
Access Your Database Remotely Through an SSH Tunnel

ENGINE YARD
November 20, 2017 16:28


Your database instance is not directly accessible from outside the environment. This is a good
thing because a database cannot reliably maintain security and patch levels the way SSH can.
However, it means that to access your database from an external database tool, such as
pgAdmin, MySQL Workbench, or SQLyog, you need to create an SSH tunnel to your database
host/instance.

For example, you want to run pgAdmin or MySQL Workbench on your laptop and you want to
use this tool to examine your application database: You create an SSH tunnel from your laptop
(the local) to your database instance (the remote) on Engine Yard Cloud.

You can also use SSH tunnels to set up offsite replication.

This page describes:

- Prerequisites
- Create an SSH tunnel manually
- Create an SSH tunnel in the background with a custom Chef recipe

About SSH tunnels


An SSH tunnel links a port on your local machine to a port on a remote host. When these ports
are linked, anything communicated to the local port is passed through SSH to the remote port;
likewise, any communication to the remote port is passed back through SSH to the local port.
The added benefit of this setup is that the communication between your local machine and the
remote host is encrypted by the SSH connection.

Use MySQL Workbench to connect to MySQL Server

As an alternative to setting up an SSH tunnel manually, you can use MySQL Workbench to
connect to a MySQL Server using TCP/IP over an SSH connection. See MySQL Workbench for
more information.

Set-up SSH Keys


Before you can set up your SSH tunnel, you need to ensure that you have configured and
installed SSH keys on your running environment.

- UNIX-based systems

Set up SSH keys

ENGINE YARD
September 11, 2015 22:26


If you need to access an instance in your application's environment, you can log in via SSH.

Engine Yard enables login access to application instances via SSH. We have standardized on
the secure practice of using key-based authentication. This protects our customers’ instances
from brute force attacks against a user/password-based authentication. An added benefit of
key-based authentication is the ability to log in to an instance without a password.

Create a local SSH keypair


In order to SSH into an Engine Yard Cloud slice, you’ll need to create an SSH keypair on your
local machine.

The command you run from a *nix based command line terminal is this:

$ ssh-keygen -t rsa

You should see output similar to the following:

Generating public/private rsa key pair.
Enter file in which to save the key (/Users/tbird/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /Users/tbird/.ssh/id_rsa.
Your public key has been saved in /Users/tbird/.ssh/id_rsa.pub.
The key fingerprint is:
c9:26:4a:1b:7d:35:9f:c3:c2:b0:b4:5a:7c:8c:65:d9 tbird@jupiter
The key's randomart image is:
+--[ RSA 2048]----+
| |
| o |
| o * E |
| . + % + . |
| o o S = = |
| . + * . . . |
| o . |
| |
| |
+-----------------+
- The command prompt should ask you where to save the key; the default path is fine.
- Entering a passphrase is more secure. You can use an ssh-agent so that you won’t have to type
  your passphrase every time you connect.
- The rest of the output will automatically be generated.

Outcome
Upon completion of the key generation command, two files have been generated in the location
you specified to save the key. The default location is in a .ssh directory in your home directory.
You should see the following files in ~/.ssh:

id_rsa
id_rsa.pub
The id_rsa.pub file is the public key file that you’ll upload to Engine Yard Cloud.
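
A pre-upload check for the two files listed above, as an added example that is not part of the Engine Yard page: it confirms that id_rsa.pub really is the public half and that ~/.ssh and id_rsa carry no group or other permissions, since OpenSSH on UNIX-based systems refuses a private key that other users can read. The function names are hypothetical.

```shell
#!/bin/sh
# Added example, not Engine Yard code. Function names are hypothetical.

# other_bits PATH: the six group/other permission characters from ls -ld,
# e.g. "------" for mode 600 or 700; empty output if PATH does not exist.
other_bits() {
    ls -ld "$1" 2>/dev/null | cut -c5-10
}

# is_public_key FILE: succeeds only if FILE contains no private key block and
# its first line has the "<type> <base64> [comment]" shape of a public key.
is_public_key() {
    [ -f "$1" ] || return 1
    if grep -q 'PRIVATE KEY' "$1"; then return 1; fi
    head -n 1 "$1" | grep -Eq \
        '^(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( .*)?$'
}

# audit_keypair DIR: check DIR, DIR/id_rsa and DIR/id_rsa.pub.
# Prints one line per finding; returns 0 only when everything passes.
audit_keypair() {
    a_dir=$1
    a_bad=0
    for a_path in "$a_dir" "$a_dir/id_rsa"; do
        if [ "$(other_bits "$a_path")" != "------" ]; then
            echo "FAIL $a_path: missing, or accessible to group/other"
            a_bad=1
        fi
    done
    if ! is_public_key "$a_dir/id_rsa.pub"; then
        echo "FAIL $a_dir/id_rsa.pub: not an OpenSSH public key, do not upload"
        a_bad=1
    fi
    if [ "$a_bad" -eq 0 ]; then echo "OK $a_dir"; fi
    return "$a_bad"
}
```

Call audit_keypair ~/.ssh after ssh-keygen finishes; a non-zero return means at least one FAIL line was printed.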

Next step
Add your public key to Engine Yard Cloud.

If you have feedback or questions about this page, add a comment below. If you need help,
submit a ticket with Engine Yard Support.

- Windows-based systems

Add SSH keys from Windows

ENGINE YARD
October 05, 2018 08:49


On Windows, there are a number of ways to create an SSH keypair, including RailsInstaller,
PuTTY, and Cygwin. Engine Yard supports the RailsInstaller method because it is
straightforward.

This is a two-step process:

- Create keys
- Add keys to Engine Yard Cloud

To create keys
RailsInstaller automatically creates SSH keys in ~/.ssh (C:\Users\<user_name>\.ssh). To
re-create them, follow the steps below. This procedure uses UNIX-style commands and paths
because that is what git-bash uses.

1. Navigate to Start -> Programs -> RailsInstaller -> git-bash.

2. Change directories into your home folder:

cd ~

3. Generate the SSH keys (make sure to use a strong password or Engine Yard Cloud will reject
it):

ssh-keygen -t rsa

4. Change the permissions of the SSH folder and keys:

chmod 700 ~/.ssh
chmod 600 ~/.ssh/id_rsa


You now have a private and public key: ~/.ssh/id_rsa and ~/.ssh/id_rsa.pub.

To add keys to Engine Yard Cloud


1. Locate and copy the public key on your local machine:

a. Open the public key (~/.ssh/id_rsa.pub) in Notepad.

notepad ~/.ssh/id_rsa.pub

b. Copy the key to the clipboard.

2. In your Dashboard, click SSH Public Keys.

3. Click Add new SSH public key.

4. Enter a name in the Name field to identify the key.

5. Open the public key (~/.ssh/id_rsa.pub) in Notepad.

notepad ~/.ssh/id_rsa.pub

6. Paste the key (copied in Step 1b) into the Public Key field.

7. Select the environments that you want to add this key to. If you don’t have any environments,
this key is automatically added to the ones you create.

8. Click Add Key.


You receive a confirmation that your SSH public key has been created and added to your Engine
Yard account.

Next step
Install your public key to your application environment(s).

Create the SSH tunnel manually


The syntax for creating the SSH tunnel is:

ssh -L [local port]:[database host]:[remote port] \
[username]@[remote host]

- [local port] The local port your database tool connects to.
  If you have a MySQL installation on your local machine, it runs on port 3306 by default;
  therefore, don’t use 3306 for the local port. For example, use 3307 instead.
  If you have a PostgreSQL installation on your local machine, it runs on port 5432 by default;
  therefore, don’t use 5432 for the local port. For example, use 5433 instead.

- [database host] The hostname or IP address of the database instance that you are tunneling
  to. If the [remote host] is the database instance, you will want to set this to 127.0.0.1 (so it
  refers to itself). If you used an application instance as [remote host], then you can use the
  value of "host:" from your database.yml instead.

- [remote port] The port that your remote database listens for connections on.
  For MySQL databases, this is 3306 by default.
  For PostgreSQL databases, this is 5432 by default.

- [username] The user for the database instance. The default user for the Engine Yard Cloud
  database is deploy.

- [remote host] The remote instance your tunnel will connect to the database through. This can
  be the database instance itself, or any instance within the database environment.

The tunneling command opens an SSH session with the [remote host] specified. The tunnel
works only as long as that SSH session is active. If the session window is consuming valuable
workspace, we recommend minimizing it, because running tunnels in the background can lead to
multiple tunnels and port conflicts.

To create and test the SSH tunnel for a MySQL database


1. In a terminal window on your local machine, type:

ssh -L 3307:ec2-172-16-139-19.us-west-1.compute.amazonaws.com:3306 \
deploy@ec2-174-129-17-196.compute-1.amazonaws.com

where
3307 is the local port,
ec2-172-16-139-19.us-west-1.compute.amazonaws.com is the database host,
3306 is the listening port,
deploy is the database username, and
ec2-174-129-17-196.compute-1.amazonaws.com is the remote host.

2. Before connecting the external database tool such as MySQL Workbench or SQLyog, test the
connection with a simple tool such as the database console, mysql.
(Your tunnel needs to be running for this test.)

Type

mysql -udeploy -p -P 3307 -h 127.0.0.1


where
deploy is the database username on the remote host and
3307 is the local port.

You are prompted for your database password.

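Note: for the -h argument, it is necessary to use 127.0.0.1 instead of localhost. On UNIX-based
systems the mysql client treats localhost as a request to connect through the local socket file,
so it would ignore the port and bypass the tunnel.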

To create and test the SSH tunnel for a PostgreSQL database

1. In a terminal window on your local machine, type

ssh -L 5433:ec2-172-16-139-19.us-west-1.compute.amazonaws.com:5432 \
deploy@ec2-174-129-17-196.compute-1.amazonaws.com

where
5433 is the local port,
ec2-172-16-139-19.us-west-1.compute.amazonaws.com is the database host,
5432 is the listening port,
deploy is the database username, and
ec2-174-129-17-196.compute-1.amazonaws.com is the remote host.

2. Before connecting the external database tool such as pgAdmin, test the connection with a
simple tool such as the database console psql.
(Your tunnel needs to be running for this test.)

Type

psql -Udeploy -d myapp -p 5433 -h 127.0.0.1


where
deploy is the database username on the remote host and
5433 is the local port.

You are prompted for your database password.
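
The five fields of the tunnel syntax assembled by a small shell helper, as an added example that is not part of the Engine Yard page: it goes beyond the two commands shown by refusing the local ports the page warns about, binding the listener to 127.0.0.1 explicitly, and asking ssh to stop when the local port is already taken. The function names and the choice of -N and ExitOnForwardFailure are assumptions of this example.

```shell
#!/bin/sh
# Added example, not Engine Yard code. Function names are hypothetical.

# is_port VALUE: succeeds only for an integer 1..65535 without leading zeros.
is_port() {
    case "$1" in
        ''|0*|*[!0-9]*|??????*) return 1 ;;
    esac
    [ "$1" -le 65535 ]
}

# is_safe_name VALUE: letters, digits, '.', '_' and '-' only, and no leading
# '-', so a host or user value can never be read by ssh as an option.
is_safe_name() {
    case "$1" in
        ''|-*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# tunnel_cmd LOCAL_PORT DB_HOST REMOTE_PORT USERNAME REMOTE_HOST
# Prints the ssh command; prints nothing and returns non-zero on bad input.
tunnel_cmd() {
    [ "$#" -eq 5 ] || { echo "need 5 arguments" >&2; return 2; }
    t_lport=$1 t_dbhost=$2 t_rport=$3 t_user=$4 t_rhost=$5
    if ! is_port "$t_lport" || ! is_port "$t_rport"; then
        echo "ports must be integers from 1 to 65535" >&2; return 1
    fi
    # Page rule: 3306 and 5432 belong to a local MySQL/PostgreSQL install.
    case "$t_lport" in
        3306|5432) echo "local port $t_lport is a database default" >&2; return 1 ;;
    esac
    for t_name in "$t_dbhost" "$t_user" "$t_rhost"; do
        is_safe_name "$t_name" || { echo "unsafe value: $t_name" >&2; return 1; }
    done
    # 127.0.0.1 binds the listener to loopback only.
    # ExitOnForwardFailure=yes makes ssh exit instead of logging in without
    #   the forward when the local port is taken (e.g. by a forgotten tunnel).
    # -N requests forwarding only, with no remote shell.
    printf 'ssh -N -o ExitOnForwardFailure=yes -L 127.0.0.1:%s:%s:%s %s@%s\n' \
        "$t_lport" "$t_dbhost" "$t_rport" "$t_user" "$t_rhost"
}

# Sample call with the PostgreSQL values used on this page.
tunnel_cmd 5433 ec2-172-16-139-19.us-west-1.compute.amazonaws.com 5432 \
    deploy ec2-174-129-17-196.compute-1.amazonaws.com
```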

Setting up an SSH tunnel using a custom Chef recipe

The procedure above explained how to set up the SSH tunnel manually.

An alternate way to set up an SSH tunnel is through this custom cookbook:
https://github.com/engineyard/ey-cloud-recipes/tree/master/cookbooks/ssh_tunnel

This recipe installs:

- An init script that sets up the SSH tunnel from the instance in the background
- A config file to have monit watch over the tunnel and keep it open

To create an SSH tunnel using the Engine Yard ssh_tunnel custom Chef recipe

- Follow the instructions in the recipe and in Customize your environment with Chef recipes.

More information

For more information about...               See...
Find key information about your database.   Finding database hostname and password
