Database Connection Options

Create SSH user

Log in to your SSH tunnel host and run the following commands:

1. Create group fivetran:

   sudo groupadd fivetran
   

2. Create user fivetran:

   sudo useradd -m -g fivetran fivetran
   

3. Switch to the fivetran user:

   sudo su - fivetran
   

4. Create the .ssh directory:

   mkdir ~/.ssh
   

5. Set permissions:

   chmod 700 ~/.ssh
   

6. Change to the .ssh directory:

   cd ~/.ssh
   

7. Create the authorized_keys file:

   touch authorized_keys
   

8. Set permissions:

   chmod 600 authorized_keys
   

9. Using your favorite text editor, add the public SSH key from the database setup page in your Fivetran dashboard to the authorized_keys file. The key must be all on one line. Make sure that you don’t introduce any line breaks when cutting and pasting. The public SSH key is generated uniquely for each Fivetran destination.

   

IMPORTANT: The SHA-1 signature scheme has been deprecated from OpenSSH. As a result, Fivetran will attempt to connect using an SHA-2 RSA public key signature by default. If that does not work, then we will attempt to connect using an SHA-1 RSA public key signature. Fivetran supports SHA-2 connectivity with all OpenSSH server versions from 7.2 and later. For more details, refer to the OpenSSH documentation.

NOTE: If you encounter SSH connectivity errors even though your configuration is correct, it may be because your version of OpenSSH requires a connection using the SHA-1 signature scheme. You can use the following options to force enable the SHA-1 signature scheme:

• To force an SHA-1 public key signature, you must modify your sshd_config file (in /etc/ssh) and add the following line:

  PubkeyAcceptedAlgorithms=+ssh-rsa,ssh-rsa-cert-v01@openssh.com
  

• To force an SHA-1 host key, you must modify your sshd_config file (in /etc/ssh) and add the following line:

  HostKeyAlgorithms=+ssh-rsa,ssh-rsa-cert-v01@openssh.com
  

  Changing the host key will require you to validate the new fingerprint in your connector and destination after running a setup test. You should expect downtime for connectors within this group during the migration process.

RedHat version 9+ and AWS-hosted SSH servers may need this command if they continue to get an Auth Failed error: sudo update-crypto-policies --set LEGACY.

As an extra layer of security, Fivetran enables TLS on your SSH connection by default. We recommend that you keep TLS enabled unless you know it is safe to forgo it. To disable TLS, set the Require TLS through tunnel toggle to OFF.

IMPORTANT: If you set the Require TLS through tunnel toggle to OFF, Fivetran first attempts to connect over TLS inside the SSH tunnel. If this fails, Fivetran automatically retries the connection in clear text inside the SSH tunnel. You are responsible for configuring this option as per your corporate security policies.

Once the user is created, you'll need to allow port access.

Allow port access

Make sure that port access is allowed from:

1. Fivetran's IP to your tunnel server's SSH port
2. Your SSH tunnel server to your source database port

If your SSH server and database happen to be in AWS, you can follow the instructions below to configure port access.

AWS

1. To configure an SSH server in AWS, open the EC2 console and select Running Instances:

   

2. Select the instance you intend to use as an SSH tunnel:

   

3. Select the Security groups and then select default:

   

4. Select the Inbound tab.

5. Click Edit.

   

6. Fill in Fivetran's IP and your SSH port (do not use a load balancer).

7. For VPC or EC2 classic, add a security rule:

   

8. Select SSH, enter Fivetran's IP, and click Save:

   

9. To complete setting up your database connector, follow the setup instructions for your specific database. You can confirm your server's SSH key by comparing the SHA 256 displayed when running the setup tests.

   

Install OpenSSH

TIP: Learn more in Microsoft's OpenSSH for Windows overview documentation.

1. Install the sshd server.

   Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0
   

2. Verify that the OpenSSH server is installed.

   Get-WindowsCapability -Online | ? Name -like 'OpenSSH.Server*'
   

   NOTE: If OpenSSH is installed, you'll see the following message:

   Name : OpenSSH.Server~~~~0.0.1.0
   
   State : Installed
   

3. Set the firewall to allow inbound TCP connections on port 22.

   New-NetFirewallRule -Name sshd -DisplayName 'OpenSSH Server (sshd)' -Enabled True -Direction Inbound -Protocol TCP -Action Allow -LocalPort 22
   

4. Start both the sshd service and the ssh-agent.

   Start-Service sshd
   Set-Service -Name sshd -StartupType 'Automatic'
   Start-Service ‘ssh-agent’
   Set-Service -Name ‘ssh-agent’ -StartupType 'Automatic'
   

Create Fivetran user and group

IMPORTANT: Windows does not allow a user and a group to have the same name.

1. Add a local Fivetran user.

   net user fivetran <password> /add /comment:"User for establishing SSH connection to Fivetran service." /passwordchg:no /passwordreq:no /logonpasswordchg:no
   

2. Add a Fivetran group.

   net localgroup fivetran-group /comment:"Group for establishing SSH connection to Fivetran service." /add
   

3. In Windows command prompt, switch to the SSH server directory.

   cd C:\ProgramData\ssh\ && start notepad .\sshd_config
   

4. Allow password authentication for the Fivetran user.

   PasswordAuthentication yes
   

5. Allow the Fivetran user to connect to the SSH server. Add the following line to the sshd_config file.

   AllowUsers fivetran
   

6. If your Windows build is 1809 or later, comment out the following lines in the sshd_config file:

   # Match Group administrators
   # AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys
   

7. Save the sshd_config file.

8. Restart the agent and the sshd service. If the following command fails, you can restart from the Task Manager (Alt + Ctrl + Delete).

   Restart-Service ssh-agent; Restart-Service sshd
   

IMPORTANT: The SHA-1 signature scheme has been deprecated from OpenSSH. As a result, Fivetran will attempt to connect using an SHA-2 RSA public key signature by default. If that does not work, then we will attempt to connect using an SHA-1 RSA public key signature. Fivetran supports SHA-2 connectivity with all OpenSSH server versions from 7.2 and later. For more details, refer to the OpenSSH documentation.

