ESPROFILER Handbook
Engineering

Production Database

Accessing the production database in rollback situations.

Accessing Production Databases via the AWS Jump Box

Use this process when you need temporary direct access to a production database for investigation, emergency fixes, Prisma migrations, or rollback support.

This method creates an SSH tunnel from your machine to the AWS network through the jump box, so your local tools can connect to a production database as though it were running locally.


When to use this

Use this only when necessary, for example:

  • connecting local tools to a production database
  • running Prisma migrations against production
  • inspecting production data in MySQL Workbench or another client
  • connecting to a restored snapshot during rollback work

This is not the preferred long-term workflow. It is a temporary access path for operational needs.


Prerequisites

You will need:

  • AWS access to the ESPROFILER account with Administrator Access
  • PuTTY installed
  • PuTTYgen installed
  • your SSH public key added to the jump box user
  • your home or office IP address whitelisted in the jump box security group
  • a database client (e.g. MySQL Workbench)

1. Generate an SSH key (if you don’t already have one)

Using PuTTYgen

  1. Open Start menu → search PuTTYgen
  2. Set key size to 4096
  3. Click Generate
  4. Move your mouse to generate entropy
  5. Add a key comment (your name or username)
  6. Set a memorable passphrase
  7. Save:
    • Private key
    • Public key

Store securely (e.g. a personal "Security" folder in Google Drive).


2. Share your public key

  1. Copy the public key text from PuTTYgen
  2. Send it to whoever manages jump box access

Important: send the full key text, not just a file.


3. Get your IP address whitelisted

  1. Google: what's my IP
  2. Copy your IPv4 address
  3. Send it to the AWS admin

You may need:

  • office IP
  • home IP

4. Add IP to AWS security group

  1. Open AWS → ESPROFILER
  2. Go to EC2
  3. Select instance: ESP1 connector
  4. Go to Security
  5. Open security group: DHCP ssh
  6. Edit inbound rules
  7. Add:
    • Port: 22
    • Source: your IP
    • Description: e.g. Joe home

Save.


5. Configure PuTTY connection

Session setup

  • Host: your-username@X.X.X.X
  • Save session as: ESP AWS

Add private key

  • Connection → SSH → Credentials
  • Load your private key
  • Save session again

Open the session.


6. Log in and change password

After login, run:

passwd

  • Enter your assigned temporary password
  • Set your own password

Tip: Right-click = paste in PuTTY.


7. Get database endpoint (AWS RDS)

MySQL (services)

  1. AWS → RDS
  2. Region: eu-west-2
  3. DB Instances → select DB (e.g. service8)
  4. Open Endpoints
  5. Copy endpoint
  6. Port: 3306

PostgreSQL (PCX)

  1. Open PostgreSQL instance
  2. Copy endpoint
  3. Port: 5432

8. Configure SSH tunnels in PuTTY

Path:

Connection → SSH → Tunnels

Each tunnel maps a local port on your machine (e.g. 13306) to the remote database host and port.

DB Type      Local Port   Remote Port
MySQL        13306        3306
PostgreSQL   15432        5432

Setup

  1. Enter source port
  2. Enter destination: <endpoint>:<port> (the endpoint and port from step 7)
  3. Click Add
  4. Repeat if needed
  5. Go to Session → Save
  6. Open session

Important: tunnel only works while PuTTY is open.


9. Connect via local tools

Example for Platform DB (MySQL Workbench):

  • Host: 127.0.0.1
  • Port: 13306
  • Username: espadministrator

10. Get database password (Secrets Manager)

  1. Open DB in AWS
  2. Go to Configuration
  3. Open linked secret
  4. Click Retrieve secret value

Copy:

  • username
  • password

Note: password rotates regularly — do not store permanently.


11. Using with apps / Prisma

Use:

  • Host: 127.0.0.1
  • Port: forwarded port

Examples:

  • MySQL: 127.0.0.1:13306
  • Postgres: 127.0.0.1:15432
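
An added example (not ESPROFILER's own code) for this step: it builds the Prisma connection URL for the tunnel from the username and password copied in step 10, percent-encoding them so special characters in a rotated password do not break the URL, and gives a redacted form for logs. The database name `platform` and the sample password are constructed; the secret is assumed to parse to an object with `username` and `password` fields.

```javascript
// Added example: Prisma connection URL for the jump-box tunnel.
// Local ports are the handbook's standard forwarded ports.
const TUNNEL_PORTS = new Map([
  ["mysql", 13306],
  ["postgresql", 15432],
]);

// secret: object parsed from "Retrieve secret value" (assumed to carry
//         `username` and `password`).
// dbName: database/schema to open (hypothetical parameter, not from the page).
function buildTunnelUrl(engine, secret, dbName) {
  if (!TUNNEL_PORTS.has(engine)) {
    throw new Error(`unsupported engine: ${engine}`);
  }
  if (!secret || !secret.username || !secret.password) {
    throw new Error("secret must contain username and password");
  }
  // Generated passwords can contain @ : / # ? which change how the URL is
  // parsed unless they are percent-encoded.
  const user = encodeURIComponent(secret.username);
  const pass = encodeURIComponent(secret.password);
  const db = encodeURIComponent(dbName);
  // Always loopback: the tunnel end lives on this machine, never a remote host.
  return `${engine}://${user}:${pass}@127.0.0.1:${TUNNEL_PORTS.get(engine)}/${db}`;
}

// Form of the URL that is safe to print or paste into a ticket.
function redact(connectionUrl) {
  return connectionUrl.replace(/^([a-z]+:\/\/[^:@\/]+:)[^@]*@/, "$1***@");
}

// Constructed sample secret (not a real credential).
const sample = { username: "espadministrator", password: "p@ss:w/rd#1" };
const demoUrl = buildTunnelUrl("mysql", sample, "platform");
console.log(redact(demoUrl));
```

Pass the result to Prisma through an environment variable set for the current process or shell only, rather than writing it to a `.env` file, since the password rotates and should not be stored.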

12. Rollback via snapshots

  1. Open snapshot in AWS
  2. Click Restore
  3. Give new DB name

Key behaviour

  • Does NOT overwrite production DB
  • Creates a new cluster

Workflow

  1. Connect to restored DB
  2. Extract required data/schema
  3. Apply to live DB

Operational notes

  • Keep PuTTY open while connected
  • Check IP whitelist if connection fails
  • Check SSH key if auth fails
  • Ensure region is eu-west-2
  • Avoid port clashes with local dev

Standard ports

  • MySQL production: 13306
  • PostgreSQL production: 15432

New starter checklist

Ensure:

  • AWS access granted
  • Correct AWS roles assigned
  • SSH key created + added
  • IP whitelisted
  • PuTTY installed
  • Database access tested
  • Google Cloud access granted (if needed)
  • Remote support tooling installed