Configuring the VPC connection in the QuickSight console - Amazon QuickSight

Important: We've redesigned the Amazon QuickSight analysis workspace. You might encounter screenshots or procedural text that doesn't reflect the new look in the QuickSight console. We're in the process of updating screenshots and procedural text.

To find a feature or item, use the Quick search bar.

For more information on QuickSight's new look, see Introducing new analysis experience on Amazon QuickSight.

Configuring the VPC connection in the QuickSight console

To create a secure private connection to the Amazon VPC service from the Amazon QuickSight console, use the following procedure.

Prerequisites

  • Sign in to QuickSight as a QuickSight admin to set up a VPC connection in QuickSight. To verify that you're a QuickSight administrator, choose your profile icon in the upper-right. If your profile menu contains the option Manage QuickSight, then you're a QuickSight administrator. Make sure your admin role in IAM includes the following permissions. The "iam:PassRole" permission needs to be applied only to the execution role that is created in the procedures below.

    • "quicksight:ListVPCConnections"

    • "quicksight:CreateVPCConnection"

    • "quicksight:DescribeVPCConnection"

    • "quicksight:DeleteVPCConnection"

    • "quicksight:UpdateVPCConnection"

    • "ec2:describeSubnets"

    • "ec2:describeVpcs"

    • "ec2:describeSecurityGroups"

    • "iam:ListRoles"

    • "iam:PassRole"

      The following example shows an IAM policy that applies "iam:PassRole" only to the execution role.

      {
   "Version": "2012-10-17",
   "Statement": [{
       "Effect": "Allow",
       "Action": [
           "iam:PassRole"
       ],
       "Resource": "arn:aws:iam::account-id:role/vpc-role-for-qs"
   }]
}

  • Before you begin, make sure that you have the following information available to copy and paste into the VPC Connection screen. For more information, see Finding information to connect to a VPC.

    • AWS Region – The AWS Region where you plan to create a connection to your data source.

    • VPC ID – The ID of the VPC that contains the data, the subnets, and the security groups that you plan to use.

    • Execution role– An IAM role that contains a trust policy that allows QuickSight to create, update, and delete network infrastructure in your account. This policy is required for all VPC connections. At minimum, the IAM policy needs the following Amazon EC2 permissions:

      • DescribeSecurityGroups

      • DescribeSubnets

      • CreateNetworkInterface

      • DeleteNetworkInterface

      • ModifyNetworkInterfaceAttribute

      The following example shows an IAM policy that you can add to an existing IAM role to create, delete, or modify a VPC connection:

      {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:CreateNetworkInterface",
                "ec2:ModifyNetworkInterfaceAttribute",
                "ec2:DeleteNetworkInterface",
                "ec2:DescribeSubnets",
                "ec2:DescribeSecurityGroups"
            ],
            "Resource": "*"
        }
    ]
}

      After you add the necessary permissions to an IAM role, attach a trust policy to allow QuickSight to configure the VPC connection to your account. The following example shows a trust policy that you can add to an existing IAM role to allow QuickSight access to the role:

      {
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "quicksight.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

    • Subnet IDs – The IDs of the subnets that the QuickSight network interface is using. Each VPC connection needs at least two subnets.

    • Security group IDs – The IDs of the security groups. Each VPC connection needs at least one security group.

To create a secure private connection to the Amazon VPC service from Amazon QuickSight Enterprise edition

  1. In QuickSight, choose your profile icon in the upper-right, then choose Manage QuickSight.

    Only QuickSight administrators can view the Manage QuickSight option. If you don't see this option on your profile menu, you're not an administrator. In this case, contact your QuickSight account administrators for assistance.

  2. In the left navigation pane, choose Manage VPC connections.

  3. On the Manage VPC connections page that opens, choose Add VPC connection.

    The ADD VPC CONNECTION button at the top-right of the Manage VPC connections table.

  4. For VPC connection name, enter a unique descriptive name of your choice. This name doesn't need to be an actual VPC ID or name.

  5. In the VPC ID dropdown menu, choose the ID of the VPC in Amazon EC2 that you want to connect to your QuickSight account. This field can't be changed later.

  6. In the Execution role dropdown menu, choose the appropriate IAM role to use for the VPC connection. The Execution role dropdown only shows IAM policies that contain a trust policy that allows QuickSight to configure the VPC connection to your account.

  7. In the Subnets table, choose a subnet ID from the Subnet ID dropdown menu of at least two of the listed Availability zones. The Availability Zones listed in the Subnets table are determined based on how you configured the VPC connection in the Amazon EC2 console.

  8. (Optional) If you aren't using DNS resolver endpoints, skip to the next step.

    If your database host IP address must be resolved through private DNS servers in your AWS account, enter IP addresses for Route 53 Resolver inbound endpoints (one per line).

    Make sure that you are entering an endpoint, rather than a database address like the one you plan to use in QuickSight. Most databases that are hosted by AWS don't need to resolve DNS queries between VPCs and a customer's network. For more information, see Resolving DNS queries between VPCs and your network in the Amazon Route 53 Developer Guide. You only need this endpoint if you can't resolve the IP address that connects to your database by using the public DNS server system.

  9. Review your choices, then choose ADD.

    The Add VPC Connection window that you use to configure a new VPC connection to your QuickSight account.

When you finish creating a VPC connection, the new connection appears in the Manage VPC connections table. In some cases, the status of the new VPC might be UNAVAILABLE until the connection is configured on the backend. After QuickSight is finished configuring the new connection, the status of the connection switches to AVAILABLE, which indicates that the connection has been established. The following table describes the different Status values for a VPC connection.

Status Description

AVAILABLE

The VPC connection is established and can be used.

PARTIALLY AVAILABLE

One of the network interfaces that is configured to the VPC connection is unavailable. The VPC connection can still be used.

UNAVAILABLE

The VPC connection is not established and can't be used.

To see a summary of a VPC connection, choose a VPC connection from the VPC connection name row of the Manage VPC connections table. The pop-up box that appears shows information about the network interfaces associated with the VPC connection.

A pop-up that shows information about the network interfaces that are configured to a VPC connection.

The following table describes the different Status values for a network interface.

Status Description

CREATING

The network interface creation is in progress.

AVAILABLE

The network interface is available for use.

CREATION_FAILURE

The network interface couldn't be created.

UPDATING

The security group associated with the network inferface is updating.

UPDATE_FAILED

The security group associated with the network interface did not update successfully.

DELETING

The network interface is in the process of being deleted.

DELETED

The network interface is deleted and can no longer be used.

DELETION_FAILED

The network interface deletion failed and can still be used.

DELETION_SCHEDULED

This network interface is scheduled for deletion.

ATTACHMENT_FAILED_ROLLBACK_FAILED

The elastic interface failed to attach and QuickSight was unable to delete the elastic network interface that was created within your account.

When you delete a network interface from a VPC connection, the status of the connection changes to PARTIALLY AVAILABLE to indicate the loss of a network interface.

To make changes to an existing VPC connection, choose the more actions (three-dots) button to the right of the connection that you want to modify, and choose Edit. In the Edit VPC connection window that appears, make your changes, and then choose SAVE.

To delete a VPC connection, choose the more actions (three-dots) button to the right of the connection that you want to delete and choose Delete. In the Delete QuickSight VPC Connection pop-up that appears, confirm that you want to delete the connection, and then choose Delete.

The Actions available are Edit or Delete for a VPC connection that you want to modify.