...

Database in a Publicly Accessible Subnet

The following list shows the regions where Pisaas instances are currently available; it is not where you're deploying your Bastion host. If you're unsure which region your Pisaas instance is deployed in, please contact your CSM.

Region       Panintelligence IP
EU-WEST-1    54.216.240.181
US-EAST-1    44.193.187.201

If your database is hosted in a publicly accessible subnet, you can whitelist our PiSaas IPv4 address 54.216.240.181. On AWS, this means adding this IP address to the inbound rules of your NACLs and security groups. On Azure, add this IP address to the inbound firewall settings on the Connection security tab of your database.

...

When connecting to your database from Panintelligence running in Pisaas, you should specify “localhost” as the host, along with your regular database connection details. Be sure the port you specify in Panintelligence is the same as that supplied to the Pisaas administration team.

Creating your Bastion host (AWS Centric)

  • Sign in to your AWS account.

  • Create an EC2 instance (a micro instance is sufficient for this purpose).

  • Specify appropriate security groups or create a security group for the bastion host.

  • Create an inbound rule on your bastion security group that opens port 22 to the IP address given by Panintelligence.

  • Create an inbound rule on your bastion security group that opens port 22 to your IP address.

  • Create an outbound rule on your bastion security group that opens your database port (5432 for Postgres) to your database security group.

  • Create an inbound rule on your database security group that opens your database port (5432 for Postgres) from your new bastion security group.

  • Log in to your new Bastion host.

  • Create a new user: `sudo useradd panintelligence`

  • Switch to your new user: `sudo su - panintelligence`

  • Create the ~/.ssh directory if it does not exist: `mkdir -p ~/.ssh`

  • Change the permissions of this new directory: `chmod 700 ~/.ssh`

  • Create a file called authorized_keys in the ~/.ssh directory: `touch ~/.ssh/authorized_keys`

  • Change the permissions of this new file: `chmod 600 ~/.ssh/authorized_keys`

  • Edit the authorized_keys file and paste in the contents of the panintelligence public key.
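
The key-installation steps above can be scripted so they are repeatable and checkable. The following is an added example, not Panintelligence tooling: the function names are hypothetical, and the sample key in `demo` is constructed and non-functional. The mode check matters because sshd with StrictModes (the default) refuses key login when these paths are group- or world-writable.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not Panintelligence tooling.

# Print a path's permission bits in octal (GNU stat first, then BSD stat).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# install_key HOME_DIR PUBKEY_FILE
# Creates HOME_DIR/.ssh (700) and authorized_keys (600), then adds the key
# unless that exact line is already present, so re-running is harmless.
install_key() {
    home_dir=$1
    pubkey_file=$2
    # Accept only a file holding exactly one OpenSSH public key line.
    [ "$(grep -c '' "$pubkey_file")" -eq 1 ] || return 2
    grep -Eq '^(ssh-(rsa|ed25519)|ecdsa-sha2-[a-z0-9-]+) [A-Za-z0-9+/=]+( .*)?$' \
        "$pubkey_file" || return 2
    key=$(cat "$pubkey_file")
    mkdir -p "$home_dir/.ssh"
    chmod 700 "$home_dir/.ssh"
    touch "$home_dir/.ssh/authorized_keys"
    chmod 600 "$home_dir/.ssh/authorized_keys"
    grep -qxF -- "$key" "$home_dir/.ssh/authorized_keys" ||
        printf '%s\n' "$key" >> "$home_dir/.ssh/authorized_keys"
}

# check_ssh_perms HOME_DIR
# Succeeds only when both modes match the chmod steps above.
check_ssh_perms() {
    [ "$(mode_of "$1/.ssh")" = 700 ] || return 1
    [ "$(mode_of "$1/.ssh/authorized_keys")" = 600 ] || return 1
}

# Demo on a throwaway directory with a constructed (non-functional) key.
demo() {
    tmp=$(mktemp -d)
    printf '%s\n' 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAConstructedSampleOnly demo@example' \
        > "$tmp/sample.pub"
    install_key "$tmp/home" "$tmp/sample.pub" && check_ssh_perms "$tmp/home" &&
        echo "modes ok: $(mode_of "$tmp/home/.ssh") $(mode_of "$tmp/home/.ssh/authorized_keys")"
    rm -rf "$tmp"
}
if [ "${1:-}" = demo ]; then demo; fi
```

On the Bastion host, run `install_key "$HOME" <public key file>` as the panintelligence user, then `check_ssh_perms "$HOME"` after any later change to the account.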

Additional steps

  • Consider hardening the OS, that is, increasing its security beyond what the OS provides by default.