Network and Database Configuration Requirements - Amazon QuickSight

Network and Database Configuration Requirements

To serve as data sources, databases need to be configured so that Amazon QuickSight can access them. Use the following sections to make sure that your database is configured appropriately.

Important

Because a database instance on Amazon EC2 is administered by you rather than AWS, it must meet both the Network Configuration Requirements as well as the Database Configuration Requirements for Self-Administered Instances.

Network Configuration Requirements

 Intended audience: System administrators 

For you to use your database server from QuickSight, your server must be accessible from the internet. It must also allow inbound traffic from QuickSight servers.

If the database is on AWS and in the same AWS Region as your QuickSight account, you can auto-discover the instance to make connecting to it easier. To do this, you must grant QuickSight permissions to access it. For more information, see Using Other AWS Services: Scoping Down Access.

Network Configuration for an AWS Instance in a Default VPC

In some cases, your database might be on an AWS cluster or instance that you created in a default VPC. Thus, it's publicly accessible (that is, you didn't choose to make it private). In such cases, your database is already appropriately configured to be accessible from the internet. However, you still need to enable access from QuickSight servers to your AWS cluster or instance. For further details on how to do this, choose the appropriate topic following:

Network Configuration for an AWS Instance in a Nondefault VPC

If you are configuring an AWS instance in a nondefault VPC, make sure that the instance is publicly accessible and that the VPC has the following:

  • An internet gateway.

  • A public subnet.

  • A route in the route table between the internet gateway and the AWS instance.

  • Network access control lists (ACLs) in your VPC that allow traffic between the cluster or instance and QuickSight servers. These ACLs must do the following:

    • Allow inbound traffic from the appropriate QuickSight IP address range and all ports to the IP address and port that the database is listening on.

    • Allow outbound traffic from the database’s IP address and port to the appropriate QuickSight IP address range and all ports.

    For more information about QuickSight IP address ranges, see IP Address Ranges for QuickSight following.

    For more information about configuring VPC ACLs, see Network ACLs.

  • Security group rules that allow traffic between the cluster or instance and QuickSight servers. For further details on how to create appropriate security group rules, see Authorizing Connections from Amazon QuickSight to AWS Data Stores.

For more information about configuring a VPC in the Amazon VPC service, see Networking in Your VPC.

Network Configuration for an AWS Instance in a Private VPC

If your database is on an AWS cluster or instance that you created in a private VPC, you can use it with QuickSight. For more information, see Connecting to a VPC with Amazon QuickSight.

For more information on Amazon VPC, see Amazon VPC and Amazon VPC Documentation.

Network Configuration for an AWS Instance That is Not in a VPC

If you are configuring an AWS instance that is not in a VPC, make sure that the instance is publicly accessible. Also, make sure that there is a security group rule that allows traffic between the cluster or instance and QuickSight servers. For further details on how to do this, choose the appropriate topic following:

Network Configuration for a Non-AWS Database Instance

To use SSL to secure your connections to your database (recommended), make sure that you have a certificate signed by a recognized certificate authority (CA). QuickSight doesn't accept certificates that are self-signed or issued from a nonpublic CA. For more information, see QuickSight SSL and CA Certificates.

If your database is on a non-AWS server, you must change that server's firewall configuration to accept traffic from the appropriate QuickSight IP address range. For more information about QuickSight IP address ranges, see IP Address Ranges for QuickSight. For any other steps that you need to take to enable internet connectivity, see your operating system documentation.

QuickSight SSL and CA Certificates

Following is a list of accepted public certificate authorities. If you are using a non-AWS database instance, your certificate must be on this list, or it won't work.

