# Accessing Private Azure Resource via a Jumpbox

### Overview

This guide explains how to set up a secure Azure Jumpbox that allows Stacksync to connect to your private resources, such as your database.

### 1. Create Static Public IP

1. In the Azure Portal, search **Public IP addresses**.
2. Click **Create**.
3. Configure:
   * **Name:** `stacksync-jumpbox-ip`
   * **SKU:** **Standard** (the Basic SKU is deprecated and not recommended)
   * **Assignment:** **Static**
   * **Tier:** Regional
4. Click **Review + Create**, then **Create**.

   <figure><img src="https://2867423571-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FfJjIdV9cuW6K8asJjTPJ%2Fuploads%2Fn9ne3CmTQILk4Je0bGkX%2Fimage.png?alt=media&#x26;token=cee95ec8-7854-42c3-904a-2dff946ac9c2" alt=""><figcaption></figcaption></figure>

### 2. Create a Network Security Group

Create a Network Security Group (NSG) to tightly control access to the jumpbox so that only Stacksync can connect to it, and the jumpbox can only reach the private resources you authorize.

1. Search “**Network security groups**”.
2. Click **Create**.
3. Name it: `stacksync-jumpbox-nsg`.
4. Create.

#### Add SSH Allow Rule

1. Open the NSG.
2. Click **Inbound security rules** → **Add**.
3. Fill in:
   * **Source:** IP Addresses
   * **Source IPs:** Stacksync’s IP ([Stacksync IP](https://docs.stacksync.com/connectors/setup-options/ip-whitelisting))
   * **Destination port:** `22`
   * **Protocol:** TCP
   * **Action:** Allow
   * **Priority:** **100**
   * **Name:** `Allow-SSH-From-Stacksync`
4. Click **Add**.

   <figure><img src="https://2867423571-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FfJjIdV9cuW6K8asJjTPJ%2Fuploads%2Fu2hIdnOhm5mHKYO7H0lk%2Fimage.png?alt=media&#x26;token=c10f9b63-9959-4108-9412-bf168144ee2b" alt=""><figcaption></figcaption></figure>

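No other inbound rule is needed: Azure's default `DenyAllInBound` rule already blocks all other inbound traffic from the internet. The default `AllowVnetInBound` rule still permits traffic that originates inside the virtual network.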

### 3. Create the Jumpbox VM

1. Search **Virtual Machines** → **Create**.
2. Under **Basics**:
   * **Name:** `stacksync-jumpbox`
   * **Image:** `Ubuntu LTS`
   * **Size:** `B1ms` (recommended)
   * **Authentication:** SSH key only

     <figure><img src="https://2867423571-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FfJjIdV9cuW6K8asJjTPJ%2Fuploads%2FslFR6ureDELEFbDpHhgc%2Fimage.png?alt=media&#x26;token=3b95f768-ff3f-4811-bee2-ad33fe2837f3" alt=""><figcaption></figcaption></figure>
3. Under **Networking**:
   * **Virtual network:** choose your Virtual Network
   * **Subnet:** choose the subnet where the jumpbox will be created
   * **Public IP:** select the static Public IP you created earlier
   * **NIC network security group:** select the **NSG** you created earlier

     <figure><img src="https://2867423571-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FfJjIdV9cuW6K8asJjTPJ%2Fuploads%2FfWrCxLo6woOM9pRP8yLT%2Fimage.png?alt=media&#x26;token=08f4c654-9853-49b3-912b-c3c2044579a5" alt=""><figcaption></figcaption></figure>
4. Create the VM.

This VM will serve as the outbound access point to your systems.

### 4. Harden the Jumpbox

To harden the jumpbox, **log in to the VM** over SSH. Run the following command **in your terminal**, from an IP address that is allowed to reach the VM:

```
ssh stacksync@<PUBLIC_IP>
```

#### 1. Add the Stacksync Public SSH Key

```
echo '<stacksync_public_ssh_key>' >> ~/.ssh/authorized_keys
```

This allows Stacksync to log in securely.

**Find the SSH Public Key here:** \
**app.stacksync.com → Add Connection → SSH Tunnel → Public Key**

<figure><img src="https://2867423571-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FfJjIdV9cuW6K8asJjTPJ%2Fuploads%2F8i4KqUko9bmV3DWKFxKd%2Fimage.png?alt=media&#x26;token=dd784bed-722d-49c8-b73c-e9f251593e18" alt=""><figcaption></figcaption></figure>
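The plain `echo` above installs the key with no restrictions, so it can open a shell and forward to any host the jumpbox can reach. The function below is an added example, not part of the original guide or of Stacksync's tooling: it writes the entry with OpenSSH `authorized_keys` options that limit the key to forwarding to one destination. It assumes Stacksync uses the key only for port forwarding; the name `add_restricted_key` and the target `10.0.1.4:5432` are hypothetical.

```sh
#!/bin/sh
# Added example: install a forwarding-only authorized_keys entry.
# Usage: add_restricted_key '<public key line>' '10.0.1.4:5432' [authorized_keys path]
add_restricted_key() {
    pubkey=$1 target=$2 file=${3:-$HOME/.ssh/authorized_keys}
    newline='
'
    # A public key is exactly one line: "<type> <base64> [comment]".
    case $pubkey in *"$newline"*) echo "key must be one line" >&2; return 1 ;; esac
    read -r ktype kblob kcomment <<EOF
$pubkey
EOF
    case $ktype in
        ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) echo "unsupported key type: $ktype" >&2; return 1 ;;
    esac
    case $kblob in
        ''|*[!A-Za-z0-9+/=]*) echo "malformed key data" >&2; return 1 ;;
    esac

    # The target must be host:port without quoting characters, otherwise it
    # could break out of the permitopen="..." option.
    case $target in *:*) host=${target%:*} port=${target##*:} ;; *) host= port= ;; esac
    case $host in ''|*[!A-Za-z0-9._-]*) echo "bad host in target" >&2; return 1 ;; esac
    case $port in ''|*[!0-9]*) echo "bad port in target" >&2; return 1 ;; esac

    # restrict: turns off PTY, agent/X11 forwarding, ~/.ssh/rc and port forwarding;
    # port-forwarding: turns forwarding back on;
    # permitopen: limits local (ssh -L style) forwards to this one destination.
    entry="restrict,port-forwarding,permitopen=\"$target\" $ktype $kblob${kcomment:+ $kcomment}"

    dir=$(dirname "$file")
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    touch "$file" || return 1
    tmp=$(mktemp "$file.XXXXXX") || return 1
    # Drop any existing entry for this key (e.g. an unrestricted one), then add ours.
    grep -vF -- "$kblob" "$file" > "$tmp" || true
    printf '%s\n' "$entry" >> "$tmp"
    chmod 600 "$tmp" && mv "$tmp" "$file"
}
```

These options do not block non-interactive command execution; a forced `command=` option closes that as well, provided the client never requests a session.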

#### 2. Enable automatic security updates

```
sudo apt install unattended-upgrades
sudo dpkg-reconfigure --priority=low unattended-upgrades
```

#### 3. Disable root login

```
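# Also matches the commented-out or "prohibit-password" default, not only "yes"
sudo sed -i -E 's/^#?[[:space:]]*PermitRootLogin[[:space:]].*/PermitRootLogin no/' /etc/ssh/sshd_config
sudo sshd -t && sudo systemctl restart ssh
sudo sshd -T | grep -i '^permitrootlogin'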
```
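Editing `sshd_config` does not guarantee the setting took effect, because a pattern that matches nothing or a drop-in file under `/etc/ssh/sshd_config.d/` can leave a different value active. The check below is an added example, not part of the original guide: it reads the effective configuration printed by `sshd -T` and reports any setting that differs from what this guide configures. The function names and the sample input are constructed for illustration.

```sh
#!/bin/sh
# Added example: audit effective sshd settings against this guide.
# Real use on the jumpbox:  sudo sshd -T | audit_sshd
audit_sshd() {
    awk '
        BEGIN {
            want["permitrootlogin"] = "no"          # section 4, step 3
            want["passwordauthentication"] = "no"   # "SSH key only" in section 3
            want["pubkeyauthentication"] = "yes"
        }
        # sshd -T prints one "keyword value" pair per line, keywords in lowercase.
        $1 in want {
            seen[$1] = 1
            if ($2 != want[$1]) {
                printf "FAIL %s=%s (want %s)\n", $1, $2, want[$1]
                bad = 1
            }
        }
        END {
            # A setting that never appears is reported rather than assumed safe.
            for (k in want)
                if (!(k in seen)) { printf "FAIL %s not reported\n", k; bad = 1 }
            exit bad
        }'
}

# Constructed sample: root login still allowed with keys, i.e. the state left
# behind when a substitution that only matches "PermitRootLogin yes" finds nothing.
sample_before() {
    cat <<'EOF'
port 22
permitrootlogin without-password
pubkeyauthentication yes
passwordauthentication no
EOF
}

# Constructed sample: the state after the hardening steps in this section.
sample_after() {
    cat <<'EOF'
port 22
permitrootlogin no
pubkeyauthentication yes
passwordauthentication no
EOF
}
```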

### 5. Test SSH Connectivity

From a Stacksync-approved IP:

```
ssh azureuser@<PUBLIC_IP>
```

If the connection fails, verify:

* The Public IP address you created is using the Standard SKU (not Basic)
* The Network Security Group (NSG) is attached to the subnet, not the network interface
* The network interface (NIC) for the virtual machine does not have its own NSG applied
* Your company firewall or VPN is not blocking outbound SSH connections

Example: Tunnel to a private Azure PostgreSQL instance.

```
ssh -i ~/.ssh/key \
  -N -L 5433:database.private.azure.com:5432 \
  azureuser@<PUBLIC_IP>
```

Then access locally at:

```
localhost:5433
```

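From the jumpbox, verify that it can reach your private resources. If `nc` (netcat) is not installed, install it first:

```
# On newer Ubuntu releases "netcat" is only a virtual package, so name the implementation
sudo apt install netcat-openbsd -y
```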

Then test connectivity:

```
nc -zv <YOUR_DATABASE_IP> 5432
```
