Amazon QuickSight and interface VPC endpoints (AWS PrivateLink)
You can establish a private connection between your VPC and Amazon QuickSight by creating an interface VPC endpoint. Interface endpoints are powered by AWS PrivateLink. Each interface endpoint is represented by one or more Elastic Network Interfaces in your subnets. For more information, see Interface VPC endpoints (AWS PrivateLink) in the Amazon VPC User Guide.
Considerations for QuickSight VPC endpoints
Before you set up an interface VPC endpoint for QuickSight, ensure that you review Interface endpoint properties and limitations in the Amazon VPC User Guide.
The following considerations apply to VPC endpoint restrictions in QuickSight:
- The VPC endpoint that you create for QuickSight only works for the QuickSight website. QuickSight API calls are not supported through VPC endpoints.
- QuickSight supports data sources from AWS services including Amazon S3, Amazon Redshift, and Athena. QuickSight needs access to the resources in your AWS accounts to retrieve this data. If you want traffic to other AWS services to be routed through the VPC endpoint, you need to create VPC endpoint connections for each service that your QuickSight account is configured to use. For more information about connecting to a VPC with QuickSight, see Connecting to a VPC with Amazon QuickSight.
- IP and VPC endpoint rules precede all other rules in QuickSight. If you have embedded dashboards or visuals that are visible to the public (anyone on the internet) and restrict traffic to the QuickSight website through a VPC endpoint, public dashboards can only be shared through the VPC endpoint. For more information on public embedding, see Turning on public access to visuals and dashboards with a 1-click embed code.
- QuickSight VPC endpoints are not available in China regions.
- QuickSight VPC endpoints are not available in GovCloud regions.
Creating an interface VPC endpoint for QuickSight
You can create a VPC endpoint for the QuickSight website using either the Amazon VPC console or the AWS Command Line Interface (AWS CLI). For more information, see Creating an interface endpoint in the Amazon VPC User Guide.
Create a VPC endpoint for QuickSight using the following service name:
- com.amazonaws.region.quicksight-website
The private DNS names for the QuickSight website are not the same as the public URL for QuickSight. To reach QuickSight through the public URL, create an A record for the website in the format <region>.quicksight.aws.amazon.com and point it to the VPC endpoint. For more information about routing to a VPC endpoint, see Routing traffic to an Amazon Virtual Private Cloud interface endpoint by using your domain name.
The management of certain administrator features requires that an administrator sign in to QuickSight as an IAM user. If you sign in through the VPC endpoint, you also need to create the following VPC endpoints for the AWS Management Console:
- com.amazonaws.region.console
- com.amazonaws.region.signin
For more information about VPC endpoints for the AWS Management Console, see Required VPC endpoints and DNS configuration.
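The steps above (one endpoint per service name, plus a private A record so that the public hostname resolves to the endpoint inside the VPC) fit together as shown in the following script. It is an added example, not code from the AWS documentation: the request builders are pure functions, the boto3 calls run only under `__main__`, and every VPC, subnet, security group and hosted zone ID is a constructed placeholder. It also assumes that the first `DnsEntries` item returned for the created endpoint is its regional DNS name.

```python
"""Plan the interface endpoints and the private DNS record that route browser
traffic for the QuickSight website through AWS PrivateLink.
Added example; all IDs are constructed placeholders."""

# Service-name suffixes from the documentation: the QuickSight website itself,
# plus the console and sign-in endpoints an IAM-user administrator needs.
QUICKSIGHT_WEBSITE = "quicksight-website"
CONSOLE_SERVICES = ("console", "signin")


def service_name(region: str, suffix: str) -> str:
    """Service name in the documented form com.amazonaws.<region>.<suffix>."""
    return f"com.amazonaws.{region}.{suffix}"


def endpoint_request(region, suffix, vpc_id, subnet_ids, security_group_ids):
    """Keyword arguments for ec2.create_vpc_endpoint for one interface endpoint."""
    return {
        "VpcEndpointType": "Interface",
        "VpcId": vpc_id,
        "ServiceName": service_name(region, suffix),
        "SubnetIds": list(subnet_ids),
        "SecurityGroupIds": list(security_group_ids),
    }


def plan_endpoints(region, vpc_id, subnet_ids, security_group_ids, admin_signin=True):
    """Every endpoint to create: the website, and (unless admin_signin is False)
    console and signin so administrators can sign in through the VPC."""
    suffixes = [QUICKSIGHT_WEBSITE]
    if admin_signin:
        suffixes.extend(CONSOLE_SERVICES)
    return [endpoint_request(region, s, vpc_id, subnet_ids, security_group_ids)
            for s in suffixes]


def quicksight_public_hostname(region: str) -> str:
    """The public QuickSight URL hostname, <region>.quicksight.aws.amazon.com."""
    return f"{region}.quicksight.aws.amazon.com"


def alias_record_change(region, endpoint_dns_name, endpoint_hosted_zone_id):
    """Route 53 ChangeBatch for a private hosted zone: an alias A record that
    makes the public hostname resolve, inside the VPC, to the interface
    endpoint. The target DNS name and hosted zone ID are the ones reported in
    the endpoint's DnsEntries."""
    return {
        "Comment": "Route the QuickSight website hostname to the PrivateLink endpoint",
        "Changes": [{
            "Action": "UPSERT",
            "ResourceRecordSet": {
                "Name": quicksight_public_hostname(region),
                "Type": "A",
                "AliasTarget": {
                    "HostedZoneId": endpoint_hosted_zone_id,
                    "DNSName": endpoint_dns_name,
                    "EvaluateTargetHealth": False,
                },
            },
        }],
    }


if __name__ == "__main__":
    import boto3  # needed only for the live calls

    # Constructed placeholders; replace with your own values.
    REGION = "us-east-1"
    VPC_ID = "vpc-0123456789abcdef0"
    SUBNETS = ["subnet-0123456789abcdef0"]
    SGS = ["sg-0123456789abcdef0"]
    PRIVATE_HOSTED_ZONE_ID = "Z0123456789EXAMPLE"  # private zone associated with VPC_ID

    ec2 = boto3.client("ec2", region_name=REGION)
    created = {}
    for req in plan_endpoints(REGION, VPC_ID, SUBNETS, SGS):
        created[req["ServiceName"]] = ec2.create_vpc_endpoint(**req)["VpcEndpoint"]

    # Assumption: the first DnsEntries item of the website endpoint is its
    # regional name (the AZ-specific names follow it).
    entry = created[service_name(REGION, QUICKSIGHT_WEBSITE)]["DnsEntries"][0]
    boto3.client("route53").change_resource_record_sets(
        HostedZoneId=PRIVATE_HOSTED_ZONE_ID,
        ChangeBatch=alias_record_change(REGION, entry["DnsName"], entry["HostedZoneId"]),
    )
```

One design point worth checking before running it: a private hosted zone overrides public resolution for its entire namespace inside the associated VPC, so create the zone for the narrowest name that still contains the record (the `<region>.quicksight.aws.amazon.com` name itself) rather than for `aws.amazon.com`, or other AWS hostnames in that VPC will stop resolving.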
Creating a VPC endpoint policy for QuickSight
You can attach an endpoint policy to your VPC endpoint to restrict usage of the endpoint to specific QuickSight accounts or to accounts under specific AWS organizations. The AWS account IDs that are allowlisted or denylisted are the AWS accounts in which the QuickSight account is created. In most cases, this is the same account ID in which the VPC endpoint is created. The policy specifies the following information:
- The principal that can perform actions.
- The actions that can be performed.
- The resources on which actions can be performed.
For more information, see Controlling access to services with VPC endpoints in the Amazon VPC User Guide.
Example: VPC endpoint policy for QuickSight actions
The following is an example of an endpoint policy for QuickSight. When attached to an endpoint, this policy grants access to all QuickSight actions for all principals on all resources, but only for requests whose principal belongs to AWS account 012345678901 (the aws:PrincipalAccount condition).
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "*",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:PrincipalAccount": [ "012345678901" ]
                }
            }
        }
    ]
}
Policies for the QuickSight website must have the values of the Principal, Action, and Resource fields set to "*". A condition may be specified only against the aws:PrincipalAccount or the aws:OrgId attributes. These conditions are evaluated on all requests to the QuickSight website after the user signs in.
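Because the website endpoint accepts only wildcard Principal, Action and Resource values and narrows access solely through the two condition keys, a policy that drifts from that shape is rejected or, worse, silently fails to restrict anything. The following added example (not AWS code) builds policies in the documented shape for an account allowlist or an organization allowlist and lints an arbitrary policy against those constraints. It assumes aws:PrincipalOrgID, the IAM global condition key for the caller's organization ID, is the key the text refers to as aws:OrgId; the organization ID in the sample is a constructed placeholder.

```python
"""Build and lint VPC endpoint policies for the QuickSight website endpoint.
Added example; the account and organization IDs are constructed placeholders."""
import json

# The only condition keys the documentation permits. Condition keys are
# case-insensitive in IAM, so comparisons below are done in lower case.
ALLOWED_CONDITION_KEYS = {k.lower() for k in ("aws:PrincipalAccount", "aws:PrincipalOrgID")}
WILDCARD_FIELDS = ("Principal", "Action", "Resource")

# The documentation's own account-scoped example, as JSON text.
ACCOUNT_SCOPED_EXAMPLE = """{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow", "Principal": "*", "Action": "*", "Resource": "*",
    "Condition": {"StringEquals": {"aws:PrincipalAccount": ["012345678901"]}}
  }]
}"""


def build_endpoint_policy(account_ids=(), org_ids=()):
    """Allow policy that keeps Principal/Action/Resource at "*" and restricts
    use of the endpoint to the given accounts and/or organizations."""
    condition = {}
    if account_ids:
        condition["aws:PrincipalAccount"] = list(account_ids)
    if org_ids:
        condition["aws:PrincipalOrgID"] = list(org_ids)
    statement = {"Effect": "Allow", "Principal": "*", "Action": "*", "Resource": "*"}
    if condition:
        statement["Condition"] = {"StringEquals": condition}
    return {"Version": "2012-10-17", "Statement": [statement]}


def validate_endpoint_policy(policy):
    """Return a list of violations of the documented constraints; an empty list
    means the policy is acceptable for the website endpoint. Accepts a dict or
    JSON text. Effect is not checked: Allow and Deny statements both follow the
    same shape rules."""
    if isinstance(policy, str):
        try:
            policy = json.loads(policy)
        except json.JSONDecodeError as exc:
            return [f"policy is not valid JSON: {exc}"]
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be written bare
        statements = [statements]
    problems = []
    if not statements:
        problems.append("policy has no Statement")
    for i, st in enumerate(statements):
        for field in WILDCARD_FIELDS:
            if st.get(field) != "*":
                problems.append(f'statement {i}: {field} must be "*", got {st.get(field)!r}')
        for operator, pairs in st.get("Condition", {}).items():
            for key in pairs:
                if key.lower() not in ALLOWED_CONDITION_KEYS:
                    problems.append(
                        f"statement {i}: condition key {key} under {operator} is not allowed")
    return problems


if __name__ == "__main__":
    org_policy = build_endpoint_policy(org_ids=["o-exampleorgid"])  # constructed ID
    print(json.dumps(org_policy, indent=2))
    print("page example:", validate_endpoint_policy(ACCOUNT_SCOPED_EXAMPLE) or "ok")
    print("org example: ", validate_endpoint_policy(org_policy) or "ok")
```

Run the linter over a policy before calling modify-vpc-endpoint; a non-empty result names the field or condition key that falls outside what the website endpoint accepts.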
Restricting access to the QuickSight website
You can choose to restrict access to your QuickSight account to only allow traffic from an approved VPC endpoint. This prevents general internet users from accessing your QuickSight account. Before you can make this change, make sure that you're an IAM user with the UpdateIpRestriction permission. For more information on the permissions that are required to restrict access with a VPC endpoint, see Turning on IP and VPC endpoint restrictions in Amazon QuickSight.
Use the following procedure to restrict access with a VPC endpoint in QuickSight.
- Open the QuickSight console.
- Choose Manage QuickSight, and then choose Security & permissions.
- On the Security & permissions page that opens, navigate to IP and VPC endpoint restrictions and choose Manage.
- Turn on the Enforce restrictions switch to turn on your VPC endpoint restrictions.
You can also perform this action with the QuickSight APIs. The following example turns on the enforcement of a VPC endpoint restriction.
aws quicksight update-ip-restriction \
    --aws-account-id AWSACCOUNTID \
    --region REGION \
    --enabled \
    --vpc-endpoint-id-restriction-rule-map vpce-001122def=MyVpcEndpointAllowed
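Since IP and VPC endpoint rules take precedence over every other rule, enabling enforcement with an empty rule map would leave no permitted path to the account. The following added example (not AWS code) validates the inputs, refuses that plan locally, and produces the same call in both boto3 and AWS CLI form; the account ID and endpoint ID are the placeholder values from the CLI example above.

```python
"""Pre-flight check for UpdateIpRestriction before enforcement is turned on.
Added example; IDs are the documentation's placeholders."""
import re

# Identifier shapes. The endpoint pattern is permissive enough to accept the
# shortened vpce-001122def placeholder used in the documentation.
ACCOUNT_ID = re.compile(r"[0-9]{12}")
VPCE_ID = re.compile(r"vpce-[0-9a-f]{8,17}")


def plan_ip_restriction_update(account_id, vpc_endpoint_rules, ip_rules=None, enable=True):
    """Keyword arguments for quicksight.update_ip_restriction, after checking
    the inputs. Enabling enforcement with neither endpoint nor IP rules would
    block every client, so that plan raises instead of being returned."""
    ip_rules = dict(ip_rules or {})
    problems = []
    if not ACCOUNT_ID.fullmatch(account_id):
        problems.append(f"account ID must be 12 digits, got {account_id!r}")
    for vpce_id in vpc_endpoint_rules:
        if not VPCE_ID.fullmatch(vpce_id):
            problems.append(f"{vpce_id!r} is not a VPC endpoint ID")
    if enable and not vpc_endpoint_rules and not ip_rules:
        problems.append("refusing to enable enforcement with an empty rule map")
    if problems:
        raise ValueError("; ".join(problems))
    params = {
        "AwsAccountId": account_id,
        "Enabled": enable,
        "VpcEndpointIdRestrictionRuleMap": dict(vpc_endpoint_rules),
    }
    if ip_rules:
        params["IpRestrictionRuleMap"] = ip_rules
    return params


def as_cli_command(params, region):
    """The equivalent AWS CLI invocation, in the form shown in the documentation."""
    parts = [
        "aws quicksight update-ip-restriction",
        f"--aws-account-id {params['AwsAccountId']}",
        f"--region {region}",
        "--enabled" if params["Enabled"] else "--no-enabled",
    ]
    vpce_map = ",".join(f"{k}={v}" for k, v in params["VpcEndpointIdRestrictionRuleMap"].items())
    if vpce_map:
        parts.append(f"--vpc-endpoint-id-restriction-rule-map {vpce_map}")
    ip_map = ",".join(f"{k}={v}" for k, v in params.get("IpRestrictionRuleMap", {}).items())
    if ip_map:
        parts.append(f"--ip-restriction-rule-map {ip_map}")
    return " \\\n    ".join(parts)


if __name__ == "__main__":
    import boto3  # needed only for the live call

    params = plan_ip_restriction_update("012345678901", {"vpce-001122def": "MyVpcEndpointAllowed"})
    print(as_cli_command(params, "us-east-1"))
    boto3.client("quicksight", region_name="us-east-1").update_ip_restriction(**params)
```

Run the plan with enable=False first to register the endpoint mapping, confirm that the endpoint path works for an administrator, and only then submit the enabled plan; the local check catches the empty-map case but cannot verify that the mapped endpoint is actually reachable.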
Domains accessed by QuickSight
The table below lists all URLs that are accessed by Amazon QuickSight from your browser. Make sure that you have established connectivity for all of the domains listed in the table.
| URL | Reason | Has VPC endpoint support? |
|---|---|---|
| region.quicksight.aws.amazon.com | The bulk of traffic to QuickSight flows through this domain. | Yes |
| signin.aws.amazon.com | To sign in to the AWS console if the account uses IAM identities. | Yes |
| region.signin.aws | To sign in to the AWS console if the account uses QuickSight native users for identity management. | No |
| *.cloudfront.net | To download static assets, for example CSS or JS. | No |
| *.s3.region.amazonaws.com | To download reports and thumbnails. | Yes |
| *.execute-api.region.amazonaws.com | To access client-side metrics. | No |