AWS Big Data Blog
Use custom domain names with Amazon Redshift
Amazon Redshift is a fully managed, petabyte-scale data warehouse service in the cloud. With Amazon Redshift, you can analyze all your data to derive holistic insights about your business and your customers.
Amazon Redshift now supports custom URLs or custom domain names for your data warehouse. You might want to use a custom domain name or CNAME (Canonical Name) for the following reasons:
- A custom domain name is straightforward to recall and use.
- Routing connections is less disruptive. The connections from the client are pointed to the DNS record and not the server name. This lets you easily route connections to new clusters in failover or disaster recovery scenarios.
- You can now obfuscate your server names with a friendly custom domain name.
- It helps you avoid application code or connectivity changes in case the underlying data warehouse is migrated to a different Region or the endpoint is changed.
In this post, we discuss how you can modify your data warehouse to use custom domain names and how to connect to a data warehouse that has been configured with a custom URL.
Pre-requisites
To get started, you need a registered domain name. You can use Amazon Route 53 or a third-party domain registrar to register a domain.
You also need a validated Secure Sockets Layer (SSL) certificate for your custom endpoints. This is to verify ownership of the domain name and secure communication. You can use AWS Certificate Manager (ACM) to provision, manage, and deploy public SSL/TLS certificates. You need to use verify-full mode, which ensures that the connections are encrypted and verifies that the hostname of the server matches the hostname in the certificate.
Lastly, you need to attach the necessary permissions to the AWS Identity and Access Management (IAM) role that’s assigned to the relevant users and groups that will manage your Redshift data warehouse. These vary depending on if you’re using Amazon Redshift provisioned or Amazon Redshift Serverless. The permissions needed for the required actions are listed in the following table.
Action | IAM permission (Redshift Provisioned) | IAM permission (Redshift Serverless)
Create custom domain for data warehouse | redshift:CreateCustomDomainAssociation, acm:DescribeCertificate | redshiftServerless:CreateCustomDomainAssociation, acm:DescribeCertificate
Renaming cluster that has custom domain name | acm:DescribeCertificate | Not needed
Changing certificate for association | redshift:ModifyCustomDomainAssociation, acm:DescribeCertificate | redshiftServerless:UpdateCustomDomainAssociation, acm:DescribeCertificate
Deleting custom domain | redshift:DeleteCustomDomainAssociation | redshiftServerless:DeleteCustomDomainAssociation
Connecting to the data warehouse using custom domain name | redshift:DescribeCustomDomainAssociations | Not needed
The following screenshot shows an example of creating an IAM policy on the IAM console.
Creating DNS CNAME entry for custom domain name
The custom domain name typically includes the root domain and a subdomain, like mycluster.mycompany.com. You can either register a new root domain or use an existing one. For more information about registering a new domain with Route 53, refer to Registering a new domain.
After you set that up, you can add a DNS record that points your custom CNAME to the Redshift endpoint. You can find the data warehouse endpoint on the Amazon Redshift console on the cluster detail page.
The following screenshot illustrates locating a provisioned endpoint.
The following screenshot illustrates locating a serverless endpoint.
Now that you have created the CNAME entry, you can request a certificate from ACM. Complete the following steps:
- Open the ACM console and choose Request a certificate.
- For Fully qualified domain name, enter your custom domain name.
- Choose Request.
- Confirm that the request is validated by the owner of the domain by checking the status of the certificate.
The status should be Issued.
Now that you have created the CNAME record and certificate, you can create the custom domain URL for your Redshift cluster using the Amazon Redshift console.
Creating custom domain for a provisioned instance
To create a custom domain for a provisioned instance, complete the following steps:
- On the Amazon Redshift console, navigate to your provisioned instance detail page.
- On the Actions menu, choose Create custom domain name.
- For Custom domain name, enter the CNAME record for your Redshift provisioned cluster.
- For ACM certificate, choose the appropriate certificate.
- Choose Create.
You should now have a custom domain name associated to your provisioned data warehouse. The custom domain name and custom domain certificate ARN values should now be populated with your entries.
Note that sslmode=verify-full will only work for the new custom endpoint. You can’t use this mode with the default endpoint; you can connect to the default endpoint by using other SSL modes like sslmode=verify-ca.
Create a custom domain for a serverless instance
To create a custom domain for a serverless instance, complete the following steps:
- On the Amazon Redshift console, navigate to your serverless instance detail page.
- On the Actions menu, choose Create custom domain name.
- For Custom domain name, enter the CNAME record for your Redshift Serverless workgroup.
- For ACM certificate, choose the appropriate certificate.
- Choose Create.
You should now have a custom domain name associated to your serverless workgroup. The custom domain name and custom domain certificate ARN values should now be populated with your entries.
Note that, as with a provisioned instance, sslmode=verify-full will only work for the new custom endpoint. You can’t use this mode with the default endpoint; you can connect to the default endpoint by using other SSL modes like sslmode=verify-ca.
Connect using custom domain name
You can now connect to your cluster using the custom domain name. The JDBC URL would be similar to jdbc:redshift://prefix.rootdomain.com:5439/dev?sslmode=verify-full, where prefix.rootdomain.com is your custom domain name and dev is the default database. Use your preferred editor to connect to this URL using your user name and password.
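The following Python sketch is an added example, not code from this post or from AWS. It checks a JDBC URL before use: that sslmode is verify-full, and that the host is covered by the names on the certificate, which is the hostname comparison verify-full performs. The function names and the sample certificate name lists are assumptions made for illustration.

```python
# Added example: pre-flight check for a Redshift JDBC URL (not AWS code).
# Every host name and certificate name list used with it is a constructed sample.
from urllib.parse import urlsplit, parse_qs


def hostname_matches(hostname, cert_dns_names):
    """Hostname check that verify-full adds: exact name, or a wildcard
    covering exactly one left-most label (RFC 6125 style)."""
    host = hostname.lower().rstrip(".")
    for name in cert_dns_names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*."):
            first_label, _, parent = host.partition(".")
            if first_label and parent == name[2:]:
                return True
    return False


def check_jdbc_url(url, cert_dns_names):
    """Return a list of findings; an empty list means the URL passes."""
    prefix = "jdbc:"
    if not url.startswith(prefix + "redshift://"):
        return ["not a Redshift JDBC URL"]
    parts = urlsplit(url[len(prefix):])  # redshift://host:port/db?params
    host = parts.hostname or ""
    sslmode = parse_qs(parts.query).get("sslmode", ["<unset>"])[0]
    findings = []
    if sslmode != "verify-full":
        findings.append(f"sslmode is {sslmode}, not verify-full: "
                        "server hostname is not verified")
    if not hostname_matches(host, cert_dns_names):
        findings.append(f"{host} is not covered by certificate names "
                        f"{sorted(cert_dns_names)}")
    return findings


if __name__ == "__main__":
    cert = ["prefix.rootdomain.com"]  # names on the (constructed) certificate
    for url in (
        "jdbc:redshift://prefix.rootdomain.com:5439/dev?sslmode=verify-full",
        "jdbc:redshift://prefix.rootdomain.com:5439/dev?sslmode=verify-ca",
        "jdbc:redshift://other.rootdomain.com:5439/dev?sslmode=verify-full",
    ):
        print(url, "->", check_jdbc_url(url, cert) or "OK")
```

Running the same check over connection strings held in application configuration flags clients that have dropped to a weaker SSL mode or that point at a host the certificate does not name.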
Update the certificate association for your provisioned custom domain
To update the certificate association using the Amazon Redshift console, navigate to your provisioned cluster details page and on the Actions menu, choose Edit custom domain name. Update the domain name and ACM certificate, then choose Save changes.
To change the cluster’s ACM certificate associated to the custom domain using the AWS Command Line Interface (AWS CLI), use the following command:
Update the certificate for your serverless custom domain
To update the certificate using the Amazon Redshift console, navigate to your serverless workgroup details page and on the Actions menu, choose Edit custom domain name. Update the domain name and ACM certificate, then choose Save changes.
To change the serverless workgroup’s ACM certificate associated to the custom domain using the AWS CLI, use the following command:
Delete a custom provisioned domain
To delete your custom domain, navigate to the provisioned cluster details page. On the Actions menu, choose Delete custom domain name. Enter delete to confirm, then choose Delete.
To use the AWS CLI, use the following code:
Delete a custom serverless domain
To delete your custom domain, navigate to the serverless workgroup details page. On the Actions menu, choose Delete custom domain name. Enter delete to confirm, then choose Delete.
To use the AWS CLI, use the following code:
Conclusion
In this post, we discussed the benefits of using custom domain names for your Redshift data warehouse and the steps needed to associate a custom domain name with the Redshift endpoint. For more information, refer to Using a custom domain name for client connections.
About the Authors
Raghu Kuppala is an Analytics Specialist Solutions Architect experienced working in the databases, data warehousing, and analytics space. Outside of work, he enjoys trying different cuisines and spending time with his family and friends.
Sam Selvan is a Principal Analytics Solution Architect with Amazon Web Services.
Yanzhu Ji is a Product Manager in the Amazon Redshift team. She has experience in product vision and strategy in industry-leading data products and platforms. She has outstanding skill in building substantial software products using web development, system design, database, and distributed programming techniques. In her personal life, Yanzhu likes painting, photography, and playing tennis.
Nikhitha Loyapally is a Senior Software Development Engineer for Amazon Redshift.