

# Setting up a VPC to use with Amazon Quick


|  | 
| --- |
|  Applies to:  Enterprise Edition  | 


|  | 
| --- |
|    Intended audience:  System administrators  | 

To set up a VPC to use with Amazon Quick Enterprise edition, you need access to Amazon VPC and Amazon EC2. You also need access to each Amazon database service that you plan to add to Quick. You can use the console, or you can use the Amazon Command Line Interface (Amazon CLI). For more information about the CLI, see the [Amazon Command Line Interface User Guide](https://docs.amazonaws.cn/cli/latest/userguide/). To work with the CLI, go to [http://www.amazonaws.cn/cli/](http://www.amazonaws.cn/cli/).

Before you begin to set up your VPC connection in Amazon Quick, make sure that you understand the components of a VPC deployment. As part of that, familiarize yourself with the VPC's subnets and security groups in relation to the destinations (databases) that you want to reach from Amazon Quick. To set up a successful VPC connection, make sure that the following components work together to allow network traffic to pass between Amazon Quick and your data source:
+ The Amazon VPC service
+ The subnets that your data source is using
+ The Amazon Quick elastic network interfaces and the subnets they use
+ The route table
+ Inbound and outbound rules for these security groups:
  + Security group for your VPC. We recommend that you create a new security group so that its rules stay separate from the rules on the Amazon Quick network interface's security group.
  + Security group attached to the Amazon Quick network interface.
  + Security group attached to the database server (for each database server that you want to use).
+ (Optional) Amazon Route 53 Resolver inbound endpoints for private DNS resolution.

In the following topics, you can find the network components that are involved, together with descriptions of their roles in the network configuration of your VPC and your Amazon Quick VPC connection. The network interface for Amazon Quick that is automatically created during setup is called the *Amazon Quick network interface* (QNI).

If your VPC is already completely configured, skip to the next section, [Finding information to connect to a VPC](https://docs.amazonaws.cn/quicksight/latest/user/vpc-finding-setup-information.html).

**Topics**
+ [VPC](vpc-amazon-virtual-private-cloud.md)
+ [Subnets](vpc-subnets.md)
+ [Security groups: inbound and outbound rules](vpc-security-groups.md)
+ [Sample rules](vpc-sample-rules.md)
+ [Route table](vpc-route-table.md)
+ [Amazon Quick elastic network interface](vpc-qeni.md)
+ [Inbound endpoints for Amazon Route 53 Resolver](vpc-route-53.md)

# VPC


A *virtual private cloud (VPC)* is a virtual network dedicated to your Amazon account. The Amazon VPC service that provides it is the networking layer for your Amazon resources. Using Amazon VPC, you can define a virtual network in your own logically isolated area within the Amazon Cloud. A VPC closely resembles a traditional network that you might operate in your own data center, with the benefits of using the Amazon scalable infrastructure. A VPC is the network in which Amazon EC2 virtual computing environments, known as *instances*, and many other Amazon resources run.

VPCs offer options that allow for flexibility in a secure environment, for example:
+ To configure your VPC, you can set its IP address range, create subnets, configure route tables, network gateways, network interfaces, and security settings.
+ To make the Amazon Cloud an extension of your data center, you can connect your VPC to your own corporate data center.
+ You can connect your instances in the VPC to the internet, or keep your instances isolated on a private network.
+ To protect the resources in each subnet, you can use multiple layers of security, including security groups and network access control lists (ACLs). 

For more information, see the [Amazon VPC User Guide](https://docs.amazonaws.cn/vpc/latest/userguide/what-is-amazon-vpc.html). 

If you have a default VPC and don't specify a subnet when you launch an instance, the instance is launched into your default VPC. You can launch instances into your default VPC without needing to know anything about Amazon VPC. 

If you don't already have a VPC or want to use a new one, you can create one by following the instructions in [Getting started with Amazon VPC](https://docs.amazonaws.cn/vpc/latest/userguide/vpc-getting-started.html) in the *Amazon VPC User Guide*. This section offers guidance on how to set up your VPC. The guidance includes options for public and private subnets and for Amazon Site-to-Site VPN access for your corporate network (known as *on-premises access*). You can also use VPC peering or Amazon Direct Connect to reach an on-premises database instance. 

**Using the Amazon CLI**

You can start to set up a VPC in Amazon EC2 by using the [create-vpc](https://docs.aws.amazon.com/cli/latest/reference/ec2/create-vpc.html) command. To learn more about VPC settings for the Amazon CLI, see [Examples for VPC](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Scenarios.html) in the *Amazon VPC User Guide*.

**Using the Amazon EC2 console**

To view your VPC or create a new one in Amazon EC2, sign in to the Amazon Web Services Management Console and open the Amazon VPC console at [https://console.amazonaws.cn/vpc/](https://console.amazonaws.cn/vpc/). To create a new VPC, choose **Launch VPC Wizard** and follow the instructions. Note your new VPC ID for future reference. To view VPCs, choose **Your VPCs** on the left side.

**Amazon VPC resources in VPC guides and Amazon Support articles**

For general information, see [Working with VPCs and subnets](https://docs.amazonaws.cn/vpc/latest/userguide/working-with-vpcs.html).

For step-by-step instructions for setting up a VPC, see the following topics (choose the ones that relate to your scenario):
+ [Create an IPv4 VPC and subnets using the Amazon CLI](https://docs.amazonaws.cn/vpc/latest/userguide/vpc-subnets-commands-example.html)
+ [Sharing public subnets and private subnets](https://docs.amazonaws.cn/vpc/latest/userguide/example-vpc-share.html)
+ [Working with site-to-site VPN](https://docs.amazonaws.cn/vpn/latest/s2svpn/working-with-site-site.html)
+ [Amazon Site-to-Site VPN Network Administrator Guide](https://docs.amazonaws.cn/vpc/latest/adminguide/Welcome.html) (choose your network device for specific instructions)
+  [Generic Customer Gateway Device Without Border Gateway Protocol](https://docs.amazonaws.cn/vpc/latest/adminguide/GenericConfigNoBGP.html#DetailedViewCustomerGateway6) (recommended for customer gateways)

If you want to migrate data source instances into the same VPC, see the following Amazon Support articles:
+ [How do I change the VPC for an Amazon RDS DB instance?](https://aws.amazon.com/premiumsupport/knowledge-center/change-vpc-rds-db-instance/)
+ [How do I move my EC2 instance to another subnet, Availability Zone, or VPC?](https://aws.amazon.com/premiumsupport/knowledge-center/move-ec2-instance/)
+ [How do I move my Amazon Redshift cluster from one VPC to another VPC?](https://aws.amazon.com/premiumsupport/knowledge-center/move-redshift-cluster-vpcs/)

For troubleshooting information, see [How do I troubleshoot issues with VPC route tables?](https://aws.amazon.com/premiumsupport/knowledge-center/troubleshoot-vpc-route-table/), an article with video created by Amazon Support.

# Subnets


A *subnet* is a range of IP addresses in your VPC. You need to provide at least two subnets to create a VPC connection, and each subnet must belong to a different Availability Zone. You can attach Amazon resources, such as Amazon EC2 instances and Amazon RDS DB instances, to subnets. You can create subnets to group instances together according to your security and operational needs.

For Amazon Quick to connect to your database, the network needs to route traffic from one of the subnets used by the Amazon Quick network interface to the data sources that you want to reach. Amazon Quick determines on the backend which subnet to route traffic through. If the Availability Zone that a subnet belongs to experiences an outage, Amazon Quick reroutes the traffic through one of the other subnets configured in the VPC connection. If the data sources are on different subnets, make sure that there is a route from the Amazon Quick network interface to your database instance. By default, each subnet in a VPC is implicitly associated with the VPC's main route table, whose local route lets the subnets reach each other. For more information, see [VPC and Subnets](https://docs.amazonaws.cn/vpc/latest/userguide/VPC_Subnets.html) and [Network ACLs](https://docs.amazonaws.cn/vpc/latest/userguide/vpc-connection-network-acls.html) in the *Amazon VPC User Guide.*

If you use Amazon RDS, DB instances are associated with a subnet group that you can view either in the Amazon RDS console ([https://console.amazonaws.cn/rds/](https://console.amazonaws.cn/rds/)) or in the VPC console. For troubleshooting connectivity to Amazon RDS, see the Amazon Support article [How can I troubleshoot connectivity to an Amazon RDS instance that uses a public or private subnet of a VPC?](http://www.amazonaws.cn/premiumsupport/knowledge-center/rds-connectivity-instance-subnet-vpc/)

# Security groups: inbound and outbound rules


A *security group* acts as a virtual firewall for your instance to control inbound and outbound traffic. For each security group, you add rules that control the inbound traffic to instances, and a separate set of rules that control the outbound traffic.

For your VPC connection, create a new security group with the description `QuickSight-VPC`. For VPC connections created before April 27, 2023, this security group must allow all inbound TCP traffic from the security groups of the data destinations that you want to reach (see Inbound rules). The following example creates a new security group in the VPC and returns the ID of the new security group.

```
aws ec2 create-security-group \
--group-name quicksight-vpc \
--description "QuickSight-VPC" \
--vpc-id vpc-0daeb67adda59e0cd
```

**Important**  
Network configuration is sufficiently complex that we strongly recommend that you create a new security group for use with Amazon Quick. It also makes it easier for Amazon Support to help you if you need to contact them. Creating a new group isn't absolutely required. However, the following topics are based on the assumption that you follow this recommendation. 

To enable Quick to successfully connect to an instance in your VPC, configure your security group rules to allow traffic between the Amazon Quick network interface and the instance that contains your data. To do this, configure the inbound rules of the security group attached to your database instance to allow the following traffic:
+ On the port that Amazon Quick connects to (the port that the database listens on)
+ From one of the following sources:
  + The security group ID that's associated with the Amazon Quick network interface (recommended)

    or
  + The private IP address of the Amazon Quick network interface

For more information, see [Security groups for your VPC](https://docs.amazonaws.cn/AmazonVPC/latest/UserGuide/VPC_SecurityGroups.html) and [VPCs and subnets](https://docs.amazonaws.cn/AmazonVPC/latest/UserGuide/VPC_Subnets.html) in the *Amazon VPC User Guide.* 

Use the topics listed below to learn more about inbound and outbound rules.

**Topics**
+ [Inbound rules](#vpc-inbound-rules)
+ [Outbound rules](#vpc-outbound-rules)

## Inbound rules


**Important**  
The following section applies to your VPC connection if the connection was created before April 27, 2023.

When you create a security group, it has no inbound rules. No inbound traffic originating from another host to your instance is allowed until you add inbound rules to the security group.

The security group attached to the Amazon Quick network interface behaves differently than most security groups, because it isn't stateful. Other security groups are usually *stateful*: after they establish an outbound connection to a resource's security group, they automatically allow the return traffic. In contrast, the Amazon Quick network interface security group doesn't automatically allow return traffic. Because of this, adding only an outbound rule to the Amazon Quick network interface security group isn't sufficient. To make the connection work, also add an inbound rule that explicitly authorizes the return traffic from the database host.

The inbound rule in your security group must allow traffic on all ports. It needs to do this because the return packets from the database are addressed to the source port that Amazon Quick used for the connection, which is a randomly allocated ephemeral port.

To restrict Amazon Quick to connect only to certain instances, you can specify the security group ID (recommended) or private IP address of the instances that you want to allow. In either case, your security group inbound rule still needs to allow traffic on all ports (0–65535).

To allow Amazon Quick to connect to any instance in the VPC, you can configure the Amazon Quick network interface security group. In this case, give it an inbound rule to allow traffic from 0.0.0.0/0 on all ports (0–65535). The security group used by the Amazon Quick network interface should be different from the security groups used for your databases. We recommend that you use separate security groups for the VPC connection.

**Important**  
If you are using a long-standing Amazon RDS DB instance, check your configuration to see if you're using a DB security group. DB security groups are used with DB instances that are not in a VPC and are on the EC2-Classic platform.   
If this is your configuration, and you aren't moving your DB instance into the VPC for use with Amazon Quick, make sure to update your DB security group's inbound rules. Update them to allow inbound traffic from the VPC security group that you're using for Amazon Quick. For more information, see [Controlling Access with Security Groups](https://docs.amazonaws.cn/AmazonRDS/latest/UserGuide/Overview.RDSSecurityGroups.html) in the *Amazon RDS User Guide.* 

## Outbound rules


**Important**  
The following section applies to your VPC connection if the connection was created before April 27, 2023.

By default, a security group includes an outbound rule that allows all outbound traffic. We recommend that you remove this default rule and add outbound rules that allow specific outbound traffic only.

**Warning**  
Do not configure the security group on the Amazon Quick network interface with an outbound rule to allow traffic on all ports. For information on key considerations and recommendations for managing network egress traffic from VPCs, see [Security best practices for your VPC](https://docs.amazonaws.cn/vpc/latest/userguide/vpc-security-best-practices.html) in the *Amazon VPC User Guide.* 

The security group attached to Amazon Quick network interface should have outbound rules that allow traffic to each of the database instances in your VPC that you want Amazon Quick to connect to. To restrict Amazon Quick to connect only to certain instances, specify the security group ID (recommended) or the private IP address of the instances to allow. You set this up, along with the appropriate port numbers for your instances (the port that the instances are listening on), in the outbound rule.

The VPC security group must also allow outbound traffic to the security groups of the data destinations, specifically on the port or ports that the database is listening on.

# Sample rules


Following, you can find some example configurations of inbound and outbound rules for Amazon RDS and Amazon Redshift.

## VPC connection rules: Amazon Quick to Amazon RDS for MySQL


The following tables show rule settings for connecting Amazon Quick to Amazon RDS for MySQL. In the outbound rules, the peer security group is the rule's destination, not its source. The All TCP inbound rule on the network interface security group is needed only for VPC connections created before April 27, 2023 (see Inbound rules).


**Amazon Quick network interface security group: inbound rule**  

|  |  | 
| --- |--- |
| Type | All TCP | 
| Protocol | TCP | 
| Port Range | 0 - 65535 | 
| Source | sg-RDS11111111 | 
| Description | Amazon Quick - RDS MySQL | 


**Amazon Quick network interface security group: outbound rule**  

|  |  | 
| --- |--- |
| Type | MYSQL/Aurora | 
| Protocol | TCP | 
| Port Range | 3306 | 
| Destination | sg-RDS11111111 | 
| Description | Amazon Quick to RDS MySQL | 


**RDS MySQL: inbound rule**  

|  |  | 
| --- |--- |
| Type | MYSQL/Aurora | 
| Protocol | TCP | 
| Port Range | 3306 | 
| Source | sg-ENI3333333 | 
| Description | Amazon Quick to RDS MySQL | 

## VPC connection rules: Amazon Quick to Amazon Redshift


The following tables show rule settings for connecting Amazon Quick to Amazon Redshift. As above, the peer security group in the outbound rule is the destination.


**Amazon Quick network interface security group: inbound rule**  

|  |  | 
| --- |--- |
| Type | All TCP | 
| Protocol | TCP | 
| Port Range | 0 - 65535 | 
| Source | sg-RedSh222222 | 
| Description | Amazon Quick - Amazon Redshift | 


**Amazon Quick network interface security group: outbound rule**  

|  |  | 
| --- |--- |
| Type | Amazon Redshift | 
| Protocol | TCP | 
| Port Range | 5439 | 
| Destination | sg-RedSh222222 | 
| Description | Amazon Quick - Amazon Redshift | 


**Amazon Redshift: inbound rule**  

|  |  | 
| --- |--- |
| Type | Amazon Redshift | 
| Protocol | TCP | 
| Port Range | 5439 | 
| Source | sg-ENI3333333 | 
| Description | Amazon Quick - Amazon Redshift | 
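
The Inbound rules, Outbound rules and Sample rules topics together describe four conditions that the network interface security group and the database security group must satisfy. The following is an added example, not code from this page or from Amazon: a Python audit that checks those conditions against the JSON that `aws ec2 describe-security-groups --output json` returns (the `SecurityGroups[].IpPermissions` and `IpPermissionsEgress` fields). The group IDs, port and rules in `SAMPLE_GROUPS` are constructed to mirror the Amazon RDS for MySQL sample above; the `legacy` flag marks a connection created before April 27, 2023, which additionally needs the All TCP inbound rule on the network interface's security group. The function names are this example's own.

```python
"""Audit security-group rules for an Amazon Quick VPC connection.

Added example (not part of the Amazon documentation). Input is the JSON that
`aws ec2 describe-security-groups --output json` returns; the sample below
is constructed, not captured from a real account.
"""
import copy
import ipaddress

# Constructed sample modelled on the "Sample rules" tables: the Quick
# network interface security group and an RDS for MySQL security group.
SAMPLE_GROUPS = {
    "SecurityGroups": [
        {
            "GroupId": "sg-ENI3333333",
            "IpPermissions": [  # legacy return-traffic rule: All TCP from the DB group
                {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535,
                 "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-RDS11111111"}]},
            ],
            "IpPermissionsEgress": [  # only the DB port, only to the DB group
                {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
                 "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-RDS11111111"}]},
            ],
        },
        {
            "GroupId": "sg-RDS11111111",
            "IpPermissions": [  # DB accepts 3306 only from the Quick network interface group
                {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
                 "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-ENI3333333"}]},
            ],
            "IpPermissionsEgress": [
                {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
            ],
        },
    ]
}

# Same groups, but the Quick network interface keeps the default "all traffic
# to 0.0.0.0/0" egress rule that the Outbound rules topic warns against.
SAMPLE_GROUPS_DEFAULT_EGRESS = copy.deepcopy(SAMPLE_GROUPS)
SAMPLE_GROUPS_DEFAULT_EGRESS["SecurityGroups"][0]["IpPermissionsEgress"] = [
    {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
]


def _covers_port(perm, port):
    """True if the rule permits TCP traffic on `port` ("-1" means all protocols)."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    return proto == "tcp" and perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def _covers_all_tcp(perm):
    """True if the rule is All TCP (0-65535) or all traffic."""
    if perm.get("IpProtocol") == "-1":
        return True
    return (perm.get("IpProtocol") == "tcp"
            and perm.get("FromPort", 0) <= 0 and perm.get("ToPort", 0) >= 65535)


def _names_peer(perm, peer_sg, peer_ip=None):
    """True if the rule references `peer_sg` by ID, or a CIDR that contains `peer_ip`."""
    if any(p.get("GroupId") == peer_sg for p in perm.get("UserIdGroupPairs", [])):
        return True
    if peer_ip is None:
        return False
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in ipaddress.ip_network(r["CidrIp"]) for r in perm.get("IpRanges", []))


def audit_vpc_connection(groups, qni_sg, db_sg, db_port, legacy=False, qni_ip=None, db_ip=None):
    """Return a list of findings; an empty list means the rule set meets the page's requirements."""
    by_id = {g["GroupId"]: g for g in groups["SecurityGroups"]}
    qni, db = by_id[qni_sg], by_id[db_sg]
    findings = []
    # 1. Database inbound: the DB port, from the Quick network interface group (or its private IP).
    if not any(_covers_port(p, db_port) and _names_peer(p, qni_sg, qni_ip) for p in db["IpPermissions"]):
        findings.append(f"{db_sg}: no inbound rule on TCP {db_port} from {qni_sg}")
    # 2. Network interface outbound: the DB port, to the DB group (or its private IP).
    if not any(_covers_port(p, db_port) and _names_peer(p, db_sg, db_ip) for p in qni["IpPermissionsEgress"]):
        findings.append(f"{qni_sg}: no outbound rule to {db_sg} on TCP {db_port}")
    # 3. Never leave all-ports egress to 0.0.0.0/0 on the network interface group.
    for p in qni["IpPermissionsEgress"]:
        if _covers_all_tcp(p) and any(r.get("CidrIp") == "0.0.0.0/0" for r in p.get("IpRanges", [])):
            findings.append(f"{qni_sg}: outbound rule allows all ports to 0.0.0.0/0; remove the default egress rule")
    # 4. Connections created before April 27, 2023: return traffic needs All TCP inbound from the DB group.
    if legacy and not any(_covers_all_tcp(p) and _names_peer(p, db_sg, db_ip) for p in qni["IpPermissions"]):
        findings.append(f"{qni_sg}: legacy connection needs inbound All TCP (0-65535) from {db_sg} for return traffic")
    return findings


if __name__ == "__main__":
    for name, groups in (("sample", SAMPLE_GROUPS), ("default-egress", SAMPLE_GROUPS_DEFAULT_EGRESS)):
        result = audit_vpc_connection(groups, "sg-ENI3333333", "sg-RDS11111111", 3306, legacy=True)
        print(name, "OK" if not result else result)
```

To run it against a real account, replace `SAMPLE_GROUPS` with `json.load(...)` of the `describe-security-groups` output and pass your own group IDs and port. Passing `db_ip` or `qni_ip` makes the audit accept CIDR-based rules in place of security group references, which is the less preferred option the page describes; a 0.0.0.0/0 egress rule still produces a finding even when it happens to cover the database address.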

# Route table


To use VPC peering or Amazon Direct Connect to reach an on-premises database instance, update the route table that's associated with the VPC you're using with Amazon Quick. For more information on route tables, see [Route tables](https://docs.amazonaws.cn/vpc/latest/userguide/VPC_Route_Tables.html) in the *Amazon VPC User Guide.*

To learn more about VPC peering and view sample scenarios and configurations, see [What is VPC peering?](https://docs.amazonaws.cn/vpc/latest/peering/what-is-vpc-peering.html) in the *Amazon VPC Peering Guide.* For an example configuration, see [Example: Services using Amazon PrivateLink and VPC peering](https://docs.amazonaws.cn/vpc/latest/userguide/vpc-peer-region-example.html) in the *Amazon VPC User Guide.*

**Using the Amazon CLI**

The following example creates a route table.

```
aws ec2 create-route-table --vpc-id vpc-0daeb67adda59e0cd
```

Then you can use the `create-route` command to create a route. For more information and examples, see [create-route](https://docs.aws.amazon.com/cli/latest/reference/ec2/create-route.html) in the *Amazon CLI Command Reference.*

For the following examples to work, make sure that you have a subnet in the VPC associated with the route table. The first example describes the route table with the specified VPC ID. The second one describes the route table with the specified route table ID. 

```
aws ec2 describe-route-tables \
--filters "Name=vpc-id,Values=vpc-0daeb67adda59e0cd" 

aws ec2 describe-route-tables \
--route-table-ids rtb-45ac473a
```

The following example describes the associations between the specified VPC and your local gateway route tables.

```
aws ec2 describe-local-gateway-route-table-vpc-associations \
--filters "Name=vpc-id,Values=vpc-0daeb67adda59e0cd"
```
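
The Subnets topic says to make sure that there is a route from the Amazon Quick network interface to your database instance, and the Route table topic says to update the route table when the database is reached over VPC peering, Site-to-Site VPN or Direct Connect. The following is an added example, not code from this page or from Amazon: it takes the JSON that `aws ec2 describe-route-tables --output json` returns, picks the route table that applies to the subnet the network interface uses (an explicit association, otherwise the VPC's main table), and does a longest-prefix match for the database address. The route tables, subnet IDs and gateway IDs in `SAMPLE_ROUTE_TABLES` are constructed placeholders; the function names are this example's own.

```python
"""Resolve the route that a Quick network interface's subnet uses to reach a database host.

Added example (not part of the Amazon documentation). Input is the JSON that
`aws ec2 describe-route-tables --output json` returns; the sample is constructed.
"""
import ipaddress

# Constructed sample: a VPC with a main route table and one custom table that is
# explicitly associated with the subnet used by the Quick network interface.
SAMPLE_ROUTE_TABLES = {
    "RouteTables": [
        {
            "RouteTableId": "rtb-0main0000000",
            "VpcId": "vpc-0daeb67adda59e0cd",
            "Associations": [{"Main": True, "RouteTableId": "rtb-0main0000000"}],
            "Routes": [
                {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            ],
        },
        {
            "RouteTableId": "rtb-45ac473a",
            "VpcId": "vpc-0daeb67adda59e0cd",
            "Associations": [{"Main": False, "SubnetId": "subnet-0qni1", "RouteTableId": "rtb-45ac473a"}],
            "Routes": [
                {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                # on-premises network reached over Site-to-Site VPN or Direct Connect (virtual private gateway)
                {"DestinationCidrBlock": "192.168.0.0/16", "GatewayId": "vgw-0aaa", "State": "active"},
                # peered VPC whose peering connection was deleted: the route is blackholed
                {"DestinationCidrBlock": "172.16.0.0/12", "VpcPeeringConnectionId": "pcx-0bbb", "State": "blackhole"},
            ],
        },
    ]
}

# Keys under which describe-route-tables reports the route target.
TARGET_KEYS = ("GatewayId", "VpcPeeringConnectionId", "TransitGatewayId", "NatGatewayId",
               "NetworkInterfaceId", "InstanceId", "LocalGatewayId")


def route_table_for_subnet(tables, vpc_id, subnet_id):
    """Explicitly associated table if there is one, otherwise the VPC's main table."""
    main = None
    for table in tables["RouteTables"]:
        if table["VpcId"] != vpc_id:
            continue
        for assoc in table.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return table
            if assoc.get("Main"):
                main = table
    return main


def lookup_route(table, dest_ip):
    """Longest-prefix match over the table; returns (network, target, state) or None."""
    addr = ipaddress.ip_address(dest_ip)
    best = None
    for route in table["Routes"]:
        cidr = route.get("DestinationCidrBlock") or route.get("DestinationIpv6CidrBlock")
        if not cidr:
            continue  # prefix-list routes are not expanded in this example
        net = ipaddress.ip_network(cidr, strict=False)
        if addr.version != net.version or addr not in net:
            continue
        if best is None or net.prefixlen > best[0].prefixlen:
            target = next((route[k] for k in TARGET_KEYS if k in route), None)
            best = (net, target, route.get("State", "active"))
    return best


def check_reachability(tables, vpc_id, subnet_id, db_ip):
    """Return (ok, explanation) for whether `db_ip` is routable from `subnet_id`."""
    table = route_table_for_subnet(tables, vpc_id, subnet_id)
    if table is None:
        return False, f"no route table found for {subnet_id} in {vpc_id}"
    hit = lookup_route(table, db_ip)
    if hit is None:
        return False, f"{table['RouteTableId']}: no route covers {db_ip}"
    net, target, state = hit
    if state != "active":
        return False, f"{table['RouteTableId']}: route {net} via {target} is {state}"
    return True, f"{table['RouteTableId']}: {db_ip} -> {net} via {target}"


if __name__ == "__main__":
    vpc = "vpc-0daeb67adda59e0cd"
    for subnet, host in (("subnet-0qni1", "192.168.5.10"), ("subnet-0qni1", "172.20.0.5"),
                         ("subnet-0qni2", "192.168.5.10")):
        print(subnet, host, check_reachability(SAMPLE_ROUTE_TABLES, vpc, subnet, host))
```

Run the check once for every subnet in the VPC connection: Amazon Quick picks the subnet on the backend and fails over between them, so a route that exists only in the table of one subnet leaves the connection working in one Availability Zone and broken in another. A `blackhole` state is the usual sign of a deleted peering connection or gateway and is reported as unreachable even though the prefix matches.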

# Amazon Quick elastic network interface


The *Amazon Quick elastic network interface* is a logical networking component in a VPC that represents a virtual network card. Quick creates at least two of these network interfaces for a VPC connection, based on the subnets that are attached to it. Then you add the VPC connection to each Amazon Quick data source that you create. The Quick network interface alone doesn't give Quick direct access to your databases; the VPC connection works only for the Amazon Quick data sources that are configured to use it.

When you use an Amazon Quick data source to query a database or other instance within your VPC, all the network traffic from Amazon Quick originates from this Amazon Quick network interface. Because the Amazon Quick network interface exists inside your VPC, traffic originating from it can reach destinations within your VPC by using their private IP addresses. Each Amazon Quick network interface gets its own private IP address from the subnet that you configure. Unlike the public IP address range from which Amazon Quick connects over the internet, this private address is specific to your account's VPC.

# Inbound endpoints for Amazon Route 53 Resolver


*Amazon Route 53 Resolver* provides DNS query capabilities to your VPC. Route 53 Resolver resolves all local DNS queries and recursively looks up any DNS queries that aren't local on public DNS servers. 

Amazon Quick can't directly use Route 53 Resolver to query private DNS servers. However, you can set up Route 53 Resolver inbound endpoints to make these queries indirectly. For more information about inbound endpoints, see [Forwarding inbound DNS queries to your VPCs](https://docs.amazonaws.cn/Route53/latest/DeveloperGuide/resolver-forwarding-inbound-queries.html) in the *Route 53 Resolver Developer Guide*. To use inbound endpoints in Amazon Quick, provide the IP addresses of the endpoints for **DNS resolver endpoints** when you create a VPC connection.