I want to create a private connection from Amazon Quick Sight to an Amazon Redshift cluster or an Amazon Relational Database Service (Amazon RDS) DB instance that's in a private subnet.
Short description
Quick Sight supports Amazon Virtual Private Cloud (Amazon VPC) connections to AWS data sources. The Amazon VPC connection allows you to privately connect to an Amazon Redshift cluster or an RDS DB instance.
To create a private connection from Quick Sight, you must provide a subnet and security group from a VPC that's in the same AWS Region. Then, create a private connection from Quick Sight to the private subnet. After you establish the connection, you can allow traffic between the new security group and the Amazon Redshift cluster or RDS DB instance security group.
Note: The data source must be in the same AWS account and Region that you use for Quick Sight. Cross-Region and cross-account data sources require additional configuration. For more information, see How do I connect Quick Sight to a private Amazon RDS data source in a different AWS Region or AWS account?
Resolution
Important: The following resolution applies to Amazon Quick Suite Enterprise edition. To securely access data in private VPCs, it's a best practice to upgrade to Quick Suite Enterprise edition. For more information about Quick Suite Enterprise edition pricing, see Amazon Quick Sight pricing.
Review the prerequisites for configuring a VPC connection, whether you create it in the Quick Suite console or with the AWS Command Line Interface (AWS CLI).
Add inbound and outbound rules to the Quick Sight security group
Complete the following steps:
- Identify the IDs of the subnets that Quick Sight uses to establish a private connection to your data source.
Note: Each VPC connection must use at least two subnets in the same VPC. You can either use existing subnets that have a route to the database instance, or create new subnets.
- Create a new Quick Sight security group in the same VPC.
- Add an inbound rule to the security group that allows all TCP traffic from the Amazon Redshift cluster or RDS DB instance. This rule is required because the security group on the Quick Sight network interface doesn't track connection state: the database's responses to Quick Sight arrive on ephemeral ports and must be explicitly allowed.
- For Type, choose All TCP.
- For Source, choose Custom, and then enter the ID of the security group that your Amazon Redshift cluster or RDS DB instance uses.
- Add an outbound rule to the Quick Sight security group that allows traffic on the database port to the Amazon Redshift cluster or RDS DB instance.
- For Type, choose Custom TCP Rule.
- For Port Range, enter the port that the Amazon Redshift cluster or RDS DB instance uses. The default Amazon Redshift port is 5439. The default RDS port depends on the DB engine, for example 3306 for MySQL and MariaDB, and 5432 for PostgreSQL.
- For Destination, choose Custom, and then enter the ID of the security group that your Amazon Redshift cluster or RDS DB instance uses.
Add inbound and outbound rules to the Amazon Redshift cluster or Amazon RDS security group
Complete the following steps:
- In the cluster or DB instance's security group, add an inbound rule that allows traffic on the database port from the Quick Sight security group.
- For Type, choose Custom TCP Rule.
- For Port Range, enter the port that the Amazon Redshift cluster or RDS DB instance uses. The default Amazon Redshift port is 5439. The default RDS port depends on the DB engine, for example 3306 for MySQL and MariaDB, and 5432 for PostgreSQL.
- For Source, choose Custom, and then enter the Quick Sight security group ID.
- In the Amazon Redshift cluster or RDS DB instance's security group, add an outbound rule that allows all TCP traffic to the Quick Sight security group.
- For Type, choose All TCP.
- For Destination, choose Custom, and then enter the Quick Sight security group ID.
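The four rules above form a closed pairing between the two security groups: each group should reference the other by ID, and neither should accept inbound traffic from the internet. The following is an added example (not AWS code) that builds those rules in the IpPermissions shape the AWS CLI accepts and checks a describe-security-groups result for them offline. The group IDs are the ones used in the example tables on this page, and the two sets of security group records are constructed for illustration.

```python
"""Offline check of the security group pairing that a Quick Sight VPC
connection needs. Added example, not AWS code. The group IDs are the ones
from the example tables on this page; the describe-security-groups-shaped
records below are constructed for illustration."""

WORLD = ("0.0.0.0/0", "::/0")
QS_SG = "sg-123345678f"   # Quick Sight security group (page example ID)
DB_SG = "sg-122887878f"   # Amazon RDS/Amazon Redshift security group (page example ID)


def required_rules(qs_sg, db_sg, db_port):
    """Rules each side needs, as IpPermissions entries in the shape that
    `aws ec2 authorize-security-group-ingress|egress --ip-permissions` accepts."""
    def tcp(lo, hi, peer):
        return {"IpProtocol": "tcp", "FromPort": lo, "ToPort": hi,
                "UserIdGroupPairs": [{"GroupId": peer}]}
    return {
        "quicksight": {"ingress": [tcp(0, 65535, db_sg)],          # All TCP from the DB group
                       "egress": [tcp(db_port, db_port, db_sg)]},  # DB port to the DB group
        "database": {"ingress": [tcp(db_port, db_port, qs_sg)],    # DB port from the QS group
                     "egress": [tcp(0, 65535, qs_sg)]},            # All TCP to the QS group
    }


def _allows_ports(rule, lo, hi):
    """True if the rule's protocol and port range cover TCP lo..hi."""
    if rule.get("IpProtocol") == "-1":      # all traffic; no FromPort/ToPort keys
        return True
    return (rule.get("IpProtocol") == "tcp"
            and rule.get("FromPort", 0) <= lo and rule.get("ToPort", 65535) >= hi)


def _world_cidrs(rule):
    """CIDR blocks in the rule that mean 'anywhere'."""
    cidrs = [r.get("CidrIp") for r in rule.get("IpRanges", [])]
    cidrs += [r.get("CidrIpv6") for r in rule.get("Ipv6Ranges", [])]
    return [c for c in cidrs if c in WORLD]


def _peer_matches(rule, peer_sg):
    """True if the rule names peer_sg, or is open to anywhere (which also
    reaches the peer, but is reported separately as over-broad)."""
    if any(p.get("GroupId") == peer_sg for p in rule.get("UserIdGroupPairs", [])):
        return True
    return bool(_world_cidrs(rule))


def _ports(rule):
    if rule.get("IpProtocol") == "-1":
        return "all traffic"
    return f"{rule.get('IpProtocol')} {rule.get('FromPort')}-{rule.get('ToPort')}"


def check_groups(groups, qs_sg, db_sg, db_port):
    """groups: the SecurityGroups list from `aws ec2 describe-security-groups`.
    Returns (missing, broad): required rules that are absent, and inbound
    rules on either group that admit traffic from 0.0.0.0/0 or ::/0."""
    by_id = {g["GroupId"]: g for g in groups}
    want = required_rules(qs_sg, db_sg, db_port)
    missing, broad = [], []
    for side, sg_id in (("quicksight", qs_sg), ("database", db_sg)):
        group = by_id.get(sg_id)
        if group is None:
            missing.append(f"{sg_id}: security group not found")
            continue
        for direction, key, word in (("ingress", "IpPermissions", "from"),
                                     ("egress", "IpPermissionsEgress", "to")):
            for need in want[side][direction]:
                lo, hi = need["FromPort"], need["ToPort"]
                peer = need["UserIdGroupPairs"][0]["GroupId"]
                if not any(_allows_ports(r, lo, hi) and _peer_matches(r, peer)
                           for r in group.get(key, [])):
                    missing.append(f"{sg_id} {direction}: tcp {lo}-{hi} {word} {peer}")
        # Neither group should accept inbound traffic from the internet:
        # the pairing is meant to be between the two groups only.
        for r in group.get("IpPermissions", []):
            for cidr in _world_cidrs(r):
                broad.append(f"{sg_id} ingress: {_ports(r)} open to {cidr}")
    return missing, broad


# Constructed records mirroring the example tables on this page.
SAMPLE_GROUPS = [
    {"GroupId": QS_SG,
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535,
                        "UserIdGroupPairs": [{"GroupId": DB_SG}]}],
     "IpPermissionsEgress": [{"IpProtocol": "tcp", "FromPort": 5439, "ToPort": 5439,
                              "UserIdGroupPairs": [{"GroupId": DB_SG}]}]},
    {"GroupId": DB_SG,
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 5439, "ToPort": 5439,
                        "UserIdGroupPairs": [{"GroupId": QS_SG}]}],
     "IpPermissionsEgress": [{"IpProtocol": "-1", "UserIdGroupPairs": [{"GroupId": QS_SG}]}]},
]
# Constructed misconfiguration: the Quick Sight group lacks its inbound rule and
# the database listener is open to the internet instead of to the Quick Sight group.
WEAK_GROUPS = [
    {"GroupId": QS_SG, "IpPermissions": [],
     "IpPermissionsEgress": [{"IpProtocol": "tcp", "FromPort": 5439, "ToPort": 5439,
                              "UserIdGroupPairs": [{"GroupId": DB_SG}]}]},
    {"GroupId": DB_SG,
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 5439, "ToPort": 5439,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
     "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
]

if __name__ == "__main__":
    for name, groups in (("page example", SAMPLE_GROUPS), ("weak variant", WEAK_GROUPS)):
        print(name, check_groups(groups, QS_SG, DB_SG, 5439))
```

To run it against a real account, save the output of `aws ec2 describe-security-groups --group-ids <quicksight-sg> <database-sg> --query SecurityGroups` to a file, load it with the json module, and pass the list to check_groups with your own group IDs and database port. An empty missing list and an empty broad list means the pairing matches the steps above; a world-open entry in broad means the database is reachable from outside the VPC regardless of the Quick Sight rules.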
Create a private connection from Quick Sight to Amazon VPC
Follow the steps in Configuring VPC connections in Amazon Quick Sight to create the VPC connection, using the subnets and the Quick Sight security group from the previous steps. Make sure that you complete the prerequisites so that the AWS Identity and Access Management (IAM) execution role for the connection has the required permissions and trust policy.
Create a new dataset from the Amazon Redshift cluster or RDS DB instance
Complete the following steps:
- Open the Quick Suite console, and then choose Datasets.
- Choose New dataset.
- Choose the auto-discovered Amazon Redshift or RDS data source, and then, for Connection type, choose the VPC connection that you created.
Example Quick Sight security group sg-123345678f:
Inbound:
Type        Protocol  Port Range                          Source         Description
All TCP     TCP       0 - 65535                           sg-122887878f  Amazon RDS/Amazon Redshift security group
Outbound:
Type        Protocol  Port Range                          Destination    Description
Custom TCP  TCP       Database port (for example, 5439 or 3306)  sg-122887878f  Amazon RDS/Amazon Redshift security group
Example Amazon RDS or Amazon Redshift security group sg-122887878f:
Inbound:
Type        Protocol  Port Range                          Source         Description
Custom TCP  TCP       Database port (for example, 5439 or 3306)  sg-123345678f  Quick Sight security group
Outbound:
Type        Protocol  Port Range                          Destination    Description
All TCP     TCP       0 - 65535                           sg-123345678f  Quick Sight security group
Related information
Configuring VPC connections in Amazon Quick Sight