When working with private cloud infrastructure, databases are often not directly accessible from the internet. Instead, access is allowed through a bastion host (jump server).
A common solution is to create an SSH tunnel that securely forwards a local port to the remote database.
However, running the tunnel manually every time can be inconvenient. A better approach is to run the tunnel as a Windows service, so it automatically starts and runs in the background.
This guide explains how to create a persistent database tunnel on Windows using:
- 🔹 SSH client
- 🔹 Plink (PuTTY command-line tool)
- 🔹 Windows Service Control (sc)
🧠 Understanding SSH Tunneling
An SSH tunnel securely forwards network traffic through an encrypted SSH connection.
Example architecture:
Local Application
│
│ localhost:1522
▼
SSH Tunnel
│
▼
Bastion Server
│
▼
Remote Database (database.internal:1521)
Your application connects to localhost, while the SSH tunnel securely forwards traffic to the remote database.
🖥 Example SSH Tunnel Command
ssh -N -i key.pem -L localhost:1522:database.internal:1521 -o ServerAliveInterval=15 -o ServerAliveCountMax=3 user@bastion-host
Parameter Explanation
ssh
🔹 Secure Shell client used to establish encrypted connections.
-N
🔹 Do not execute remote commands.
Useful when SSH is used only for tunneling.
-i key.pem
🔹 Specifies the private key file used for authentication.
-L localhost:1522:database.internal:1521
🔹 Creates a local port forwarding rule.
Breakdown:
localhost
🔹 Bind the tunnel to the local machine (loopback only), so other hosts on the network cannot connect to the forwarded port.
1522
🔹 Local port used by applications.
database.internal
🔹 Remote database host reachable from the SSH server.
1521
🔹 Database service port.
-o ServerAliveInterval=15
🔹 Sends keep-alive packets every 15 seconds.
-o ServerAliveCountMax=3
🔹 SSH closes the connection after 3 failed keep-alive checks.
user@bastion-host
🔹 SSH login user and bastion host address.
⚙ Creating a Windows Service for the Tunnel
Windows includes a built-in tool called Service Control (sc) that allows you to create and manage services.
To create a service that runs the SSH tunnel:
sc create DatabaseTunnel binPath= "cmd.exe /c ssh -N -i C:\keys\key.pem -L localhost:1522:database.internal:1521 -o ServerAliveInterval=15 -o ServerAliveCountMax=3 user@bastion-host" start= auto
Explanation
sc create
🔹 Creates a new Windows service.
DatabaseTunnel
🔹 Service name.
binPath=
🔹 The command executed by the service.
cmd.exe /c
🔹 Runs the command through the Windows command interpreter.
start= auto
🔹 Starts the service automatically when Windows boots.
⚠ Important rule:
There must always be a space after = in sc commands.
🔧 Starting and Managing the Service
Start the tunnel service:
sc start DatabaseTunnel
Stop the service:
sc stop DatabaseTunnel
Delete the service:
sc delete DatabaseTunnel
🔌 Connecting to the Database
After the service starts, applications can connect using the local port.
Example connection:
Host
localhost
Port
1522
The SSH tunnel automatically forwards the connection to the remote database.
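Added example (not part of the original guide): a PowerShell check to run once the service is started. It reports the account the service runs under, confirms the forwarded port listens on loopback only, and flags a private key readable by broad groups. The service name, port and key path are the ones used above; the list of "broad" SIDs is this example's own choice.

```powershell
# Added example, not from the original guide. Defaults are the article's names.
param(
    [string]$ServiceName = 'DatabaseTunnel',
    [int]$LocalPort      = 1522,
    [string]$KeyPath     = 'C:\keys\key.pem'
)
$findings = [System.Collections.Generic.List[string]]::new()

# 1. Service state and the account it runs as (LocalSystem unless obj= was set).
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
if ($null -eq $svc) {
    $findings.Add("Service '$ServiceName' does not exist")
} else {
    Write-Output ("{0}: state={1}, start={2}, account={3}" -f $svc.Name, $svc.State, $svc.StartMode, $svc.StartName)
    if ($svc.State -ne 'Running') { $findings.Add("Service is $($svc.State), not Running") }
}

# 2. The forwarded port must listen on loopback only; a wildcard or LAN
#    address would let other hosts reach the database through this machine.
$listeners = @(Get-NetTCPConnection -State Listen -LocalPort $LocalPort -ErrorAction SilentlyContinue)
if ($listeners.Count -eq 0) {
    $findings.Add("Nothing is listening on port $LocalPort (tunnel down)")
}
foreach ($l in $listeners) {
    if ($l.LocalAddress -notin @('127.0.0.1', '::1')) {
        $findings.Add("Port $LocalPort is bound to $($l.LocalAddress), not loopback")
    }
}

# 3. The private key must not be readable by broad groups. Well-known SIDs
#    (chosen for this example): Everyone, Authenticated Users, BUILTIN\Users.
$broadSids = @('S-1-1-0', 'S-1-5-11', 'S-1-5-32-545')
if (Test-Path -LiteralPath $KeyPath) {
    $rules = (Get-Acl -LiteralPath $KeyPath).GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($r in $rules) {
        if ($r.AccessControlType -eq 'Allow' -and $r.IdentityReference.Value -in $broadSids) {
            $findings.Add("Key $KeyPath grants $($r.FileSystemRights) to $($r.IdentityReference.Value)")
        }
    }
} else {
    $findings.Add("Key file $KeyPath not found")
}

if ($findings.Count -gt 0) {
    $findings | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Output 'Tunnel checks passed'
```

Pass -KeyPath C:\keys\key.ppk when checking the Plink variant of the service.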
🧰 Alternative Method Using Plink (PuTTY)
Another common approach on Windows is to use Plink, PuTTY's command-line tool.
Plink is lightweight and widely used in automation scripts.
Example Plink Tunnel Command
plink -ssh -i key.ppk -N -L localhost:1522:database.internal:1521 user@bastion-host
Parameter Explanation
plink
🔹 Command-line SSH client from PuTTY.
-ssh
🔹 Specifies that the connection should use SSH.
-i key.ppk
🔹 Private key file in PuTTY .ppk format.
-N
🔹 Do not start a remote shell.
-L localhost:1522:database.internal:1521
🔹 Local port forwarding configuration.
user@bastion-host
🔹 SSH login user and bastion host address.
Creating a Windows Service Using Plink
sc create DatabaseTunnel binPath= "cmd.exe /c plink -ssh -i C:\keys\key.ppk -N -L localhost:1522:database.internal:1521 user@bastion-host" start= auto
This will start the tunnel automatically when the system boots.
🚀 Advantages of Running the Tunnel as a Service
Running the tunnel as a Windows service provides several benefits:
✔ Automatic startup after system reboot
✔ No manual SSH commands required
✔ Stable persistent database connection
✔ Easy management using Windows tools
✔ Works well for CI/CD and automation servers
📌 Final Thoughts
SSH tunnels provide a secure and flexible way to access private databases without exposing them to the public internet.
By running the tunnel as a Windows service, you can ensure the connection remains available even after system restarts.
This technique is especially useful for:
🔹 Development environments
🔹 Secure database access
🔹 DevOps automation
🔹 Cloud infrastructure management
With just a few commands, you can transform a simple SSH tunnel into a reliable background service on Windows.