How can I create a private connection from Amazon QuickSight to an Amazon Redshift cluster or an Amazon RDS DB instance that's in a private subnet?

Last updated: 2020-02-10

I want to create a private connection from Amazon QuickSight to an Amazon Redshift cluster or an Amazon Relational Database Service (Amazon RDS) instance that's in a private subnet. How do I do that?

Short Description

QuickSight supports Amazon Virtual Private Cloud (Amazon VPC) connections to AWS data sources. This means that you can connect to an Amazon Redshift cluster or an Amazon RDS DB instance without using the public internet.

Before creating the private connection from QuickSight to the private subnet, you must create a new private subnet and a new security group for QuickSight in the VPC that the Amazon Redshift cluster or DB instance is in. Then, allow traffic in both directions between the new security group and the security group of the Amazon Redshift cluster or DB instance.

Note: The data source must be in the same account and same Region that you're using for QuickSight.

Resolution

  1. Create a new private subnet in the same VPC that the Amazon Redshift cluster or RDS DB instance is in. A subnet is private when its route table has no route to an internet gateway, so associate the subnet with a route table that contains only the local route (a newly created subnet otherwise uses the VPC's main route table, which might route to an internet gateway). This is the subnet that QuickSight uses for the private connection.
  2. Create a new security group for QuickSight in the same VPC. A new security group has a default outbound rule that allows all traffic to 0.0.0.0/0; remove that rule so that the rule you add in step 4 is the only outbound path.
  3. Add an inbound rule to the QuickSight security group that allows all TCP traffic from the Amazon Redshift cluster or RDS DB instance. This rule is required because the security group on the QuickSight network interface doesn't behave statefully, so the data source's replies must be explicitly allowed in.
    For Type, choose All TCP.
    For Source, choose Custom, and then enter the ID of the security group that the cluster or DB instance is using.
  4. Add an outbound rule to the QuickSight security group that allows traffic to the Amazon Redshift cluster or RDS DB instance on the database port only.
    For Type, choose Custom TCP Rule.
    For Port Range, enter the port that the Amazon Redshift cluster or RDS DB instance listens on. The default Amazon Redshift port is 5439. The default Amazon RDS port depends on the engine: 3306 for MySQL and MariaDB, 5432 for PostgreSQL, 1433 for SQL Server, and 1521 for Oracle.
    For Destination, choose Custom, and then enter the ID of the security group that the cluster or DB instance is using.
  5. In the cluster or DB instance's security group, add an inbound rule that allows traffic on the database port from the security group that you created in step 2 (the QuickSight security group). Don't open all ports here; QuickSight needs only the listener port.
    For Type, choose Custom TCP Rule.
    For Port Range, enter the same port as in step 4.
    For Source, choose Custom, and then enter the QuickSight security group ID.
  6. In the cluster or DB instance's security group, add an outbound rule that allows all TCP traffic to the security group that you created in step 2 (the QuickSight security group). Note: The cluster or DB instance's security group is an ordinary stateful security group, so replies to connections allowed by step 5 flow without this rule; it is included to mirror step 3.
    For Type, choose All TCP.
    For Destination, choose Custom, and then enter the QuickSight security group ID.
  7. Create a private connection from QuickSight to Amazon VPC:
    For VPC ID, select the VPC that the cluster or DB instance is in.
    For Subnet ID, select the private subnet that you created in step 1.
    For Security group ID, enter the ID of the security group that you created in step 2 (the QuickSight security group).
  8. Create a new data set from the Amazon Redshift cluster or RDS DB instance:
    For Connection type, choose the VPC connection that you created in step 7.
    Choose Validate connection before you create the data source. A timeout at this point almost always means that one of the rules from steps 3 through 6 is missing, or that the subnet from step 1 has no route to the cluster or DB instance.
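
The eight steps above as a single AWS CLI script, added here as an example; it is not part of the original article. It assumes that the VPC, a route table with only the local route, the subnet CIDR and Availability Zone, the data source security group, the database engine, the account ID, and an IAM role that QuickSight can assume for the VPC connection are supplied as environment variables, and that `aws quicksight create-vpc-connection` accepts the parameters shown (verify against the current CLI reference). Step 8 remains a console action.

```shell
#!/usr/bin/env bash
# Added example (not from the article): steps 1-7 as AWS CLI calls.
# Assumed operator-supplied inputs: VPC_ID, PRIVATE_RT_ID (route table with only
# the local route), SUBNET_CIDR, AZ, DB_SG_ID, ENGINE (redshift, postgres, ...),
# ACCOUNT_ID, QS_ROLE_ARN (role QuickSight assumes for the VPC connection).
# APPLY=1 runs the sequence; DRY_RUN=1 prints each call instead of executing it.
set -eu

# Default listener port per engine. "3306" is MySQL's default, not RDS's;
# each RDS engine has its own default port.
db_port() {
  case "$1" in
    redshift) echo 5439 ;;
    mysql|mariadb|aurora-mysql) echo 3306 ;;
    postgres|aurora-postgresql) echo 5432 ;;
    sqlserver) echo 1433 ;;
    oracle) echo 1521 ;;
    *) echo "db_port: unknown engine '$1'" >&2; return 1 ;;
  esac
}

# Execute an AWS CLI call, or print it (to stderr) when DRY_RUN=1.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf 'aws %s\n' "$*" >&2   # show the call that would be made
    echo dry-run                 # stand-in for the ID the real call returns
  else
    aws "$@"
  fi
}

# One ip-permissions entry that references a peer security group rather than a
# CIDR, so the rule follows the instances, not their addresses.
sg_ref_permission() { # proto from_port to_port peer_sg_id
  printf '[{"IpProtocol":"%s","FromPort":%s,"ToPort":%s,"UserIdGroupPairs":[{"GroupId":"%s"}]}]' \
    "$1" "$2" "$3" "$4"
}

# Step 1: a subnet is private only by virtue of its route table, so associate
# one with no internet gateway route (a new subnet otherwise gets the main table).
create_private_subnet() { # vpc_id cidr az route_table_id
  subnet_id=$(run ec2 create-subnet --vpc-id "$1" --cidr-block "$2" \
      --availability-zone "$3" --query 'Subnet.SubnetId' --output text)
  run ec2 associate-route-table --route-table-id "$4" --subnet-id "$subnet_id" >/dev/null
  echo "$subnet_id"
}

# Step 2: a dedicated group for the QuickSight network interfaces. A new group
# carries an allow-all egress rule; revoke it so step 4 is the only outbound path.
create_qs_sg() { # vpc_id
  sg_id=$(run ec2 create-security-group --group-name quicksight-vpc-connection \
      --description "QuickSight VPC connection ENIs" --vpc-id "$1" \
      --query 'GroupId' --output text)
  run ec2 revoke-security-group-egress --group-id "$sg_id" \
      --ip-permissions '[{"IpProtocol":"-1","IpRanges":[{"CidrIp":"0.0.0.0/0"}]}]' >/dev/null
  echo "$sg_id"
}

# Steps 3-6: the four rules between the two groups.
pair_security_groups() { # qs_sg_id db_sg_id db_port
  # Step 3: all TCP into the QuickSight group from the data source group. Rules
  # on the QuickSight network interface's group are not applied statefully, so
  # the data source's replies must be allowed explicitly.
  run ec2 authorize-security-group-ingress --group-id "$1" \
      --ip-permissions "$(sg_ref_permission tcp 0 65535 "$2")" >/dev/null
  # Step 4: QuickSight may only reach the data source, and only on its port.
  run ec2 authorize-security-group-egress --group-id "$1" \
      --ip-permissions "$(sg_ref_permission tcp "$3" "$3" "$2")" >/dev/null
  # Step 5: the data source accepts connections on its port from QuickSight only.
  run ec2 authorize-security-group-ingress --group-id "$2" \
      --ip-permissions "$(sg_ref_permission tcp "$3" "$3" "$1")" >/dev/null
  # Step 6 as the article gives it. The data source's group is an ordinary
  # stateful group, so replies to step 5 already flow; kept for parity.
  run ec2 authorize-security-group-egress --group-id "$2" \
      --ip-permissions "$(sg_ref_permission tcp 0 65535 "$1")" >/dev/null
}

# Step 7: the VPC connection. The parameter names below are an assumption about
# the CreateVPCConnection API; check them against the current CLI reference.
create_vpc_connection() { # account_id subnet_id qs_sg_id role_arn
  run quicksight create-vpc-connection --aws-account-id "$1" \
      --vpc-connection-id quicksight-private --name quicksight-private \
      --subnet-ids "$2" --security-group-ids "$3" --role-arn "$4"
}

main() {
  port=$(db_port "${ENGINE:?set ENGINE}")
  subnet=$(create_private_subnet "${VPC_ID:?}" "${SUBNET_CIDR:?}" "${AZ:?}" "${PRIVATE_RT_ID:?}")
  qs_sg=$(create_qs_sg "$VPC_ID")
  pair_security_groups "$qs_sg" "${DB_SG_ID:?}" "$port"
  create_vpc_connection "${ACCOUNT_ID:?}" "$subnet" "$qs_sg" "${QS_ROLE_ARN:?}"
  echo "subnet=$subnet qs_sg=$qs_sg port=$port"
}

if [ "${APPLY:-0}" = "1" ]; then main; fi
```

Run it first with `DRY_RUN=1 APPLY=1 ENGINE=postgres VPC_ID=... PRIVATE_RT_ID=... SUBNET_CIDR=... AZ=... DB_SG_ID=... ACCOUNT_ID=... QS_ROLE_ARN=... ./quicksight-vpc.sh` to review the exact call sequence, then drop `DRY_RUN` to apply it with credentials that have the ec2 and quicksight permissions involved. Every rule references the peer security group by ID rather than a CIDR, which is what keeps the path private even if the cluster or DB instance is later replaced with different addresses.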

Example security group configuration

In sg-123345678f (Amazon QuickSight security group):

Inbound:

Type             Protocol          Port Range         Source                  Description
------------------------------------------------------------------------------------------------------------------
All TCP           TCP              0 - 65535       sg-122887878f         Amazon RDS/Amazon Redshift security group

Outbound:

Type              Protocol          Port Range           Destination             Description
------------------------------------------------------------------------------------------------------------
Custom TCP          TCP            5439 or DB port    sg-122887878f       Amazon RDS/Redshift security group

In sg-122887878f (Amazon RDS or Amazon Redshift security group):

Inbound:

Type             Protocol          Port Range           Source                Description
-----------------------------------------------------------------------------------------------------
Custom TCP         TCP            5439 or DB port     sg-123345678f        QuickSight security group

Outbound:

Type            Protocol          Port Range          Destination         Description
-------------------------------------------------------------------------------------------------
All TCP           TCP             0 - 65535         sg-123345678f      QuickSight security group

"5439 or DB port" is the port the data source listens on: 5439 for Amazon Redshift, or the engine-specific port of the RDS DB instance (for example, 3306 for MySQL or 5432 for PostgreSQL). The security group IDs are placeholders; substitute your own.
