Skip to main content
Documentation
Troubleshooting
Feature Requests Status

Database Connection Options

Edit on GitHub
  • Updated
Fivetran System User Fivetranner

There are four ways to connect Fivetran to your database:

Whitelist Fivetran’s IPlink

The fastest and easiest way to connect is to allow Fivetran’s IP direct access to your database port. For more information about how to do this, visit the setup guide for your database.

SSH Tunnellink

If it’s not possible to provide direct access to your database port, you can connect to Fivetran via an SSH tunnel. You can also choose this connection method for an added layer of security. To connect via an SSH tunnel, you need to setup an SSH tunnel server that has access to your database port. The tunnel server’s SSH port needs to be accessible from Fivetran’s IP. You’ll also need to create an SSH user for Fivetran.

IMPORTANT: Fivetran generates a unique public SSH key for each destination. We support multiple connectors on a single SSH tunnel depending on the data volume and network bandwidth.

Create SSH userlink

Log in to your SSH tunnel host and run the following commands:

  1. Create group fivetran:

    sudo groupadd fivetran

  2. Create user fivetran:

    sudo useradd -m -g fivetran fivetran

  3. Switch to the fivetran user:

    sudo su - fivetran

  4. Create the .ssh directory:

    mkdir ~/.ssh

  5. Set permissions:

    chmod 700 ~/.ssh

  6. Change to the .ssh directory:

    cd ~/.ssh

  7. Create the authorized_keys file:

    touch authorized_keys

  8. Set permissions:

    chmod 600 authorized_keys

  9. Using your favorite text editor, add the public SSH key from the database setup page in your Fivetran dashboard to the authorized_keys file. The key must be all on one line. Make sure that you don’t introduce any line breaks when cutting and pasting. The public SSH key is generated uniquely for each Fivetran destination.

Warehouse setup page

As an extra layer of security, Fivetran enables TLS on your SSH connection by default. We recommend that you keep TLS enabled unless you know it is safe to forgo it. To disable TLS, set the Require TLS through tunnel toggle to OFF.

IMPORTANT: If you set the Require TLS through tunnel toggle to OFF, Fivetran first attempts to connect over TLS inside the SSH tunnel. If this fails, Fivetran automatically retries the connection in clear text inside the SSH tunnel. You are responsible for configuring this option as per your corporate security policies.

Warehouse setup page TLS tunnel

Once the user is created, you’ll need to allow port access.

Allow port accesslink

Make sure that port access is allowed from:

  1. Fivetran’s IP to your tunnel server’s SSH port
  2. Your SSH tunnel server to your source database port

If your SSH server and database happen to be in AWS, you can follow the instructions below to configure port access.

AWS

  1. To configure an SSH server in AWS, open the EC2 console and select Running Instances:

    MYSQL-RDS-click-running-instances

  2. Select the instance you intend to use as an SSH tunnel:

    MYSQL-RDS-click-ssh-tunnel-instance

  3. Select the Security groups and then select default:

    MYSQL-RDS-click-ssh-tunnel-security-group

  4. Select the Inbound tab.

  5. Click Edit.

    mysql-rds-click-inbound-edit

  6. Fill in Fivetran’s IP and your SSH port (do not use a load balancer).

  7. For VPC or EC2 classic, add a security rule:

    mysql-rds-click-add-rule

  8. Select SSH, enter Fivetran’s IP, and click Save:

    MYSQL-RDSssh-select-ssh-set-ip

  9. To complete setting up your database connector, follow the setup instructions for your specific database. You can confirm your server’s SSH key by comparing the SHA 256 displayed when running the setup tests.

    SSH-TUNNEL-KEY-CONFIRMATION

Reverse SSH Tunnellink

You can also connect Fivetran to your database via a Reverse SSH Tunnel if you are unable to provide direct port access to your instance.

reverse-ssh-graphic

To set up a reverse SSH tunnel to connect to Fivetran, contact Fivetran’s Sales Engineers and provide the following SSH keys:

To generate your SSH public key, do the following on your SSH host:

  1. Generate an SSH key pair.

    ssh-keygen

  2. View the contents of the public key. Copy the public key and send it to Fivetran’s sales engineers along with the Fivetran user’s public key.

    cat ~/.ssh/id_rsa.pub

Once we have both keys, you will need the following information to complete your setup:

  • Username fivetran of the SSH tunnel user you created
  • Reverse SSH IP address (contact Fivetran Support to get this)
  • SSH high port. It should be unique per connector instance and should not be a reserved port number (for instance, port 22 is reserved for SSH connections and port 443 is reserved for HTTPS).