NOTE: If you encounter SSH connectivity errors even though your configuration is correct, it may be because your version of OpenSSH requires a connection using the SHA-1 signature scheme. You can use the following options to force enable the SHA-1 signature scheme:

• To force an SHA-1 public key signature, you must modify your sshd_config file (in /etc/ssh) and add the following line:

  PubkeyAcceptedAlgorithms=+ssh-rsa,ssh-rsa-cert-v01@openssh.com
  

• To force an SHA-1 host key, you must modify your sshd_config file (in /etc/ssh) and add the following line:

  HostKeyAlgorithms=+ssh-rsa,ssh-rsa-cert-v01@openssh.com
  

  Changing the host key will require you to validate the new fingerprint in your connector and destination after running a setup test. You should expect downtime for connectors within this group during the migration process.

Set up client

1. In your command line, go into the SSH server using Windows VM.

   ssh fivetran@<Public IPv4 DNS>
   

2. Enter your password.

3. Create an .ssh folder in your home directory.

   mkdir .ssh
   

4. Add an authorized_keys file.

   If your client is Windows PowerShell:

   type nul > authorized_keys
   echo <fivetran-ui-public-key> >> authorized_keys
   icacls C:\Users\fivetran\.ssh\authorized_keys /inheritance:r
   

   If your client is Linux:

   touch authorized_keys
   chmod 600 authorized_keys
   echo <fivetran-ui-public-key> >> authorized_keys
   

If you're running PowerShell in elevated mode, your setup is complete. If you're not running PowerShell in elevated mode, follow the instructions below.

TIP: An elevated PowerShell prompt displays Administrator: Windows PowerShell on the top of the prompt's border.

Finish setup (non-elevated PowerShell only)

1. Allow public key authentication.

   PubkeyAuthentication yes
   

2. Remove password authentication.

   PasswordAuthentication no
   PermitEmptyPasswords no
   

3. Save the sshd_config file.

4. Verify that inheritance has been disabled and remove Administrator.
   a. Right click on the authorized_keys file.
   b. Select Properties.
   c. Select the Security tab.
   d. Select Advanced.
   e. Verify that the bottom left reads Enable Inheritance, which means that inheritance is disabled.
   f. Remove Administrator from the file security permissions.
   

5. Restart the agent and the sshd service.

   Restart-Service ssh-agent; Restart-Service sshd
   

Perform the following steps to set up the reverse SSH tunnel on Linux:

Create an SSH user and generate key pair

Log in to your SSH tunnel host and run the following commands:

1. Create group fivetran:

   sudo groupadd fivetran
   

2. Create user fivetran:

   sudo useradd -m -g fivetran fivetran
   

3. Switch to the fivetran user:

   sudo su - fivetran
   

4. Create the .ssh directory:

   mkdir ~/.ssh
   

5. Set permissions:

   chmod 700 ~/.ssh
   

6. Generate an SSH key pair. Make a note of the key path - you will need it to complete your setup.

   ssh-keygen
   

   IMPORTANT: Do not enter a password for the key file. When prompted to provide a password, hit Enter instead.

7. View the contents of the public key.

   cat ~/.ssh/id_rsa.pub
   

8. Send the public key along with the SSH server's IP address and SSH username (fivetran) to Fivetran Support.

Once we create the Reverse SSH host and complete the setup on our side, we will provide you with the Reverse SSH host IP address and username. Then, proceed to the next step to initiate the SSH connection between your SSH server and Fivetran's Reverse SSH host.

Initiate SSH connection

To set up a secure tunnel between your local database and Fivetran's server, run the autossh command on your SSH server.

autossh -M 0 -f -N -R <SSH_HIGH_PORT>:<LOCAL_DB_MACHINE_NAME_OR_IP>:<LOCAL_DB_MACHINE_PORT> <FIVETRAN_SSH_USERNAME>@<FIVETRAN_SUPPLIED_IP> -g -i <PATH_TO_PRIVATE_KEY> -o ServerAliveInterval=10 -o ServerAliveCountMax=1 -o ExitOnForwardFailure=yes

Replace the placeholder variables with the actual values:

• SSH_HIGH_PORT: It should be unique per connector instance and should not be a reserved port number (for instance, port 22 is reserved for SSH connections and port 443 is reserved for HTTPS).

  TIP: For the SSH high port number, we recommend adding a single digit - usually 1 - as a prefix to the source database port. For example, if you connect SQL Server, your database's default port is 1433. Therefore, we recommend using port 11433 as the SSH high port for your first SQL Server connector, port 11434 for your second connector, and so on.

• LOCAL_DB_MACHINE_NAME_OR_IP: Internal IP address or name of the local database host machine

• LOCAL_DB_MACHINE_PORT: Internal port for communication with the database host. For High-Volume Agent connectors, this is the Agent Listener Port (for example, 4343).

• FIVETRAN_SSH_USERNAME: SSH username for Fivetran's Reverse SSH host - fivetran

• FIVETRAN_SUPPLIED_IP: Reverse SSH host IP address provided by Fivetran (contact Fivetran Support or your Fivetran Technical Team to get this)

• PATH_TO_PRIVATE_KEY: File path to the private key on the SSH host machine (this is normally id_rsa.pem or simply id_rsa)

TIP: To track the progress of the autossh connection process, replace the -f flag with the -v flag to enable verbose logging. Without the -v flag, you will not see detailed logs of the connection process or confirmation when the script finishes running successfully. However, autossh will still run in the background if the -f flag is used.

NOTE: If you want to rerun the autossh command using the same SSH high port number that you used previously, you must first stop or terminate the existing autossh process that is currently using that port. This is necessary to avoid conflicts and ensure that the port is free for the new connection.

Enter values into connector setup form

After establishing a successful reverse SSH tunnel connection, enter the following values in the Fivetran connector setup form for your database:

All fields in { brackets } must be replaced with your actual values.

To set up a reverse SSH tunnel on Windows, you need to install PuTTY (an SSH and Telnet client) and PuTTYgen (a key generation tool) on your Windows machine. You can download the standalone binaries (EXE) or the installer package (MSI) for these tools from the official PuTTY download page.

TIP: If you choose to install using the MSI installer, it typically includes the entire PuTTY suite, which consists of PuTTY, PuTTYgen, and other tools.

Perform the following steps to set up a reverse SSH tunnel on Windows:

Generate key pair

1. Launch PuTTYgen.

2. Under Parameters, in the Type of key to generate field, select RSA.

3. In the Number of bits in a generated key field, enter 2048.

4. Under Actions, click Generate to create a public/private key pair.

5. Click Save public key to save the public key file to your local computer.

6. Click Save private key to save the private key file (.ppk) to your local computer.

   TIP: Do not save the key with a passphrase.

