Setting up a VPC to connect to JDBC data stores for AWS Glue - AWS Glue

Setting up a VPC to connect to JDBC data stores for AWS Glue

To enable AWS Glue components to communicate, you must set up access to your data stores, such as Amazon Redshift and Amazon RDS. To enable AWS Glue to communicate between its components, specify a security group with a self-referencing inbound rule for all TCP ports. By creating a self-referencing rule, you can restrict the source to the same security group in the VPC, and it's not open to all networks. The default security group for your VPC might already have a self-referencing inbound rule for ALL Traffic.

To set up access for Amazon RDS data stores

  1. Sign in to the AWS Management Console and open the Amazon RDS console at https://console.aws.amazon.com/rds/.

  2. In the left navigation pane, choose Instances.

  3. Choose the Amazon RDS Engine and DB Instance name that you want to access from AWS Glue.

  4. From Instance Actions, choose See Details. On the Details tab, find the Security Groups name you will access from AWS Glue. Record the name of the security group for future reference.

  5. Choose the security group to open the Amazon EC2 console.

  6. Confirm that your Group ID from Amazon RDS is chosen, then choose the Inbound tab.

  7. Add a self-referencing rule to allow AWS Glue components to communicate. Specifically, add or confirm that there is a rule of Type All TCP, Protocol is TCP, Port Range includes all ports, and whose Source is the same security group name as the Group ID.

    The inbound rule looks similar to this:

    Type Protocol Port range Source

    All TCP

    TCP

    0–65535

    database-security-group

    For example:

    An example of a self-referencing inbound rule.

  8. Add a rule for outbound traffic also. Either open outbound traffic to all ports, for example:

    Type Protocol Port range Destination

    All Traffic

    ALL

    ALL

    0.0.0.0/0

    Or create a self-referencing rule where Type All TCP, Protocol is TCP, Port Range includes all ports, and whose Destination is the same security group name as the Group ID. If using an Amazon S3 VPC endpoint, also add an HTTPS rule for Amazon S3 access. The s3-prefix-list-id is required in the security group rule to allow traffic from the VPC to the Amazon S3 VPC endpoint.

    For example:

    Type Protocol Port range Destination

    All TCP

    TCP

    0–65535

    security-group

    HTTPS

    TCP

    443

    s3-prefix-list-id