Creating a VPC connection in the QuickSight console

In this article we will show you the steps that you need to follow to create a VPC connection in your QuickSight account.

Initial assumptions

  • You are using QuickSight Enterprise edition
  • Your user is a QuickSight administrator

Overview

Amazon Virtual Private Cloud (Amazon VPC) allows you to launch AWS resources in a logically isolated virtual network that you’ve defined. This virtual network closely resembles a traditional network that you’d operate in your own data center, with the benefits of using the scalable infrastructure of AWS.

Amazon QuickSight operates outside of your defined VPCs, meaning that if you want to connect to a resource that is inside a VPC you have two options:

  • Provide the resource with a public IP and follow the steps to allow QuickSight to connect via the public network (outside of the scope of this article; you can find more info about how to configure this here)
  • Allow QuickSight to access a VPC. This is the option to use when you want to reach private resources within your VPC, and it works by adding elastic network interfaces in your VPC. These network interfaces allow QuickSight to exchange network traffic with a network instance within your VPC

Configuration process

EC2 Security group configuration

You can provide all of the standard security controls for this network traffic, as you do with other traffic in your VPC. Route tables, network access control lists (ACLs), subnets, and security groups settings all apply to network traffic to and from QuickSight in the same way that they apply to traffic between other instances in your VPC.

For this example we are going to create a security group that will allow access from QuickSight to the data-source and vice-versa.

To allow traffic we need to create a security group with no rules. Once it is created, note down its security group ID.

Then edit the inbound and then the outbound rules to add the following (change the destination TCP port according to the data-source type you are adding; in this example we are using Redshift as reference).

Inbound rules

  IP version:  IPv4
  Type:        Redshift
  Protocol:    TCP
  Port range:  5439
  Source:      select “Custom” in the drop-down menu and enter the security group ID you noted down earlier
  Description: Allows traffic originated within this security group

Outbound rules

  IP version:  IPv4
  Type:        All traffic
  Protocol:    All
  Port range:  All
  Destination: 0.0.0.0/0
  Description: Allows all outbound traffic

Once configured, add the security group to your target data source (the Redshift cluster in our example).

NOTE: This example uses the simplest configuration possible which is to use the same security group in the QuickSight VPC connection and in the target data-source. If you want to have separate security groups refer to this knowledge article to know how to configure them.

IAM & QuickSight configuration

Now that we have created our security group we are ready to create the VPC connection in QuickSight. However, in order to allow QuickSight to create the necessary underlying assets (EC2 network interfaces) we need to create an IAM role with permissions to perform specific actions in EC2, QuickSight and IAM. Once created, we will be using this role to configure the VPC connection.

We can do this by performing the following steps:

  1. Go to IAM roles and click on the “Create role” button
  2. Select custom trust policy and use the trust policy that you can find below; refer to Appendix resources (1)
  3. Go to the next step. In a new tab, open IAM policies
  4. Create a policy using the policy document provided below; refer to Appendix resources (2)
  5. Go back to the IAM role tab and refresh the policies to choose the one created in step 4
  6. Create the role with a user-friendly name
  7. Go back to the QuickSight console (admin section) and choose “Manage VPC connections”
  8. Click “Add VPC Connection” and create the VPC connection using the role created in step 6 and the security group created in the previous section (remember to assign this security group to your target data-source server as well, e.g. the Redshift cluster)
  9. Now create a new data source and dataset using the VPC connection created in step 8. When creating the data source, click on the “Validate connection” button to confirm the connection is successful
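The security group rules and the two IAM documents above are easy to get subtly wrong in the console (a port copied from the wrong data-source type, an extra principal pasted into the trust policy, a missing EC2 action). The script below is an added example, not code from the article or from AWS: it builds the same inbound/outbound rules, trust policy and permission policy as data, and runs a pre-flight check that the role is assumable only by quicksight.amazonaws.com and grants every action listed in Appendix resource (2). The security group ID, role name and policy name are constructed placeholders, and only the apply() function (boto3 calls, needing credentials) touches your account.

```python
"""Build and sanity-check the security-group rules and IAM role documents
used for a QuickSight VPC connection. Added example; all ids/names are
constructed placeholders, not values from the article."""
import json

SG_ID = "sg-0123456789abcdef0"           # placeholder: the ID you noted down
REDSHIFT_PORT = 5439                      # change for other data-source types
QUICKSIGHT_PRINCIPAL = "quicksight.amazonaws.com"
REQUIRED_ACTIONS = {                      # Appendix resource (2)
    "ec2:CreateNetworkInterface",
    "ec2:ModifyNetworkInterfaceAttribute",
    "ec2:DeleteNetworkInterface",
    "ec2:DescribeSubnets",
    "ec2:DescribeSecurityGroups",
}


def inbound_rule(sg_id, port):
    """Inbound table row: TCP <port>, source = the security group itself."""
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
            "UserIdGroupPairs": [{"GroupId": sg_id,
                                  "Description": "Allows traffic originated within this security group"}]}


def outbound_rule():
    """Outbound table row: all protocols/ports to 0.0.0.0/0 ('-1' means all)."""
    return {"IpProtocol": "-1",
            "IpRanges": [{"CidrIp": "0.0.0.0/0", "Description": "Allows all outbound traffic"}]}


def trust_policy():
    """Appendix resource (1): only the QuickSight service may assume the role."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Principal": {"Service": QUICKSIGHT_PRINCIPAL},
                           "Action": "sts:AssumeRole"}]}


def permission_policy():
    """Appendix resource (2): EC2 actions QuickSight needs to manage its ENIs."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": sorted(REQUIRED_ACTIONS), "Resource": "*"}]}


def _as_list(x):
    return x if isinstance(x, list) else [x]


def check_role_documents(trust_doc, perm_doc):
    """Return a list of problems (empty = role is usable by QuickSight).

    Flags a trust policy that omits the QuickSight principal or admits any
    other principal, and a permission policy missing a required EC2 action."""
    problems, principals, allowed = [], set(), set()
    for st in trust_doc.get("Statement", []):
        if st.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(st.get("Action")):
            continue
        p = st.get("Principal", {})
        if isinstance(p, dict):
            for v in p.values():
                principals.update(_as_list(v))
        else:
            principals.add(str(p))          # e.g. the wildcard "*"
    if QUICKSIGHT_PRINCIPAL not in principals:
        problems.append("trust policy does not allow %s to assume the role" % QUICKSIGHT_PRINCIPAL)
    extra = principals - {QUICKSIGHT_PRINCIPAL}
    if extra:
        problems.append("trust policy also allows unrelated principals: %s" % sorted(extra))
    for st in perm_doc.get("Statement", []):
        if st.get("Effect") == "Allow":
            allowed.update(_as_list(st.get("Action")))
    missing = REQUIRED_ACTIONS - allowed
    if missing:
        problems.append("permission policy is missing actions: %s" % sorted(missing))
    return problems


def apply(role_name="quicksight-vpc-connection-role",      # hypothetical names
          policy_name="quicksight-vpc-connection-policy"):
    """Create the rules, role and policy with boto3. Needs AWS credentials;
    not run by the pre-flight check. A new security group already carries
    the allow-all egress rule, so only the ingress rule is added here."""
    import boto3   # imported lazily so the checks above run without boto3
    problems = check_role_documents(trust_policy(), permission_policy())
    if problems:
        raise ValueError("; ".join(problems))
    ec2, iam = boto3.client("ec2"), boto3.client("iam")
    ec2.authorize_security_group_ingress(GroupId=SG_ID,
                                         IpPermissions=[inbound_rule(SG_ID, REDSHIFT_PORT)])
    iam.create_role(RoleName=role_name, AssumeRolePolicyDocument=json.dumps(trust_policy()))
    pol = iam.create_policy(PolicyName=policy_name, PolicyDocument=json.dumps(permission_policy()))
    iam.attach_role_policy(RoleName=role_name, PolicyArn=pol["Policy"]["Arn"])
    return pol["Policy"]["Arn"]   # use this role in "Add VPC Connection" (step 8)


if __name__ == "__main__":
    print(check_role_documents(trust_policy(), permission_policy()))   # [] when correct
```

Run check_role_documents() against the JSON you actually pasted into the console (json.load the two documents) before step 8; an empty list means the role matches the appendix. The principal check is deliberately strict: QuickSight is the only service that should be able to assume this role, since it can create and delete network interfaces across your VPC.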

Congratulations! You have successfully connected your QuickSight instance (outside of VPC) to your VPC where you have your target data-source (a Redshift cluster in this case).

Refer to our documentation to learn more about configuring a VPC connection in QuickSight.

Appendix resources:

Trust policy (1)

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "quicksight.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

Custom policy document (2)

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:CreateNetworkInterface",
                "ec2:ModifyNetworkInterfaceAttribute",
                "ec2:DeleteNetworkInterface",
                "ec2:DescribeSubnets",
                "ec2:DescribeSecurityGroups"
            ],
            "Resource": "*"
        }
    ]
}