Amazon QuickSight
User Guide

Network and Database Configuration Requirements

To serve as data sources, databases need to be configured so that Amazon QuickSight can access them. Use the following sections to make sure that your database is configured appropriately.

Important

Because a database instance on Amazon EC2 is administered by you rather than AWS, it must meet both the Network Configuration Requirements and the Database Configuration Requirements for Self-Administered Instances.

Network Configuration Requirements

To be usable from Amazon QuickSight, a database server must be accessible from the internet. It must also allow inbound traffic from Amazon QuickSight servers.

If the database is on AWS and in the same AWS Region as your Amazon QuickSight account, you can auto-discover the instance to make connecting to it easier. To do this, you must grant Amazon QuickSight permissions to access it. For more information, see Managing Amazon QuickSight Permissions to AWS Resources.

Network Configuration for an AWS Instance in a Default VPC

In some cases, your database might be on an AWS cluster or instance that you created in a default VPC and so is publicly accessible (that is, you didn't choose to make it private). In such cases, your database is already appropriately configured to be accessible from the internet. However, you still need to enable access from Amazon QuickSight servers to your AWS cluster or instance. For further details on how to do this, choose the appropriate topic following:

Network Configuration for an AWS Instance in a Non-Default VPC

If you are configuring an AWS instance in a non-default VPC, make sure that the instance is publicly accessible and that the VPC has the following:

  • An internet gateway.

  • A public subnet.

  • A route in the route table between the internet gateway and the AWS instance.

  • Network access control lists (ACLs) in your VPC that allow traffic between the cluster or instance and Amazon QuickSight servers. These ACLs must do the following:

    • Allow inbound traffic from the appropriate Amazon QuickSight IP address range and all ports to the IP address and port that the database is listening on.

    • Allow outbound traffic from the database’s IP address and port to the appropriate Amazon QuickSight IP address range and all ports.

    For more information about Amazon QuickSight IP address ranges, see IP Address Ranges for Amazon QuickSight following.

    For more information about configuring VPC ACLs, see Network ACLs.

  • Security group rules that allow traffic between the cluster or instance and Amazon QuickSight servers. For further details on how to create appropriate security group rules, see Authorizing Connections from Amazon QuickSight to AWS Data Stores.

For more information about configuring a VPC in the Amazon VPC service, see Networking in Your VPC.
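Network ACLs are stateless and evaluated in rule-number order, so both ACL rules listed above are needed and a lower-numbered deny can shadow them. The following Python check is an added example, not part of the Amazon QuickSight documentation; it models a network ACL in simplified form (TCP only, one CIDR per rule), and the CIDR 192.0.2.0/27, port 5432 and rule sets are constructed placeholders, not real Amazon QuickSight values.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class AclRule:
    number: int   # lower numbers are evaluated first
    egress: bool  # False = inbound rule, True = outbound rule
    cidr: str     # source (inbound) or destination (outbound)
    ports: range  # destination ports the rule covers
    allow: bool

def acl_allows(rules, egress, peer_ip, dst_port):
    """First matching rule by number decides; no match is an implicit deny."""
    ip = ipaddress.ip_address(peer_ip)
    for r in sorted(rules, key=lambda r: r.number):
        if (r.egress == egress and ip in ipaddress.ip_network(r.cidr)
                and dst_port in r.ports):
            return r.allow
    return False

def check_db_acl(rules, qs_cidr, db_port):
    """Spot-check the first and last address of qs_cidr and the port boundaries."""
    net = ipaddress.ip_network(qs_cidr)
    problems = []
    for ip in (str(net[0]), str(net[-1])):
        # Inbound: QuickSight address, any source port -> database port.
        if not acl_allows(rules, False, ip, db_port):
            problems.append(f"inbound {ip} -> port {db_port} denied")
        # Outbound: replies go back to whatever port the client used.
        for port in (1, 65535):
            if not acl_allows(rules, True, ip, port):
                problems.append(f"outbound -> {ip}:{port} denied")
    return problems

QS_CIDR = "192.0.2.0/27"  # placeholder, NOT a real Amazon QuickSight range
GOOD = [
    AclRule(100, False, QS_CIDR, range(5432, 5433), True),
    AclRule(100, True, QS_CIDR, range(0, 65536), True),
]
INBOUND_ONLY = GOOD[:1]  # outbound rule forgotten: replies are dropped
SHADOWED = GOOD + [AclRule(50, False, "0.0.0.0/0", range(0, 65536), False)]

if __name__ == "__main__":
    for name, rules in (("good", GOOD), ("inbound-only", INBOUND_ONLY),
                        ("shadowed", SHADOWED)):
        print(name, check_db_acl(rules, QS_CIDR, 5432))
```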

Network Configuration for an AWS Instance in a Private VPC

If your database is on an AWS cluster or instance that you created in a private VPC, you can use it with Amazon QuickSight. For more information, see Working with Amazon VPC.

For more information on Amazon Virtual Private Cloud, see Amazon VPC and Amazon VPC Documentation.

Network Configuration for an AWS Instance That is Not in a VPC

If you are configuring an AWS instance that is not in a VPC, make sure that the instance is publicly accessible. Also, make sure that there is a security group rule that allows traffic between the cluster or instance and Amazon QuickSight servers. For further details on how to do this, choose the appropriate topic following:

Network Configuration for a Non-AWS Database Instance

If you want to use SSL to secure your connections to your database (recommended), make sure that you have a certificate signed by a recognized certificate authority (CA). Amazon QuickSight doesn't accept certificates that are self-signed or issued from a non-public CA. For more information, see Amazon QuickSight SSL and CA Certificates.

If your database is on a non-AWS server, you must change that server's firewall configuration to accept traffic from the appropriate Amazon QuickSight IP address range. For more information about Amazon QuickSight IP address ranges, see IP Address Ranges for Amazon QuickSight. Refer to your operating system documentation for any other steps you need to take to enable internet connectivity.

Amazon QuickSight SSL and CA Certificates

Following is a list of accepted public certificate authorities (CAs). If you are using a non-AWS database instance, your certificate must be issued by a CA on this list, or the connection won't work.

  • AAA Certificate Services

  • AddTrust Class 1 CA Root

  • AddTrust External CA Root

  • AddTrust Qualified CA Root

  • AffirmTrust Commercial

  • AffirmTrust Networking

  • AffirmTrust Premium

  • AffirmTrust Premium ECC

  • America Online Root Certification Authority 1

  • America Online Root Certification Authority 2

  • Baltimore CyberTrust Code Signing Root

  • Baltimore CyberTrust Root

  • Buypass Class 2 Root CA

  • Buypass Class 3 Root CA

  • Certum CA

  • Certum Trusted Network CA

  • Chambers of Commerce Root

  • Chambers of Commerce Root - 2008

  • Class 2 Primary CA

  • Class 3P Primary CA

  • Deutsche Telekom Root CA 2

  • DigiCert Assured ID Root CA

  • DigiCert Global Root CA

  • DigiCert High Assurance EV Root CA

  • Entrust.net Certification Authority (2048)

  • Entrust Root Certification Authority

  • Entrust Root Certification Authority - G2

  • Equifax Secure eBusiness CA-1

  • Equifax Secure Global eBusiness CA-1

  • GeoTrust Global CA

  • GeoTrust Primary Certification Authority

  • GeoTrust Primary Certification Authority - G2

  • GeoTrust Primary Certification Authority - G3

  • GeoTrust Universal CA

  • Global Chambersign Root - 2008

  • GlobalSign

  • GlobalSign Root CA

  • Go Daddy Root Certificate Authority - G2

  • GTE CyberTrust Global Root

  • KEYNECTIS ROOT CA

  • QuoVadis Root CA 2

  • QuoVadis Root CA 3

  • QuoVadis Root Certification Authority

  • SecureTrust CA

  • Sonera Class1 CA

  • Sonera Class2 CA

  • Starfield Root Certificate Authority - G2

  • Starfield Services Root Certificate Authority - G2

  • SwissSign Gold CA - G2

  • SwissSign Platinum CA - G2

  • SwissSign Silver CA - G2

  • TC TrustCenter Class 2 CA II

  • TC TrustCenter Class 4 CA II

  • TC TrustCenter Universal CA I

  • Thawte Personal Freemail CA

  • Thawte Premium Server CA

  • thawte Primary Root CA

  • thawte Primary Root CA - G2

  • thawte Primary Root CA - G3

  • Thawte Server CA

  • Thawte Timestamping CA

  • T-TeleSec GlobalRoot Class 2

  • T-TeleSec GlobalRoot Class 3

  • UTN - DATACorp SGC

  • UTN-USERFirst-Client Authentication and Email

  • UTN-USERFirst-Hardware

  • UTN-USERFirst-Object

  • Valicert

  • VeriSign Class 1 Public Primary Certification Authority - G3

  • VeriSign Class 2 Public Primary Certification Authority - G3

  • VeriSign Class 3 Public Primary Certification Authority - G3

  • VeriSign Class 3 Public Primary Certification Authority - G4

  • VeriSign Class 3 Public Primary Certification Authority - G5

  • VeriSign Universal Root Certification Authority

  • XRamp Global Certification Authority

IP Address Ranges for Amazon QuickSight

For more information on the IP address ranges for Amazon QuickSight in supported regions, see AWS Regions and IP Address Ranges.

Database Configuration Requirements for Self-Administered Instances

For a database to be accessible to Amazon QuickSight, it must meet the following criteria:

  • It must be accessible from the internet. To enable internet connectivity, see your database management system documentation.

  • It must be configured to accept connections and authenticate access using the user credentials that you provide as part of creating the data set.

  • If you are connecting to MySQL or PostgreSQL, the database engine must be accessible from your host or IP range. This optional security limitation is specified in MySQL or PostgreSQL connection settings. If this limitation is in place, any attempt to connect from a nonspecified host or IP address is rejected, even if you have the correct user name and password.

    • In MySQL, the server accepts the connection only if the user and host are verified in the user table. For more information, see Access Control, Stage 1: Connection Verification in the MySQL documentation.

    • In PostgreSQL, you must control client authentication by using the pg_hba.conf file in the database cluster's data directory, although this file might be named and located differently on your system. For more information, see Client Authentication in the PostgreSQL documentation.
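PostgreSQL uses the first pg_hba.conf record that matches the connection type, database, user and client address, so record order decides whether a client in the permitted range is accepted. The following Python check is an added example, not part of the Amazon QuickSight or PostgreSQL documentation; it handles only CIDR and `all` addresses, and the sample file, the `sales` database, the `qs_reader` user and 192.0.2.0/27 are constructed placeholders.

```python
import ipaddress

# Constructed sample pg_hba.conf; 192.0.2.0/27 is a placeholder, not a real
# Amazon QuickSight range.
SAMPLE_HBA = """\
# TYPE   DATABASE  USER       ADDRESS         METHOD
local    all       postgres                   peer
hostssl  sales     qs_reader  192.0.2.0/27    scram-sha-256
host     all       all        0.0.0.0/0       reject
"""

def _names_match(field, value):
    return field == "all" or value in field.split(",")

def first_match(hba_text, client_ip, database, user, ssl):
    """Return (line_no, conn_type, method) of the first matching record, or None."""
    ip = ipaddress.ip_address(client_ip)
    for line_no, raw in enumerate(hba_text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 5 or fields[0] not in ("host", "hostssl", "hostnossl"):
            continue  # blank line, comment, local socket, or other record type
        conn_type, db_f, user_f, addr, method = fields[:5]
        if (conn_type == "hostssl" and not ssl) or (conn_type == "hostnossl" and ssl):
            continue
        if not (_names_match(db_f, database) and _names_match(user_f, user)):
            continue
        try:
            in_range = addr == "all" or ip in ipaddress.ip_network(addr, strict=False)
        except ValueError:
            continue  # host-name address: skipped, only CIDR and 'all' are handled
        if in_range:
            return line_no, conn_type, method
    return None  # no record matches: PostgreSQL denies the connection

def audit_client(hba_text, client_ip, database, user):
    """List reasons the login would fail or would be weakly protected."""
    findings = []
    tls = first_match(hba_text, client_ip, database, user, ssl=True)
    if tls is None or tls[2] == "reject":
        findings.append("TLS connection is rejected")
    elif tls[2] == "trust":
        findings.append(f"line {tls[0]}: 'trust' skips password authentication")
    plain = first_match(hba_text, client_ip, database, user, ssl=False)
    if plain and plain[2] != "reject":
        findings.append(f"line {plain[0]}: unencrypted connections are accepted")
    return findings
```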