SSH Proxy Local Port Chaining to connect to an Isolated Server

Saturday, 25 Apr 2020

There you are with Internet access to an AWS EC2 instance, Azure Virtual Machine or VPS (Virtual Private Server) as we called them in the good old days, but beyond that - on a Private LAN of some sort (could be an AWS VPC, Azure VNET or Physical LAN) - there is another Server, which only has a Private IP Address. This pesky Server is what you'd like to access SQL Developer on, from your own PC. Hmm...

Diagram time

Here's a more descriptive Network Diagram, showing more specifics around the issue, namely:

  • Your PC/Mac/Laptop
    • Private IP doesn't matter
    • Public IP is
  • Internet-accessible VM
    • Public IP is
    • This is allowed through an Internal Firewall to SSH to (sourced from it's LAN Private IP of
    • This is not allowed to connect on SQL Database (TCP/3306) to your Database Server
  • Database VM
    • No Public IP (not directly accessible from the Internet)
    • Private IP is
    • Has SSH Daemon/Server and SQL Server installed on it

SSH Proxy Local Port Chaining Topology

The ultimate goal is to enable SQL Developer on your PC to somehow speak to SQL Server (TCP/3306) on

SSH Tunnels - Local Port Proxy

Which is where a handy feature of SSH comes in, where it has the ability to Tunnel.

Dynamic Port Tunneling (SOCKS Proxy)

You may have used this prior with Dynamic Port Tunneling, where you do something like this:

ssh -D 1080 user@

Then configure as a SOCKS4 or SOCKS5 Proxy in your Firefox Browser like this:

Firefox SSH SOCKS Proxy Options Screen

And then you can browse some http://internalserver in your Firefox Browser as if you're controlling/appear to be the Internet-connected VM to upstream Servers/Systems. That won't help you here, mind.

Local Port Tunneling

Instead, we're going to use Local Port tunneling, which looks a bit like this:

ssh user@ -L 999:

It's worth breaking down what this does, with some notes:

  • 999
    • This is the port that will be listening on your PC (i.e. or localhost, from your perspective)
    • Any traffic sent to this port is chucked through the Tunnel, for the other side (SSH Server on to deal with
    • This is where you want the other side ( to send your Tunneled traffic to (Destination IP Address)
    • Note in this case, it is itself; the here refers to going to itself, not your PC
    • Think of stuff after the first -L colon as "remote-side stuff"
  • 3306
    • This is where you want the other side ( to send your Tunneled traffic to (Destination TCP Port)
    • This is the TCP-using process (in our case, it'll be another SSH not SQL, as you might think) on the other side (`

In our case, this wouldn't do much - as there is no Database Server (TCP/3306) running on our first Jump Box ( - so the next bit is where the chaining comes in.

Local Port Chaining

Leaving this SSH session (above) open, we open a fresh Terminal/Command Prompt/SSH session from our PC to, with no Tunnels requested (bog standard SSH):

ssh user@

Using this, we now tell to SSH to our target Database (, but this time we want the traffic to pop out at the actual Database Port (3306):

ssh user@ -L 3306:

Finally, we can now connect to on the PC, and it will traverse the two SSH Tunnels and pop out as being - even though that destination doesn't have Internet access.

Note in the above that the choice of using -L 3306 on the PC is irrelevant; this could have been 998; but then the SSH command run against would have had to read -L 998 instead of -L 3306. All you are doing here is setting up listeners, and matching that number up between the two SSH Commands.

What it achieves

SSH Proxy Local Port Chaining Resulting Topology

Which gets you out of a hole, and able to access a "Bastion" Server on a Private LAN or VNET somewhere, as long as you've got SSH access throughout the chain.

Have fun tinkering!