There are three ways to connect Fivetran to your database:
- Directly by whitelisting Fivetran’s IP
- Via an SSH tunnel
- Via a reverse SSH tunnel
Whitelist Fivetran’s IPlink
The fastest and easiest way to connect is to allow Fivetran’s IP direct access to your database port. For more information about how to do this, visit the setup guide for your database.
SSH Tunnellink
If it’s not possible to provide direct access to your database port, you can connect to Fivetran via an SSH tunnel. You can also choose this connection method for an added layer of security. To connect via an SSH tunnel, you need to setup an SSH tunnel server that has access to your database port. The tunnel server’s SSH port needs to be accessible from Fivetran’s IP. You’ll also need to create an SSH user for Fivetran.
IMPORTANT: Fivetran generates a unique public SSH key for each destination. We support multiple connectors on a single SSH tunnel depending on the data volume and network bandwidth.
Create SSH userlink
Log in to your SSH tunnel host and run the following commands:
-
Create group
fivetran:sudo groupadd fivetran -
Create user
fivetran:sudo useradd -m -g fivetran fivetran -
Switch to the
fivetranuser:sudo su - fivetran -
Create the
.sshdirectory:mkdir ~/.ssh -
Set permissions:
chmod 700 ~/.ssh -
Change to the
.sshdirectory:cd ~/.ssh -
Create the
authorized_keysfile:touch authorized_keys -
Set permissions:
chmod 600 authorized_keys -
Using your favorite text editor, add the public SSH key from the database setup page in your Fivetran dashboard to the
authorized_keysfile. The key must be all on one line. Make sure that you don’t introduce any line breaks when cutting and pasting. The public SSH key is generated uniquely for each Fivetran destination.
As an extra layer of security, Fivetran enables TLS on your SSH connection by default. We recommend that you keep TLS enabled unless you know it is safe to forgo it. To disable TLS, set the Require TLS through tunnel toggle to OFF.
Once the user is created, you’ll need to allow port access.
Allow port accesslink
Make sure that port access is allowed from:
- Fivetran’s IP to your tunnel server’s SSH port
- Your SSH tunnel server to your source database port
If your SSH server and database happen to be in AWS, you can follow the instructions below to configure port access.
AWS
-
To configure an SSH server in AWS, open the EC2 console and select Running Instances:
-
Select the instance you intend to use as an SSH tunnel:
-
Select the Security groups and then select default:
-
Select the Inbound tab.
-
Click Edit.
-
Fill in Fivetran’s IP and your SSH port (do not use a load balancer).
-
For VPC or EC2 classic, add a security rule:
-
Select SSH, enter Fivetran’s IP, and click Save:
-
To complete setting up your database connector, follow the setup instructions for your specific database. You can confirm your server’s SSH key by comparing the SHA 256 displayed when running the setup tests.
Reverse SSH Tunnellink
You can also connect Fivetran to your database via a Reverse SSH Tunnel if you are unable to provide direct port access to your instance.
To set up a reverse SSH tunnel to connect to Fivetran, contact Fivetran’s Sales Engineers and provide the following SSH keys:
- Fivetran user’s SSH public key
- Your SSH public key
To generate your SSH public key, do the following on your SSH host:
-
Generate an SSH key pair.
ssh-keygen -
View the contents of the public key. Copy the public key and send it to Fivetran’s sales engineers along with the Fivetran user’s public key.
cat ~/.ssh/id_rsa.pub
Once we have both keys, you will need the following information to complete your setup:
- Username
fivetranof the SSH tunnel user you created - Reverse SSH IP address (contact Fivetran Support to get this)
- SSH high port. It should be unique per connector instance and should not be a reserved port number (for instance, port
22is reserved for SSH connections and port443is reserved for HTTPS).TIP: For the SSH high port number, we recommend adding a single digit - usually
1- as a prefix to the source database port. For example, if you connect SQL Server, your database’s default port is1433. Therefore, we recommend using port11433as the SSH high port for your first SQL Server connector, port11434for your second connector, and so on. - Internal IP address or name of the local database host machine
- Internal open port for communication with the database host
- File path to the private key on the SSH host machine (this is normally
id_rsa.pemor simplyid_rsa)
Use the values above to replace the placeholder variables in the following script, then run it on the SSH host in a single line:
TIP: To track the progress of this script, remove the
-fflag and add the-vflag to enable verbose logging. Without the flag, you will not see confirmation when the script finishes running successfully.
autossh -M 0 -f -N -R <SSH_HIGH_PORT>:<LOCAL_DB_MACHINE_NAME_OR_IP>:<LOCAL_DB_MACHINE_PORT> <FIVETRAN_SSH_USERNAME>@<FIVETRAN_SUPPLIED_IP> -g -i <PATH_TO_PRIVATE_KEY> -o ServerAliveInterval=10 -o ServerAliveCountMax=1 -o ExitOnForwardFailure=yes
If you use this autossh script again later for the same SSH high port, you need to terminate your original autossh script before proceeding.
After establishing a successful Reverse SSH connection, enter the following into the Fivetran setup form for your database:
| Field | Value | Description |
|---|---|---|
| Host | localhost | Allows your SSH host to handle port routing |
| Port | { SSH high port } | e.g., 13306. The port that your SSH host will translate |
| User | { Database user } | |
| Password | { Database user’s password } | |
| Database | { Database name } | The name of the database you want to replicate |
| Connection Method | Connect via an SSH Tunnel | |
| SSH Host | { IP Address } | Supplied by Fivetran |
| SSH Port | 22 | |
| SSH User | fivetran |
All fields in { brackets } must be replaced with your own values.