Destination Connection Options

There are four ways to connect Fivetran to your destination:

• Directly by whitelisting Fivetran’s IP
• Using an SSH tunnel
• Using a reverse SSH tunnel
• Using AWS PrivateLink or Azure Private Link (Business Critical only)

Whitelist Fivetran’s IPlink

The fastest and easiest way to connect is to allow Fivetran’s IP direct access to your destination port. For more information about how to do this, visit the setup guide for your destination.

SSH Tunnellink

If it’s not possible to provide direct access to the destination port, you can connect to Fivetran using an SSH tunnel. You can also choose this connection method for an added layer of security. To connect using an SSH tunnel, you need to:

• Set up an SSH tunnel server that has access to your destination port. The tunnel server’s SSH port needs to be accessible from Fivetran’s IP.
• Create an SSH user for Fivetran.

IMPORTANT: Fivetran generates a unique public SSH key for each destination. We support multiple connectors with a single SSH tunnel depending on the data volume and network bandwidth.

Create SSH userlink

To create an SSH user, do the following:

1. Log in to your SSH tunnel host.

2. Create group fivetran. Execute:

   sudo groupadd fivetran
   

3. Create user fivetran. Execute:

   sudo useradd -m -g fivetran fivetran
   

4. Switch to the fivetran user. Execute:

   sudo su - fivetran
   

5. Create the .ssh directory. Execute:

   mkdir ~/.ssh
   

6. Set permissions. Execute:

   chmod 700 ~/.ssh
   

7. Change to the .ssh directory. Execute:

   cd ~/.ssh
   

8. Create the authorized_keys file. Execute:

   touch authorized_keys
   

9. Set permissions. Execute:

   chmod 600 authorized_keys
   

10. Add the public SSH key from the Fivetran destination setup form to the authorized_keys file, using your favorite text editor. The key must be all on one line. Make sure that you don’t introduce any line breaks when cutting and pasting. The public SSH key is generated uniquely for each Fivetran destination.

    

    As an extra layer of security, Fivetran enables TLS on your SSH connection by default. We recommend that you keep TLS enabled unless you know it is safe to forgo it. To disable TLS, set the Require TLS through tunnel toggle to OFF.

    IMPORTANT: If you set the Require TLS through tunnel toggle to OFF, Fivetran first attempts to connect over TLS inside the SSH tunnel. If this fails, Fivetran automatically retries the connection in clear text inside the SSH tunnel. You are responsible for configuring this option as per your corporate security policies.

Once the user is created, you’ll need to allow port access.

Allow port accesslink

Make sure that port access is allowed from:

• Fivetran’s IP to your tunnel server’s SSH port
• Your SSH tunnel server to your destination port

If your SSH server and destination happen to be in AWS, you can follow the instructions below to configure port access.

Reverse SSH tunnellink

You can also connect Fivetran to your destination using a reverse SSH tunnel if you are unable to provide direct port access to your destination instance.

To set up a reverse SSH tunnel to connect to Fivetran:

1. Contact Fivetran’s Sales Engineers and provide the following SSH keys:

   • Fivetran user’s SSH public key

   • Your SSH public key. To generate your SSH public key, do the following on your SSH host:

     i. Generate an SSH key pair. Execute: ssh-keygen.

     ii. View the contents of the public key. Execute: cat ~/.ssh/id_rsa.pub.

   Copy the public key and send it to Fivetran’s sales engineers along with the Fivetran user’s SSH public key.

2. Collect the following information to complete your setup:

   • SSH tunnel username (contact Fivetran Support to get this)
   • Reverse SSH port (contact Fivetran Support to get this)
   • Internal IP address or name of the local destination host machine
   • Internal open port for communication with the destination host
   • File path to the private key on the SSH host machine (this is normally id_rsa.pem or simply id_rsa)

3. Use the values above to replace the placeholder variables in the following script, then run it on the SSH host in a single line:

   autossh -M 0 -f -N -R <SSH_HIGH_PORT>:<LOCAL_DB_MACHINE_NAME_OR_IP>:<LOCAL_DB_MACHINE_PORT> <FIVETRAN_SSH_USERNAME>@<FIVETRAN_SUPPLIED_IP> -g -i <PATH_TO_PRIVATE_KEY> -o ServerAliveInterval=10 -o ServerAliveCountMax=1 -o ExitOnForwardFailure=yes
   

   TIP: To track the progress of this script, remove the -f flag and add the -v flag to enable verbose logging. Without the flag, you will not see confirmation when the script finishes running successfully.

   NOTE: If you use this autossh script again later for the same SSH high port, you need to terminate your original autossh script before proceeding.

4. After establishing a successful Reverse SSH connection, enter the following into the Fivetran setup form for your destination. Replace the fields in { brackets } with your own values.

   Field	Value	Description
   Host	localhost	Allows your SSH host to handle port routing
   Port	{ SSH high port }	e.g., 13306. The port that your SSH host will translate
   User	{ Destination user }
   Password	{ Destination user’s password }
   Database	{ Database name }	The database name you want to replicate to
   Connection Method	Connect using SSH Tunnel
   SSH Host	{ IP Address }	Supplied by Fivetran
   SSH Port	22
   SSH User	fivetran

AWS PrivateLink BETAlink

Fivetran uses AWS PrivateLink to move your data securely between our system and your destination. We support PrivateLink for the following destinations:

• RedshiftBeta
• Snowflake

You can also use PrivateLink with your source.

Azure Private Link BETAlink

Fivetran uses Azure Private Link to move your data securely between our system and your destination. We support Private Link for the following destinations:

• Azure SynapseBETA
• SnowflakeBETA

You can also use Private Link with your source.