7. Send the public key, along with the SSH server's (Windows machine) IP address and SSH username (local Windows user running PuTTY) to Fivetran Support.

Once we create the Reverse SSH host and complete the setup on our side, we will provide you with the Reverse SSH host IP address and user name. Then proceed to the next step to configure and initiate the SSH connection between your SSH server and Fivetran's Reverse SSH Host.

Configure and initiate SSH connection

NOTE: These instructions use PuTTY v0.78.

1. Launch PuTTY.

2. In the Session category, configure your session:

   • In the Host Name field, enter the user name and IP address of the Reverse SSH Host provided by the Fivetran team in the format {ssh_user}@{ssh_host_ip} (e.g., fivetran@35.230.100.17).
   • In the Port field, enter 22.
   • Under Connection type, select the SSH option.

3. In the Connection category, set the Seconds between keepalives to 5.

4. In the Connection > SSH category, select the Don’t start a shell or command at all checkbox.

5. In the Connection > SSH > Auth > Credentials category, go to the Private key file for authentication field. Click Browse and select the private key file (.ppk) you created in the previous step (Generate key pair).

6. In the Connection > SSH > TTY category, select the Don’t allocate a pseudo-terminal checkbox.

7. In the Connection > SSH > Tunnels category, configure port forwarding:

   • Select the Local ports accept connections from other hosts checkbox.
   • Select the Remote ports do the same checkbox.
   • Under Add new forwarded port:
     • In the Source port field, enter a high port number (e.g., 55432). The high port can be any non-reserved and unused port.
     • In the Destination field, enter your destination IP address and the database's port (e.g., localhost:5432 for a server hosted on the same computer).
     • Select the Remote option.
     • Select the Auto option.
     • Click Add to add this entry to the list of Forwarded ports.

8. In the Session category, save the configuration and initiate the SSH session:

   • In the Saved Sessions field, enter a name for this configuration (e.g., fivetran-outbound).
   • Click Save to save your configuration.
   • In the saved sessions list, select the newly saved session (e.g., fivetran-outbound).
   • Click Open to start the SSH session. This will open a terminal window and establish the SSH connection based on your configuration.

We support connecting to the following AWS-hosted sources using PrivateLink:

NOTE: Third-party managed database services, such as MongoDB Atlas, may not be supported. Contact your Fivetran account manager to confirm if your managed database service is supported.

NOTE: Amazon S3 does not require any configuration. If your S3 bucket is in the same region as your Fivetran account, your network traffic does not traverse the public Internet. The Amazon S3 Gateway Endpoints ensures that regional traffic stays within the AWS network.

You must have an AWS endpoint service configured for your source before you set up a PrivateLink connection with Fivetran. AWS endpoint services only work with network load balancers (NLB), so you must create an NLB inside your VPC if you do not already have one. The NLB receives requests from Fivetran and routes it to your source.

The following graphic illustrates how Fivetran connects to the customer database using AWS Private Link:

Since endpoint service configurations are out of Fivetran’s control, we recommend that you contact your AWS representatives for help setting up PrivateLink. However, we do provide the following high-level instructions based on how customers typically configure their data sources:

1. In your VPC, create an NLB for your data source and configure it for each subnet (availability zone) in which the service should be available. For help, see the Create an NLB section.

   IMPORTANT: Skip this step if your data source is already running behind an NLB.

   If you chose to use security groups with your NLB, you must allow the following Fivetran's internal CIDR range on the security groups: 10.0.0.0/8.

2. Create a VPC endpoint service configuration and specify your NLB.

   IMPORTANT: Make sure that you are familiar with the endpoint service considerations and have met its prerequisites.

3. Safelist Fivetran’s AWS VPC Account ID (arn:aws:iam::834469178297:root) to allow access to your VPC endpoint service. Send the service name (VPCe) to your Fivetran account manager. For example, com.amazonaws.vpce.<region_id>.vpce-svc-xxxxxxxxxxxxxxxxx.

   TIP: To learn how to safelist the Fivetran account ID, see AWS’ endpoint service permission documentation.

4. Send the host name of the service/source to your Fivetran account manager. Fivetran will finish the setup on our side.

5. To activate the connection, accept the interface endpoint connection request from Fivetran. By default, connection requests must be manually accepted. However, you can configure the acceptance settings for your endpoint service so that any connection requests are automatically accepted.

Create an NLB

On a single static IP service (EC2, non-RDS database, etc.)

To create an NLB on a single static IP service, follow the instructions in AWS’ creating a network load balancer documentation. Either ensure that the NLB availability zones match the target availability zones or enable cross-zone load balancing.

On a dynamic IP service (Amazon Aurora database, RDS database, etc.)

NLB can only route traffic to an EC2 instance, an IP address, or a Lambda function through target groups. Since Aurora and RDS databases don’t have a dedicated IP address or EC2 instance ID, there are two different ways to configure an NLB to route traffic to these databases - using a port forwarding instance or using the IP address (dynamic IP address) of the database. Follow the instructions below for your chosen method.

Using a port forwarding instance

1. You must deploy an EC2 instance that is configured to do port forwarding (accepting requests from the NLB and forwarding those requests to the RDS database). Here is a sample script that you can use to set up the EC2 port forwarding instance:

   #!/bin/bash
   PREVLOGFILE=/root/ip.txt # Note the below section of the code is important in the event of a server restart.
   if test -f "$PREVLOGFILE"; then
     truncate -s 0 $PREVLOGFILE
     echo "State file $PREVLOGFILE has been emptied"
   fi
   python -m SimpleHTTPServer 801 & # NOTE: USE PORT 801 FOR <HEALTH_CHECKS> PARAMETER BELOW
   echo 1 -> /proc/sys/net/ipv4/ip_forward
   export RDS_ENDPOINT=<<PROSPECT RDS INSTANCE ENDPOINT>> #NOTE: DO NOT INCLUDE THE <<>> CHARACTERS, NO QUOTATION MARKS.
   export RDS_PORT=<<PROSPECTS RDS INSTANCE PORT>> #NOTE: DO NOT INCLUDE THE <<>> CHARACTERS, NO QUOTATION MARKS.
   iptables -t nat -A POSTROUTING -j MASQUERADE
   while true
   do
   LOGFILE=/root/ip.txt
   Current_IP=$(dig +short $RDS_ENDPOINT | tail -n1) #NOTE: THE "/ TAIL -n1" piece is critical to ensure only the IP address of the RDS instnce is picked.
   if [ $LOGFILE = "" ] ; then
     iptables -I INPUT -i eth1 -s $Current_IP -j ACCEPT
     echo $Current_IP > $LOGFILE
   else
     Old_IP=$(cat $LOGFILE)
     if [ "$Current_IP" = "$Old_IP" ] ; then
       echo "IP address has not changed ($Old_IP -> $Current_IP)"
     else
       iptables -t nat -D PREROUTING -p tcp --dport 80 -j DNAT --to-destination $Old_IP:$RDS_PORT
       iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination $Current_IP:$RDS_PORT
       sysctl net.ipv4.ip_forward=1
       iptables-save
       echo $Current_IP > $LOGFILE
       echo "IP address has changed ($Old_IP -> $Current_IP)"
     fi
   fi
   sleep 5
   done
   

