Runbook to configure DuploCloud Hosts with a static IP and SSH database tunneling for secure remote access
This setup is for DuploCloud customers whose external users in remote locations need consistent, secure access to databases hosted on DuploCloud infrastructure. By configuring a public-facing DuploCloud Host and attaching an Elastic IP, you give Retool a stable endpoint to connect to. SSH tunneling then carries the connection between Retool and the database through the DuploCloud Host as an encrypted tunnel, so database traffic stays protected and private even though it crosses the public internet. Combining the static Elastic IP with SSH tunneling gives you both reliable access and robust security for database interactions.
Use this procedure if you are a DuploCloud customer who needs secure external access to your organization’s cloud resources for:
Public Availability with Security: DuploCloud customers with external clients, vendors, or team members who need to interact with the database but cannot be given direct access to it for security reasons.
Public Host Access with Strict Database Security: Users who need the Host to be reachable externally while keeping strict security controls on the database.
Simplified Development Workflow: Users with remote developers who need to connect to the environment without dealing with changing dynamic IP addresses, and to interact securely with the database for development, testing, or debugging as if they were directly connected to the cloud network.
Secure Troubleshooting: System administrators or support teams who need to connect to the Host quickly from anywhere, or to access and troubleshoot the database securely without exposing it to unnecessary risk.
A DuploCloud Host with a Public IP and network access to your database.
A Retool account.
Navigate to AWS Management Console.
Log in with your credentials.
In the AWS Console, navigate to the EC2 dashboard.
In the EC2 Dashboard, allocate an Elastic IP address in the appropriate network (VPC).
Once the Elastic IP is allocated, select it from the list.
Associate the Elastic IP address with your DuploCloud Host instance.
An AWS account is needed to allocate and manage Elastic IP addresses because they are an AWS-specific service. If you're using a different cloud provider, create and associate a static IP with your DuploCloud Host using their equivalent static IP addressing service.
Navigate to the Retool login page.
Log in with your credentials.
Follow the instructions to configure SSH tunneling, being sure to:
Enter the public IP of your DuploCloud Host.
Set the SSH port to 22 and configure it to use the private key you saved earlier.
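The Host in this Runbook is now reachable on port 22 from Retool, and the SSH session exists only to forward one port to the database. The following Python script, added here as an example and not part of this Runbook or of DuploCloud's or Retool's software, audits an sshd_config for the settings a tunnel-only Host should carry (key-based authentication, local forwarding only, forwarding limited to the database address) and builds the per-key authorized_keys restriction that enforces the same limit. The database address 10.0.20.15:5432, the account name retool and both configuration texts are constructed for the example.

```python
"""Audit an sshd_config for a Host whose only job is to terminate database
tunnels, and build the matching authorized_keys restriction.

Added example for this Runbook, not DuploCloud's or Retool's code.  The Host
is reachable on TCP/22 from Retool's address ranges only so that Retool can
forward a local port to the database; anything else sshd would let that
session do is unneeded attack surface.  The database address 10.0.20.15:5432,
the account name 'retool' and both configuration texts are constructed.
"""
from __future__ import annotations

import re

# Directive -> value a tunnel-only Host should carry.
WANTED = {
    "PasswordAuthentication": "no",   # key-based authentication only
    "PermitRootLogin": "no",
    "AllowTcpForwarding": "local",    # -L tunnels only, never -R back in
    "GatewayPorts": "no",             # forwarded ports bind to loopback only
    "X11Forwarding": "no",
    "AllowAgentForwarding": "no",
}
# What OpenSSH assumes when a directive is absent (sshd_config(5) defaults),
# so an unset directive is judged by its real effect, not reported as a gap.
DEFAULTS = {
    "PasswordAuthentication": "yes",
    "PermitRootLogin": "prohibit-password",
    "AllowTcpForwarding": "yes",
    "GatewayPorts": "no",
    "X11Forwarding": "no",
    "AllowAgentForwarding": "yes",
    "PermitOpen": "any",
}

def parse_sshd_config(text: str) -> dict[str, str]:
    """Effective global value of each directive, keyed by lowercased name.

    Two sshd_config rules matter here: for a repeated keyword the first value
    wins and later duplicates are ignored, and everything after the first
    Match line is conditional, so it is not part of the global section."""
    effective: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()            # drop comments and blanks
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # 'Key value' or 'Key=value'
        key = parts[0].lower()
        if key == "match":
            break
        effective.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return effective

def audit_tunnel_host(config_text: str) -> list[str]:
    """Return findings for *config_text*; an empty list means it passes."""
    effective = parse_sshd_config(config_text)
    findings: list[str] = []
    for key, want in WANTED.items():
        present = key.lower() in effective
        got = effective[key.lower()] if present else DEFAULTS[key]
        how = "set to" if present else "defaults to"
        if got.lower() != want:
            findings.append(f"{key} {how} '{got}', expected '{want}'")
    # Forwarding should reach only the database, not arbitrary internal hosts.
    if effective.get("permitopen", DEFAULTS["PermitOpen"]).lower() == "any":
        findings.append("PermitOpen allows forwarding to any destination; "
                        "restrict it to the database host:port")
    return findings

def tunnel_only_authorized_key(public_key: str, db_host: str, db_port: int) -> str:
    """authorized_keys line for the tunnel account: 'restrict' switches off every
    option (pty, agent, X11 and port forwarding, user rc), 'port-forwarding'
    re-enables forwarding alone, and 'permitopen' pins it to one destination."""
    return f'restrict,port-forwarding,permitopen="{db_host}:{db_port}" {public_key}'

WEAK_CONFIG = """\
# Constructed example: a stock-looking sshd_config on the tunnel Host
PermitRootLogin prohibit-password
PasswordAuthentication yes
# The duplicate below is ignored: sshd keeps the first value
PasswordAuthentication no
X11Forwarding no
Match Address 10.0.0.0/8
    AllowTcpForwarding no
"""

HARDENED_CONFIG = """\
# Constructed example: tunnel-only sshd_config
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin no
AllowUsers retool
AllowTcpForwarding local
PermitOpen 10.0.20.15:5432
GatewayPorts no
X11Forwarding no
AllowAgentForwarding no
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit_tunnel_host(text) or ['no findings']}")
    print(tunnel_only_authorized_key("ssh-ed25519 AAAA...PLACEHOLDER retool", "10.0.20.15", 5432))
```

Run it directly to see the findings for both constructed configurations. The parser honours two sshd_config rules that trip up manual review: for a repeated directive sshd keeps the first value, and anything after the first Match line is conditional rather than global, so a tightening placed there does not protect every connection.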
Navigate to the DuploCloud Platform.
Log in with your credentials.
In the DuploCloud Portal, navigate to Administrator -> Tenant.
Select the Tenant where your host is running from the NAME column.
Select the Security tab and click Add. The Add Tenant Security pane displays.
Add the Retool IP addresses using the following inputs:
Source Type: IP Address
IP CIDR: Custom
IP Address: Enter the Retool CIDR IP addresses (and individual IPs as needed).
Protocol: TCP
Port Range: 22
Click Add.
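The Tenant security rules above form an allow-list, and the usual way an allow-list degrades is drift: a "temporary" 0.0.0.0/0 rule on port 22, or a database port opened directly on the public Host. The following Python script, added here as an example and not DuploCloud code, models the rules as they appear in the Add Tenant Security pane and checks them against the intent of this Runbook: TCP/22 from Retool's address ranges and nothing else. The ranges in RETOOL_CIDRS are constructed placeholders from documentation address space, not Retool's actual egress addresses; substitute the list Retool publishes.

```python
"""Check a Tenant's inbound security rules against this Runbook's intent:
TCP/22 reachable only from Retool's published address ranges, nothing else.

Added example, not DuploCloud code.  Each rule is a dict carrying the fields
of the Add Tenant Security pane (source CIDR, protocol, port range).  The
ranges in RETOOL_CIDRS are constructed placeholders from documentation
address space, not Retool's real egress addresses.
"""
from __future__ import annotations

import ipaddress
from typing import Iterable

RETOOL_CIDRS = ["203.0.113.0/24", "198.51.100.7/32"]   # placeholders, see above
SSH_PORT = 22
DATABASE_PORTS = {5432, 3306, 1433}   # PostgreSQL, MySQL, SQL Server defaults

def parse_port_range(spec: str) -> tuple[int, int]:
    """'22' -> (22, 22); '1024-2048' -> (1024, 2048); 'All' -> (0, 65535)."""
    s = spec.strip().lower()
    if s in ("all", "*", "-1"):
        return (0, 65535)
    lo, _, hi = s.partition("-")
    low, high = int(lo), int(hi or lo)
    if not 0 <= low <= high <= 65535:
        raise ValueError(f"bad port range {spec!r}")
    return (low, high)

def _within(net, allowed) -> bool:
    """True when *net* lies entirely inside one of the allow-listed networks."""
    return any(net.version == a.version and net.subnet_of(a) for a in allowed)

def audit_rules(rules: Iterable[dict], allowed_cidrs: Iterable[str] = RETOOL_CIDRS) -> list[str]:
    """Return one finding per problem; an empty list means the rules match intent."""
    allowed = [ipaddress.ip_network(c) for c in allowed_cidrs]
    findings: list[str] = []
    for rule in rules:
        net = ipaddress.ip_network(rule["cidr"], strict=False)
        lo, hi = parse_port_range(rule["port_range"])
        label = f"{rule['protocol'].upper()} {rule['port_range']} from {rule['cidr']}"
        if net.prefixlen == 0:
            findings.append(f"{label}: open to the whole internet")
        if any(lo <= p <= hi for p in DATABASE_PORTS):
            findings.append(f"{label}: exposes a database port on the public Host; "
                            "the database should be reached only through the SSH tunnel")
        elif lo <= SSH_PORT <= hi:
            if (lo, hi) != (SSH_PORT, SSH_PORT):
                findings.append(f"{label}: port range is wider than 22")
            if not _within(net, allowed):
                findings.append(f"{label}: source is not within the Retool allow-list")
        else:
            findings.append(f"{label}: not needed for the SSH tunnel; confirm it is intentional")
    return findings

def accepts(rules: Iterable[dict], source_ip: str, port: int, protocol: str = "TCP") -> bool:
    """Security-group semantics: allow rules only, implicit deny for everything else."""
    ip = ipaddress.ip_address(source_ip)
    for rule in rules:
        net = ipaddress.ip_network(rule["cidr"], strict=False)
        lo, hi = parse_port_range(rule["port_range"])
        if (rule["protocol"].upper() == protocol.upper()
                and ip.version == net.version and ip in net and lo <= port <= hi):
            return True
    return False

# Rules exactly as this Runbook has you enter them: one per Retool range, TCP/22.
RULES_AS_ENTERED = [
    {"source_type": "IP Address", "cidr": "203.0.113.0/24", "protocol": "TCP", "port_range": "22"},
    {"source_type": "IP Address", "cidr": "198.51.100.7/32", "protocol": "TCP", "port_range": "22"},
]
# The same rules after drift: SSH opened to everyone and PostgreSQL exposed directly.
RULES_DRIFTED = RULES_AS_ENTERED + [
    {"source_type": "IP Address", "cidr": "0.0.0.0/0", "protocol": "TCP", "port_range": "22"},
    {"source_type": "IP Address", "cidr": "192.0.2.0/24", "protocol": "TCP", "port_range": "5432"},
]

if __name__ == "__main__":
    print("as entered:", audit_rules(RULES_AS_ENTERED) or "no findings")
    for finding in audit_rules(RULES_DRIFTED):
        print("drifted:", finding)
    print("Retool source on 22 accepted:", accepts(RULES_AS_ENTERED, "203.0.113.45", 22))
```

Run the audit periodically, or whenever the Tenant's security rules change, so a rule added for a one-off troubleshooting session does not quietly outlive its purpose.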
Log in to AWS Console
Allocate a New Elastic IP
Associate the Elastic IP with DuploCloud Host
Log in to your Retool
Configure SSH Tunneling
Log in to DuploCloud
Add Tenant Security Settings to Whitelist Retool IP Addresses
This Runbook configures secure SSH access from Retool to a DuploCloud Host by attaching an Elastic IP, setting up SSH tunneling, and whitelisting Retool IP addresses to ensure proper connectivity and security.
Links to resources that may be helpful to users of this Runbook.
Quick Start guides for complex but uncommon use cases
The following documents are DuploCloud versions of Runbooks. DuploCloud Runbooks are similar to Quick Start guides that walk users through specific, edge-case tasks.
Runbook for customers using private networks to configure Egress and Ingress for Azure
DuploCloud Azure Kubernetes Services (AKS) customers who require traffic to be strictly restricted within a private network may encounter cluster communication difficulties when deploying an AKS Ingress controller. This is because the API server uses a private IP address that routes to a firewall, blocking traffic flow to/from the Kubernetes resources. This runbook provides step-by-step instructions to configure egress and ingress traffic, ensuring secure and compliant communication through the firewall.
While transitive peering is not natively supported, you can have a transitive connection using a central firewall. For example, VNet A can peer to VNet B, and VNet B can peer to VNet C. If traffic is routed to a firewall within VNet B as the next hop, you can go from VNet A to VNet C without direct peering between them.
Use this procedure if you are an AKS customer deploying an AKS ingress controller in a private network with strict data-privacy requirements, such as:
Healthcare Organizations: Particularly those adhering to HITRUST compliance requirements, ensuring secure and compliant communication within their infrastructure.
Financial Institutions: Banks, insurance companies, and other financial services that require secure and regulated communication channels within their cloud infrastructure.
Large Enterprises: Companies with complex, private network setups that necessitate strict control over egress and ingress traffic for security and compliance.
Government Agencies: Entities that require stringent security measures and compliance with various regulations.
Any organization using AKS in a Private Network: Businesses running sensitive applications on AKS within a private network and facing communication challenges due to firewall restrictions.
For cases that use VPN gateways, the CIDR that must be allowed through the central firewall for Point-to-Site (P2S) connections is the CIDR block configured for P2S clients, NOT the CIDR of the subnet where the VPN Gateway resides.
An existing AKS cluster deployed with Azure CNI.
A firewall configured to manage traffic.
Route name: Provide a name for the route.
Address prefix: Enter the IPv4 CIDR block to route, in a.b.c.d/e form; in this case, the Application Gateway CIDR.
Next hop type: Select Virtual appliance.
Next hop address: Enter the firewall's private IP address.
Name: Provide a name for the rule.
Priority: Set the priority (lower numbers have higher priority).
Source address: Enter the address range of the AKS subnet.
Destination address: Specify the destination (internet or other services).
Protocol: Select the required protocol (TCP/UDP).
Action: Select Allow.
Route name: Provide a name for the route.
Address prefix: Use the IP address range of the AKS services.
Next hop type: Select Virtual appliance.
Next hop address: Enter the firewall's private IP address.
Name: Provide a name for the rule.
Priority: Set the priority (lower numbers have higher priority).
Source address: Enter the address range of the application gateway subnet.
Destination address: Specify the AKS services.
Protocol: Select the required protocol (TCP/UDP).
Action: Select Allow.
Create a route table and add a route to send egress traffic to the firewall.
Associate this route table with the AKS subnet.
Configure the firewall to allow traffic from the AKS subnet.
Ensure the AKS ingress controller provisions a V2 gateway.
Create a route table for the application gateway subnet to route traffic through the firewall.
Associate this route table with the application gateway subnet.
Configure the firewall to allow traffic from the application gateway subnet to the AKS services.
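The two route tables and two firewall rules above only achieve their purpose together: a missing route lets traffic bypass the firewall inside the VNet, and a missing or mis-keyed firewall rule drops it. The following Python script, added here as an example and not DuploCloud's or Azure's code, models the resulting configuration (longest-prefix route lookup with user-defined routes beating the implicit VirtualNetwork route; firewall rules evaluated by ascending priority with an implicit deny) and traces the AKS-to-Application-Gateway flows through it. It also shows the Point-to-Site caveat above: a rule keyed on the VPN Gateway's subnet never matches a P2S client, whose address comes from the P2S pool. All address ranges are constructed for the example.

```python
"""Model the route tables and firewall rules this Runbook builds and check
that AKS <-> Application Gateway traffic really takes the intended path:
through the central firewall, and allowed there.

Added example, not DuploCloud's or Azure's code.  Azure's behaviour is
reduced to two rules: a subnet's route table picks the longest matching
address prefix (a user-defined route beating the implicit VirtualNetwork
route), and the firewall evaluates network rules in ascending priority
with an implicit deny.  Every address range here is constructed.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional

VNET = "10.10.0.0/16"
AKS_SUBNET = "10.10.0.0/20"        # nodes and pods (Azure CNI); the "AKS services" range
APPGW_SUBNET = "10.10.16.0/24"     # Application Gateway (V2) subnet
FIREWALL_IP = "10.10.32.4"         # firewall's private IP, used as next hop
GATEWAY_SUBNET = "10.10.64.0/27"   # subnet where the VPN Gateway itself resides
P2S_POOL = "172.16.0.0/24"         # address pool handed to P2S VPN clients

@dataclass(frozen=True)
class Route:
    prefix: str
    next_hop_type: str             # VirtualAppliance | VirtualNetwork | Internet
    next_hop_ip: Optional[str] = None

@dataclass(frozen=True)
class FirewallRule:
    name: str
    priority: int                  # lower number is evaluated first
    source: str
    destination: str
    protocol: str
    action: str                    # Allow | Deny

SYSTEM_ROUTE = Route(VNET, "VirtualNetwork")   # Azure adds this for every subnet
ROUTE_TABLES = {                               # the two route tables built above
    AKS_SUBNET:   [Route(APPGW_SUBNET, "VirtualAppliance", FIREWALL_IP)],
    APPGW_SUBNET: [Route(AKS_SUBNET, "VirtualAppliance", FIREWALL_IP)],
}
FIREWALL_RULES = [                             # the two firewall rules built above,
    FirewallRule("aks-egress", 100, AKS_SUBNET, "0.0.0.0/0", "TCP", "Allow"),
    FirewallRule("appgw-to-aks", 110, APPGW_SUBNET, AKS_SUBNET, "TCP", "Allow"),
    FirewallRule("p2s-to-aks", 120, P2S_POOL, AKS_SUBNET, "TCP", "Allow"),  # plus the P2S caveat
]

def lookup_route(subnet: str, dst_ip: str) -> Route:
    """Longest-prefix match over the subnet's user routes plus the system VNet
    route; on equal prefix length the user route wins, as in Azure."""
    dst = ipaddress.ip_address(dst_ip)
    candidates = [(r, True) for r in ROUTE_TABLES.get(subnet, [])] + [(SYSTEM_ROUTE, False)]
    best = None
    for route, is_user in candidates:
        net = ipaddress.ip_network(route.prefix)
        if dst in net and (best is None or (net.prefixlen, is_user) > best[0]):
            best = ((net.prefixlen, is_user), route)
    return best[1] if best else Route("0.0.0.0/0", "Internet")   # default system route

def firewall_decision(src_ip: str, dst_ip: str, protocol: str = "TCP",
                      rules: list[FirewallRule] = FIREWALL_RULES) -> str:
    """First matching rule by ascending priority decides; no match means Deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in sorted(rules, key=lambda r: r.priority):
        if (rule.protocol.upper() in (protocol.upper(), "ANY")
                and src in ipaddress.ip_network(rule.source)
                and dst in ipaddress.ip_network(rule.destination)):
            return rule.action
    return "Deny"

def trace_flow(src_subnet: str, src_ip: str, dst_ip: str, protocol: str = "TCP") -> tuple[str, str]:
    """Return (path, decision): 'firewall' when the next hop is the firewall,
    'direct' when the flow stays inside the VNet and bypasses it, 'internet'
    when it leaves through the default route."""
    route = lookup_route(src_subnet, dst_ip)
    if route.next_hop_type == "VirtualAppliance" and route.next_hop_ip == FIREWALL_IP:
        return ("firewall", firewall_decision(src_ip, dst_ip, protocol))
    if route.next_hop_type == "VirtualNetwork":
        return ("direct", "not inspected")
    return ("internet", "not inspected")

if __name__ == "__main__":
    print("AKS -> AppGW:", trace_flow(AKS_SUBNET, "10.10.1.20", "10.10.16.10"))
    print("AppGW -> AKS:", trace_flow(APPGW_SUBNET, "10.10.16.10", "10.10.1.20"))
    # A subnet with no route table attached reaches AKS directly, bypassing the firewall.
    print("untabled subnet -> AKS:", trace_flow("10.10.99.0/24", "10.10.99.5", "10.10.1.20"))
    # The P2S caveat: a rule keyed on the gateway subnet never matches a VPN client.
    wrong = [FirewallRule("p2s-wrong", 120, GATEWAY_SUBNET, AKS_SUBNET, "TCP", "Allow")]
    print("P2S client, pool rule:", firewall_decision("172.16.0.10", "10.10.1.20"))
    print("P2S client, gateway-subnet rule:", firewall_decision("172.16.0.10", "10.10.1.20", rules=wrong))
```

The "direct" result for a subnet without a route table is the failure mode the association steps above prevent: the route table exists, but nothing sends that subnet's traffic through the firewall.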
This Runbook ensures that egress and ingress traffic is securely managed, facilitating secure, compliant communication for users handling sensitive data.
Links to resources that may be helpful to users of this Runbook.
In the Azure portal, create a route table for the AKS subnet.
In your route table, add a route using the route inputs listed earlier for the AKS subnet (Address prefix: the Application Gateway CIDR; Next hop address: the firewall's private IP).
In the Azure portal, associate the AKS subnet with the route table created in the previous step.
Open your firewall in the Azure portal.
Add a rule using the firewall-rule inputs listed earlier for the AKS subnet (Source address: the AKS subnet range; Action: Allow).
In the DuploCloud Portal, deploy the AKS ingress controller. This automatically provisions a version 2 (V2) gateway for handling ingress traffic.
In the Azure portal, create a route table for the application gateway subnet.
In your route table, add a route using the route inputs listed earlier for the application gateway subnet (Address prefix: the AKS services range; Next hop address: the firewall's private IP).
In the Azure portal, associate the application gateway subnet with the route table created in the previous step.
Open your firewall in the Azure portal.
Add a rule using the firewall-rule inputs listed earlier for the application gateway subnet (Source address: the application gateway subnet range; Destination address: the AKS services; Action: Allow).
DuploCloud documentation for .