Building a tunnel to access databases


Databases hosted on Scalingo are not directly available on the Internet. By default access to most databases are unencrypted, so unsecured. To access them remotely from your workstation you need to setup an encrypted connection.

Since we don’t want unencrypted network traffic from/to your databases, the DB tunnel provides an encrypted way to access them. However, it does not provide any additional security layer. We will only verify that your public key is registered on our platform. The DB tunnel is just an encrypted bridge between your laptop and our infrastructure.

Another possibility is to make your database accessible from internet.


You need to have Scalingo’s command line interface to achieve this action.

Build the tunnel

By running the following command, an encrypted SSH tunnel will be built between you and your database.

$ scalingo --app my-app db-tunnel MONGO_URL
Building tunnel to <dbhost>:<dbport>
You can access your database on '<localport>'

We use MONGO_URL in the example, but it can be REDIS_URL or DATABASE_URL according to the database you’re using.

Use any client to read, import or export your data

Once the tunnel has been built, you can use any tool you need by connecting it to the<localport> host.

Credentials to connect to the database are still the same, so read them from scalingo --app my-app env


$ scalingo --app my-app db-tunnel MONGO_URL
Building tunnel to <dbhost>:<dbport>
You can access your database on ''

# In another terminal
$ scalingo --app my-app env | grep MONGO_URL

$ mongo -u user -p secret localhost:10000/database
$ mongodump -u user -p secret -h localhost:10000 -d database

If you activated the force TLS option, you should add both options --ssl and --sslAllowInvalidCertificates to the mongo command.

Build the tunnel with the OpenSSH client

Our command line tool handles it in a simple command, but you might want to use the tunnel without it. With the standard OpenSSH client, the way to build the tunnel is:

ssh -L <local port>:<database host>:<database port> -N

The database host and database port can be found in the environment variable representing the connection string of your database instance. Get it from the dashboard or with the env command of the CLI. It should look like:


The value of this variable is an URL which represents:


As stated previously, you need to get the host and port from the URL.


If the environment variable is the following:


The command to run is:

ssh -L -N

Then you connect on localhost:10000 to reach your Scalingo database. (You’ll still need to authenticate to the database with the credential you can get from the connection string)

schedule 18 Sep 2017