SSH Server Add-on

Overview

The SSH Server add-on provides a lightweight SSH proxy service for secure tunneling to resources within your VPC. It enables secure access to internal services like databases without exposing them to the public internet.

Purpose and Benefits

  • Secure Database Access: Connect to RDS, ElastiCache, or other VPC resources via SSH tunneling
  • Port Forwarding: Forward local ports to internal VPC services
  • SSH Key Authentication: Secure access using your existing SSH public keys
  • Lightweight: Runs in a small standalone container, not on an EC2 instance

How It Works

The SSH Server add-on:

  • Deploys a containerized SSH proxy within your VPC
  • Accepts connections authenticated via SSH public keys
  • Supports port forwarding to internal VPC resources (e.g., databases)
  • Does not support interactive shell sessions

Connecting

After provisioning, connect using the address shown on the add-on details page:

ssh user@<address>

Port Forwarding Example

Forward a local port to a database within your VPC:

ssh -L 5432:database.internal:5432 user@<address>

Then, in another terminal, connect to the database through the forwarded local port:

psql -h localhost -p 5432 -U myuser mydatabase

CLI Usage

Create SSH Server

tapit create ssh_server [description=DESCRIPTION] [ssh_keys=KEYS]

Parameters

  • description (optional): A description to help identify this SSH tunnel service
  • ssh_keys (optional): SSH public keys to authorize

Examples

# Create with default settings
tapit create ssh_server

# Create with a description
tapit create ssh_server description="Database access tunnel"

# Create with authorized keys (single key)
tapit create ssh_server ssh_keys="ssh-rsa AAAAB3... user@host"

Update SSH Server

tapit set ssh_server name=addon_name [description=DESCRIPTION] [ssh_keys=KEYS]

Required Parameters

  • name: The name of the SSH Server add-on to update

Optional Parameters

  • description: Update the description
  • ssh_keys: Update the authorized SSH public keys

Examples

# Update description
tapit set ssh_server name=ssh-server-1 description="Production database tunnel"

# Update authorized keys
tapit set ssh_server name=ssh-server-1 ssh_keys="ssh-rsa AAAAB3... user@host"

Delete SSH Server

tapit delete addon name=ssh-server-1

Web UI

You can also manage SSH Server add-ons through the Tapitalee web interface:

  1. Navigate to your app
  2. Go to the Add-ons section
  3. Click “Add Add-on” and select “SSH Server”
  4. Configure the description and authorized SSH keys
  5. Click Create

Security Considerations

  • Key Management: Only add SSH public keys for users who should have access
  • No Shell Access: The SSH server only supports port forwarding, not interactive shells
  • VPC Isolation: The SSH server runs within your VPC, providing network-level security
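
A tunnel wrapper that follows the points above, as an added example (not Tapitalee's own code). It assumes an OpenSSH client; the names forward_spec, with_tunnel and TUNNEL_HOST are hypothetical:

```shell
#!/bin/sh
# Added example, not Tapitalee's code. TUNNEL_HOST, forward_spec and with_tunnel
# are names assumed here; set TUNNEL_HOST to user@<address> from the details page.

# forward_spec LPORT RHOST RPORT: print a -L spec bound to loopback only, so
# other machines on the workstation's network cannot use the forwarded port.
# The ( ) body runs in a subshell, so "exit" only leaves the function.
forward_spec() (
    for p in "$1" "$3"; do
        case $p in ''|*[!0-9]*) exit 1 ;; esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || exit 1
    done
    # Hostname or IPv4 literal only: letters, digits, dots, hyphens.
    case $2 in ''|-*|*[!A-Za-z0-9.-]*) exit 1 ;; esac
    printf '127.0.0.1:%s:%s:%s\n' "$1" "$2" "$3"
)

# with_tunnel LPORT RHOST RPORT CMD [ARGS...]: open the tunnel, run CMD, close it.
with_tunnel() (
    spec=$(forward_spec "$1" "$2" "$3") || { echo "invalid forward" >&2; exit 2; }
    shift 3
    : "${TUNNEL_HOST:?set TUNNEL_HOST to user@<address>}"
    # Control socket lives in a private (mode 0700) directory.
    dir=$(mktemp -d) || exit 3
    sock=$dir/ctl
    # Tear the tunnel down when the function exits, whether or not CMD succeeded.
    trap 'ssh -S "$sock" -O exit "$TUNNEL_HOST" 2>/dev/null; rm -rf "$dir"' EXIT
    # -N: no remote command (the add-on offers no shell). -f: go to background
    # once authenticated. ExitOnForwardFailure: fail instead of running without
    # the forward if the local port is already taken. IdentitiesOnly: offer only
    # configured identity files, not every key held by the agent.
    ssh -f -N -M -S "$sock" -o ExitOnForwardFailure=yes -o IdentitiesOnly=yes \
        -L "$spec" "$TUNNEL_HOST" || exit 3
    "$@"
)

# Usage: TUNNEL_HOST=user@<address> with_tunnel 5432 database.internal 5432 \
#            psql -h 127.0.0.1 -p 5432 -U myuser mydatabase
```

The forwarded port exists only while the wrapped command runs, so no tunnel to the database is left open afterwards.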

Use Cases

Database Administration

Connect to your RDS database securely for administrative tasks:

# Start the tunnel
ssh -L 5432:mydb.cluster-xyz.us-east-1.rds.amazonaws.com:5432 user@<address>

# In another terminal, use your favorite database tool
psql -h localhost -p 5432 -U admin mydb

Redis Access

Connect to ElastiCache Redis for debugging:

# Start the tunnel
ssh -L 6379:my-redis.abc.cache.amazonaws.com:6379 user@<address>

# Connect with redis-cli
redis-cli -h localhost -p 6379