   NOTE: If you are using Amazon Linux 2023, this doesn't support python2. You need to change the following part of Line 6 of the script above from:

   python -m SimpleHTTPServer 801
   

   to:

   python3 -m http.server 801
   

2. Once you’ve finished setting up the port forwarding instance, configure the NLB listener and target group to route traffic to the portforwarder EC2 instance.

Using the dynamic IP address

Aurora and RDS databases provide an endpoint to access your database when you set them up. This endpoint resolves to an IP address. AWS doesn’t recommend using this IP address, since it can change without notice. To work around this limitation, you can deploy a lambda function to periodically check the IP address and update the NLB target group when it changes.

To use the IP address of the RDS or Aurora database in your NLB target group, do the following:

1. Run the nslookup or dig command with the domain name of RDS endpoint as the input to find the IP address:

   dig +short <YOUR_RDS_DNS_ENDPOINT>

2. Set up your NLB target group with the IP address.

3. Deploy a lambda function to periodically perform nslookup on the RDS endpoint to see if the IP address has changed and update the target group with the new IP address.

Contact your account manager for help setting up PrivateLink for your on-premises source. Our team will help you set up AWS Direct Connect to an AWS VPC, which Fivetran can connect to using PrivateLink.

The self-service functionality is not available by default. Contact your Fivetran account manager to enable this functionality for you.

With self-service, you can enable AWS PrivateLink on the following connectors:

• HVA Oracle
• MySQL
• Oracle
• PostgreSQL
• SQL Server

Find connection service name

1. Log in to your AWS account.

2. Configure the NLB for each subnet (availability zone) where you want the service to be available.

3. Create a VPC endpoint service configuration and specify your NLB.

   IMPORTANT: Make sure that you are familiar with the endpoint service considerations and you have met its prerequisites.

4. Safelist Fivetran’s AWS VPC Account ID (arn:aws:iam::834469178297:root) to allow access to your VPC endpoint service.

   TIP: To learn how to safelist the Fivetran account ID, see AWS' documentation.

5. Make a note of your service name (VPCe) (for example, com.amazonaws.vpce.<region_id>.vpce-svc-xxxxxxxxxxxxxxxxx). You will need it to configure Fivetran.

Configure PrivateLink connection

1. In your connector setup form, select Connect via Private Networking in the Connection Method drop-down menu.

2. Click + Configure a new PrivateLink connection.

3. Enter a Name for your PrivateLink connection.

4. In the PrivateLink connection service name field, enter the service name you found in Step 1.

5. Click Create and save. Fivetran will raise a connection request in AWS.

   NOTE: It might take up to 10 minutes for us to raise the connection request.

Accept connection request

1. Go to your AWS account.

2. In the top left corner, click Services, then select VPC.

3. In the VPC dashboard, click Endpoint services.

4. Refresh the Endpoint services page to see the new connection request from Fivetran. The new connection request is in Pending acceptance state.

   NOTE: It might take some time for the new connection request to appear on the list.

5. Select the new connection request.

6. Go the Endpoint connections tab.

7. In the Actions drop-down menu, select Accept endpoint connection request.

8. In the Accept endpoint connection request pop-up window, enter accept in the text box, then click Accept. The status of the request will change to Pending. After a few minutes, the status will change to Accepted and a Connection created message will appear in your source setup form.

We support connecting to the following Azure-hosted sources using Private Link:

• Azure Blob Storage
• Azure Cosmos DB
• Azure Functions
• Azure Database for MariaDB
• Azure Database for MySQL
• Azure Database for PostgreSQL
• Azure SQL Database
• Azure SQL Managed Instance

The following graphic illustrates how Azure Private Link establishes a connection between the Fivetran network and the customer network. Fivetran uses Private Endpoints to establish a Private Link with the Azure Database for MySQL and Snowflake.

To establish a Private Link connection, do the following:

1. Verify that your Azure-hosted source supports Private Endpoint in Microsoft’s Private Endpoint documentation.
2. Contact your Fivetran account manager and provide your Azure-hosted service’s fully-qualified resource ID, including the resource name and resource type of your Azure-hosted source.
3. Wait to receive Private Endpoint request details from Fivetran. We create a Private Endpoint using your resource ID, type, and subresource. We then initiate a Private Link connection request as part of the Private Endpoint setup and share the details of that request with you.
4. In the Azure Portal or CLI, verify and approve the Private Link connection request from Fivetran. Fivetran then finishes setting up Private Link for your Azure-hosted service on our side.

How you set up Private Link for your Azure Virtual Machine-hosted or on-premises source depends on whether or not your source already has an Azure Private Link Service.

If your source is already configured with a Private Link Service, follow the setup instructions for Azure-hosted sources to complete your Fivetran setup.

If you do not have a Private Link Service yet, you will need to configure one before establishing a Private Link connection by following the steps below:

NOTE:

• You must have a VNet with access to your sources.
• If you are configuring your on-premises sources and they aren't connected to Azure yet, either follow the instructions in the Azure ExpressRoute documentation (recommended) or Azure VPN Gateway documentation to connect them to Azure.
  • Azure ExpressRoute provides a dedicated, high-bandwidth connection between the on-premise network and Azure, bypassing the public internet.
  • Azure VPN Gateway establishes a secure, encrypted VPN tunnel over the public internet between the on-premise network and Azure.
• If you are configuring your Azure Virtual Machine-based sources, ensure that they are accessible from the VNet where the Private Link Service Load Balancer will be running.
• A single Azure Private Link Service can support one or multiple sources at the same time with different ports mapped to corresponding data source IP addresses. You will need to enter these ports in the Fivetran connector setup form.

1. Inside the VNet, create a Standard Load Balancer with a NIC-based backend pool that has access to your data sources. Configure a health probe and a load balancer rule with the ports that your connectors will use. Learn how in Azure's Create a load balancer guide.
2. Create a Private Link Service associated with the load balancer that you created in step 1. Learn how in Azure's Create a private link service guide.
3. Create one or more Virtual Machines and place them in the backend pool of the load balancer you created in step 1.
4. Enable IP forwarding on each of the backend Virtual Machine network interfaces. Learn how to enable IP forwarding in Azure's Enable IP forwarding documentation.
5. For security purposes, ensure that no public IP addresses are configured for the Virtual Machines. Private Link connections use only private IP addresses.
6. Log in into each Load Balancer-backend Virtual Machine and run the script below. The script configures Network Address Translation (NAT), which forwards network packets from SLB-backend Virtual Machines to your data sources. The script below configures a single port forwarding, but feel free to add additional sets of iptables PREROUTING and POSTROUTING rules for additional ports:

#!/bin/bash

# This script configures Network Address Translation to forward incoming packets
# from the Azure Standard Load Balancer to IP-based destinations and route them
# back. In this script, "destination" means a data source server that Fivetran connects to.

# local port where Load Balancer sends traffic to
SOURCE_PORT=<local_port>
# destination server inside internal network
DESTINATION_IP=<destination_server_ip_address>
DESTINATION_PORT=<destination_server_port>

# enable IP forwarding on host
echo 1 > /proc/sys/net/ipv4/ip_forward

# clear existing iptables rules and chains
iptables -F
iptables -t nat -F
iptables -X

# change the packet recipient from local to destination socket (host & port)
iptables -t nat -A PREROUTING -p tcp --dport ${SOURCE_PORT} -j DNAT --to-destination ${DESTINATION_IP}:${DESTINATION_PORT}

# change the source IP address from the LB NAT IP address to the IP of this LB-backend host
iptables -t nat -A POSTROUTING -p tcp -d ${DESTINATION_IP} --dport ${DESTINATION_PORT} -j SNAT --to-source $(hostname -i)

For additional help, read Microsoft’s Private Link Service documentation or contact your Fivetran account manager.

The self-service functionality is not available by default. Contact your Fivetran account manager to enable this functionality for you.

With self-service, you can enable Azure Private Link on the following sources:

• SQL Server
• Cosmos

Find resource ID

1. Verify that your source supports Private Endpoint. For more information, see Microsoft’s documentation.
2. Log in to the Azure portal and then go to your Azure-hosted service.
3. Select your workspace and then go to Properties.
4. Make a note of the Resource ID. You will need it to create the Private Link connection.

Configure Private Link connection

1. In your connector setup form, select Connect via Private Networking in the Connection Method drop-down menu.

2. Click + Configure a new PrivateLink connection.

3. Enter a Name for your Private Link connection.

4. In the PrivateLink Resource ID field, enter the resource ID you found in Step 1.

5. In the PrivateLink Subresource name drop-down menu, select the subresource corresponding to your resource type. The following table lists the subresources corresponding to each resource type:

   Resource Type	Subresource
   Azure SQL Database	sqlServer
   Azure Cosmos DB	sql

6. Click Create and save. Fivetran will raise a connection request in Azure.

   NOTE: It might take up to 10 minutes for us to raise the connection request.

Accept connection request

1. Go to your Azure account.
2. Go to Private Link Center > Pending connections.
3. Select the connection request from Fivetran, then click Approve.
4. In the pop-up window, confirm that you want to approve the connection request. Once Azure processes the request, a Connection created will appear in your source setup form.
5. Update your username to <username>@dbname.

We support connecting to any GCP-hosted resource as long as it's supported by Fivetran and exposed through a Private Service Connect producer.

In the following example, we publish a service that runs on a specific instance. However, there are several other ways to expose your service. To learn more, ask your administrators for help or read Google's Publish managed services using Private Service Connect documentation.

You'll need the following in Inputs for commands used in steps below:

• <NETWORK>- the VPC network in which the exposed resource exists
• <SUBNET>- the subnetwork where the exposed resource exists
• <ILB_SUBNET> - the subnetwork used for allocation of internal load balancers addresses (forwarding rules)
• <PSC_NAT_SUBNET> - the subnetwork used for allocation IPs for each customer endpoint address
• <REGION> - the region where the exposed resource exists
• <ZONE> - the zone where the exposed resource exists
• <VM_NAME> - the VM on which the exposed resource runs
• <VM_IP> - the private IP on which the exposed resource is available
• <RESOURCE_PORT> - the port on which the exposed resource is available in a VM
• <NETWORK_ENDPOINT_GROUP> - the network endpoint group
• <HEALTH_CHECKS> - the port health checks
• <BACKEND_SERVICES> - the backend services
• <FORWARDING_RULE> - the forwarding rule
• <SERVICE_ATTACHMENT> - the service attachment

IMPORTANT: If you already have a regional internal load balancer for your resource, proceed to step 8 of this section.

1. Create a network endpoint group.

   gcloud compute network-endpoint-groups create --network <NETWORK> --subnet <SUBNET> \
    --network-endpoint-type gce-vm-ip --zone <ZONE> <NETWORK_ENDPOINT_GROUP>
   

2. Add an instance with the running resource as an endpoint to the network endpoint group.

   gcloud compute network-endpoint-groups update --zone <ZONE> <NETWORK_ENDPOINT_GROUP> \
    --add-endpoint='instance=<VM_NAME>
   

3. Create health checks to automatically enable and disable the instance. In this example, we use port checks.

   gcloud compute health-checks create tcp --region <REGION> --check-interval=60s 
    --port=<RESOURCE_PORT> <HEALTH_CHECKS>
   

4. Create backend services.

   gcloud compute backend-services create --region=<REGION> --health-checks=<HEALTH_CHECKS> \
       --health-checks-region=<REGION> --load-balancing-scheme=INTERNAL <BACKEND_SERVICES>
   

5. Assign the network endpoint group you created as a backend.

   gcloud compute backend-services add-backend <BACKEND_SERVICES> --network-endpoint-group=<NETWORK_ENDPOINT_GROUP> \
       --network-endpoint-group-zone=<ZONE>
   

6. (Optional) Allocate a subnetwork dedicated to forwarding rules.

   cloud compute networks subnets create --network <_NETWORK_> --region <REGION> 
       --range=10.0.X.0/24 <ILB_SUBNET>
   

7. Create a forwarding rule for the internal load balancer. It points to <BACKEND_SERVICES> and allocates the IP address from <ILB_SUBNET> in <NETWORK>.

   gcloud compute forwarding-rules create --backend-service=<BACKEND_SERVICES> --region <REGION> \
       --load-balancing-scheme=INTERNAL --ports=ALL --subnet=<ILB_SUBNET> --network=<NETWORK> <FORWARDING_RULE>
   

8. Allocate a NAT subnetwork dedicated to creating endpoints for each connected customer.

   cloud compute networks subnets create --network <NETWORK> --region <REGION> --range=10.0.X.0/24  \
    --purpose=PRIVATE_SERVICE_CONNECT <_PSC_NAT_SUBNET_>
   

9. Open traffic from the ILB and NAT networks to a VM or port using the corresponding ranges specified in previous steps.

   gcloud compute firewall-rules create --direction=INGRESS --priority=1000 --network=<_NETWORK_> --action=ALLOW \
       --rules=tcp:_RESOURCE_PORT_ --source-ranges=10.0.X.0/24 --destination-ranges=<_VM_IP_>/32 db-demo-allow-psc-nats
   
   gcloud compute firewall-rules create --direction=INGRESS --priority=1000 --network=<_NETWORK_> --action=ALLOW \
       --rules=tcp:_RESOURCE_PORT_ --source-ranges=10.0.X.0/24 --destination-ranges=<_VM_IP_>/32 db-demo-allow-ilb-nats
   

10. Create a service attachment and point it to the internal load balancer you created above (FORWARDING_RULE) with manual accepting mode.

    gcloud compute service-attachments create --producer-forwarding-rule=<FORWARDING_RULE> --connection-preference=ACCEPT_MANUAL \
        --region=<REGION> --description='Producer for my resource in region' --nat-subnets <_PSC_NAT_SUBNET_> <SERVICE_ATTACHMENT>
    

11. Contact Fivetran to set up a Private Service Connect link on the Fivetran side. Fivetran will provide a PSC_CONNECTION_ID, which allows you to identify which connections come from Fivetran before you approve them.

NOTE:

• If you want to auto-approve the Fivetran project, use the --consumer-accept-list=fivetran_donkeys=2 parameter for gcloud.
• The instructions above use network endpoint groups, since it's easy to attach them to existing VMs. However, if a VM is already a part of the instance groups, you can use it directly as a backend services target.
• You can test a newly-created producer in another VPC by allocating an IP and creating a forwarding rule, as described in Google Cloud's Configure Private Service Connect Services documentation.

When setting up access for CloudSQL databases using private IP, you need an additional VM to act as a forwarding proxy. You can use your solution like HAProxy or iptables.

NOTE: If you use the following vm script, make sure to persist iptables rules and consider using instance groups instead of standalone VMs.

#!/bin/bash

# This script configures Network Address Translation to forward incoming packets
# from the Load Balancer to IP-based destinations and route them
# back. In this script, "destination" means a data source server that Fivetran connects to.

# local port where the Load Balancer sends traffic to
SOURCE_PORT=<local_port>
# destination server inside internal network
DESTINATION_IP=<destination_server_ip_address>
DESTINATION_PORT=<destination_server_port>

# enable IP forwarding on host
echo 1 > /proc/sys/net/ipv4/ip_forward

# clear existing iptables rules and chains
iptables -F
iptables -t nat -F
iptables -X

# change the packet recipient from local to destination socket (host & port)
iptables -t nat -A PREROUTING -p tcp --dport ${SOURCE_PORT} -j DNAT --to-destination ${DESTINATION_IP}:${DESTINATION_PORT}

# change the source IP address from the LB NAT IP address to the IP of this LB-backend host
iptables -t nat -A POSTROUTING -p tcp -d ${DESTINATION_IP} --dport ${DESTINATION_PORT} -j SNAT --to-source $(hostname -i)

Once you have the VMs properly set up, follow the standard setup instructions for Google Cloud Private Service Connect.

To connect your on-premises source to Fivetran, you must first use Dedicated Interconnect to connect a VPC to your on-premises source, then use Private Service Connect to connect that VPC to Fivetran.

1. Follow the instructions in Google's Dedicated Interconnect provisioning overview to set up Dedicated Interconnect and use it to connect a VPC to your on-premises source.

2. When setting up access for on-premises databases using private IP, you need an additional VM to act as a forwarding proxy. You can use your solution like HAProxy or iptables.

   NOTE: If you use the following vm script, make sure to persist iptables rules and consider using instance groups instead of standalone VMs.

   #!/bin/bash
   
   # This script configures Network Address Translation to forward incoming packets
   # from the Load Balancer to IP-based destinations and route them
   # back. In this script, "destination" means a data source server that Fivetran connects to.
   
   # local port where the Load Balancer sends traffic to
   SOURCE_PORT=<local_port>
   # destination server inside internal network
   DESTINATION_IP=<destination_server_ip_address>
   DESTINATION_PORT=<destination_server_port>
   
   # enable IP forwarding on host
   echo 1 > /proc/sys/net/ipv4/ip_forward
   
   # clear existing iptables rules and chains
   iptables -F
   iptables -t nat -F
   iptables -X
   
   # change the packet recipient from local to destination socket (host & port)
   iptables -t nat -A PREROUTING -p tcp --dport ${SOURCE_PORT} -j DNAT --to-destination ${DESTINATION_IP}:${DESTINATION_PORT}
   
   # change the source IP address from the LB NAT IP address to the IP of this LB-backend host
   iptables -t nat -A POSTROUTING -p tcp -d ${DESTINATION_IP} --dport ${DESTINATION_PORT} -j SNAT --to-source $(hostname -i)
   

3. Once you have the VMs properly set up, follow the standard setup instructions for Google Cloud Private Service Connect.

When installing the Proxy Agent as a service, the user who installs the Proxy Agent must have permission to manage Windows services. We recommend that you install the Proxy Agent as an Administrator user.

