). You will need to prepare your host (either the database server or tunnel server) by creating an
intermix user and adding the intermix.io public key to the
.ssh/authorized_keys file. Here’s how:
sudo groupadd intermix
intermixand its home directory:
sudo useradd -m -g intermix intermix
Switch to the
sudo su - intermix
chmod 700 ~/.ssh
Change to the
chmod 600 authorized_keys
Using your favorite text editor, add the SSH key provided by your intermix.io representative to the
authorized_keys file. The key must be all on one line. In some cases, when you retrieve the key from your email, line breaks will be inserted by your email client. If you do not remove them it will be impossible to establish the SSH tunnel.
Tunnel Security Notes
By default, opening SSH access also allows forwarding of any ports, circumventing any firewalls between intermix.io and the database host that is terminating the SSH tunnel. For better security, limit port forwarding and the ability to log in to your tunnel server. This can be controlled by properly configuring the
.ssh/authorized_keys entry for the intermix.io public key.
For example, the following text could be prepended to the intermix.io SSH key in your authorized_keys file. Please note that this text MUST be customized for your environment.
no-pty,no-X11-forwarding,permitopen="localhost:3306",permitopen="localhost:3307", command="/bin/echo Login Not Permitted"
man ssh and
man authorized_keys pages for examples and full details.
Notify your intermix.io representative when the tunnel server is all set up and we'll confirm that we are able to connect.
After that, simply log back into intermix.io and set up your cluster. In your "Cluster Credentials" section of the sign-up flow, enter the IP / DNS name of the Amazon Redshift server (as seen by the tunnel server) into the Host field.