SSH Tunnel Data Jump Host

Access from engineer workspaces to MCaaS database instances, such as RDS, must go through an SSH proxy.

Each MCaaS tenant will be given a single Linux-based data jump box, which will be configured following least-access methodologies.

  • A GSA firewall request is completed to allow access from GSA resources (such as GFE or VDI) to the data jump box hosted in AWS.
  • The data jump box is configured to allow only tunnel mode (no shell access) for authorized FCS users, limited to the specific database instance endpoint/port.
  • An AWS security group is configured to allow the specific network connection from the data jump box (IP/port) to the data resource.

Requirements

  • The engineer must have an FCS account.
  • The FCS account must be in the proper Active Directory group to allow tenant proxy SSH connections to the jump box.
  • The FCS account must have an SSH key associated with it for the purpose of connecting to the jump box.

Please see FCS Account Request.

SSH key

MCaaS has no specific guidance or requirements regarding the naming convention or management of the SSH key.

An RSA key with byte length of 4096 in PEM format has been tested and confirmed working for both GitHub and SSH connections. If you use PuTTY for the SSH proxy connection, the PEM key can be converted to the required PPK format.

Please refer to online tutorials; this process is already well documented.

Documentation from GitHub: GitHub Docs

Documentation from SSH Academy: SSH Academy

Convert PEM to PPK for PuTTY: PuttyGen
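
The client side of the setup described above (key generation and a tunnel-only connection through the data jump box), as an added example that is not part of the MCaaS documentation. The user name, host names, ports and key path are placeholders, and the helper function names are made up for this illustration.

```shell
#!/bin/sh
# Added example: client side of a tunnel-only jump host (POSIX sh).
# All host names, user names, ports and paths below are placeholders.

# Create the key pair: RSA, -b 4096, PEM format (prompts for a passphrase).
make_key() {  # $1 = private key path
    ssh-keygen -t rsa -b 4096 -m PEM -f "$1"
}

# Succeeds only if the key file grants nothing to group or other,
# i.e. the mode string looks like -rw------- or -r--------.
key_is_private() {  # $1 = private key path
    [ -f "$1" ] || return 1
    perms=$(ls -ld -- "$1" | cut -c5-10)
    [ "$perms" = "------" ]
}

# Succeeds if $1 is an integer in 1..65535.
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print the -L argument, bound to loopback so the forwarded database
# port is not exposed to other hosts on the workstation's network.
forward_spec() {  # $1 = local port, $2 = DB endpoint, $3 = DB port
    valid_port "$1" && valid_port "$3" && [ -n "$2" ] || return 1
    printf '127.0.0.1:%s:%s:%s\n' "$1" "$2" "$3"
}

# Open the tunnel. -N requests no remote command, which is what a jump box
# without shell access expects; ExitOnForwardFailure makes ssh exit if the
# local port cannot be bound instead of idling without a tunnel.
open_tunnel() {  # $1 key, $2 user, $3 jump host, $4 local port, $5 DB endpoint, $6 DB port
    key_is_private "$1" || { echo "key missing or too permissive: $1" >&2; return 1; }
    spec=$(forward_spec "$4" "$5" "$6") || { echo "bad forward target" >&2; return 1; }
    ssh -N -i "$1" -o IdentitiesOnly=yes -o ExitOnForwardFailure=yes \
        -L "$spec" "$2@$3"
}

# Example call (placeholders):
# open_tunnel ~/.ssh/fcs_rsa fcs.user jump.example.gov 15432 db.example.internal 5432
```

While the tunnel is open, the database client connects to 127.0.0.1 on the chosen local port rather than to the database endpoint directly.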
