Skip to main content

SSH Tunneling

SSH tunneling is a networking feature that allows Meroxa to communicate to resources that are not publicly available over the internet.


SSH tunneling cannot be enabled on an existing resource; you must create a new resource.


  1. Create a bastion host
  2. Whitelist Meroxa IPs on bastion host

Configure resource with SSH Tunnel

Use the meroxa resource create command to configure your resource and include the --ssh-url option:

$ meroxa resource create pg_db
--type postgres \
--url postgres://$PG_USER:$PG_PASS@$PG_URL:$PG_PORT/$PG_DB \
--ssh-url ssh://
Resource "pg_db" is successfully created but is pending for validation! Paste the following public key on your host:
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC8vC5gN+f1cnYXE5ZTTzijSTVzH/sxA7fMaOY8hIudBNYUBk8dHkj9DQjdz+ecqUltNm/QsMkxCpcg0U279ZLcZ3hTSVfgs3I7aLPV
=> Meroxa will try to connect to host for 60 minutes and send email confirmation of resource creation

Add a public key

In the example above, Meroxa returns a public key which you will need to use on your bastion host to validate the connection to your resource within the 60-minutes time period from creation. Meroxa will attempt to connect to your resource for during that time period and will send a confirmation email after establishing a connection.


To use the same Public and Private Key pair across multiple resources you can simply use the same Private key in each resource and Meroxa will not generate additional Public Keys.

Supply a private key

You can provide a private key for the SSH tunnel by using the --ssh-private-key string option while creating the resource. One advantage of doing this is that you can utilize the private key with multiple resources while using the same public key on the Bastion host.

Linux / MacOS

To generate a key pair on Linux or MacOS, you can use the ssh-keygen tool from your terminal and follow the prompts.


To generate a key pair on Windows, verify that you have OpenSSH Client installed. Then, open a command prompt with Administrator priviledges, enter the command ssh-keygen and follow the prompts.

Validate Tunnel Connection

After creating your resource with SSH Tunneling, if you have not added the SSH key to your bastion host within 60 minutes, you will need to validate your resource manually.

$ meroxa resources validate $RESOURCE_NAME

This command is also useful when something changes on your remote server, such as a database password update.

Rotating SSH Keys

In some cases, such as a company policy or a general security practice, you may need to rotate the SSH key used to validate the resource connection.

You can rotate keys with the following command:

$ meroxa resources rotate-tunnel-key $RESOURCE_NAME

The command above will return a new SSH key. Meroxa will attempt to connect to the bastion host for 60 minutes. If unable to connect, you will need to validate the connection again.


When you rotate your key, it will immediately affect the connection to the bastion host, so we recommend that you pause your pipeline before proceeding.

Create a bastion host

To enable SSH Tunneling, you will need a bastion host within your infrastructure.

Here are resources to help you create a host within the various infrastructure providers: