Tailscale VPN

Tailscale provides the secure network mesh that connects the bastion EC2 instance to the StarRocks database without requiring VPC peering or direct network access.

Network Path

Bastion EC2 --[Tailscale]--> Jumper (100.100.118.18) --[SSH tunnel]--> StarRocks (:9030)

The jumper host at 100.100.118.18 (Tailscale IP) / 52.40.248.112 (public IP) acts as the bridge to StarRocks's internal endpoint.

SSH Tunnel Command

ssh -f -N -L 9030:1cogri9tn-internal.cloud-app.celerdata.com:9030 \
ec2-user@100.100.118.18 -i ~/.ssh/id_ed25519

This binds localhost:9030 to the internal StarRocks endpoint through the jumper.
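A hardened form of the tunnel command above, as an added example that is not part of the original page: it pins the forward to 127.0.0.1 explicitly, makes ssh exit if the forward cannot be set up, and then checks that port 9030 is not listening on a non-loopback address. The function names `forward_scope` and `open_tunnel` and the `ss` sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: function names and sample data are hypothetical.

# Classify how a TCP port is bound, reading `ss -ltnH` output on stdin.
# Prints "loopback", "exposed" (any non-loopback listener) or "absent".
forward_scope() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            n = split($4, parts, ":")          # port is the last ":" field
            if (parts[n] != port) next
            addr = substr($4, 1, length($4) - length(parts[n]) - 1)
            if (addr ~ /^127\./ || addr == "[::1]") loop = 1
            else exposed = 1
        }
        END {
            if (exposed) print "exposed"
            else if (loop) print "loopback"
            else print "absent"
        }'
}

# Open the tunnel from this page with an explicit loopback bind address.
# ExitOnForwardFailure makes ssh exit non-zero if 9030 cannot be bound,
# instead of backgrounding a session with no forward.
open_tunnel() {
    ssh -f -N \
        -o ExitOnForwardFailure=yes \
        -o ServerAliveInterval=30 \
        -L 127.0.0.1:9030:1cogri9tn-internal.cloud-app.celerdata.com:9030 \
        ec2-user@100.100.118.18 -i ~/.ssh/id_ed25519 || return 1
    # Succeed only if the listener is reachable from this host alone.
    [ "$(ss -ltnH | forward_scope 9030)" = "loopback" ]
}

# Constructed `ss -ltnH` samples: a loopback-only forward, and one bound
# to all interfaces (what GatewayPorts=yes in ssh_config would produce).
SAMPLE_OK='LISTEN 0 128 127.0.0.1:9030 0.0.0.0:*
LISTEN 0 128 [::1]:9030 [::]:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*'
SAMPLE_EXPOSED='LISTEN 0 128 0.0.0.0:9030 0.0.0.0:*'
```

Run `open_tunnel` on the bastion; a non-zero return means either the forward failed or port 9030 is listening beyond loopback.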

Connecting to StarRocks

Warning: The mysql CLI client does not work with this StarRocks instance due to a protocol mismatch (results in "Access Denied"). Always use Python mysql.connector instead.

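import os

import mysql.connector

# Connect through the SSH tunnel bound on localhost:9030.
# The password is read from the environment instead of being stored in this
# file; STARROCKS_PASSWORD is an assumed variable name, export it first.
conn = mysql.connector.connect(
    host="127.0.0.1",
    port=9030,
    user="kk",
    password=os.environ["STARROCKS_PASSWORD"],
    database="metrics",
)
try:
    # dictionary=True returns each row as a dict keyed by column name
    cursor = conn.cursor(dictionary=True)
    cursor.execute("SELECT COUNT(*) AS cnt FROM metrics_table")
    print(cursor.fetchone())
finally:
    conn.close()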

Setup on Jumper

ssh ec2-user@52.40.248.112 -i ~/.ssh/id_ed25519

# Install Tailscale
curl -fsSL https://tailscale.com/install.sh | sh
sudo tailscale up --ssh --hostname=byoc-jumper

Troubleshooting

| Symptom | Fix |
|---|---|
| Tunnel won't connect | Check tailscale status on both hosts |
| StarRocks queries timeout | Verify jumper is reachable: tailscale ping byoc-jumper |
| "Access Denied" from mysql CLI | Use Python mysql.connector instead |
| Tailscale not authenticated | Re-auth: sudo tailscale up --authkey=<key> |