    TIP: For the SSH high port number, we recommend adding a single digit - usually 1 - as a prefix to the source database port. For example, if you connect SQL Server, your database’s default port is 1433. Therefore, we recommend using port 11433 as the SSH high port for your first SQL Server connector, port 11434 for your second connector, and so on.

  • Internal IP address or name of the local database host machine
  • Internal open port for communication with the database host
  • File path to the private key on the SSH host machine (this is normally id_rsa.pem or simply id_rsa)

Use the values above to replace the placeholder variables in the following script, then run it on the SSH host in a single line:

TIP: To track the progress of this script, remove the -f flag and add the -v flag to enable verbose logging. Without the flag, you will not see confirmation when the script finishes running successfully.

autossh -M 0 -f -N -R <SSH_HIGH_PORT>:<LOCAL_DB_MACHINE_NAME_OR_IP>:<LOCAL_DB_MACHINE_PORT> <FIVETRAN_SSH_USERNAME>@<FIVETRAN_SUPPLIED_IP> -g -i <PATH_TO_PRIVATE_KEY> -o ServerAliveInterval=10 -o ServerAliveCountMax=1 -o ExitOnForwardFailure=yes

If you use this autossh script again later for the same SSH high port, you need to terminate your original autossh script before proceeding.

After establishing a successful Reverse SSH connection, enter the following into the Fivetran setup form for your database:

Field Value Description
Host localhost Allows your SSH host to handle port routing
Port { SSH high port } e.g., 13306. The port that your SSH host will translate
User { Database user }
Password { Database user’s password }
Database { Database name } The name of the database you want to replicate
Connection Method Connect via an SSH Tunnel
SSH Host { IP Address } Supplied by Fivetran
SSH Port 22
SSH User fivetran

All fields in { brackets } must be replaced with your own values.

AWS PrivateLink BETAlink

AWS PrivateLink allows VPCs and AWS-hosted or on-premises services to communicate with one another without exposing traffic to the public internet. Learn more in AWS’ PrivateLink documentation.

Fivetran uses PrivateLink to move your data securely between our system and your AWS-hosted or on-premises source. PrivateLink works differently depending on your source type:

  • If your data source is hosted in AWS, Fivetran can connect to your source using a PrivateLink connection. We query and process the data from the source into our system.
  • If your data source is hosted on-premises, Fivetran can use AWS Direct Connect to access your source data. AWS Direct Connect establishes a private network connection between your premises and an AWS VPC. We connect to that AWS VPC using a PrivateLink connection, then query and process the data from the source into our system. Learn more in AWS’ Direct Connect documentation.

You can also use PrivateLink with the following destinations:

Prerequisiteslink

To set up AWS PrivateLink, you need:

  • A Fivetran instance configured to run in AWS
  • An AWS-hosted (EC2, RDS, or S3 only) or on-premises* source in one of our supported regions

* Your on-premises source must be one of our supported databases. See a complete list in our Databases documentation.

How you connect AWS PrivateLink to your source depends on whether your source is hosted in AWS or on-premises. Follow the setup instructions for your source type below.

Configure PrivateLink for AWS-hosted sourcelink

We support connecting to the following AWS-hosted sources using PrivateLink:

  • Amazon EC2
  • Amazon RDS
  • Amazon S3
  • Amazon Aurora

NOTE: Amazon S3 does not require any configuration. If your S3 bucket is in the same region as your Fivetran account, your network traffic does not traverse the public Internet. The Amazon S3 Gateway Endpoints ensures that regional traffic stays within the AWS network.

You must have an AWS endpoint service configured for your source before you set up a PrivateLink connection with Fivetran. AWS endpoint services only work with network load balancers (NLB), so you must create an NLB inside your VPC if you do not already have one. The NLB receives requests from Fivetran and routes it to your source.

