Tunnels

Connect to your data warehouse securely. Hightouch lets you set up an SSH tunnel connection yourself, either standard or reverse.
Note: You cannot reuse tunnels for more than one source at a time for security purposes.

Why use a tunnel?

Tunneling allows Hightouch to securely open a connection to a data warehouse in your private network or VPC, without exposing it to the internet. SSH tunnels are secure, authenticated, encrypted, and dedicated to your workspace. To learn more about SSH tunneling, try this helpful article.

Standard vs Reverse

Both Standard and Reverse tunnels ultimately accomplish the same goal: opening a secure port connection between Hightouch and your data warehouse. They differ in implementation, however, and one may be preferable to the other depending on the specifics of your network.

Standard tunnels require you to run sshd on a Bastion host accessible from the public internet. Our systems open an SSH connection to your Bastion, then open a port-forwarding connection to the private service that you specify.

Reverse tunnels allow you to forward a port by connecting as a client to an SSH server managed by Hightouch. This removes the need for a Bastion host in your infrastructure, but requires you to maintain that connection.

Standard

Requirements

  • Allow inbound connections from the following IPs to your Bastion host. All connections from Hightouch will come from these.
    54.196.30.169
    52.72.201.213
  • Allow connections from the Bastion host to your warehouse.
  • Set up a user on the Bastion host named hightouch.

Setup

To get started, navigate to Settings > Tunnel.
  1. Click on Create Tunnel
  2. Enter a name for your tunnel.
  3. Fill out the SSH Host and SSH Port.
    • These are the connection details for your publicly-facing Bastion server host.
    • The port will most likely be 22, the default for sshd.
  4. Fill out the Service Host and Service Port.
    • These are the connection details for the data warehouse you are connecting to Hightouch.
    • Think of your Bastion server as a "jump host". Hightouch will jump through it to connect to your warehouse using these details.
  5. Click Create.
  6. Copy or download the generated SSH public key.
    • You will need to add this to the ~/.ssh/authorized_keys file for the hightouch user on your Bastion server. You can use ssh-copy-id to help with this.
  7. The tunnel status turns green when the connection is established. Your tunnel is now ready for use.

Troubleshooting

If you're having trouble establishing a connection with a standard tunnel, check the following:
  • Check that the Hightouch IPs are whitelisted on your Bastion host (see Requirements above).
  • Check that the hightouch user exists, and the Hightouch public key is in their ~/.ssh/authorized_keys file.
  • Check permissions on the hightouch user's SSH files.
    • ~/.ssh directory should be 0700
    • ~/.ssh/authorized_keys file should be 0644
  • Check that the Bastion host can reach your warehouse over the network:
    • nc -z $warehouse_host $warehouse_port
  • If all else fails, reach out to our Customer Success team via Slack or Intercom.

Reverse

Requirements

  • You'll need a server within your VPC to act as the SSH client.
  • SSH client server must be able to connect to both the public internet and your warehouse.

Setup

  1. Click Create reverse tunnel
  2. Enter a name for your tunnel.
  3. Click Create
  4. Copy the example ssh command and save it. You'll need to run it later.
    • This command includes the remote Hightouch sshd host and port, and remote forwarding port.
    • Set or replace the $SERVICE_HOST and $SERVICE_PORT variables with the host and port of your internal warehouse service.
    • Example:
      ssh -i path/to/key.pem \
        -R 0.0.0.0:56000:$SERVICE_HOST:$SERVICE_PORT \
        tunnel.hightouch.io -p 49100 \
        -o ExitOnForwardFailure=yes
  5. Download the private key to your machine.
    We do not store the private key anywhere in our backend. As a result, we have no ability to recover a lost key. Please make a local copy of this key and store it in a secure location.
  6. Upload the private key to your SSH client server, store it in a safe location, and ensure its permissions are set to 0400.
  7. From your SSH client server, run the modified ssh command.
    • Ensure the -i flag is pointing to the correct path of the private key.
    • You'll most likely want to wrap this ssh command with a process manager so that it restarts after failures. Consider autossh.
  8. The tunnel status turns green when the connection is established. Your tunnel is now ready for use.

Troubleshooting

If you're having trouble establishing a connection with a reverse tunnel, check the following:
  • Check that your SSH client server is running and can access the public internet.
  • Check that you've uploaded the private key, and that it is only readable by the user initiating the SSH connection (chmod 0400).
  • Add the -v (verbose) flag to your SSH command to see more detailed error output.
  • If all else fails, reach out to our Customer Success team via Slack or Intercom.
    • Include any errors found in the SSH output.
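The permission checks from both troubleshooting lists above (the Bastion's ~/.ssh and authorized_keys for a standard tunnel, the 0400 private key for a reverse tunnel) and the reverse-tunnel ssh command from the setup steps, collected into one pre-flight script. This is an added example, not Hightouch's own code; the key path, service host and service port passed to its functions are constructed sample values, and the -N and ServerAlive* options are additions to the page's command.

```shell
#!/bin/sh
# Added example, not Hightouch's own code. Pre-flight checks for the file
# permissions both tunnel types depend on, plus the reverse-tunnel command
# from this page with keepalive options added. The key path, service host
# and port passed to the functions are constructed sample values.

# Octal permission bits of a path (GNU stat first, BSD stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Succeed only when the path's mode equals the expected octal value
# (a leading zero on either side is ignored, so 0400 and 400 match).
check_mode() {
    have=$(file_mode "$1") || return 1
    want=$2
    [ "${have#0}" = "${want#0}" ]
}

# Standard tunnel: verify the hightouch user's ~/.ssh directory and
# authorized_keys on the Bastion have the modes the troubleshooting
# list gives (0700 / 0644) and that the Hightouch public key is present.
check_bastion() {
    ssh_dir=$1 pubkey=$2
    check_mode "$ssh_dir" 0700 || { echo "$ssh_dir is not 0700" >&2; return 1; }
    check_mode "$ssh_dir/authorized_keys" 0644 ||
        { echo "$ssh_dir/authorized_keys is not 0644" >&2; return 1; }
    grep -qF -- "$pubkey" "$ssh_dir/authorized_keys" ||
        { echo "Hightouch public key missing from authorized_keys" >&2; return 1; }
}

# Reverse tunnel: the ssh command from the page's example with -N (no remote
# shell) and ServerAlive* options added so a stalled connection exits and a
# process manager such as autossh can restart it.
reverse_tunnel_cmd() {
    printf 'ssh -i %s -N -R 0.0.0.0:56000:%s:%s tunnel.hightouch.io -p 49100 -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -o ServerAliveCountMax=3' "$1" "$2" "$3"
}

# Print the command only if the private key is 0400, as the setup requires;
# a key readable by other users is refused before any connection is attempted.
start_reverse_tunnel() {
    key=$1
    check_mode "$key" 0400 || { echo "$key must be mode 0400" >&2; return 1; }
    reverse_tunnel_cmd "$key" "$2" "$3"
}
# Usage: eval "$(start_reverse_tunnel /path/key.pem warehouse.internal 5439)"
```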