Skip to main content

SSH Tunneling

SSH tunneling is a networking feature that allows Meroxa to communicate to resources that are not publicly available over the Internet.

Meroxa SSH Tunneling Diagram

Creating a resource with an SSH Tunnel#

SSH tunneling cannot be enabled on an existing resource; you must create a new resource.

To create a resource with SSH Tunneling via the CLI:

  1. Whitelist Meroxa IP addresses on your bastion host.

  2. Use the meroxa resource create command and provide the --ssh-url option:

--ssh-url $BASTION_URL

Replace $BASTION_URL with the URL of your bastion host. For example:

$ meroxa resource create tunnel324  --type postgres \  --url postgres:// \  --ssh-url ssh://
Resource "tunnel324" is successfully created but is pending for validation! Paste the following public key on your host:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC8vC5gN+f1cnYXE5ZTTzijSTVzH/sxA7fMaOY8hIudBNYUBk8dHkj9DQjdz+ecqUltNm/QsMkxCpcg0U279ZLcZ3hTSVfgs3I7aLPV=> Meroxa will try to connect to host for 60 minutes and send email confirmation of resource creation
  1. Step 2 will return a Public key which you will then need to use on your bastion host to validate the connection to your resource. Meroxa will attempt to connect to your resource for 60 minutes and will send a confirmation email after establishing a connection.

Validate Tunnel Connection#

After creating your resource with SSH Tunneling, if you have not added the SSH key to your bastion host within 60 minutes, you will need to validate your resource manually.

$ meroxa resources validate $RESOURCE_NAME

This command is also useful in case something changes on your remote server, such as a database password was updated.

Rotating SSH Keys#

In some cases, such as a company policy or a general security practice, you may need to rotate the SSH key used to validate the resource connection.

You can can rotate keys with the following command:

$ meroxa resources rotate-tunnel-key $RESOURCE_NAME

This will return a new SSH key. Meroxa will try to connect to the bastion host for 60 minutes. If it cannot connect, you will need to validate the connection again.


When you rotate your key, it will immediately affect the connection to the bastion host, so we recommend that you pause your pipeline before proceeding.


You will have 60 minutes to update the new key on your bastion host or you will need to revalidate the connection again.

Creating a Bastion Host#

To enable SSH Tunneling, you will need a bastion host within your infrastructure.

Here are resources to help you create a host within the various infrastructure providers: