Network and database configuration requirements
To serve as data sources, databases need to be configured so that Amazon QuickSight can access them. Use the following sections to make sure that your database is configured appropriately.
Important
Because a database instance on Amazon EC2 is administered by you rather than AWS, it must meet both the Network configuration requirements and the Database configuration requirements for self-administered instances.
Network configuration requirements
Intended audience: System administrators
For you to use your database server from QuickSight, your server must be accessible from the internet. It must also allow inbound traffic from QuickSight servers.
If the database is on AWS and in the same AWS Region as your QuickSight account, you can auto-discover the instance to make connecting to it easier. To do this, you must grant QuickSight permissions to access it. For more information, see Accessing data sources.
Network configuration for an AWS instance in a default VPC
In some cases, your database might be on an AWS cluster or instance that you created in a default VPC. Thus, it's publicly accessible (that is, you didn't choose to make it private). In such cases, your database is already appropriately configured to be accessible from the internet. However, you still need to enable access from QuickSight servers to your AWS cluster or instance. For further details on how to do this, choose the appropriate topic following:
Network configuration for an AWS instance in a nondefault VPC
If you are configuring an AWS instance in a nondefault VPC, make sure that the instance is publicly accessible and that the VPC has the following:
- An internet gateway.
- A public subnet.
- A route in the route table between the internet gateway and the AWS instance.
- Network access control lists (ACLs) in your VPC that allow traffic between the cluster or instance and QuickSight servers. These ACLs must do the following:
  - Allow inbound traffic from the appropriate QuickSight IP address range and all ports to the IP address and port that the database is listening on.
  - Allow outbound traffic from the database's IP address and port to the appropriate QuickSight IP address range and all ports.

  For more information about QuickSight IP address ranges, see IP address ranges for QuickSight following.
  For more information about configuring VPC ACLs, see Network ACLs.
- Security group rules that allow traffic between the cluster or instance and QuickSight servers. For further details on how to create appropriate security group rules, see Authorizing connections to AWS data stores.
For more information about configuring a VPC in the Amazon VPC service, see Networking in Your VPC.
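The two network ACL requirements above can be checked offline against entries in the shape that `aws ec2 describe-network-acls` returns. The following Python sketch is an added example, not AWS code: it applies first-match rule ordering to IPv4 TCP traffic only. The CIDR 192.0.2.0/27 is a documentation placeholder rather than a real QuickSight range, and port 5432 and the sample entries are constructed.

```python
import ipaddress

def first_match(entries, egress, peer, port):
    """Action of the lowest-numbered entry matching TCP on `port` (first match wins)."""
    for e in sorted(entries, key=lambda e: e["RuleNumber"]):
        if e["Egress"] != egress or e["Protocol"] not in ("-1", "6"):
            continue
        pr = e.get("PortRange")  # absent when the entry covers all ports
        if "CidrBlock" not in e or (pr and not pr["From"] <= port <= pr["To"]):
            continue  # IPv6 entry (out of scope here) or port outside the range
        net = ipaddress.ip_network(e["CidrBlock"])
        if peer.subnet_of(net):
            return e["RuleAction"]
        if peer.overlaps(net):
            return "partial"  # covers only part of the range: review by hand
    return "deny"

def check_nacl(entries, quicksight_cidr, db_port):
    """Return findings where the ACL misses the two requirements listed above."""
    peer = ipaddress.ip_network(quicksight_cidr)
    findings = []
    if first_match(entries, False, peer, db_port) != "allow":
        findings.append(f"inbound: {quicksight_cidr} -> port {db_port} is not allowed")
    # The outbound action only changes at rule port boundaries, so test those.
    starts = {0}
    for e in entries:
        if e["Egress"] and "PortRange" in e:
            starts |= {e["PortRange"]["From"], e["PortRange"]["To"] + 1}
    blocked = sorted(p for p in starts if p <= 65535
                     and first_match(entries, True, peer, p) != "allow")
    if blocked:
        findings.append(f"outbound: not all ports to {quicksight_cidr} are allowed "
                        f"(first blocked port {blocked[0]})")
    return findings

def rule(num, egress, action, cidr, proto="6", ports=None):
    e = {"RuleNumber": num, "Egress": egress, "RuleAction": action,
         "CidrBlock": cidr, "Protocol": proto}
    if ports:
        e["PortRange"] = {"From": ports[0], "To": ports[1]}
    return e

QS = "192.0.2.0/27"  # placeholder range (assumption), not a real QuickSight range
DEFAULT = [rule(32767, eg, "deny", "0.0.0.0/0", "-1") for eg in (False, True)]
GOOD = DEFAULT + [rule(100, False, "allow", QS, ports=(5432, 5432)),
                  rule(100, True, "allow", QS, ports=(0, 65535))]
SHADOWED = DEFAULT + [rule(90, False, "deny", "192.0.2.0/24", "-1"),
                      rule(100, False, "allow", QS, ports=(5432, 5432)),
                      rule(100, True, "allow", QS, ports=(1024, 65535))]
```

`check_nacl(GOOD, QS, 5432)` returns no findings, while `SHADOWED` yields two: a lower-numbered deny hides the inbound allow, and the outbound rule stops short of all ports.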
Network configuration for an AWS instance in a private VPC
If your database is on an AWS cluster or instance that you created in a private VPC, you can use it with QuickSight. For more information, see Connecting to a VPC with Amazon QuickSight.
For more information on Amazon VPC, see Amazon VPC.
Network configuration for an AWS instance that is not in a VPC
If you are configuring an AWS instance that is not in a VPC, make sure that the instance is publicly accessible. Also, make sure that there is a security group rule that allows traffic between the cluster or instance and QuickSight servers. For further details on how to do this, choose the appropriate topic following:
Network configuration for a database instance other than AWS
To use SSL to secure your connections to your database (recommended), make sure that you have a certificate signed by a recognized certificate authority (CA). QuickSight doesn't accept certificates that are self-signed or issued from a nonpublic CA. For more information, see QuickSight SSL and CA certificates.
If your database is on a server other than AWS, you must change that server's firewall configuration to accept traffic from the appropriate QuickSight IP address range. For more information about QuickSight IP address ranges, see IP address ranges for QuickSight. For any other steps that you need to take to enable internet connectivity, see your operating system documentation.
QuickSight SSL and CA certificates
Following is a list of accepted public certificate authorities. If you are using a database instance other than AWS, your certificate must be on this list, or it won't work.
IP address ranges for QuickSight
For more information on the IP address ranges for QuickSight in supported Regions, see AWS Regions, websites, IP address ranges, and endpoints.