Authorizing connections from Amazon QuickSight to Amazon Redshift clusters - Amazon QuickSight

   Applies to: Enterprise Edition and Standard Edition 
   Intended audience: System administrators 

For Amazon QuickSight to connect to an Amazon Redshift instance, you must create a new security group for that instance. This security group contains an inbound rule authorizing access from the appropriate IP address range for the Amazon QuickSight servers in that AWS Region. To learn more about authorizing Amazon QuickSight connections, see Manually enabling access to an Amazon Redshift cluster in a VPC or Manually enabling access to an Amazon Redshift cluster that is not in a VPC.

To create and assign a security group for an Amazon Redshift cluster, you must have AWS credentials that permit access to that cluster.

Enabling connection from Amazon QuickSight servers to your cluster is just one of several prerequisites for creating a data set based on an AWS database data source. For more information about what is required, see Creating datasets from new database data sources.

Manually enabling access to an Amazon Redshift cluster in a VPC

Use the following procedure to enable Amazon QuickSight access to an Amazon Redshift cluster in a VPC.

To enable Amazon QuickSight access to an Amazon Redshift cluster in a VPC
  1. Sign in to the AWS Management Console and open the Amazon Redshift console at https://console.aws.amazon.com/redshift/.

  2. Choose the details page icon next to the cluster you want to make available.

  3. In the Cluster Database Properties section, find Port. Note the Port value.

  4. In the Cluster Properties section, find VPC ID and note the VPC ID value. Choose View VPCs to open the Amazon VPC Management Console.

  5. On the Amazon VPC Management Console, choose Security Groups in the navigation pane.

  6. Choose Create Security Group.

  7. On the Create Security Group page, enter the security group information as follows:

    • For Name tag and Group name, enter Amazon-QuickSight-access.

    • For Description, enter Amazon-QuickSight-access.

    • For VPC, choose the VPC for your instance. This is the VPC with the VPC ID that you noted.

  8. Choose Yes, Create.

    Your new security group should appear on the screen.

  9. Choose your new security group, and choose the Inbound Rules tab.

    Choose Edit to create a new rule. Use the following values:

    • For Type, choose Custom TCP Rule.

    • For Protocol, choose TCP (6).

    • For Port Range, enter the port number of the Amazon Redshift cluster to which you are providing access. This is the port number that you noted in an earlier step.

    • For Source, enter the CIDR address block for the AWS Region where you plan to use Amazon QuickSight. For example, here is the CIDR address block for Europe (Ireland): 52.210.255.224/27. For more information on the IP address ranges for Amazon QuickSight in supported AWS Regions, see AWS Regions, websites, IP address ranges, and endpoints.

      Note

      If you activated Amazon QuickSight in multiple AWS Regions, you can create inbound rules for each Amazon QuickSight endpoint CIDR. Doing this allows Amazon QuickSight to have access to the Amazon Redshift cluster from any AWS Region defined in the inbound rules.

      An Amazon QuickSight user or administrator who uses Amazon QuickSight in multiple AWS Regions is treated as a single user. In other words, even if you are using Amazon QuickSight in every AWS Region, both your Amazon QuickSight account and your users are global.

  10. Choose Save to save your new inbound rule.

  11. Return to the Clusters page of the Amazon Redshift Management Console, and then open the details page for the cluster that you want to enable access to.

    Choose Cluster, and then choose Modify.

  12. The currently assigned security groups are already chosen for VPC Security Groups. Press CTRL and choose Amazon-QuickSight-access in addition to the other selected groups.

  13. Choose Modify.
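The same procedure expressed as a script, as an added example that is not part of the original AWS documentation. It assumes boto3 EC2 and Redshift clients are created by the caller and passed in; the function names and the MIN_PREFIX guard against overly broad sources are choices of this example.

```python
import ipaddress

GROUP_NAME = "Amazon-QuickSight-access"  # name used in the procedure above
MIN_PREFIX = 24  # assumption of this example: refuse sources broader than a /24


def build_ingress(port, cidrs):
    """Build the step 9 rule: one TCP port, only the listed CIDR blocks."""
    ranges = []
    for cidr in cidrs:
        # strict=True raises ValueError on malformed input or stray host bits
        net = ipaddress.ip_network(cidr, strict=True)
        if net.version != 4 or net.prefixlen < MIN_PREFIX:
            raise ValueError(f"{cidr}: need an IPv4 block of /{MIN_PREFIX} or narrower")
        ranges.append({"CidrIp": str(net), "Description": "Amazon QuickSight"})
    if not ranges:
        raise ValueError("at least one Amazon QuickSight CIDR is required")
    return [{"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
             "IpRanges": ranges}]


def enable_quicksight_access(ec2, redshift, cluster_id, cidrs):
    """Steps 3-13, using boto3-style clients supplied by the caller."""
    cluster = redshift.describe_clusters(ClusterIdentifier=cluster_id)["Clusters"][0]
    port = cluster["Endpoint"]["Port"]   # step 3
    vpc_id = cluster["VpcId"]            # step 4
    rule = build_ingress(port, cidrs)    # validate before changing anything

    group_id = ec2.create_security_group(  # steps 6-8
        GroupName=GROUP_NAME, Description=GROUP_NAME, VpcId=vpc_id,
        TagSpecifications=[{"ResourceType": "security-group",
                            "Tags": [{"Key": "Name", "Value": GROUP_NAME}]}],
    )["GroupId"]
    ec2.authorize_security_group_ingress(GroupId=group_id, IpPermissions=rule)  # steps 9-10

    # Steps 11-13: modify_cluster replaces the whole group list, so keep the
    # groups that are already attached and append the new one.
    current = [g["VpcSecurityGroupId"] for g in cluster["VpcSecurityGroups"]]
    redshift.modify_cluster(ClusterIdentifier=cluster_id,
                            VpcSecurityGroupIds=current + [group_id])
    return group_id
```

For several AWS Regions, pass each Region's Amazon QuickSight CIDR in `cidrs`; they become separate entries in the same inbound rule.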

Manually enabling access to an Amazon Redshift cluster that is not in a VPC

Use the following procedure to access an Amazon Redshift cluster that is not in a VPC.

To access an Amazon Redshift cluster that is not in a VPC
  1. Sign in to the AWS Management Console and open the Amazon Redshift console at https://console.aws.amazon.com/redshift/.

  2. Choose Security in the navigation pane.

  3. Choose Create Cluster Security Group.

  4. Enter Amazon-QuickSight-access for the Cluster Security Group Name and Description values, and then choose Create.

  5. Choose the details icon next to the security group.

  6. Choose Add Connection Type.

  7. Enter the connection information:

  8. Choose Authorize.

  9. Return to the Clusters page of the Amazon Redshift console, open the details page for the cluster that you want to enable access to, choose Cluster, and then choose Modify.

  10. The currently assigned security groups are already chosen for Cluster Security Group. Press CTRL and choose Amazon-QuickSight-access in addition to the other selected groups.

  11. Choose Modify.

Enabling access to Amazon Redshift Spectrum

Using Amazon Redshift Spectrum, you can connect Amazon QuickSight to an external catalog with Amazon Redshift. For example, you can access the Amazon Athena catalog. You can then query unstructured data on your Amazon S3 data lake using an Amazon Redshift cluster instead of the Athena query engine.

You can also combine data sets that include data stored in Amazon Redshift and in S3. Then you can access them using the SQL syntax in Amazon Redshift.

After you've registered your data catalog (for Athena) or external schema (for a Hive metastore), you can use Amazon QuickSight to choose the external schema and Amazon Redshift Spectrum tables. This process works just as for any other Amazon Redshift tables in your cluster. You don't need to load or transform your data.

For more information on using Amazon Redshift Spectrum, see Using Amazon Redshift Spectrum to query external data in the Amazon Redshift Database Developer Guide.

To connect using Redshift Spectrum, do the following:

  • Create or identify an IAM role associated with the Amazon Redshift cluster.

  • Add the IAM policies AmazonS3ReadOnlyAccess and AmazonAthenaFullAccess to the IAM role.

  • Register an external schema or data catalog for the tables that you plan to use.

Redshift Spectrum lets you separate storage from compute, so you can scale them separately. You only pay for the queries that you run.

To connect to Redshift Spectrum tables, you don't need to grant Amazon QuickSight access to Amazon S3 or Athena. Amazon QuickSight needs access only to the Amazon Redshift cluster. For full details on configuring Redshift Spectrum, see Getting started with Amazon Redshift Spectrum in the Amazon Redshift Database Developer Guide.