How can I create a private connection from Amazon QuickSight to an Amazon Redshift cluster or an Amazon RDS DB instance that's in a private subnet?

Last updated: 2020-10-09

I want to create a private connection from Amazon QuickSight to an Amazon Redshift cluster or DB instance in a private subnet. How can I do that?

Short description

QuickSight supports Amazon Virtual Private Cloud (Amazon VPC) connections to AWS data sources. The Amazon VPC connection allows you to privately connect to an Amazon Redshift cluster or an Amazon Relational Database Service (Amazon RDS) instance.

To create a private connection from QuickSight, you must create a new private subnet and a new security group. Then, create a private connection from QuickSight to the private subnet. After the private connection is established, you can allow traffic between the new security group and the Amazon Redshift cluster or DB instance security group.

Note: The data source must be in the same account and Region being used for QuickSight.

Resolution

1.    Create a new private subnet (a subnet with no internet gateway attached) in the same VPC that the Amazon Redshift cluster or RDS DB instance is in. This is the subnet that QuickSight uses for the private connection.

2.    Create a new security group for QuickSight in the same VPC.

3.    Add an inbound rule to the QuickSight security group that allows all communication from the Amazon Redshift cluster or RDS DB instance.
For Type, choose All TCP.
For Source, choose Custom, and then enter the ID of the security group used by your Amazon Redshift cluster or RDS DB instance.

4.    Add an outbound rule to the QuickSight security group that allows all traffic to the Amazon Redshift cluster or RDS DB instance.
For Type, choose Custom TCP Rule.
For Port Range, enter the port used by the Amazon Redshift cluster or RDS DB instance. The default Amazon Redshift port is 5439. The default Amazon RDS port is 3306.
For Destination, choose Custom, and then enter the ID of the security group used by your Amazon Redshift cluster or RDS DB instance.

5.    In the Amazon Redshift cluster or RDS DB instance's security group, add an inbound rule. The inbound rule must allow all incoming traffic from the QuickSight security group that you created in step 2.
For Type, choose All TCP.
For Source, choose Custom, and then enter the QuickSight security group ID.

6.    In the Amazon Redshift cluster or RDS DB instance's security group, add an outbound rule. This outbound rule must allow all traffic to the QuickSight security group that you created.
For Type, choose All TCP.
For Destination, choose Custom, and then enter the QuickSight security group ID.

7.    Create a private connection from QuickSight to Amazon VPC:
For VPC ID, select the VPC for your Amazon Redshift cluster or RDS DB instance.
For Subnet ID, select the private subnet that you created in step 1.
For Security group ID, enter the QuickSight security group that you created.

8.    Create a new data set from the Amazon Redshift cluster or RDS DB instance.
For Connection type, choose the VPC connection that you created in step 7.

Example security group configuration

In sg-123345678f (QuickSight security group):

Inbound:

Type         Protocol   Port Range     Source          Description
--------------------------------------------------------------------------------------------
All TCP      TCP        0 - 65535      sg-122887878f   Amazon RDS/Amazon Redshift security group

Outbound:

Type         Protocol   Port Range     Destination     Description
--------------------------------------------------------------------------------------------
Custom TCP   TCP        5439 or 3306   sg-122887878f   Amazon RDS/Amazon Redshift security group

In sg-122887878f (Amazon RDS or Amazon Redshift security group):

Inbound:

Type         Protocol   Port Range     Source          Description
--------------------------------------------------------------------------------------------
Custom TCP   TCP        5439 or 3306   sg-123345678f   QuickSight security group

Outbound:

Type         Protocol   Port Range     Destination     Description
--------------------------------------------------------------------------------------------
All TCP      TCP        0 - 65535      sg-123345678f   QuickSight security group
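As an added example (not part of the AWS article), the following AWS CLI script carries out steps 1 through 6 and produces the rules shown in the tables above; the VPC ID, the database security group ID, the subnet CIDR and the database port are placeholders you supply, and step 7 stays in the QuickSight console. It also revokes the allow-all outbound rule that every new security group starts with, so the QuickSight group can only reach the database port, which the article's steps assume but do not spell out.

```shell
#!/bin/sh
# Added example, not from the AWS article: builds the security groups and rules from the
# Resolution steps with the AWS CLI. Placeholders: VPC id, DB security group id (the
# Redshift/RDS group), CIDR for the new private subnet, DB port (5439 Redshift, 3306 RDS).
set -eu

# Execute a command, or only print it to stderr when DRY_RUN=1 (review before applying).
run() { if [ "${DRY_RUN:-0}" = "1" ]; then echo "+ $*" >&2; else "$@"; fi; }

# IpPermissions JSON for a TCP rule whose peer is another security group, not a CIDR.
# Steps 3/5/6 use all TCP (0-65535); step 4 narrows it to the DB port only.
sg_tcp_perm() {  # $1 peer sg id, $2 from port, $3 to port
  printf '[{"IpProtocol":"tcp","FromPort":%s,"ToPort":%s,"UserIdGroupPairs":[{"GroupId":"%s"}]}]' \
    "$2" "$3" "$1"
}

setup_quicksight_vpc_access() {  # $1 vpc id, $2 db sg id, $3 subnet cidr, $4 db port
  local vpc_id=$1 db_sg=$2 cidr=$3 port=$4 subnet_id qs_sg
  # Step 1: private subnet. No route to an internet gateway is added, so it stays private.
  subnet_id=$(run aws ec2 create-subnet --vpc-id "$vpc_id" --cidr-block "$cidr" \
      --query 'Subnet.SubnetId' --output text)
  subnet_id=${subnet_id:-subnet-PLACEHOLDER}   # placeholder only in dry-run mode
  # Step 2: the QuickSight security group.
  qs_sg=$(run aws ec2 create-security-group --vpc-id "$vpc_id" \
      --group-name quicksight-vpc-connection --description "QuickSight VPC connection" \
      --query 'GroupId' --output text)
  qs_sg=${qs_sg:-sg-PLACEHOLDER}               # placeholder only in dry-run mode
  # Step 3: inbound All TCP from the DB security group.
  run aws ec2 authorize-security-group-ingress --group-id "$qs_sg" \
      --ip-permissions "$(sg_tcp_perm "$db_sg" 0 65535)"
  # A new group allows all outbound traffic by default; drop that so step 4 is the only egress.
  run aws ec2 revoke-security-group-egress --group-id "$qs_sg" \
      --ip-permissions '[{"IpProtocol":"-1","IpRanges":[{"CidrIp":"0.0.0.0/0"}]}]'
  # Step 4: outbound only to the DB port and only to the DB security group.
  run aws ec2 authorize-security-group-egress --group-id "$qs_sg" \
      --ip-permissions "$(sg_tcp_perm "$db_sg" "$port" "$port")"
  # Steps 5 and 6: the DB security group accepts from, and may reply to, the QuickSight group.
  run aws ec2 authorize-security-group-ingress --group-id "$db_sg" \
      --ip-permissions "$(sg_tcp_perm "$qs_sg" 0 65535)"
  run aws ec2 authorize-security-group-egress --group-id "$db_sg" \
      --ip-permissions "$(sg_tcp_perm "$qs_sg" 0 65535)"
  # Step 7 is done in the QuickSight console: use these two ids for the VPC connection.
  echo "SUBNET_ID=$subnet_id QUICKSIGHT_SG=$qs_sg"
}

# Usage: DRY_RUN=1 ./setup.sh vpc-0example sg-0exampledb 10.0.100.0/24 5439
if [ "$#" -eq 4 ]; then setup_quicksight_vpc_access "$@"; fi
```

Run it once with DRY_RUN=1 to inspect the exact API calls, then without it; the credentials used need ec2:CreateSubnet, ec2:CreateSecurityGroup and the four security group rule permissions.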
