> ## Documentation Index
> Fetch the complete documentation index at: https://docs.maia.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# SSH tunneling

export const m_runner = "Maia runner";

export const maia = "Maia";

[Matillion-hosted {m_runner}s](/docs/guides/runner-overview#matillion-full-saas) in {maia} can connect to network-secured databases using an intermediate SSH server that is part of the same network as the target database.

<img src="https://mintcdn.com/matillion/s5upYKal8lZFb4ps/images/security/ssh-tunnelling-01.png?fit=max&auto=format&n=s5upYKal8lZFb4ps&q=85&s=ba124863ee305138f590914a5043140e" alt="SSH tunnel architecture overview" width="580" height="1020" data-path="images/security/ssh-tunnelling-01.png" />

***

## Why use it?

* Use Full SaaS {maia} without exposing your databases to the public Internet.
* Enables you to restrict database access to only those who can authenticate via SSH.
* Reduces the need for complex VPN setups by providing a straightforward way to secure connections to protected databases.

***

## How to use it?

This feature is available on a component-by-component basis. Customers using a Full SaaS {maia} solution can use the [Database Query](/docs/components/database-query) and [RDS Query](/docs/components/rds-query) components to access data sources within their infrastructure using a configured SSH tunnel. This is accessed via the **Networks** tab. Read [Networks](/docs/guides/networks) to get started.

To use SSH tunnels, environments must inherit project defaults. If environments don't use project defaults, the SSH tunnel doesn't work.

### Connection URL and SSH tunnel behavior

The component's connection URL specifies the database endpoint that the {m_runner} connects to after establishing an SSH tunnel.

The specific parameter that defines where the SSH tunnel should connect varies by component. Refer to the relevant component documentation for details.

#### Example connection URL

In this example, `my.postgres` is a database server that is only accessible through an SSH tunnel:

```json theme={null}
{
"connectionUrl": "jdbc:postgresql://my.postgres:5432/test?loggerLevel=OFF"
}
```

#### How it works

1. The component runs and automatically establishes an SSH tunnel.
2. Local port forwarding is configured to route traffic through the tunnel to `my.postgres:5432`.
3. The application then connects to the database using the provided `connectionUrl`, ensuring secure access to the database.

This setup enables seamless database connections over an SSH-protected network.
