Push-to-Warehouse Setup: SSH Bastion Server (Azure)

This guide describes how to set up a connection to a data warehouse destination you own. Reach out to your Customer Success Manager or [email protected] to confirm that your Modern Treasury plan includes the Push to Warehouse capability.

Prerequisites

  • A public SSH key to add to the bastion machine to authenticate the SSH connection. Ask your Modern Treasury contact if they have not already provided one to you.
  • Please reference our Push to Warehouse IP Address documentation.

Step 1: Provision a bastion server

If you use SSH tunneling to connect to your database, we recommend a standalone bastion server. This step walks through provisioning one. If you are using an existing server, skip to Step 2.

  1. Navigate to the Virtual Machines page, and click Create.
  2. Select an image. If your organization doesn't have a preferred flavor of Linux, we suggest choosing a widely used Linux image, such as Ubuntu Server 20.04 LTS - x64 Gen2.
  3. Select the image size. Because this bastion server will be used exclusively for SSH tunneling, network performance is the primary consideration. B-Series Virtual Machines (e.g. B2ats_v2) should be sufficient for most deployments, and run about $7/mo depending on region and market rates.
  4. On the Networking tab, select a Virtual Network and Subnet that will afford the bastion server access to your database. Assign a Public IP to the Virtual Machine, and ensure it is configured to allow SSH traffic on port 22.
  5. Click Review + Create. Consider modifying the default security group according to your security policies to enable configuration (e.g. creating the moderntreasury user in Step 2). Click Launch. We will further modify the default security group in Step 2. (The remaining default options are sufficient.)

Step 2: Configure the server

Limit public SSH access to traffic from Modern Treasury's IP

The steps below describe one approach to achieving this. Alternatively, depending on your organization's security policies, you may use a Firewall to achieve the same effect.

In the Azure Portal, complete the steps below:

  1. Navigate to your new Virtual Machine.
  2. On the Network Settings tab, find the default SSH rule.
  3. In the rule editor pane, change the allowed Source from "Allow" to IP Addresses. Enter Modern Treasury's static IP address as a /32 CIDR block (52.36.3.49/32), and Save the rule.

Create the SSH user

Log in to the bastion server and complete the steps below:

  1. Create group moderntreasury:
     sudo groupadd moderntreasury
  2. Create user moderntreasury:
     sudo useradd -m -g moderntreasury moderntreasury
  3. Switch to user moderntreasury:
     sudo su - moderntreasury
  4. Create .ssh directory:
     mkdir ~/.ssh
  5. Set its permissions:
     chmod 700 ~/.ssh
  6. Create the authorized_keys file:
     touch ~/.ssh/authorized_keys
  7. Set its permissions:
     chmod 600 ~/.ssh/authorized_keys
  8. Add the public key to the authorized_keys file. The key, including the "ssh-key" and comment, should be all on one line in the file, without line breaks:
     echo "ssh-key <ssh_public_key_beginning_with_AAAA> prequel-ssh-tunneling-public-key" > ~/.ssh/authorized_keys
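
To confirm the result of the steps above, the following added check (an example written for this page, not Modern Treasury's code) audits the 700/600 modes and verifies that every authorized_keys entry sits on one line. The function names are this example's own, and it assumes entries have the form `<type> AAAA... <comment>` with no leading options field.

```bash
#!/usr/bin/env bash
# Added example: audit the tunnel user's SSH directory after setup.
# Assumption: each key is "<type> <base64 starting with AAAA> <comment>",
# with no leading options field, which is the format this guide uses.

mode_of() {  # print octal permission bits (GNU stat first, then BSD stat)
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

check_ssh_dir() {  # usage: check_ssh_dir ~moderntreasury/.ssh
  local dir file problems n type blob rest
  dir=$1; file=$1/authorized_keys; problems=0; n=0
  [ -d "$dir" ] || { echo "FAIL: $dir is missing"; return 1; }
  [ "$(mode_of "$dir")" = 700 ] || { echo "FAIL: $dir mode is not 700"; problems=1; }
  [ -f "$file" ] || { echo "FAIL: $file is missing"; return 1; }
  [ "$(mode_of "$file")" = 600 ] || { echo "FAIL: $file mode is not 600"; problems=1; }

  # Split each line into key type, base64 blob, and the rest (comment).
  while read -r type blob rest || [ -n "$type" ]; do
    n=$((n + 1))
    case $type in ''|'#'*) continue ;; esac   # skip blank and comment lines
    # A key wrapped across lines leaves fragments whose second field
    # does not start with AAAA, so they are reported here.
    case $blob in
      AAAA*) ;;
      *) echo "FAIL: line $n is not '<type> AAAA... <comment>' (wrapped key?)"
         problems=1 ;;
    esac
  done <"$file"

  [ "$problems" -eq 0 ] && echo "OK: $dir"
  return "$problems"
}

# Run against a real directory when a path is given as the first argument.
if [ "$#" -gt 0 ]; then check_ssh_dir "$1"; fi
```

Run it with sudo and the path to the moderntreasury user's .ssh directory; a non-zero exit status means at least one check failed.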