# Secure Access to Flow To protect Flow from unauthorized access, isolate it from public networks and allow access only through controlled entry points. The best setup will depend on the underlying operating system and infrastructure. Two commonly used configurations for securing Flow are: * **Linux Setup**: Mac to Linux Flow server via a bastion host * **Windows Setup**: Windows to Windows Flow server via Remote Desktop Protocol (RDP) ## Linux Setup: Mac to Linux Flow Server via a Bastion Host This setup uses a bastion host - a specialized server used to provide access to a private network from an external network (such as the internet). It is typically placed in a demilitarized zone (DMZ) and serves as a "jump server" or intermediary through which access to a Flow server is granted, usually via SSH or RDP. ## Architecture ![](https://images.contentstack.io/v3/assets/bltac01ee6daa3a1e14/blt5a018293bf7bcc1f/6a3940aa4638f6e56643e052/Linux_Architecture_Secure_Flow-0D7e7W.png) In this setup: * A local machine (e.g., a Mac) connects to a Linux bastion host. * The bastion host has internal network access to the Flow server. * Flow can be accessed either directly from the bastion host or via SSH tunneling. ## Steps 1. **Local Mac Setup** 1. Generate an SSH key pair (if not already created): ```shell ssh-keygen -t rsa -b 2048 -f ~/.ssh/bastion_key ``` This command generates: * A private key (`bastion_key`) to be stored securely * A public key to be copied to the bastion host 2. Install Google Chrome to access Flow. 2. **Bastion Host Setup** The bastion host can be any server exposed to the internet (e.g., a cloud instance or physical server). In cloud environments (AWS, Azure, GCP), the bastion host is typically placed in a public subnet, while the Flow server resides in a private subnet. 1. Install the public SSH key on the bastion host Copy the public key from the local machine to the bastion host, either manually or by running the following command: ```shell ssh-copy-id -i ~/.ssh/bastion_key.pub your-username@bastion-host-ip ``` 2. Disable password-based login on the bastion host ```shell sudo nano /etc/ssh/sshd_config PasswordAuthentication no  # Disable password auth ``` 3. Restrict login to specific users Add the following to `/etc/ssh/sshd_config`: ```shell AllowUsers your-username # Only allow a specific user ``` 4. Restart SSH service to apply changes ```shell sudo systemctl restart ssh ``` 5. Configure firewall / security group SSH access to the bastion host can be restricted to specific IP ranges, such as an office public IP address or VPN endpoints. Tools such as `ufw` (Uncomplicated Firewall) or `iptables` can be used to enforce these restrictions. If using `ufw`, run: ```shell sudo ufw allow from to any port 22 sudo ufw enable ``` If using a cloud provider like AWS, Azure or Google Cloud, set up a Security Group (AWS) or Firewall Rules (GCP) to allow only specific IP addresses to SSH into the bastion host. 3. **Flow Server Setup** The Flow server must only accept connections from the bastion host. To enforce this, configure a firewall or security group. If using `ufw`, run the following commands on the Flow server: ```shell sudo ufw default deny incoming sudo ufw allow from to any port 22 sudo ufw enable ``` If using a cloud provider like AWS, Azure or Google Cloud, modify the Flow server’s security group/firewall rules to only accept inbound connections from the bastion host’s internal IP address. For example, for AWS, allow SSH on port 22 from the IP of the bastion host. 4. **Accessing Flow** **Option 1: Direct SSH from bastion host** On the bastion host, run: ```shell ssh @ ``` **Option 2: SSH Tunneling or Port Forwarding** On the local Mac, create an SSH tunnel: ```shell ssh -i ~/.ssh/bastion_key -L 8081:flow_server_private_ip:8081 @ ``` This command creates a local port that forwards traffic to the Flow server's HTTP ports (e.g., 8081 for Ingest, 8084 for XL Ingest). **Note**: Ensure that network and firewall rules allow the bastion host's private IP to reach the Flow server’s HTTP ports. ## Monitoring and Logging * Enable logging for SSH connections on the bastion host. This can be done by configuring `/etc/ssh/sshd_config`: ```shell LogLevel VERBOSE ``` * Ensure all connections and activities are logged (e.g., via Syslog or CloudTrail in AWS). * Consider setting up two-factor authentication (2FA) for SSH or using a VPN in conjunction with the bastion host for added security. ## Security Best Practices * **Update and Patch Regularly**: Ensure that the bastion host is always up-to-date with security patches. * **Use Intrusion Detection Systems (IDS)**: Tools like Fail2Ban can help detect and block brute force or suspicious login attempts. * **Limit SSH Access**: Limit the number of users who can access the bastion host and configure role-based access for administrative functions. * **Harden SSH Configurations**: Implement other SSH security best practices, such as disabling root login and using strong key-based authentication. ## Windows Setup: Windows to Windows Flow Server via RDP This setup uses Windows Remote Desktop Protocol (RDP) to connect to a Flow server running on Windows. ## Architecture ![](https://images.contentstack.io/v3/assets/bltac01ee6daa3a1e14/blt7e33cf3ed7a4a631/6a3940ab136db4df99d58b0c/Windows_Architecture_Secure_Flow-IZ2nhf.png) In this setup: * A Windows PC on the corporate network or connected via VPN is used to access the Flow server. * Connection to the Windows Flow server is established using RDP over a private network, VPN, or Remote Desktop Gateway (RD Gateway). **Important**: * RDP (TCP 3389) must never be exposed directly to the public internet. * RDP must be restricted in Windows Firewall and any external firewall to VPN address ranges or RD Gateway only. * Enforce strong passwords and multi-factor authentication (MFA) for RDP. ## Steps 1. From the Windows PC, open **Remote Desktop Connection**. 2. Connect to the Windows Server using RDP (port 3389). 3. Once logged in, access Flow on Chrome browser on the server. ## Optional: Enable Direct Access via Firewall Rules Windows Firewall can be configured to allow direct access to Flow from specific IP addresses without using RDP. **Important**: * This option is only for internal or VPN networks. * Do not open Flow’s port (e.g., 8081) to the public internet, even with IP restrictions. * If external access is required, use VPN. On the Windows Flow server: 1. **Configure the Windows Firewall** Add a rule in the Windows Firewall to allow incoming connections on the port where Flow is running. This rule can be configured to allow only one specific IP or a range of IP addresses. To allow incoming connections: 1. Open the **Control Panel** from the **Start** menu and click **Windows Firewall**. 2. In the Windows Firewall window, select **Advanced Settings**. 3. In the Windows Firewall with Advanced Security window, click **Inbound Rules** in the left-hand pane. 4. In the right-hand pane, click **New Rule…**. 5. In the **Rule Type** step, select **Port**, then click **Next**. 6. In the **Protocol and Ports** step, choose **TCP**. Under **Specific local ports**, enter the port number to be enabled - for example, 8081. Click **Next**. 7. In the **Action** step, select **Allow the connection**, then click **Next**. 8. In the **Profile** step, select only **Domain** or **Private** based on the requirement. Click **Next**. 9. In the **Name** step, enter a name for the rule and click **Finish**. The new rule will now appear in the list of inbound rules. 2. **(If applicable) Configure the External Firewall** If an external/physical firewall is in place, add a rule to allow incoming connections on the port where Flow is running. This rule can also be configured to allow only one specific IP or a range of IP addresses. *** Modified at: April 1, 2026 Source: [/db/v9.1/load-data/load-data-with-singlestore-flow/secure-access-to-flow/](https://docs.singlestore.com/db/v9.1/load-data/load-data-with-singlestore-flow/secure-access-to-flow/) (An index of the documentation is available at /llms.txt)