# SSH Tunneling

You may opt to choose SSH Tunneling as well through a bastion host within your VPC to allow decube collectors access to your data source.

### SSH Bastion Host Setup

Setting up a SSH Bastion host differs based on the Cloud provider you are on. Here's some reference for the different providers:

* [AWS](https://aws.amazon.com/premiumsupport/knowledge-center/rds-connect-ec2-bastion-host/)
* [GCP](https://cloud.google.com/kubernetes-engine/docs/tutorials/private-cluster-bastion#create-bastion)
* [Azure](https://learn.microsoft.com/en-us/azure/bastion/bastion-overview)

### Getting your Public Key

When connecting to your data source for the first time, you can enable the "Enable SSH" toggle to get your organization-wide public key. Copy or download the file for later.

<figure><img src="https://1779874722-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTw0qpCVzfrIXqS4FEg4T%2Fuploads%2Fgit-blob-3bf6e4a5fa3bf193c30a4fb302ab473cd73ac8e4%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

### Create A SSH User

We recommend creating a unique SSH User just for decube purposes. This lets you separate all configuration to only this unique user. To do so, access your own SSH host server as a privileged user or through sudo and run

```
sudo useradd -m [DECUBE_USERNAME] # choose any username (you'll need to pass this to us)
sudo passwd [DECUBE_USERNAME]     # you'll be prompted to input a password
                                  # this password is for your login only, do not share
                                  # with us
```

### Add Key to SSH Host

Access your own SSH host server as the previously created user and add the previously mentioned SSH Public Key to the `authorized_key` file. Usually this will be located at `/home/YOURUSER/.ssh/authorized_key`.

{% hint style="info" %}
You'd need to share with us the SSH username, SSH host and SSH port later
{% endhint %}