Metabase can connect to some databases by first establishing a connection to a server in between Metabase and a data warehouse, then connecting to the data warehouse using that connection as a bridge. This makes connecting to some data warehouses possible in situations that would otherwise prevent the use of Metabase.
In general, prefer a Virtual Private Network (VPN) to SSH tunneling, but there are two basic use cases for an SSH tunnel:
Sometimes when a data warehouse is inside an enterprise environment, direct connections are blocked by security devices such as firewalls and intrusion prevention systems. To grant access to this environment, many enterprises offer a VPN, a bastion host, or both. VPNs are the more convenient and reliable option, though bastion hosts are used frequently, especially with cloud providers such as Amazon Web Services where VPC (Virtual Private Clouds) prohibit direct connections. Bastion hosts offer the option to first connect to a computer on the edge of the protected network, then from that bastion host computer establish a second connection to the data warehouse on the internal network, essentially patching these two connections together. Using the SSH tunneling feature, Metabase can automate this process.
When connecting though a bastion host:
Host
Port
SSH tunnel host
SSH tunnel port
SSH tunnel username
SSH tunnel password
If you’re unable to connect test your SSH credentials by connecting to the SSH server/Bastion Host using ssh directly:
ssh <SSH tunnel username>@<SSH tunnel host> -p <SSH tunnel port>
Another common case where direct connections are impossible is when connecting to a data warehouse that is only accessible locally and does not allow remote connections. In this case you will be opening an SSH connection to the data warehouse, then from there connecting back to the same computer.
localhost
If you have problems connecting, verify the SSH host port and password by connecting manually using ssh or PuTTY on older windows systems.
While using an SSH tunnel makes it possible to use a data warehouse that is otherwise inaccessible, it’s almost always preferable to use a direct connection when possible.
There are several inherent limitations to connecting through a tunnel:
The SSH tunneling feature in Metabase exists as a convenient wrapper around SSH, and automates the common cases of connecting through a tunnel. It also makes connections possible with systems that don’t give shell access. Metabase uses a built-in SSH client that doesn’t depend on the installed system’s SSH client. This allows connections from systems where you can’t run SSH manually. It also means that Metabase can’t take advantage of authentication services provided by the system, such as Windows Domain Authentication or Kerberos Authentication.
If you need to connect using a method not enabled by Metabase, you can often accomplish this by running SSH directly:
ssh -Nf -L input-port:internal-server-name:port-on-server username@bastion-host.domain.com
This allows you to use the full array of features included in SSH. If you find yourself doing this often, please let us know so we can see about making your process more convenient through Metabase.
For more on connecting a database to Metabase, see Adding and managing databases.