Connector Improvement: Support Client Certificate Authentication for TLS
For direct connections to database hosts, TLS server certificate authentication is less secure, and we would like Fivetran to support client certificate authentication as it allows us to have a secure connection to our database, without the need of setting up a jump host.
-
Agreed! Not having to proxy through a jump host would reduce some infrastructure spend/maintenance for us.
I understand the inherent risks around having to upload client credentials to an external source, but with a combination of IP whitelisting + the ability to revoke client certificates should they be compromised, the low maintenance aspect of the setup offsets the risks.
-
Just wanted to mention that lack of client certificate authentication support was the deciding factor in abandoning Fivetran for the project I am working on. We instead used another data pipeline service which does have client certificate auth support. We are not willing to disable client certificate auth for security reasons, but we also felt that spinning up a new SSH Tunnel server just to make this connection was not a good idea for multiple reasons (security/maintenance/etc). It's too bad since if Fivetran supported client cert auth this would have been the ideal tool in this situation.
-
Nat Johnson -- which data pipeline service did you go with for this?