Network and Database Configuration Requirements

To serve as data sources, databases need to be configured so that Amazon QuickSight can access them. Use the following sections to make sure that your database is configured appropriately.

Important

Because a database instance on Amazon EC2 is administered by you rather than AWS, it must meet both the Network Configuration Requirements and the Database Configuration Requirements for Self-Administered Instances.

Network Configuration Requirements

To be usable from Amazon QuickSight, a database server must be accessible from the internet. It must also allow inbound traffic from Amazon QuickSight servers.

If the database is on AWS and in the same region as your Amazon QuickSight account, you can auto-discover the instance to make connecting to it easier. To do this, you must grant Amazon QuickSight permissions to access it. For more information, see Managing Amazon QuickSight Permissions to AWS Resources.

Network Configuration for an AWS Instance in a Default VPC

If your database is on an AWS cluster or instance that you created in a default VPC and is publicly accessible (that is, you did not choose to make it private), it is already appropriately configured to be accessible from the internet. You still need to enable access from Amazon QuickSight servers to your AWS cluster or instance. For further details on how to do this, choose the appropriate topic following:

Network Configuration for an AWS Instance in a Non-Default VPC

If you are configuring an AWS instance in a non-default VPC, make sure that the instance is publicly accessible and that the VPC has the following:

  • An internet gateway.

  • A public subnet.

  • A route in the route table between the internet gateway and the AWS instance.

  • Network access control lists (ACLs) in your VPC that allow traffic between the cluster or instance and Amazon QuickSight servers. These ACLs must do the following:

    • Allow inbound traffic from the appropriate Amazon QuickSight IP address range and all ports to the IP address and port that the database is listening on.

    • Allow outbound traffic from the database’s IP address and port to the appropriate Amazon QuickSight IP address range and all ports.

    For more information about Amazon QuickSight IP address ranges, see IP Address Ranges for Amazon QuickSight below.

    For more information about configuring VPC ACLs, see Network ACLs.

  • Security group rules that allow traffic between the cluster or instance and Amazon QuickSight servers. For further details on how to create appropriate security group rules, see Authorizing Connections from Amazon QuickSight to AWS Data Stores.

For more information about configuring an AWS VPC, see Networking in Your VPC.
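The network ACL requirements above can be checked offline against an exported rule set. The following is an added example, not part of the AWS documentation: it evaluates entries in the shape returned by `aws ec2 describe-network-acls` with first-match semantics and reports whether both directions of the QuickSight path are allowed and whether the database port is open more widely than the QuickSight range. The CIDR `198.51.100.0/27`, port 5432, the outsider address, and the function names are assumptions made for illustration.

```python
import ipaddress

# Constructed sample shaped like the "Entries" list from
# `aws ec2 describe-network-acls`. 198.51.100.0/27 is a documentation-range
# placeholder, not a real Amazon QuickSight range; 5432 is an assumed DB port.
QUICKSIGHT_CIDR = "198.51.100.0/27"
SAMPLE_ENTRIES = [
    {"RuleNumber": 100, "Egress": False, "Protocol": "6", "RuleAction": "allow",
     "CidrBlock": QUICKSIGHT_CIDR, "PortRange": {"From": 5432, "To": 5432}},
    {"RuleNumber": 100, "Egress": True, "Protocol": "6", "RuleAction": "allow",
     "CidrBlock": QUICKSIGHT_CIDR, "PortRange": {"From": 0, "To": 65535}},
    {"RuleNumber": 32767, "Egress": False, "Protocol": "-1",
     "RuleAction": "deny", "CidrBlock": "0.0.0.0/0"},
    {"RuleNumber": 32767, "Egress": True, "Protocol": "-1",
     "RuleAction": "deny", "CidrBlock": "0.0.0.0/0"},
]

def nacl_decision(entries, egress, peer_ip, port):
    """Decide one TCP packet: the lowest-numbered matching rule wins."""
    ip = ipaddress.ip_address(peer_ip)
    same_dir = [e for e in entries if e["Egress"] == egress]
    for e in sorted(same_dir, key=lambda e: e["RuleNumber"]):
        cidr, ports = e.get("CidrBlock"), e.get("PortRange")
        if e["Protocol"] not in ("-1", "6") or not cidr:  # TCP/all, IPv4 only
            continue
        if ip not in ipaddress.ip_network(cidr):
            continue
        if ports and not (ports["From"] <= port <= ports["To"]):
            continue
        return e["RuleAction"]
    return "deny"  # nothing matched

def audit(entries, qs_cidr, db_port, outsider="203.0.113.10"):
    """Return findings for the QuickSight-to-database path through this ACL."""
    net = ipaddress.ip_network(qs_cidr)
    findings = []
    for ip in (str(net[0]), str(net[-1])):  # sample both ends of the range
        if nacl_decision(entries, False, ip, db_port) != "allow":
            findings.append(f"inbound {ip} -> port {db_port} denied")
        # Network ACLs are stateless, so replies to the client's port
        # need their own outbound rule.
        for client_port in (1024, 65535):
            if nacl_decision(entries, True, ip, client_port) != "allow":
                findings.append(f"outbound to {ip}:{client_port} denied")
    # Least-privilege check: an address outside the range should not get in.
    if nacl_decision(entries, False, outsider, db_port) == "allow":
        findings.append(f"port {db_port} also open to {outsider}")
    return findings
```

An empty list from `audit` means the sampled QuickSight addresses can reach the database port, the replies can leave, and the sampled outside address cannot.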

Network Configuration for an AWS Instance That is Not in a VPC

If you are configuring an AWS instance that is not in a VPC, make sure that the instance is publicly accessible and that there is a security group rule that allows traffic between the cluster or instance and Amazon QuickSight servers. For further details on how to do this, choose the appropriate topic following:

Network Configuration for a Non-AWS Database Instance

If you want to use SSL to secure your connections to your database (recommended), make sure that you have a certificate signed by a recognized certificate authority (CA). Amazon QuickSight doesn't accept certificates that are self-signed or issued from a non-public CA. For more information, see Amazon QuickSight SSL and CA Certificates.

If your database is on a non-AWS server, you must change that server's firewall configuration to accept traffic from the appropriate Amazon QuickSight IP address range. For more information about Amazon QuickSight IP address ranges, see IP Address Ranges for Amazon QuickSight. Refer to your operating system documentation for any other steps you need to take to enable internet connectivity.

Amazon QuickSight SSL and CA Certificates

Following is a list of accepted public certificate authorities (CAs). If you are using a non-AWS database instance, your certificate must be signed by a CA on this list, or it won't work.

  • AAA Certificate Services

  • AddTrust Class 1 CA Root

  • AddTrust External CA Root

  • AddTrust Qualified CA Root

  • AffirmTrust Commercial

  • AffirmTrust Networking

  • AffirmTrust Premium

  • AffirmTrust Premium ECC

  • America Online Root Certification Authority 1

  • America Online Root Certification Authority 2

  • Baltimore CyberTrust Code Signing Root

  • Baltimore CyberTrust Root

  • Buypass Class 2 Root CA

  • Buypass Class 3 Root CA

  • Certum CA

  • Certum Trusted Network CA

  • Chambers of Commerce Root

  • Chambers of Commerce Root - 2008

  • Class 2 Primary CA

  • Class 3P Primary CA

  • Deutsche Telekom Root CA 2

  • DigiCert Assured ID Root CA

  • DigiCert Global Root CA

  • DigiCert High Assurance EV Root CA

  • Entrust.net Certification Authority (2048)

  • Entrust Root Certification Authority

  • Entrust Root Certification Authority - G2

  • Equifax Secure eBusiness CA-1

  • Equifax Secure Global eBusiness CA-1

  • GeoTrust Global CA

  • GeoTrust Primary Certification Authority

  • GeoTrust Primary Certification Authority - G2

  • GeoTrust Primary Certification Authority - G3

  • GeoTrust Universal CA

  • Global Chambersign Root - 2008

  • GlobalSign

  • GlobalSign Root CA

  • Go Daddy Root Certificate Authority - G2

  • GTE CyberTrust Global Root

  • KEYNECTIS ROOT CA

  • QuoVadis Root CA 2

  • QuoVadis Root CA 3

  • QuoVadis Root Certification Authority

  • SecureTrust CA

  • Sonera Class1 CA

  • Sonera Class2 CA

  • Starfield Root Certificate Authority - G2

  • Starfield Services Root Certificate Authority - G2

  • SwissSign Gold CA - G2

  • SwissSign Platinum CA - G2

  • SwissSign Silver CA - G2

  • TC TrustCenter Class 2 CA II

  • TC TrustCenter Class 4 CA II

  • TC TrustCenter Universal CA I

  • Thawte Personal Freemail CA

  • Thawte Premium Server CA

  • thawte Primary Root CA

  • thawte Primary Root CA - G2

  • thawte Primary Root CA - G3

  • Thawte Server CA

  • Thawte Timestamping CA

  • T-TeleSec GlobalRoot Class 2

  • T-TeleSec GlobalRoot Class 3

  • UTN - DATACorp SGC

  • UTN-USERFirst-Client Authentication and Email

  • UTN-USERFirst-Hardware

  • UTN-USERFirst-Object

  • Valicert

  • VeriSign Class 1 Public Primary Certification Authority - G3

  • VeriSign Class 2 Public Primary Certification Authority - G3

  • VeriSign Class 3 Public Primary Certification Authority - G3

  • VeriSign Class 3 Public Primary Certification Authority - G4

  • VeriSign Class 3 Public Primary Certification Authority - G5

  • VeriSign Universal Root Certification Authority

  • XRamp Global Certification Authority

IP Address Ranges for Amazon QuickSight

For more information on the IP address ranges for Amazon QuickSight in supported regions, see AWS Regions and IP Address Ranges.

Database Configuration Requirements for Self-Administered Instances

For a database to be accessible to Amazon QuickSight, it must meet the following criteria:

  • It is accessible from the internet. Refer to your database management system documentation for any steps you need to take to enable internet connectivity.

  • It is configured to accept connections and authenticate access using the user credentials you provide as part of creating the data set.

  • If you are connecting to MySQL or PostgreSQL, it must be accessible from your host or IP range. This is an optional security limitation specified in MySQL or PostgreSQL connection settings. If this limitation is in place, any attempt to connect from a nonspecified host or IP address will be rejected, even if you have the correct username and password.
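For PostgreSQL, the host restriction described in the last item lives in `pg_hba.conf`, where the first matching record decides the outcome. The following added example (not from the AWS documentation) is a simplified first-match evaluator that shows why a connection from an unlisted address fails regardless of the password. The sample file, the `198.51.100.0/27` placeholder range, the database and user names, and the function names are all constructed for illustration; MySQL expresses the same restriction through the host part of the account name and is not covered here.

```python
import ipaddress

# Constructed pg_hba.conf; 198.51.100.0/27 is a documentation-range
# placeholder for the QuickSight range, and the names are made up.
SAMPLE_HBA = """\
# TYPE   DATABASE   USER        ADDRESS            METHOD
local    all        postgres                       peer
hostssl  sales      qs_reader   198.51.100.0/27    scram-sha-256
host     all        all         10.0.0.0/8         scram-sha-256
"""

def _listed(field, value):
    """True if a comma-separated pg_hba field names `value` or is `all`."""
    names = field.split(",")
    return "all" in names or value in names

def hba_method(conf, database, user, client_ip, ssl=True):
    """Return the auth method of the first matching record, or None.

    Simplified (assumption): only host/hostssl/hostnossl records whose
    address is a CIDR block or `all` are considered; hostnames, samehost,
    samenet and the separate netmask column are skipped.
    """
    ip = ipaddress.ip_address(client_ip)
    for line in conf.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 5 or fields[0] not in ("host", "hostssl", "hostnossl"):
            continue
        kind, db, usr, addr, method = fields[:5]
        # hostssl records match only TLS connections, hostnossl only plain ones.
        if (kind == "hostssl" and not ssl) or (kind == "hostnossl" and ssl):
            continue
        if not (_listed(db, database) and _listed(usr, user)):
            continue
        if addr != "all":
            if "/" not in addr:          # unsupported address form
                continue
            if ip not in ipaddress.ip_network(addr, strict=False):
                continue
        return method
    # No record matched: the server refuses the connection before any
    # password is checked.
    return None
```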