1. Run the downloaded .exe file (e.g. fivetran-6.1.0_23-hub_and_agent-windows-x64-64bit_ga_patch-setup.exe).

2. In the installation wizard dialog, click Next.

3. Read the License Agreement, select I accept the agreement and click Next.

4. Specify the installation directories and click Next.

   NOTE: If this is a first-time installation, the High-Volume Agent (HVA) and Proxy Agent can be installed in the same directory. Otherwise, you can either install the Proxy Agent in a different directory than the HVA or manually install the Proxy Agent using a ZIP file.

   

5. Specify the name for the program folder and click Next.

   

6. Select the role of the installation:

   • Proxy Agent to install only the Proxy Agent or
   • High-Volume Agent (HVA) and Proxy Agent to install both the Proxy Agent and HVA.

7. If you selected High-Volume Agent (HVA) and Proxy Agent in the previous step, enter value for the High-Volume Agent Listener Port and click Next.

   

8. Paste the Proxy Agent settings generated in step 6 and click Next.

   

9. Select the user account for running the Proxy Agent service.

   • If Specified user is selected, enter values for User, Password, Confirm Password and click Next.

     

   • If Local System account is selected, click Next.

     

10. Select Add HVR_HOME, HVR_CONFIG, and HVR_TMP (if required) and click Next. If you are only installing the Proxy Agent, we recommend that you skip this step.

    This is to set the environment variables HVR_HOME, HVR_CONFIG, and HVR_TMP in your operating system. These variables point to the corresponding installation directories created in step 4 above.

    

11. Click Next to initiate the installation.

    NOTE: If you selected High-Volume Agent (HVA) and Proxy Agent in step 6, this will install both the Proxy Agent and High-Volume Agent under the same installation directory.

    

12. Click Finish to start the Proxy Agent. Once installed, the Proxy Agent service appears running in Windows Services.

    NOTE: If you selected High-Volume Agent (HVA) and Proxy Agent in step 6, this will start both the Proxy Agent and High-Volume Agent services.

    

Perform the following steps in the user account that will be used for operating the Proxy Agent:

1. Configure the environment variables HVR_HOME, HVR_CONFIG, and HVR_TMP for your operating system using command setx or set. Each of these environment variables should be pointed to the installation directories - hvr_home, hvr_config, and hvr_tmp:

   Environment variables set using setx command are available in the future command windows only and the environment variables set using set command are available in the current command window only.

   setx HVR_HOME C:\fivetran\hvr_home
   setx HVR_CONFIG C:\fivetran\hvr_config
   setx HVR_TMP C:\fivetran\hvr_tmp
   

   set HVR_HOME=C:\fivetran\hvr_home
   set HVR_CONFIG=C:\fivetran\hvr_config
   set HVR_TMP=C:\fivetran\hvr_tmp
   

   Also, add the executable directory path (e.g C:\fivetran\hvr_home\bin) to the environment variable PATH.

   setx PATH "%PATH%C:\fivetran\hvr_home\bin"
   

   set PATH=%PATH%;C:\fivetran\hvr_home\bin
   

   Alternatively, environment variables can be configured using Windows GUI.

   1. Navigate to Control Panel ▶ System and Security ▶ System ▶ Advanced system settings

      Alternatively, use the command sysdm.cpl to open System Properties.

   2. In the Advanced tab, click Environment Variables...

   3. In section System variables or User Variables for user_name, click New.

      1. Enter Variable name (e.g, HVR_HOME) and Variable value (e.g, C:\fivetran\hvr_home).
         
      2. Click OK.
      3. Repeated the above steps for each environment variable.

   4. Add the executable directory path to the environment variable Path.

      1. In section System variables or User Variables for user_name, from the list of variables, select Path and click Edit....
      2. Click New and enter the path for the Proxy Agent executable.
         
      3. Click OK.

2. Create the installation directory - hvr_home (e.g. C:\fivetran\hvr_home):

   md %HVR_HOME%
   

   • Other directories (hvr_config and hvr_tmp) will be created automatically as needed.
   • hvr_home is regarded a read-only directory.

3. Uncompress (unzip) the installation file (e.g. fivetran-6.1.0_23-hub_and_agent-windows-x64-64bit_ga_patch.zip) into the hvr_home directory:

   cd %HVR_HOME%
   C:\fivetran\hvr_home>tar -xf C:\Users\Admin\Downloads\fivetran-6.1.0_23-hub_and_agent-windows-x64-64bit_ga_patch.zip
   

   Alternatively, files can be uncompressed using the 'Extract All' option in Windows GUI.

   

4. Paste the Proxy Agent settings generated in Step 6 to the proxyagent.conf file located in the HVR_CONFIG/proxy directory.

   NOTE: If missing, create the file manually.

5. Run the following command to validate the Proxy Agent settings:

   %HVR_HOME%/jre/bin/java -jar %HVR_HOME%/proxy/proxyagent.jar -v %HVR_CONFIG%/proxy/proxyagent.conf
   

6. Create a .bat file (e.g. install_and_run_proxy_service.bat) with the following contents.

    FOR /F "delims=" %%i IN ('CALL "%HVR_HOME%/bin/hvr" hvrhubserversvc -s') DO SET HvrHubServerSvcOutput=%%i
    REM We use a normalized HVR_CONFIG path hash to guarantee a unique service name
    SET HubConfigHash=%HvrHubServerSvcOutput:~13,8%
   
    REM In the CLI below use "DomainName\UserName" for --ServiceUser and specify --ServicePassword parameter if needed
    REM Adjust the other parameters as necessary
    REM Ensure to have unique service name (in //IS//<ServiceName>) and display name 
    %HVR_HOME%/proxy/prunsrv.exe //IS//FivetranProxy_%HubConfigHash% ^
       --StartParams "%HVR_CONFIG%/proxy/proxyagent.conf" ^
       --ServiceUser "LocalSystem" ^
       --DisplayName "Fivetran Proxy Agent [%HubConfigHash%]" ^
       --Description "Fivetran Proxy Agent installed into %HVR_HOME%\proxy" ^
       --Jvm "%HVR_HOME%/jre/bin/server/jvm.dll" ^
       --JavaHome "%HVR_HOME%/jre" ^
       --Classpath "%HVR_HOME%/proxy/proxyagent.jar" ^
       --StartPath "%HVR_HOME%/proxy/" ^
       --Startup=auto ^
       --StartMode=jvm ^
       --StartClass=com.fivetran.proxy.agent.ProxyAgent ^
       --StartMethod=main ^
       --StopMode=jvm ^
       --StopClass=com.fivetran.proxy.agent.ProxyAgent ^
       --StopMethod=stop ^
       --JvmOptions "-XX:+HeapDumpOnOutOfMemoryError" ^
       --StdOutput "%HVR_CONFIG%/proxy/logs/agent-out.log" ^
       ++Environment "HVR_CONFIG=%HVR_CONFIG%" ^
       ++Environment "HVR_HOME=%HVR_HOME%" ^
       ++Environment "HVR_TMP=%HVR_TMP%"
   
