Technology Blogs by SAP
Learn how to extend and personalize SAP applications. Follow the SAP technology blog for insights into SAP BTP, ABAP, SAP Analytics Cloud, SAP HANA, and more.
Showing results for 
Search instead for 
Did you mean: 
Product and Topic Expert
Product and Topic Expert
SSH tunneling, also known as SSH port forwarding, provides a secure method for client applications to communicate with remote servers. By encrypting traffic, SSH tunnels ensure data protection during transmission. This article explores the significance of SSH tunneling, its advantages, how it works, and its various use cases.

What is an SSH Tunnel?

An SSH tunnel (also known as SSH port forwarding) is a method by which client applications can securely communicate with remote servers. The SSH client and server provide the SSH tunnel and encrypt traffic, providing security during the transmission of data. When using an SSH tunnel to interact with remote services, if any of the data were intercepted in transit, it would be securely encrypted.


Why Do You Need SSH Tunneling?

SSH tunneling is a method used to connect a client application on a local machine to services on remote machines. However, there are other ways to accomplish the same goal. Many services that you might wish to connect to on remote servers, such as a database, can have ports open externally to accept connections directly from over the internet. You can also limit these kinds of connections to devices that exist on your private network, or on a virtual private network (VPN). This kind of perimeter-based security, which automatically rejected external connections and gave at least some implicit trust to on-premise connections was a very common security practice prior to the popularization of cloud computing.

for more information

How Do SSH Tunnels Work?

SSH tunneling is a fairly straightforward process. On the server in question, the remote service (for example, a database) listens on a local port, but does not open ports for that service to the internet.

Your SSH client connects to the SSH service on the remote server and establishes a secure tunnel. You will need to configure your SSH client to forward traffic to a local port to the remote port that you desire (for example, port 3306 for MySQL), or if you are using the command line only, specify that, in this format:
cf enable-ssh <YOUR-HOST-APP>
cf restage <YOUR-HOST-APP>

cf create-service-key MY-DB EXTERNAL-ACCESS-KEY

cf ssh -L 63306:<hostname>:<port> YOUR-HOST-APP

psql -d <dbname> -U <username> -p 63306 -h localhost


For example:

At that point, when you use your local application (such as a database client, or the command line) to attempt to connect to the remote service, you start the connection using your chosen port for that application locally (for example, `localhost:8000`) and traffic that is sent to that port is forwarded over the SSH tunnel to the specified local port (`63306`) that is open on the server.

SSH reverse tunneling is a similar, but opposite, effect. To forward local traffic from a port on the remote machine to one of the client’s local ports over the SSH tunnel, you can replace the `-L` flag with a `-R` flag. In the example above, this would now forward traffic from the server’s local 8000 port to the client’s port 63306, via the SSH tunnel.

SAP BTP Security groups shows the Port is disabled


The use of SSH tunnels is extremely useful when interacting with services that require higher security for traffic that is external to a secure perimeter without requiring a VPN or exposing them directly to the internet. But they don’t solve every access problem facing an organization. Individual credentials must be managed, or shared credentials doled out insecurely. SSH tunnels provide secure access, but at the cost of decreased visibility and auditability.