Since endpoint service configurations are out of Fivetran’s control, we recommend that you contact your AWS representatives for help setting up PrivateLink. However, we do provide the following high-level instructions based on how customers typically configure their data sources:

  1. In your VPC, create an NLB for your data source and configure it for each subnet (availability zone) in which the service should be available. For help, see the Create an NLB section.

    IMPORTANT: Skip this step if your data source is already running behind an NLB.

  2. Create a VPC endpoint service configuration and specify your NLB.

  3. Whitelist Fivetran’s AWS VPC Account ID (arn:aws:iam::834469178297:root) to allow access to your VPC endpoint service. Send the service name (VPCe) to your Fivetran account manager. For example, com.amazonaws.vpce.<region_id>.vpce-svc-xxxxxxxxxxxxxxxxx.

    TIP: To learn how to whitelist the Fivetran account ID, see AWS’ endpoint service permission documentation.

  4. Whitelist the Fivetran VPC network for your network firewalls’ region (NACLs, Security Groups) to allow access to the service/source/destination.

    Cluster VPC Network
    AWS Donkey/Services
    us-east-1
    North Virginia, USA    		 10.128.0.0/18
    AWS Donkey/Services
    us-west-2
    Oregon, USA    		 10.129.0.0/18
    AWS Donkey/Services
    ap-southeast-2
    Sydney, Australia    		 10.130.0.0/18
    AWS Donkey/Services
    eu-west-2
    London    		 10.131.0.0/18
    AWS Donkey/Services
    eu-central-1
    Frankfurt    		 10.132.0.0/18

  5. Send the host name of the service/source to your Fivetran account manager. Fivetran will finish the setup on our side.

  6. To activate the connection, accept the interface endpoint connection request from Fivetran. By default, connection requests must be manually accepted. However, you can configure the acceptance settings for your endpoint service so that any connection requests are automatically accepted.

Create an NLB

On a single IP service (EC2, non-RDS database, etc.)

To create an NLB on a single IP service, follow the instructions in AWS’ creating a network load balancer documentation.

On RDS

NLB can only route traffic to an EC2 instance, an IP address, or a Lambda function through target groups. Since RDS doesn’t have a dedicated IP address or EC2 instance ID, there are three different ways to configure an NLB to route traffic to an RDS database - using a port forwarding instance, using an RDS IP address, or using RDS Proxy. Follow the instructions below for your chosen method.

Using a port forwarding instance

  1. You must deploy an EC2 instance that is configured to do port forwarding (accepting requests from the NLB and forwarding those requests to the RDS database). Here is a sample script that you can use to set up the EC2 port forwarding instance:

    ec2-port-forwarding

  2. Once you’ve finished setting up the port forwarding instance, configure the NLB listener and target group to route traffic to the portforwarder EC2 instance.

Using an RDS IP address

RDS provides an endpoint to access your database when you set up an RDS. This endpoint resolves to an IP address. AWS doesn’t recommend using this IP address, since it can change without notice. To work around this limitation, you can deploy a lambda function to periodically check the IP address and update the NLB target group when it changes.

To use the RDS IP address in your NLB target group, do the following:

  1. Run the nslookup or dig command with the domain name of RDS endpoint as the input to find the IP address:

    dig +short YOUR_RDS_DNS_ENDPOINT

  2. Setup your NLB target group with the IP address.

  3. Deploy a lambda function to periodically perform nslookup on the RDS endpoint to see if the IP address has changed and update the target group with the new IP address.

Using an RDS Proxy

Amazon RDS Proxy is a fully-managed, highly available database proxy for RDS. RDS proxy endpoint’s IP address remains the same, even during DB fail-overs (as seen in RDS’ failover documentation).

  1. Once the RDS proxy is created on your RDS database, run the nslookup or dig command with the domain name of RDS endpoint as the input to find the RDS proxy’s IP address:

    dig +short YOUR_RDS_PROXY_DNS_ENDPOINT

  2. Set up your NLB target group with the IP address.

Configure PrivateLink for on-premises sourcelink

Contact your account manager for help setting up PrivateLink for your on-premises source. Our team will help you set up AWS Direct Connect to an AWS VPC, which Fivetran can connect to using PrivateLink.

Related articles

Didn’t find what you need?

Contact support