Jump Servers

Jump servers enable you to securely connect Tree Schema to your database. We highly encourage everyone to connect to your Data Store through a jump-server where possible. The basic data flow for a jump server looks like this:

../_images/jump_server_flow.png

There are two main reasons why this is more secure for you to access your data:

  1. You can enforce authentication to your data through an SSH key or password

  2. You can limit the IP addresses (or CIDR blocks) that can access your Data Store instead of allowing access from all IP addresses; we will provide you with the single IP that Tree Schema will connect from

While it is not required that you use a jump server, when you do set one up we require it to be secured with a password or an SSH key. Whichever you provide is encrypted with AWS KMS before it is saved, to ensure that your information is secure.

Note

All users in the Admin and Owner group can view and manage jump servers.


View Jump Servers

You can see all of your jump servers from the admin portal:

../_images/view_jump_servers.png

Add Jump Server

Before you add a jump server, note that we also provide a set of connection details that you may need in order to allow Tree Schema to establish an SSH connection with your Data Store. This information contains the IP address (CIDR block) that the traffic will come from as well as the specific port and protocol required. This is the only IP we will ever use to connect to your Data Store.

The example below shows the IP / CIDR 0.0.0.0/32, but the live app will contain a valid IP.

../_images/add_jump_server_conn_details.png

To add a jump server, select Add Jump Server to bring up the new jump server details:

../_images/add_jump_server.png

The following fields are required:

  • Jump server name: a logical name to use when referring to the jump server throughout Tree Schema

  • Hostname or IP: this must be a publicly available IP address that Tree Schema can connect to

  • Username: the username to connect to the server with

In addition, one of the following fields must be provided:

  • Password

  • SSH Key

Here is an example of a completed jump server:

../_images/add_jump_server_complete.png

In order to save a jump server, the connection must be tested first. Select Test Connection once you have added all of the details. If everything goes right, you will see this message:

../_images/add_jump_success.png

If there is a problem connecting, you will see an error like this:

../_images/add_jump_error.png

Debugging Jump Server Errors

If we can capture the specific reason why the connection could not be made, we will raise that error and present it to you. Otherwise you may see this generic error:

Could not establish session to SSH gateway

This error just means the connection could not be established. Here are a few things to check if this happens:

  • The host or IP address is correct

  • The username is correct

  • The password or SSH key is correct

  • Your firewall rules allow incoming traffic on port 22 for the Tree Schema IP address provided
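As an added example (not Tree Schema's own tooling) of the two controls this page relies on, the single source address and a forward-only SSH user, the POSIX shell script below validates the Tree Schema CIDR taken from the connection details page, emits the matching port-22 firewall rule, and generates an sshd_config Match block that lets the jump user reach only the Data Store. The CIDR, user name, database host and port are placeholders, not values from Tree Schema.

```shell
#!/bin/sh
# Added example, not Tree Schema's own code. Placeholders: the Tree Schema
# source CIDR from the connection details page, a jump user "tunnel", and a
# hypothetical Data Store db.internal:5432.

# The connection details page must show a single host (/32). Reject the
# 0.0.0.0/32 placeholder from the documentation screenshot and any wider
# block: the whole point is to allow exactly one source address.
check_source_cidr() {
    case "$1" in
        0.0.0.0/32) return 1 ;;
        */32) ;;
        *) return 1 ;;
    esac
    ip="${1%/32}"
    echo "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Firewall rule: SSH (22/tcp) only from the Tree Schema address. This assumes
# the INPUT chain's default policy (or a later rule) drops everything else.
ssh_allow_rule() {
    check_source_cidr "$1" || { echo "refusing to use source $1" >&2; return 1; }
    printf 'iptables -A INPUT -p tcp --dport 22 -s %s -j ACCEPT\n' "$1"
}

# sshd_config Match block: the jump user may only open a tunnel to the Data
# Store; no other forwarding destinations, no agent or X11 forwarding, no TTY.
# Giving the account a nologin shell keeps it from doing anything but tunnel.
sshd_match_block() {
    user="$1" db_host="$2" db_port="$3"
    cat <<EOF
Match User $user
    PermitOpen $db_host:$db_port
    AllowTcpForwarding yes
    AllowAgentForwarding no
    X11Forwarding no
    PermitTTY no
EOF
}

# Usage (placeholder values): replace 203.0.113.10/32 with the CIDR shown in
# your Tree Schema connection details.
main() {
    ssh_allow_rule 203.0.113.10/32
    sshd_match_block tunnel db.internal 5432
}
```

Run `main` on the jump server after replacing the placeholders; the Match block belongs in /etc/ssh/sshd_config followed by a reload of sshd.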


Connect to a Data Store with a Jump Host

To tunnel traffic through a jump host to your Data Store select the jump host when creating or updating your Data Store:

../_images/jump_server_data_store.png

Make sure you test the connection before saving to ensure that the connection to the Data Store works!

Note

Not all Data Stores are eligible to connect through a jump server; some Data Stores, such as DynamoDB, only support direct connections to the database.