Connect to services via SSH

Edit on GitHub

We add your SSH public key to the bastion host during the onboarding, so you can access your environments’ internal networks via SSH right after.

You can use SSH in two ways:

  1. Connect directly to the bastion host and, subsequently, connect to any internal service like RDS.
  2. Set up SSH port forwarding through bastion host to access a specific service from your computer.
Connecting to instances

Bastion is the only instance you can connect to via SSH.


For security purposes, SSH access is available only for the IP addresses in the security group. To get SSH access, provide the following details via support:

  • Public IPs
  • Public SSH keys

Connect to a service

Exemplary services

In the following instructions:

  • We use the RDS service as an example. The steps to find the endpoints of other services may be slightly different.
  • We use the Jenkins service as an example. Adjust the service name per your requirements.

To connect to a service:

  1. Connect to the bastion host:

    1. In the AWS Management Console, go to Services > EC2 > Instances.
    2. Select {environment_name}-bastion. This opens a pane at the bottom of the page.
    3. Copy the value of the Public IPv4 address field.
    4. Connect to the copied IP address via SSH.
  2. In the AWS Management Console, find the endpoint to connect to:

    • For an AWS service endpoint:
      1. Go to Services > RDS > Databases.
      2. Select the desired database.
      3. Copy the Endpoint value.
    • For a non-AWS service endpoint:
      1. Go to Services > Route53 > Hosted Zones.
      2. Select the desired hosted zone.
      3. Enter jenkins in the search field and press Enter.
      4. Copy the value of the Value/Route traffic to field.
  3. Connect to the VPN.

  4. Connect to the copied endpoint via SSH.

  5. Optional: Set up SSH port forwarding:

    1. In the bastion host, get the IP address of the endpoint by resolving the copied endpoint:
    dig +short
    1. Set up SSH port forwarding using the IP address. For example:
    ssh -A ubuntu@<private_bastion_ip> -L<private_scheduler_ip>:80