  • AAA Certificate Services

  • AddTrust Class 1 CA Root

  • AddTrust External CA Root

  • AddTrust Qualified CA Root

  • AffirmTrust Commercial

  • AffirmTrust Networking

  • AffirmTrust Premium

  • AffirmTrust Premium ECC

  • America Online Root Certification Authority 1

  • America Online Root Certification Authority 2

  • Baltimore CyberTrust Code Signing Root

  • Baltimore CyberTrust Root

  • Buypass Class 2 Root CA

  • Buypass Class 3 Root CA

  • Certum CA

  • Certum Trusted Network CA

  • Chambers of Commerce Root

  • Chambers of Commerce Root - 2008

  • Class 2 Primary CA

  • Class 3P Primary CA

  • Deutsche Telekom Root CA 2

  • DigiCert Assured ID Root CA

  • DigiCert Global Root CA

  • DigiCert High Assurance EV Root CA

  • Entrust.net Certification Authority (2048)

  • Entrust Root Certification Authority

  • Entrust Root Certification Authority - G2

  • Equifax Secure eBusiness CA-1

  • Equifax Secure Global eBusiness CA-1

  • GeoTrust Global CA

  • GeoTrust Primary Certification Authority

  • GeoTrust Primary Certification Authority - G2

  • GeoTrust Primary Certification Authority - G3

  • GeoTrust Universal CA

  • Global Chambersign Root - 2008

  • GlobalSign

  • GlobalSign Root CA

  • Go Daddy Root Certificate Authority - G2

  • GTE CyberTrust Global Root

  • KEYNECTIS ROOT CA

  • QuoVadis Root CA 2

  • QuoVadis Root CA 3

  • QuoVadis Root Certification Authority

  • SecureTrust CA

  • Sonera Class1 CA

  • Sonera Class2 CA

  • Starfield Root Certificate Authority - G2

  • Starfield Services Root Certificate Authority - G2

  • SwissSign Gold CA - G2

  • SwissSign Platinum CA - G2

  • SwissSign Silver CA - G2

  • TC TrustCenter Class 2 CA II

  • TC TrustCenter Class 4 CA II

  • TC TrustCenter Universal CA I

  • Thawte Personal Freemail CA

  • Thawte Premium Server CA

  • thawte Primary Root CA

  • thawte Primary Root CA - G2

  • thawte Primary Root CA - G3

  • Thawte Server CA

  • Thawte Timestamping CA

  • T-TeleSec GlobalRoot Class 2

  • T-TeleSec GlobalRoot Class 3

  • UTN - DATACorp SGC

  • UTN-USERFirst-Client Authentication and Email

  • UTN-USERFirst-Hardware

  • UTN-USERFirst-Object

  • Valicert

  • VeriSign Class 1 Public Primary Certification Authority - G3

  • VeriSign Class 2 Public Primary Certification Authority - G3

  • VeriSign Class 3 Public Primary Certification Authority - G3

  • VeriSign Class 3 Public Primary Certification Authority - G4

  • VeriSign Class 3 Public Primary Certification Authority - G5

  • VeriSign Universal Root Certification Authority

  • XRamp Global Certification Authority

IP Address Ranges for QuickSight

For more information on the IP address ranges for QuickSight in supported regions, see AWS Regions, Websites, IP Address Ranges, and Endpoints.

Database Configuration Requirements for Self-Administered Instances

 Intended audience: System administrators and Amazon QuickSight administrators 

For a database to be accessible to QuickSight, it must meet the following criteria:

  • It must be accessible from the internet. To enable internet connectivity, see your database management system documentation.

  • It must be configured to accept connections and authenticate access using the user credentials that you provide as part of creating the data set.

  • If you are connecting to MySQL or PostgreSQL, the database engine must be accessible from your host or IP range. This optional security limitation is specified in MySQL or PostgreSQL connection settings. If this limitation is in place, any attempt to connect from a nonspecified host or IP address is rejected, even if you have the correct user name and password.

  • In MySQL, the server accepts the connection only if the user and host are verified in the user table. For more information, see Access Control, Stage 1: Connection Verification in the MySQL documentation.

  • In PostgreSQL, you control client authentication by using the pg_hba.conf file in the database cluster's data directory. However, this file might be named and located differently on your system. For more information, see Client Authentication in the PostgreSQL documentation.