Skip to main content
Support Articles
Feature Requests Documentation Status Dashboard

Destination Connection Options

  • Updated
Fivetran System User Fivetranner

There are three ways to connect Fivetran to your destination:

Whitelist Fivetran’s IPlink

The fastest and easiest way to connect is to allow Fivetran’s IP direct access to your destination port. For more information about how to do this, visit the setup guide for your destination.

SSH Tunnellink

If it’s not possible to provide direct access to the destination port, you can connect to Fivetran using an SSH tunnel. You can also choose this connection method for an added layer of security. To connect using an SSH tunnel, you need to:

  • Set up an SSH tunnel server that has access to your destination port. The tunnel server’s SSH port needs to be accessible from Fivetran’s IP.
  • Create an SSH user for Fivetran.

IMPORTANT: Fivetran generates a unique public SSH key for each destination. We support multiple connectors with a single SSH tunnel depending on the data volume and network bandwidth.

Create SSH userlink

Log in to your SSH tunnel host and run the following commands:

Create group fivetran

sudo groupadd fivetran

Create user fivetran

sudo useradd -m -g fivetran fivetran

Switch to the fivetran user

sudo su - fivetran

Create the .ssh directory

mkdir ~/.ssh

Set permissions

chmod 700 ~/.ssh

Change to the .ssh directory

cd ~/.ssh

Create the authorized_keys file:

touch authorized_keys

Set permissions

chmod 600 authorized_keys

Using your favorite text editor, add the public SSH key from the destination setup page in your Fivetran dashboard to the authorized_keys file. The key must be all on one line. Make sure that you don’t introduce any line breaks when cutting and pasting. The public SSH key is generated uniquely for each Fivetran destination.

Warehouse setup page

Once the user is created, you’ll need to allow port access.

Allow port accesslink

Make sure that port access is allowed from:

  1. Fivetran’s IP to your tunnel server’s SSH port
  2. Your SSH tunnel server to your destination port

If your SSH server and destination happen to be in AWS, you can follow the instructions below to configure port access.

AWS

  1. To configure an SSH server in AWS, open the EC2 console and select Running Instances:

    MYSQL-RDS-click-running-instances

  2. Select the instance you intend to use as an SSH tunnel:

    MYSQL-RDS-click-ssh-tunnel-instance

  3. Select the Security groups and then select default:

    MYSQL-RDS-click-ssh-tunnel-security-group

  4. Select the Inbound tab.

  5. Click Edit.

    mysql-rds-click-inbound-edit

  6. Fill in Fivetran’s IP and your SSH port (do not use a load balancer).

  7. For VPC or EC2 classic, add a security rule:

    mysql-rds-click-add-rule

  8. Select SSH, enter Fivetran’s IP, and click Save:

    MYSQL-RDSssh-select-ssh-set-ip

  9. To complete setting up your destination connector, follow the setup instructions for your specific destination. You can confirm your server’s SSH key by comparing the SHA 256 displayed when running the setup tests.

    SSH-TUNNEL-KEY-CONFIRMATION

Reverse SSH tunnellink

You can also connect Fivetran to your destination using a reverse SSH tunnel if you are unable to provide direct port access to your destination instance.

reverse-ssh-graphic

To set up a reverse SSH tunnel to connect to Fivetran, contact Fivetran’s Sales Engineers and provide the following SSH keys:

To generate your SSH public key, do the following on your SSH host:

  1. Generate an SSH key pair.

    ssh-keygen

  2. View the contents of the public key. Copy the public key and send it to Fivetran’s sales engineers along with the Fivetran user’s SSH public key.

    cat ~/.ssh/id_rsa.pub

Once we have both keys, you will need the following information to complete your setup:

  • SSH tunnel username (contact Fivetran Support to get this)
  • Reverse SSH port (contact Fivetran Support to get this)
  • Internal IP address or name of the local destination host machine
  • Internal open port for communication with the destination host
  • File path to the private key on the SSH host machine (this is normally id_rsa.pem or simply id_rsa)

Use the values above to replace the placeholder variables in the following script, then run it on the SSH host in a single line:

TIP: To track the progress of this script, remove the -f flag and add the -v flag to enable verbose logging. Without the flag, you will not see confirmation when the script finishes running successfully.

autossh -M 0 -f -N -R <SSH_HIGH_PORT>:<LOCAL_DB_MACHINE_NAME_OR_IP>:<LOCAL_DB_MACHINE_PORT> <FIVETRAN_SSH_USERNAME>@<FIVETRAN_SUPPLIED_IP> -g -i <PATH_TO_PRIVATE_KEY> -o ServerAliveInterval=10 -o ServerAliveCountMax=1 -o ExitOnForwardFailure=yes

If you use this autossh script again later for the same SSH high port, you need to terminate your original autossh script before proceeding.

After establishing a successful Reverse SSH connection, enter the following into the Fivetran setup form for your destination:

Field Value Description
Host localhost Allows your SSH host to handle port routing
Port { SSH high port } e.g., 13306. The port that your SSH host will translate
User { Warehouse user }
Password { Warehouse user’s password }
Warehouse { Warehouse name } The name of the warehouse you want to replicate
Connection Method Connect using SSH Tunnel
SSH Host { IP Address } Supplied by Fivetran
SSH Port 22
SSH User fivetran

All fields in { brackets } must be replaced with your own values.

Related articles

Didn’t find what you need?

Contact support