Secure Tunnel FAQ
What is the FlyData Secure Tunnel feature?
While we already secure the data transit using standard SSL based security, many users will also place their data store that is not publicly accessible. What this provides is a site-to-site VPN based tunnel and by the use of the tunnel, we enable a bastion host that is completely in the control of the user on what access they provide to FlyData.
What is required to use the FlyData Secure Tunnel feature?
AWS account with these privileges:
– Able to launch an EC2 instance
– Able to create Security Groups
– Able to assign an Elastic IP (EIP)
These should be already setup and prepared in advance:
– AWS VPC
– AWS public subnet (subnet with an Internet Gateway (IGW) attached)
Is this feature secure?
Yes, we use standard 2048-bit shared keys between the user and FlyData. Each key is only used once per Application. FlyData will connect on pre-set ports to access the resources that the user allows.
How do I use this feature?
For AWS users, the method we provide using a CloudFormation JSON template makes it incredibly easy to use. We have details on how to set the Stack up here:
You can get the template for that Application from the Setup Wizard.
What does the CloudFormation Stack entail?
The CloudFormation template will create these resources:
– EC2 instance
– Security Group that is associated with this Stack and assigned to this EC2 instance
– Elastic IP will be created and assigned to this EC2 instance
Can I use this even though my Redshift cluster is publicly accessible?
Yes. Within the Cloudformation setup, you can enter a fake domain like ie. localhost for the Redshift cluster. Enter the other information, as needed, for the data source.
Is the CloudFormation Stack reversible?
Yes. The CloudFormation Stack will be neatly packaged into one Stack under AWS Console -> Services -> CloudFormation. It can be easily deleted (and even recreated) anytime.
Can I use the same Secure Tunnel instance for all my FlyData Applications (data sources)?
You will need to create a new Secure Tunnel instance per Application. Since we use a specific point-to-point connection for each tunnel instance, we require a separate instance per Application.