Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Database in a Publically Accessible Subnet

The following list is our current availability for Pisaas instances, not where you’re deploying your Bastion host. if you’re unsure as to which region your Pisaas instance is deployed, please contact your CSM.

region

Panintelligence IP

EU-WEST-1

54.216.240.181

US-EAST-1

44.193.187.201

If your database is hosted in a publically accessible subnet, you can whitelist our PiSaas IPv4 address 54.216.240.181. With AWS, this is adding this IP address to the inbound section on the NACLS and security groups. Working with Azure, add this IP address to the inbound firewall settings on the connection security tab on your database.

...

It’s possible to connect to your database using a publically available bastion as a jump host. Use an EC2 instance deployed in a public subnet with inbound rules from our Pisaas IPv4 address 54.216.240.181 address (you can find this IP address from the table above.) and outbound rules to your database. The port for this should be 22. Set the inbound on the database to accept connections from the bastion host security group. The port allocation between the bastion and the database should match that of your database.

...

When connecting to your database from Panintelligence running in Pisaas, you should specify “localhost” as the host, along with your regular database connection details. Be sure the port you specify in Panintelligence is the same as that supplied to the Pisaas administration team.

Creating your Bastion host (AWS Centric)

  • Sign into your AWS account.

  • Create an EC2 instance (a micro instance is ok for this purpose)

  • Specify appropriate security groups or create a security group for the bastion host.

  • Create an inbound rule on your bastion security group that opens port 22 to the IP address given by Panintelligence (found in the table above).

  • Create an inbound rule on your bastion security group that opens port 22 to your IP address.

  • Create an outbound rule on your bastion security group that opens your database port (5432 for Postgres) to your database security group.

  • Create an inbound rule on your database security group that opens your database port (5432 for Postgres) from your new bastion security group.

  • log into your new Bastion host

  • create a new user sudo useradd panintelligence

  • switch to your new user sudo su - panintelligence

  • create the ~/.ssh directory if it does not exist mkdir ~/.ssh

  • change the permissions of this new directory chmod 700 ~/.ssh

  • create a file called authorized_keys in the ~/.ssh directory `touch ~/.ssh/authorized_keys

  • change the permissions of this new file chmod 600 ~/.ssh/authorized_keys

  • edit the authorized_keys file and copy the contents of the panintelligence public key

additional steps

  • Consider hardening the OS, which refers to increasing the security that has been provided by the OS.