     %HVR_HOME%/proxy/prunsrv.exe //ES//FivetranProxy_%HubConfigHash%
   

7. Run the .bat file to configure and start the Proxy Agent:

   install_and_run_proxy_service.bat
   

Perform the following steps as the user that will be used for operating Proxy Agent:

The commands to set the environment variables depend on the shell you use to interface with the operating system. This procedure lists examples that can be used in Bourne Shell (sh) and KornShell (ksh).

1. Configure the environment variables HVR_HOME, HVR_CONFIG, and HVR_TMP for your operating system. Each of these environment variables should be pointed to the installation directories - hvr_home, hvr_config, and hvr_tmp.

   export HVR_HOME=/home/fivetran/hvr_home 
   export HVR_CONFIG=/home/fivetran/hvr_config
   export HVR_TMP=/home/fivetran/hvr_tmp
   

   Also, add the executable directory path to the environment variable PATH.

   PATH=$PATH:$HVR_HOME/bin
   

2. Add the environment and the executable directory path into the startup file (e.g. .profile).

   export HVR_HOME=/home/fivetran/hvr_home
   export HVR_CONFIG=/home/fivetran/hvr_config
   export HVR_TMP=/home/fivetran/hvr_tmp
   export PATH=$PATH:$HVR_HOME/bin
   

3. Create the installation directory - hvr_home using the following commands:

   umask 022
   

   mkdir $HVR_HOME
   

   TIP: umask 022 is used so that the files and directories created in the following commands are readable by everyone (other Linux users and groups), but only writable by the owner. Other directories (HVR_CONFIG and HVR_TMP) will be created automatically as needed. The HVR_HOME directory is regarded as read-only.

4. Uncompress the installation file (e.g. fivetran-6.1.0_23-hub_and_agent-linux_glibc2.17-x64-64bit_ga.tar.gz) into the HVR_HOME directory:

   cd $HVR_HOME
   

   tar xzf /tmp/hvr-6.1.0_23-hub_and_agent-linux_glibc2.17-x64-64bit_ga.tar.gz
   

   Once installed, the jre and proxy folders are created in your HVR_HOME directory.

5. Create a new directory for the proxyagent.conf file in hvr_config (/home/fivetran/hvr_config/proxy). Paste the Proxy Agent settings generated in step 6 to the proxyagent.conf file located in the newly created directory.

6. Run the following command to verify if the Linux machine is ready for the setup. The output of the command should be systemd.

   ps -p 1 -o comm=
   

7. Update the fivetran_proxy.service file in the /etc/systemd/system directory with the correct path to java.jar, proxyagent.jar, and proxyagent.conf files.

   If missing, create the fivetran_proxy.service file manually. The contents of the file should be as follows:

   [unit]
   Description=Fivetran Proxy Agent #<agent_id>
   
   [Service]
   
   Type=simple
   
   ExecStart=/home/fivetran/hvr_home/jre/bin/java -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=/home/fivetran/hvr_config/proxy/ -jar /home/fivetran/hvr_home/proxy/proxyagent.jar /home/fivetran/hvr_config/proxy/proxyagent.conf
   
   # Restart this service to after a crash
   Restart=always
   
   # The number of seconds to wait before attempting a restart
   RestartSec=5s
   
   [Install]
   WantedBy=multi-user.target
   

8. Execute the following commands as the root user to start the Proxy Agent service.

   a. Enable the service:

   systemctl enable fivetran_proxy.service
   

   b. Start the service:

   systemctl start fivetran_proxy.service
   

   c. Verify the status of the service:

   systemctl status fivetran_proxy.service
   

If your Proxy Agent is installed on a Windows system, you can set up a recovery configuration for the agent by performing the following steps:

NOTE: This process is not required on Linux systems.

1. Go to Control Panel > Administrative Tools > Computer Management > Services and Applications > Services or use the services.msc command to open the Services console.

2. In the Services console, locate the Fivetran Proxy Agent service. Ensure the service description matches the installation directory.

3. Right-click the service and select Properties.

4. Go to the Recovery tab.

5. Set your preferred recovery options for the failure scenario.

   

TIP: The SC failure command-line utility is also available for more advanced configurations. This tool allows you to automate recovery actions directly through the command line.

The steps to uninstall the Proxy Agent depend on whether you used an EXE file (Installer) or a ZIP file to install it.

IMPORTANT: Ensure that no Windows Services management console applications (opened via services.msc) are running.

Uninstall Proxy Agent that was installed using an EXE file

1. Navigate to the uninstall folder in the Proxy Agent installation directory %HVR_HOME% (for example, C:\fivetran\hvr_home\uninstall).

2. Double-click the uninstall.exe file to initiate the uninstallation process.

Uninstall Proxy Agent that was installed using a ZIP file

1. Create a .bat file (for example, delete_proxy_agent_service.bat) with the following contents:

      FOR /F "delims=" %%i IN ('CALL "%HVR_HOME%/bin/hvr" hvrhubserversvc -s') DO SET HvrHubServerSvcOutput=%%i
      REM We use a normalized HVR_CONFIG path hash to guarantee a unique service name
      SET HubConfigHash=%HvrHubServerSvcOutput:~13,8%
   
      %HVR_HOME%/proxy/prunsrv.exe //DS//FivetranProxy_%HubConfigHash%
   

2. Run the .bat file as an Administrator to remove all Proxy Agent service entries.

1. Stop the Proxy Agent service:

    sudo systemctl stop fivetran_proxy.service
   

2. Disable the service from auto-starting at boot:

    sudo systemctl disable fivetran_proxy.service 
   

3. Remove the service configuration file:

    sudo rm /etc/systemd/system/fivetran_proxy.service
   

4. Reload the systemd manager configuration:

    sudo systemctl daemon-reload
   

5. Clear the systemd state for any failed services:

    sudo systemctl reset-failed