Configuring the VPC Connection in the QuickSight Console - Amazon QuickSight

Configuring the VPC Connection in the QuickSight Console

 Applies to: Enterprise Edition 

 Intended audience: System administrators and Amazon QuickSight administrators 

To create a secure private connection to the Amazon VPC service from Amazon QuickSight Enterprise edition, use the following procedure.


  • Sign in to QuickSight as a QuickSight admin to set up a VPC connection in QuickSight. To verify that you're a QuickSight administrator, choose your profile image at upper right. If your profile menu contains the option Manage QuickSight, then you're a QuickSight administrator.

  • Before you begin, make sure that you have the following information available to copy and paste into the VPC Connection screen. For more information, see Finding Information to Connect to a VPC.

    • AWS Region – The AWS Region where you plan to create a connection to your data source.

    • VPC ID – The ID of the VPC that contains the data, the subnets, and the security groups that you plan to use.

    • Subnet ID – The ID of the subnet that the QuickSight network interface is using.

    • Security group ID – The ID of the security group.

To create a secure private connection to the Amazon VPC service from Amazon QuickSight Enterprise edition

  1. In QuickSight, choose your profile icon at the upper right of the screen, then choose Manage QuickSight.

    Only QuickSight administrators can view the Manage QuickSight option. If you don't see this option on your profile menu, you're not an administrator. In this case, contact your QuickSight account administrators for assistance.

  2. On the menu at left, choose Manage VPC connections. Choose one of the following three options:

    1. Create a VPC connection

      To add a new VPC connection, choose Add VPC connection.

    2. Edit a VPC connection

      To change a VPC connection, you must delete it and then recreate it. You can reuse the same VPC connection name, to avoid having to reconnect your data sources.

    3. Delete a VPC connection

      To delete a VPC connection, use the delete icon.

  3. For VPC connection name, enter a unique descriptive name of your choice. This name doesn't need to be an actual VPC ID or name.

  4. Enter the subnet ID for Subnet ID, and enter the group ID for Security group ID.

  5. (Optional) If you aren't using DNS resolver endpoints, skip to the next step.

    If your database host IP address must be resolved through private DNS servers in your AWS account, enter the DNS resolver endpoints (one per line).

    Make sure that you are entering an endpoint, rather than a database address like the one you plan to use in QuickSight. Most AWS-hosted databases don't need to resolve DNS queries between VPCs and a customer's network. For more information, see Resolving DNS queries between VPCs and your network in the Amazon Route 53 Developer Guide. You only need this if you can't resolve the IP address that connects to your database by using the public DNS server system.

  6. Review your choices, then choose Create.

  7. Verify that QuickSight has created a QuickSight elastic network interface in your AWS account. To do this, check that the network interface has Status in-use and Attachment Status attached. To locate the correct network interface, use the following steps:

    1. Open the Amazon EC2 console. Choose Network Interfaces at left. Find the network interface that has a description with a prefix of QuickSight. It is in the VPC, subnet, and security group that you chose in the previous steps.

    2. Choose this network interface, and view Details in the lower window.

    3. (Optional) If the network interface Status isn't in-use or Attachment Status isn't attached, then delete and recreate the VPC connection in QuickSight. If this happens more than once, contact AWS Support.

      To use the AWS CLI, use the following command to view QuickSight network interface information.

      aws ec2 describe-network-interfaces \
          --filters Name=description,Values="QuickSight*" \
                    Name=status,Values=in-use \
                    Name="attachment.status",Values=attached \
          --query 'NetworkInterfaces[*].[Description,NetworkInterfaceId,Status,Attachment.Status,VpcId,Groups[0].GroupName,Groups[0].GroupId,SubnetId,PrivateIpAddresses[0].PrivateIpAddress]'
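As an added example (not part of the AWS documentation), the following Python code applies the step 7 checks to the JSON that `aws ec2 describe-network-interfaces` returns when it is run without the status filters, so an interface that is not in-use or attached is reported instead of being filtered out of the listing. The sample response, all IDs in it, and the function name `check_quicksight_enis` are constructed for illustration.

```python
import json

# Constructed sample shaped like `aws ec2 describe-network-interfaces --output json`.
# All IDs and descriptions are placeholders, not real resources.
SAMPLE = json.loads("""
{"NetworkInterfaces": [
  {"NetworkInterfaceId": "eni-0aaa", "Description": "QuickSight-example-1",
   "Status": "in-use", "Attachment": {"Status": "attached"},
   "VpcId": "vpc-0111", "SubnetId": "subnet-0222",
   "Groups": [{"GroupId": "sg-0333", "GroupName": "qs-sg"}]},
  {"NetworkInterfaceId": "eni-0bbb", "Description": "QuickSight-example-2",
   "Status": "available", "VpcId": "vpc-0111", "SubnetId": "subnet-0999",
   "Groups": [{"GroupId": "sg-0333", "GroupName": "qs-sg"}]},
  {"NetworkInterfaceId": "eni-0ccc", "Description": "ELB app/example",
   "Status": "in-use", "Attachment": {"Status": "attached"},
   "VpcId": "vpc-0111", "SubnetId": "subnet-0222",
   "Groups": [{"GroupId": "sg-0444", "GroupName": "other"}]}
]}
""")


def check_quicksight_enis(response, vpc_id, subnet_id, security_group_id):
    """Return {eni_id: [problems]} for every interface whose description
    starts with "QuickSight"; an empty list means the interface passes."""
    results = {}
    for eni in response.get("NetworkInterfaces", []):
        if not eni.get("Description", "").startswith("QuickSight"):
            continue  # not created for a QuickSight VPC connection
        problems = []
        if eni.get("Status") != "in-use":
            problems.append(f"Status is {eni.get('Status')}, expected in-use")
        # An unattached interface carries no Attachment block at all.
        attach = eni.get("Attachment", {}).get("Status")
        if attach != "attached":
            problems.append(f"Attachment Status is {attach}, expected attached")
        # The interface must sit in the VPC and subnet entered for the connection.
        for key, want in (("VpcId", vpc_id), ("SubnetId", subnet_id)):
            if eni.get(key) != want:
                problems.append(f"{key} is {eni.get(key)}, expected {want}")
        group_ids = {g["GroupId"] for g in eni.get("Groups", [])}
        if security_group_id not in group_ids:
            problems.append(f"security group {security_group_id} not attached")
        results[eni["NetworkInterfaceId"]] = problems
    return results


if __name__ == "__main__":
    found = check_quicksight_enis(SAMPLE, "vpc-0111", "subnet-0222", "sg-0333")
    for eni_id, problems in found.items():
        print(eni_id, "OK" if not problems else "; ".join(problems))
```

Any interface reported with problems corresponds to the case in step 7.3, where the VPC connection is deleted and recreated.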

When you create a new QuickSight VPC connection, QuickSight assumes an implicit IAM role with permissions to the following QuickSight and EC2 actions: quicksight:CreateVPCConnection and ec2:CreateNetworkInterface. However, these permissions aren't directly assigned to the person who configures the QuickSight VPC connection.