How can I create a private connection from Amazon QuickSight to an Amazon Redshift cluster or an Amazon RDS DB instance that's in a private subnet?


I want to create a private connection from Amazon QuickSight to an Amazon Redshift cluster or database instance in a private subnet. How can I do that?

Short description

Amazon QuickSight supports Amazon Virtual Private Cloud (Amazon VPC) connections to AWS data sources. The Amazon VPC connection allows you to privately connect to an Amazon Redshift cluster or an Amazon Relational Database Service (Amazon RDS) instance.

To create a private connection from QuickSight, you provide a subnet and a security group from the VPC that contains the data source (the VPC must be in the same AWS Region as QuickSight). QuickSight places network interfaces in that subnet with that security group. Traffic is then permitted by security group rules on both sides: the QuickSight security group must allow traffic to and from the Amazon Redshift cluster or DB instance security group, and that security group must allow traffic to and from the QuickSight security group.

Note: The data source must be in the same account and Region that's used for QuickSight.

Resolution

Important: These steps apply to Amazon QuickSight Enterprise Edition. It's a best practice to upgrade to Amazon QuickSight Enterprise Edition to securely access data in private VPCs. For more information about Enterprise Edition pricing, see Amazon QuickSight pricing.

1.    Identify the ID of the subnet that QuickSight will use to establish a private connection to your data source. You can either use an existing subnet in the same VPC with a route to the database instance or create a new subnet.

2.    Create a new security group for QuickSight in the same VPC.

3.    Add an inbound rule to the QuickSight security group that allows all TCP traffic from the Amazon Redshift cluster or RDS DB instance. The security group on a QuickSight network interface is not stateful, so the database's replies must be allowed in explicitly on every port.
For Type, choose All TCP.
For Source, choose Custom, and then enter the ID of the security group used by your Amazon Redshift cluster or RDS DB instance.

4.    Add an outbound rule to the QuickSight security group that allows all traffic to the Amazon Redshift cluster or RDS DB instance.
For Type, choose Custom TCP Rule.
For Port Range, enter the port used by the Amazon Redshift cluster or RDS DB instance. The default Amazon Redshift port is 5439. The default Amazon RDS port depends on the engine: 3306 for MySQL, MariaDB and Aurora MySQL, 5432 for PostgreSQL and Aurora PostgreSQL.
For Destination, choose Custom, and then enter the ID of the security group used by your Amazon Redshift cluster or RDS DB instance.

5.    In the Amazon Redshift cluster or RDS DB instance's security group, add an inbound rule. The inbound rule must allow traffic on the database port from the QuickSight security group that you created in Step 2.
For Type, choose Custom TCP Rule.
For Port Range, enter the port used by the Amazon Redshift cluster or RDS DB instance. The default Amazon Redshift port is 5439. The default Amazon RDS port depends on the engine: 3306 for MySQL, MariaDB and Aurora MySQL, 5432 for PostgreSQL and Aurora PostgreSQL.
For Source, choose Custom, and then enter the QuickSight security group ID.

6.    In the Amazon Redshift cluster or RDS DB instance's security group, add an outbound rule. This outbound rule must allow all TCP traffic to the QuickSight security group that you created.
For Type, choose All TCP.
For Destination, choose Custom, and then enter the QuickSight security group ID.

7.    Create a private connection from QuickSight to Amazon VPC.
For VPC ID, select the VPC for your Amazon Redshift cluster or RDS DB instance.
For Subnet ID, select the private subnet that you identified or created in Step 1.
For Security group ID, enter the QuickSight security group that you created.

8.    Create a new dataset from the Amazon Redshift cluster or RDS DB instance.
For Connection type, choose the VPC connection that you created in Step 7.

Example security group configuration

In sg-123345678f (QuickSight security group):

Inbound:

Type             Protocol          Port Range         Source                  Description
------------------------------------------------------------------------------------------------------------------
All TCP           TCP              0 - 65535          sg-122887878f           Amazon RDS/Amazon Redshift security group

Outbound:

Type              Protocol          Port Range           Destination             Description
------------------------------------------------------------------------------------------------------------
Custom TCP          TCP            5439 or 3306         sg-122887878f           Amazon RDS/Amazon Redshift security group

In sg-122887878f (Amazon RDS or Amazon Redshift security group):

Inbound:

Type             Protocol          Port Range           Source                Description
-----------------------------------------------------------------------------------------------------
Custom TCP         TCP            5439 or 3306          sg-123345678f         QuickSight security group

Outbound:

Type            Protocol          Port Range          Destination             Description
-------------------------------------------------------------------------------------------------
All TCP           TCP             0 - 65535           sg-123345678f           QuickSight security group
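The four rules in Steps 3 to 6 and in the tables above are easy to get subtly wrong (a port typed once but not the other way, the QuickSight group's inbound rule left out because security groups are normally stateful). The script below is an added example, not part of the original article or of any AWS tooling: it encodes the four required rules as security group permission entries and checks a saved copy of `aws ec2 describe-security-groups --group-ids <quicksight-sg> <database-sg>` output (or the dict that boto3's `describe_security_groups` returns) against them, reporting whichever rules are missing. The security group IDs, the port and the sample describe output are constructed for illustration; replace the three constants with your own values, or pass a JSON file path on the command line.

```python
"""Check two EC2 security groups against the QuickSight <-> database rule set
from the steps above. Added example; the IDs and sample data are constructed."""
import json

# Constructed IDs; replace with the real QuickSight and database group IDs.
QS_SG = "sg-0aaaaaaaaaaaaaaa0"
DB_SG = "sg-0bbbbbbbbbbbbbbb0"
DB_PORT = 5439  # Redshift default; use the engine's port for RDS
ALL_PORTS = (0, 65535)


def required_rules(qs_sg: str, db_sg: str, db_port: int) -> dict:
    """The four rules from the article, keyed by (group id, direction).

    Each value is one IpPermissions entry in the shape that
    ec2.authorize_security_group_ingress / _egress accept, so the same dict
    can be used to apply a missing rule as well as to check for it.
    """
    def tcp(from_port, to_port, peer_sg, desc):
        return {"IpProtocol": "tcp", "FromPort": from_port, "ToPort": to_port,
                "UserIdGroupPairs": [{"GroupId": peer_sg, "Description": desc}]}

    db_desc, qs_desc = "Amazon RDS/Amazon Redshift security group", "QuickSight security group"
    return {
        # Step 3: QuickSight ENI rules are not stateful, so replies from the
        # database must be allowed in on every port.
        (qs_sg, "ingress"): tcp(*ALL_PORTS, db_sg, db_desc),
        # Step 4: QuickSight may only connect out to the database port.
        (qs_sg, "egress"): tcp(db_port, db_port, db_sg, db_desc),
        # Step 5: the database accepts QuickSight on the database port only.
        (db_sg, "ingress"): tcp(db_port, db_port, qs_sg, qs_desc),
        # Step 6: the database may reply to QuickSight on any port.
        (db_sg, "egress"): tcp(*ALL_PORTS, qs_sg, qs_desc),
    }


def _covers(perm: dict, required: dict) -> bool:
    """True if an existing permission is at least as broad as `required`."""
    proto = perm.get("IpProtocol")
    if proto not in ("-1", required["IpProtocol"]):
        return False
    if proto != "-1":  # "-1" (all traffic) carries no port range
        if perm["FromPort"] > required["FromPort"] or perm["ToPort"] < required["ToPort"]:
            return False
    peer = required["UserIdGroupPairs"][0]["GroupId"]
    # The peer group lives inside the VPC, so an open 0.0.0.0/0 rule
    # (for example the default egress rule of a new group) also covers it.
    return (any(p.get("GroupId") == peer for p in perm.get("UserIdGroupPairs", []))
            or any(r.get("CidrIp") == "0.0.0.0/0" for r in perm.get("IpRanges", [])))


def missing_rules(describe_output: dict, qs_sg: str, db_sg: str, db_port: int) -> list:
    """Return one description per required rule that is absent; [] means all present."""
    groups = {g["GroupId"]: g for g in describe_output.get("SecurityGroups", [])}
    missing = []
    for (group_id, direction), rule in required_rules(qs_sg, db_sg, db_port).items():
        group = groups.get(group_id)
        if group is None:
            missing.append(f"{group_id}: security group not found in describe output")
            continue
        key = "IpPermissions" if direction == "ingress" else "IpPermissionsEgress"
        if not any(_covers(p, rule) for p in group.get(key, [])):
            peer = rule["UserIdGroupPairs"][0]["GroupId"]
            word = "from" if direction == "ingress" else "to"
            missing.append(f"{group_id} {direction}: tcp {rule['FromPort']}-{rule['ToPort']} {word} {peer}")
    return missing


# Constructed sample in describe-security-groups shape: the QuickSight group is
# correct, but the database group only admits an application-server group and
# still has the default allow-all egress rule.
SAMPLE_DESCRIBE_OUTPUT = {"SecurityGroups": [
    {"GroupId": QS_SG, "GroupName": "quicksight-vpc-connection",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535,
                        "IpRanges": [], "UserIdGroupPairs": [{"GroupId": DB_SG}]}],
     "IpPermissionsEgress": [{"IpProtocol": "tcp", "FromPort": 5439, "ToPort": 5439,
                              "IpRanges": [], "UserIdGroupPairs": [{"GroupId": DB_SG}]}]},
    {"GroupId": DB_SG, "GroupName": "redshift-cluster",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 5439, "ToPort": 5439,
                        "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-0ccccccccccccccc0"}]}],
     "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
                              "UserIdGroupPairs": []}]},
]}


if __name__ == "__main__":
    import sys
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_DESCRIBE_OUTPUT
    problems = missing_rules(data, QS_SG, DB_SG, DB_PORT)
    print("\n".join(problems) if problems else "all four rules are present")
```

On the constructed sample the script reports only the database group's missing inbound rule from the QuickSight group; the database group's default allow-all egress rule is accepted as covering Step 6, while a rule on the wrong port or referencing a different group is reported. A rule that is reported missing can be applied by passing the dict that `required_rules` returns for that key as the `IpPermissions` list of the corresponding authorize call.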

Related information

Connecting to a VPC with Amazon QuickSight

AWS OFFICIAL
Updated 2 years ago
5 Comments

I am still getting timeouts after following this guide for an RDS PostgreSQL instance. Any idea what might be missing?

deniz
replied 10 months ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS
MODERATOR
replied 10 months ago

Hey, I'm also getting timeouts after following this guide and all the others. I have even used the VPC Reachability Analyzer and confirmed that each network interface of the QuickSight VPC connection can successfully reach the RDS network interface.

Is there any other way to troubleshoot my connection? I've made extremely permissive security group rules (allow all traffic on all ports etc) and still within the same VPC and subnet, the connection times out.

EDIT: This top answer solved my problem. Apparently the underlying QuickSight JDBC driver doesn't support "scram-sha-256" password hashing, which my PostgreSQL 14 RDS had enabled by default; following the answer guide solved my issue. Hopefully it saves someone else from the wasted days I've lost!

nick
replied 10 months ago

The above comment from Nick needs to be a pinned comment here. I battled with this issue for almost a month.

replied 10 months ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS
MODERATOR
replied 10 months ago