There are two key ways of connecting your data with a PiSaas deployment; which one you choose depends on the level of risk you’re willing to accept.
Database in a Publicly Accessible Subnet
The following table lists the regions where Pisaas instances are currently available, not where you’re deploying your Bastion host. If you’re unsure which region your Pisaas instance is deployed in, please contact your CSM.
Region | Panintelligence IP |
---|---|
EU-WEST-1 | |
US-EAST-1 | |
If your database is hosted in a publicly accessible subnet, you can whitelist our PiSaas IPv4 address 54.216.240.181. With AWS, this means adding this IP address to the inbound rules on the NACLs and security groups. With Azure, add this IP address to the inbound firewall settings on the connection security tab of your database.
Bastion Hosts for Private Subnets
It’s possible to connect to your database using a publicly available bastion as a jump host. Use an EC2 instance deployed in a public subnet with inbound rules from our Pisaas IPv4 address 54.216.240.181 (you can find this IP address in the table above) and outbound rules to your database. The inbound port for this should be 22. Set the inbound rule on the database to accept connections from the bastion host security group. The port used between the bastion and the database should match that of your database.
Configuration
Pisaas administrators will need:
...
When connecting to your database from Panintelligence running in Pisaas, you should specify “localhost” as the host, along with your regular database connection details. Be sure the port you specify in Panintelligence is the same as that supplied to the Pisaas administration team.
Creating your Bastion host (AWS Centric)
Sign into your AWS account.
Create an EC2 instance (a micro instance is OK for this purpose).
Specify appropriate security groups or create a security group for the bastion host.
Create an inbound rule on your bastion security group that opens port 22 to the IP address given by Panintelligence (found in the table above).
Create an inbound rule on your bastion security group that opens port 22 to your IP address.
Create an outbound rule on your bastion security group that opens your database port (5432 for Postgres) to your database security group.
Create an inbound rule on your database security group that opens your database port (5432 for Postgres) from your new bastion security group.
Log into your new Bastion host.
Create a new user:
sudo useradd panintelligence
Switch to your new user:
sudo su - panintelligence
Create the ~/.ssh directory if it does not exist:
mkdir -p ~/.ssh
Change the permissions of this new directory:
chmod 700 ~/.ssh
Create a file called authorized_keys in the ~/.ssh directory:
touch ~/.ssh/authorized_keys
Change the permissions of this new file:
chmod 600 ~/.ssh/authorized_keys
Edit the authorized_keys file and copy in the contents of the panintelligence public key.
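To check the security group rules created in the steps above, the following added example (not Panintelligence's own code) audits a bastion group and a database group given in the shape returned by `aws ec2 describe-security-groups`. The function names, the group ids and the admin address 203.0.113.10 are assumptions, and the sample data is constructed.

```python
import ipaddress

def covers(perm, port):
    proto = perm["IpProtocol"]  # "-1" means every protocol and port
    return proto == "-1" or (proto == "tcp" and perm["FromPort"] <= port <= perm["ToPort"])

def group_ids(perm):
    return {p["GroupId"] for p in perm.get("UserIdGroupPairs", [])}

def cidrs(perm):
    v4, v6 = perm.get("IpRanges", []), perm.get("Ipv6Ranges", [])
    return [r["CidrIp"] for r in v4] + [r["CidrIpv6"] for r in v6]

def audit(bastion, database, allowed_ssh, db_port):
    """Return findings; an empty list means the groups match the steps above."""
    allowed = [ipaddress.ip_network(c) for c in allowed_ssh]
    findings, seen = [], set()
    for perm in (p for p in bastion["IpPermissions"] if covers(p, 22)):
        findings += [f"bastion: port 22 open to group {g}" for g in sorted(group_ids(perm))]
        for cidr in cidrs(perm):
            net = ipaddress.ip_network(cidr)
            same = [a for a in allowed if a.version == net.version]
            seen.update(a for a in same if a.subnet_of(net))  # sources this rule admits
            if not any(net.subnet_of(a) for a in same):       # wider than any expected source
                findings.append(f"bastion: port 22 open to unexpected source {cidr}")
    findings += [f"bastion: no port 22 rule for {a}" for a in allowed if a not in seen]
    db_id, bastion_id = database["GroupId"], bastion["GroupId"]
    egress = [p for p in bastion["IpPermissionsEgress"] if covers(p, db_port)]
    if not any(db_id in group_ids(p) for p in egress):
        findings.append(f"bastion: no outbound rule to {db_id} on port {db_port}")
    db_perms = [p for p in database["IpPermissions"] if covers(p, db_port)]
    if not any(bastion_id in group_ids(p) for p in db_perms):
        findings.append(f"database: port {db_port} not open to {bastion_id}")
    for perm in db_perms:  # anything other than the bastion group is extra exposure
        for src in sorted(group_ids(perm) - {bastion_id}) + cidrs(perm):
            findings.append(f"database: port {db_port} also open to {src}")
    return findings

# Constructed sample (placeholder group ids and admin IP); note the stray 0.0.0.0/0 rule.
BASTION = {"GroupId": "sg-bastion", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "54.216.240.181/32"}, {"CidrIp": "0.0.0.0/0"}]}],
    "IpPermissionsEgress": [{"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
                             "UserIdGroupPairs": [{"GroupId": "sg-database"}]}]}
DATABASE = {"GroupId": "sg-database", "IpPermissions": [{"IpProtocol": "tcp",
    "FromPort": 5432, "ToPort": 5432, "UserIdGroupPairs": [{"GroupId": "sg-bastion"}]}]}
ALLOWED = ["54.216.240.181/32", "203.0.113.10/32"]  # PiSaas IP from this page, admin IP
if __name__ == "__main__":
    print("\n".join(audit(BASTION, DATABASE, ALLOWED, 5432)))
```

Run against the constructed sample, it reports the port 22 rule that is open to 0.0.0.0/0; to use it on real groups, pass the entries from the `SecurityGroups` array of the CLI's JSON output.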
Additional steps
Consider hardening the OS, that is, increasing its security beyond what the OS provides by default.