

# Configuring VPC connections in Amazon Quick Sight
<a name="working-with-aws-vpc"></a>


|  | 
| --- |
|  Applies to:  Enterprise Edition  | 


|  | 
| --- |
|    Intended audience:  System administrators and Amazon Quick administrators  | 

**Note**  
**If you're an Amazon Quick system administrator** configuring a VPC connection to Amazon Quick Sight, this section is for you. Amazon Quick knowledge bases currently don't support VPC integrations.

Quick Enterprise edition is fully integrated with the Amazon VPC service. A *VPC* based on this service closely resembles a traditional network that you operate in your own data center. It enables you to secure and isolate traffic between resources. You define and control the network elements to suit your requirements, while still getting the benefit of cloud networking and the scalable infrastructure of Amazon. 

By creating a VPC connection in Amazon Quick, you're adding elastic network interfaces in your VPC. These network interfaces allow Amazon Quick to exchange network traffic with a network instance within your VPC. You can provide all of the standard security controls for this network traffic, as you do with other traffic in your VPC. Route tables, network access control lists (ACLs), subnets, and security groups settings all apply to network traffic to and from Amazon Quick in the same way that they apply to traffic between other instances in your VPC. 

When you register a VPC connection with Amazon Quick, you can securely connect to data that's available only in your VPC, for example: 
+ Data you can reach by IP address
+ Data that isn't available on the public internet
+ Private databases
+ On-premises data

  This works if you set up connectivity between the VPC and your on-premises network. For example, you might set up connectivity with Amazon Direct Connect, a virtual private network (VPN), or a proxy.

After you connect to the data, you can use it to create data analyses and publish secure data dashboards. 

To further increase security, consider logging data access operations with Amazon CloudTrail, as described in [Logging Amazon Quick information with CloudTrail](https://docs.amazonaws.cn/quicksight/latest/user/logging-using-cloudtrail.html). You can even create a dashboard to help you analyze your CloudTrail logs. By combining Amazon Quick logs with logs from your other Amazon services, you can get a fuller view of how your data is being used.

You don't need to be a networking expert to connect and use a VPC with Amazon Quick, because Amazon Quick provides a user interface for adding your network information. However, the person who gathers the information that you need for setup should have some understanding of networking concepts and using VPCs. This person also needs read-only access to the services. If network changes are required, we recommend that you don't make changes to your networking configuration without expert assistance.

To use a command line interface to access your VPC, you can use the Amazon Command Line Interface (Amazon CLI). For more information on using the Amazon CLI, see the [Amazon CLI User Guide](https://docs.amazonaws.cn/cli/latest/userguide/install-cliv2.html).

**Topics**
+ [VPC terminology](vpc-terminology.md)
+ [Supported VPC data sources](vpc-connection-supported-data-sources.md)
+ [Setting up a VPC to use with Amazon Quick](vpc-setup-for-quicksight.md)
+ [Finding information to connect to a VPC](vpc-finding-setup-information.md)

# VPC terminology
<a name="vpc-terminology"></a>

The following terminology can be useful when you work with a VPC and Amazon Quick.

A *VPC* is a virtual private cloud, which works like a private network to isolate the resources within it. The solution described in these topics uses an Amazon service called Amazon VPC.

A *route table* contains a set of rules, called *routes*, that are used to determine where network traffic is directed. You can view the route table in the Amazon VPC console at [https://console.amazonaws.cn/vpc/](https://console.amazonaws.cn/vpc/). The VPC details display the route table that the VPC is using. You can also see **Route tables** listed in the Amazon VPC console.

A *subnet* is a defined set of network IP addresses that are used to increase the security and efficiency of network communications. You can think of them like postal codes, used for routing packages from one location to another. The **Subnets** list in the Amazon VPC console displays subnet IDs and also their associated VPC IDs, route tables, and network ACLs. You need to provide at least two subnets in different availability zones to create a VPC connection.

A *network interface* represents a virtual network card. The network interface automatically created by Amazon Quick is called an *Amazon Quick network interface*. Each network interface in a VPC connection is configured based on the subnet it's attached to. You can view your Amazon Quick network interfaces in the Amazon EC2 console at [https://console.aws.amazon.com/ec2/](https://console.amazonaws.cn/ec2/). The network interface displays its network interface ID, subnet ID, VPC ID, security group, and the Availability Zone that it exists in. You can click on the security group name to see its group ID and its inbound and outbound rules. The term *network interface* in the following sections always means elastic network interface.

A *security group* is a set of rules that controls the network access to the resources it is associated with. Access is permitted only to and from the components defined in the security group's inbound and outbound rules. If no rules are defined, the security group prevents all access. You can view security groups from several different consoles, depending on which resource that a particular security group applies to. You can see all the security groups and their settings in one place in the VPC console. For the Amazon Quick VPC connection, create a new security group.

*Inbound and outbound rules* define the following:
+ The type of traffic to allow, for example **"All TCP"** or **"RDS"**.
+ The protocol to allow (TCP, UDP, or ICMP).
+ The traffic source to allow for inbound rules, or the traffic destination to allow for outbound rules. When you work with a VPC and Amazon Quick, you specify the security group ID to use.
+ An optional description. We recommend that you add the word **Amazon Quick** to the description for Amazon Quick VPC rules.

An *internet gateway* is a VPC component that allows communication between instances in your VPC and the internet. You don't need an internet gateway to use Amazon Quick VPC connections.

A *VPC endpoint* enables you to privately connect your VPC to supported Amazon services without using public IP addresses. You don't need to set up a VPC endpoint to use Amazon Quick VPC connections.

# Supported VPC data sources
<a name="vpc-connection-supported-data-sources"></a>

Amazon Quick VPC connections work only with specific Amazon Quick Sight data sources. Use this section to find out which data sources are compatible and what requirements they must meet.

The following Amazon Quick Sight data sources can connect to Amazon Quick through a VPC connection:
+ Amazon OpenSearch Service
+ Amazon Redshift
+ Amazon Relational Database Service
+ Amazon Aurora
+ Databricks
+ Exasol
+ MariaDB
+ Microsoft SQL Server
+ MySQL
+ Oracle
+ PostgreSQL
+ Presto
+ Snowflake
+ Starburst Enterprise
+ Teradata
+ Trino

For a VPC data source to be accessed from Amazon Quick Sight, the following statements must be true of your configuration: 

1. The Domain Name System (DNS) name of the VPC data source can be resolved from outside of your VPC. 

1. The connection returns the private IP address of your instance. Databases hosted by Amazon Redshift, Amazon RDS, and Aurora automatically meet this requirement.

1. There is a clearly defined network path from the data source to Amazon Quick Sight.

1. You registered the VPC with Amazon Quick by creating or using a VPC connection with the Amazon Quick console. 
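The first two requirements above can be checked before you create the VPC connection. The following script is an added example, not code from the Amazon Quick documentation: it resolves a data source host name and reports whether every answer lies inside the VPC's CIDR blocks, which is what "returns the private IP address of your instance" means in practice. The resolver is injectable, so the script runs offline against the constructed answers at the bottom; the host names, addresses and the `10.0.0.0/16` VPC CIDR are all constructed sample values.

```python
"""Check that a VPC data source's DNS name resolves to an address inside the VPC.

Added example, not code from the Amazon Quick documentation. Requirements 1 and 2
above: the name must resolve, and every answer must be a private address of the
instance, taken here to mean an address inside one of the VPC's CIDR blocks.
"""
import ipaddress
import socket


def resolve_hostname(hostname):
    """Default resolver: the distinct addresses the local DNS returns for hostname."""
    infos = socket.getaddrinfo(hostname, None)
    return sorted({info[4][0] for info in infos})


def check_data_source(hostname, vpc_cidrs, resolver=resolve_hostname):
    """Return {"hostname", "ok", "resolved", "reason"} for one data source host name.

    ok is True only when resolution succeeds and every returned address falls inside
    one of vpc_cidrs (for example ["10.0.0.0/16"]). An answer outside the VPC means the
    connection would not reach the instance over the VPC connection's private path.
    """
    networks = [ipaddress.ip_network(cidr) for cidr in vpc_cidrs]
    try:
        addresses = list(resolver(hostname))
    except OSError as exc:  # socket.gaierror is a subclass of OSError
        return {"hostname": hostname, "ok": False, "resolved": [],
                "reason": f"DNS resolution failed: {exc}"}
    if not addresses:
        return {"hostname": hostname, "ok": False, "resolved": [],
                "reason": "name resolved to no addresses"}
    # An IPv4 address is never "in" an IPv6 network (and vice versa), so mixed
    # address families are handled without special-casing.
    outside = [addr for addr in addresses
               if not any(ipaddress.ip_address(addr) in net for net in networks)]
    if outside:
        reason = f"answers outside the VPC CIDR blocks {vpc_cidrs}: {outside}"
    else:
        reason = "all answers are inside the VPC CIDR blocks"
    return {"hostname": hostname, "ok": not outside, "resolved": addresses, "reason": reason}


# Constructed DNS answers standing in for a real resolver (these are not real hosts).
SAMPLE_ANSWERS = {
    "reporting-db.example.internal": ["10.0.5.7", "10.0.5.8"],  # inside the VPC
    "public-db.example.net": ["203.0.113.10"],                   # public answer only
    "split-horizon.example": ["10.0.9.1", "198.51.100.4"],       # mixed answers
}


def sample_resolver(hostname):
    """Resolver over the constructed answers; unknown names fail like a real NXDOMAIN."""
    if hostname not in SAMPLE_ANSWERS:
        raise socket.gaierror(f"constructed NXDOMAIN for {hostname}")
    return SAMPLE_ANSWERS[hostname]


if __name__ == "__main__":
    for host in list(SAMPLE_ANSWERS) + ["missing.example"]:
        result = check_data_source(host, ["10.0.0.0/16"], resolver=sample_resolver)
        print(f"{'OK  ' if result['ok'] else 'FAIL'} {host}: {result['reason']}")
```

Run it from a host that uses the same DNS path the VPC connection will use (for example with a Route 53 Resolver inbound endpoint configured, as described later on this page); a name that resolves to a public address from that vantage point is the usual reason a VPC data source fails to connect.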

# Setting up a VPC to use with Amazon Quick
<a name="vpc-setup-for-quicksight"></a>


|  | 
| --- |
|  Applies to:  Enterprise Edition  | 


|  | 
| --- |
|    Intended audience:  System administrators  | 

To set up a VPC to use with Amazon Quick Enterprise edition, you need access to Amazon VPC and Amazon EC2. You also need access to each Amazon database service that you plan to add to Quick. You can use the console, or you can use the Amazon Command Line Interface (Amazon CLI). For more information about the CLI, see the [Amazon Command Line Interface User Guide](https://docs.amazonaws.cn/cli/latest/userguide/). To work with the CLI, go to [http://www.amazonaws.cn/cli/](http://www.amazonaws.cn/cli/).

Before you begin to set up your VPC connection in Amazon Quick, make sure that you understand the components of a VPC deployment. As part of that, familiarize yourself with the VPC's subnets and security groups in relation to the destinations (databases) that you want to reach from Amazon Quick. To set up a successful VPC connection, make sure that the following components work together to allow network traffic to pass between Amazon Quick and your data source:
+ The Amazon VPC service
+ The subnets that your data source is using
+ The Amazon Quick elastic network interfaces and the subnets they use
+ The route table
+ Inbound and outbound rules for these security groups:
  + Security group for your VPC. We recommend you create a new security group to isolate the rules on the VPC security group from the rules on the Amazon Quick network interface's security group.
  + Security group attached to the Amazon Quick network interface.
  + Security group attached to the database server (for each database server that you want to use).
+ (Optional) Amazon Route 53 Resolver inbound endpoints for private DNS resolution.

In the following topics, you can find the network components that are involved. You can also find descriptions of their roles in the network configuration of your VPC and your Amazon Quick VPC connection. The network interface for Amazon Quick that is automatically created during setup is called the *Amazon Quick network interface* (QNI).

If your VPC is already completely configured, skip to the next section, [Finding information to connect to a VPC](https://docs.amazonaws.cn/quicksight/latest/user/vpc-finding-setup-information.html).

**Topics**
+ [VPC](vpc-amazon-virtual-private-cloud.md)
+ [Subnets](vpc-subnets.md)
+ [Security groups: inbound and outbound rules](vpc-security-groups.md)
+ [Sample rules](vpc-sample-rules.md)
+ [Route table](vpc-route-table.md)
+ [Amazon Quick elastic network interface](vpc-qeni.md)
+ [Inbound endpoints for Amazon Route 53 Resolver](vpc-route-53.md)

# VPC
<a name="vpc-amazon-virtual-private-cloud"></a>

A *virtual private cloud (VPC)* is a virtual network dedicated to your Amazon account. The Amazon VPC service that provides it is a networking layer for your Amazon resources. Using Amazon VPC, you can define a virtual network in your own logically isolated area within the Amazon Cloud. A VPC closely resembles a traditional network that you might operate in your own data center, with the benefits of using the Amazon scalable infrastructure. Amazon VPC for Amazon EC2 virtual computing environments, known as *instances*, can be used for a variety of Amazon resources. 

VPCs offer options that allow for flexibility in a secure environment, for example:
+ To configure your VPC, you can set its IP address range, create subnets, configure route tables, network gateways, network interfaces, and security settings.
+ To make the Amazon Cloud an extension of your data center, you can connect your VPC to your own corporate data center.
+ You can connect your instances in the VPC to the internet, or keep your instances isolated on a private network.
+ To protect the resources in each subnet, you can use multiple layers of security, including security groups and network access control lists (ACLs). 

For more information, see the [Amazon VPC User Guide](https://docs.amazonaws.cn/vpc/latest/userguide/what-is-amazon-vpc.html). 

If you have a default VPC and don't specify a subnet when you launch an instance, the instance is launched into your default VPC. You can launch instances into your default VPC without needing to know anything about Amazon VPC. 

If you don't already have a VPC or want to use a new one, you can create one by following the instructions in [Getting started with Amazon VPC](https://docs.amazonaws.cn/vpc/latest/userguide/vpc-getting-started.html) in the *Amazon VPC User Guide*. This section offers guidance on how to set up your VPC. The guidance includes options for public and private subnets and for Amazon Site-to-Site VPN access for your corporate network (known as *on-premises access*). You can also use VPC peering or Amazon Direct Connect to reach an on-premises database instance. 

**Using the Amazon CLI**

You can start to set up a VPC in Amazon EC2 by using the [https://docs.aws.amazon.com/cli/latest/reference/ec2/create-vpc.html](https://docs.aws.amazon.com/cli/latest/reference/ec2/create-vpc.html) command. To learn more about VPC settings for the Amazon CLI, see [Examples for VPC](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Scenarios.html) in the *Amazon VPC User Guide*.

**Using the Amazon EC2 console**

To view your VPC or create a new one in Amazon EC2, sign in to the Amazon Web Services Management Console and open the Amazon VPC console at [https://console.amazonaws.cn/vpc/](https://console.amazonaws.cn/vpc/). To create a new VPC, choose **Launch VPC Wizard** and follow the instructions. Note your new VPC ID for future reference. To view VPCs, choose **Your VPCs** on the left side.

**Amazon VPC resources in VPC guides and Amazon Support articles**

For general information, see [Working with VPCs and subnets](https://docs.amazonaws.cn/vpc/latest/userguide/working-with-vpcs.html).

For step-by-step instructions for setting up a VPC, see the following topics (choose the ones that relate to your scenario):
+ [Create an IPv4 VPC and subnets using the Amazon CLI](https://docs.amazonaws.cn/vpc/latest/userguide/vpc-subnets-commands-example.html)
+ [Sharing public subnets and private subnets](https://docs.amazonaws.cn/vpc/latest/userguide/example-vpc-share.html)
+ [Working with site-to-site VPN](https://docs.amazonaws.cn/vpn/latest/s2svpn/working-with-site-site.html)
+ [Amazon Site-to-Site VPN Network Administrator Guide](https://docs.amazonaws.cn/vpc/latest/adminguide/Welcome.html) (choose your network device for specific instructions)
+ [Generic Customer Gateway Device Without Border Gateway Protocol](https://docs.amazonaws.cn/vpc/latest/adminguide/GenericConfigNoBGP.html#DetailedViewCustomerGateway6) (recommended for customer gateways)

If you want to migrate data source instances into the same VPC, see the following Amazon Support articles:
+ [How do I change the VPC for an Amazon RDS DB instance?](https://aws.amazon.com/premiumsupport/knowledge-center/change-vpc-rds-db-instance/)
+ [How do I move my EC2 instance to another subnet, Availability Zone, or VPC?](https://aws.amazon.com/premiumsupport/knowledge-center/move-ec2-instance/)
+ [How do I move my Amazon Redshift cluster from one VPC to another VPC?](https://aws.amazon.com/premiumsupport/knowledge-center/move-redshift-cluster-vpcs/)

For troubleshooting information, see [How do I troubleshoot issues with VPC route tables?](https://aws.amazon.com/premiumsupport/knowledge-center/troubleshoot-vpc-route-table/), an article with video created by Amazon Support.

# Subnets
<a name="vpc-subnets"></a>

A *subnet* is a range of IP addresses in your VPC. You need to provide at least two subnets to create a VPC connection. Each subnet must belong to a different Availability Zone. You can attach Amazon resources, such as Amazon EC2 instances and Amazon RDS DB instances, to subnets. You can create subnets to group instances together according to your security and operational needs.

For Amazon Quick to connect to your database, the network needs to route traffic to the data sources that you want to reach from one of the subnets used by the Amazon Quick network interface. Amazon Quick determines which subnet to route traffic through on the backend. If the availability zone that the subnet is attached to experiences an outage, Amazon Quick reroutes the traffic to one of the other subnets that are configured in the VPC connection. If the data sources are on different subnets, make sure that there is a route from the Amazon Quick network interface to your database instance. By default, each subnet in a VPC is associated with one main route table and can reach the other subnets. For more information, see [VPC and Subnets](https://docs.amazonaws.cn/vpc/latest/userguide/VPC_Subnets.html) and [Network ACLs](https://docs.amazonaws.cn/vpc//latest/userguide/vpc-connection-network-acls.html) in the *Amazon VPC User Guide.*
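The subnet requirement above (at least two subnets, in the same VPC, in different Availability Zones) is easy to get wrong when a VPC has several subnets per zone. The following script is an added example, not code from the Amazon Quick documentation: it applies that requirement to the JSON shape returned by `aws ec2 describe-subnets` and can also propose one subnet per Availability Zone. The VPC ID is the page's sample ID; the subnet IDs, Availability Zone names and CIDR blocks are constructed.

```python
"""Check the subnets chosen for an Amazon Quick VPC connection.

Added example, not code from the Amazon Quick documentation. Reads the JSON shape
of `aws ec2 describe-subnets` (for example `aws ec2 describe-subnets --output json`).
"""
import json

# Constructed describe-subnets output: three subnets in the sample VPC (two of them
# share an Availability Zone) and one subnet that belongs to a different VPC.
SAMPLE_DESCRIBE_SUBNETS = json.loads("""
{"Subnets": [
  {"SubnetId": "subnet-0aaa1111example", "VpcId": "vpc-0daeb67adda59e0cd",
   "AvailabilityZone": "us-east-1a", "CidrBlock": "10.0.1.0/24"},
  {"SubnetId": "subnet-0bbb2222example", "VpcId": "vpc-0daeb67adda59e0cd",
   "AvailabilityZone": "us-east-1b", "CidrBlock": "10.0.2.0/24"},
  {"SubnetId": "subnet-0ccc3333example", "VpcId": "vpc-0daeb67adda59e0cd",
   "AvailabilityZone": "us-east-1a", "CidrBlock": "10.0.3.0/24"},
  {"SubnetId": "subnet-0ddd4444example", "VpcId": "vpc-0fffffffexample",
   "AvailabilityZone": "us-east-1c", "CidrBlock": "10.9.1.0/24"}
]}
""")


def validate_subnet_choice(describe_output, vpc_id, chosen_subnet_ids):
    """Return a list of problems with the chosen subnets; an empty list means the choice is valid."""
    subnets = {s["SubnetId"]: s for s in describe_output["Subnets"]}
    problems = []
    if len(chosen_subnet_ids) < 2:
        problems.append(f"only {len(chosen_subnet_ids)} subnet(s) chosen; "
                        "a VPC connection needs at least two")
    zones = set()
    for subnet_id in chosen_subnet_ids:
        subnet = subnets.get(subnet_id)
        if subnet is None:
            problems.append(f"{subnet_id}: not found in describe-subnets output")
        elif subnet["VpcId"] != vpc_id:
            problems.append(f"{subnet_id}: belongs to {subnet['VpcId']}, not {vpc_id}")
        else:
            zones.add(subnet["AvailabilityZone"])
    # Only report the zone problem when enough subnets were given to have a zone spread.
    if len(chosen_subnet_ids) >= 2 and len(zones) < 2:
        problems.append(f"chosen subnets span only the Availability Zone(s) {sorted(zones)}; "
                        "at least two zones are required")
    return problems


def suggest_subnets(describe_output, vpc_id):
    """Pick one subnet per Availability Zone in vpc_id (first seen), ordered by zone name."""
    first_per_zone = {}
    for subnet in describe_output["Subnets"]:
        if subnet["VpcId"] == vpc_id:
            first_per_zone.setdefault(subnet["AvailabilityZone"], subnet["SubnetId"])
    return [first_per_zone[zone] for zone in sorted(first_per_zone)]


if __name__ == "__main__":
    vpc = "vpc-0daeb67adda59e0cd"
    for choice in (["subnet-0aaa1111example", "subnet-0bbb2222example"],
                   ["subnet-0aaa1111example", "subnet-0ccc3333example"],
                   ["subnet-0aaa1111example", "subnet-0ddd4444example"]):
        print(choice, "->", validate_subnet_choice(SAMPLE_DESCRIBE_SUBNETS, vpc, choice) or "OK")
    print("suggested:", suggest_subnets(SAMPLE_DESCRIBE_SUBNETS, vpc))
```

The suggestion helper is deliberately simple (first subnet seen per zone); in practice you would also confirm that each suggested subnet has a route to the database subnets, as the paragraph above describes.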

If you use Amazon RDS, DB instances are associated with a subnet group that you can view either in the Amazon RDS console ([https://console.amazonaws.cn/rds/](https://console.amazonaws.cn/rds/)) or in the VPC console. For troubleshooting connectivity to Amazon RDS, see the Amazon Support article [How can I troubleshoot connectivity to an Amazon RDS instance that uses a public or private subnet of a VPC?](http://www.amazonaws.cn/premiumsupport/knowledge-center/rds-connectivity-instance-subnet-vpc/)

# Security groups: inbound and outbound rules
<a name="vpc-security-groups"></a>

A *security group* acts as a virtual firewall for your instance to control inbound and outbound traffic. For each security group, you add rules that control the inbound traffic to instances, and a separate set of rules that control the outbound traffic.

For your VPC connection, create a new security group with the description `QuickSight-VPC`. This security group must allow all inbound TCP traffic from the security groups of the data destinations that you want to reach. The following example creates a new security group in the VPC and returns the ID of the new security group.

```
aws ec2 create-security-group \
--group-name quicksight-vpc \
--description "QuickSight-VPC" \
--vpc-id vpc-0daeb67adda59e0cd
```

**Important**  
Network configuration is sufficiently complex that we strongly recommend that you create a new security group for use with Amazon Quick. It also makes it easier for Amazon Support to help you if you need to contact them. Creating a new group isn't absolutely required. However, the following topics are based on the assumption that you follow this recommendation. 

To enable Quick to successfully connect to an instance in your VPC, configure your security group rules to allow traffic between the Amazon Quick network interface and the instance that contains your data. To do this, configure the inbound rules of the security group attached to your database instance to allow the following traffic:
+ On the port that Amazon Quick is connecting to
+ From one of the following options:
  + The security group ID that's associated with Amazon Quick network interface (recommended) 

    or
  + The private IP address of the Amazon Quick network interface

For more information, see [Security groups for your VPC](https://docs.amazonaws.cn/AmazonVPC/latest/UserGuide/VPC_SecurityGroups.html) and [VPCs and subnets](https://docs.amazonaws.cn/AmazonVPC/latest/UserGuide/VPC_Subnets.html) in the *Amazon VPC User Guide.* 

Use the topics listed below to learn more about inbound and outbound rules.

**Topics**
+ [Inbound rules](#vpc-inbound-rules)
+ [Outbound rules](#vpc-outbound-rules)

## Inbound rules
<a name="vpc-inbound-rules"></a>

**Important**  
The following section applies to your VPC connection if the connection was created before April 27, 2023.

When you create a security group, it has no inbound rules. No inbound traffic originating from another host to your instance is allowed until you add inbound rules to the security group.

The security group attached to the Amazon Quick network interface behaves differently than most security groups, because it isn't stateful. Other security groups are usually *stateful*. This means that, after they establish an outbound connection to a resource's security group, they automatically allow return traffic. In contrast, the Amazon Quick network interface security group doesn't automatically allow return traffic. Because of this, adding an egress rule to the Amazon Quick network interface security group doesn't work. To make it work for the Amazon Quick network interface security group, make sure to add an inbound rule that explicitly authorizes the return traffic from the database host.

The inbound rule in your security group must allow traffic on all ports. It needs to do this because the destination port number of any inbound return packets is set to a randomly allocated port number.

To restrict Amazon Quick to connect only to certain instances, you can specify the security group ID (recommended) or private IP address of the instances that you want to allow. In either case, your security group inbound rule still needs to allow traffic on all ports (0–65535).

To allow Amazon Quick to connect to any instance in the VPC, you can configure the Amazon Quick network interface security group. In this case, give it an inbound rule to allow traffic on 0.0.0.0/0 on all ports (0–65535). The security group used by the Amazon Quick network interface should be different than the security groups used for your databases. We recommend that you use separate security groups for VPC connection.

**Important**  
If you are using a long-standing Amazon RDS DB instance, check your configuration to see if you're using a DB security group. DB security groups are used with DB instances that are not in a VPC and are on the EC2-Classic platform.   
If this is your configuration, and you aren't moving your DB instance into the VPC for use with Amazon Quick, make sure to update your DB security group's inbound rules. Update them to allow inbound traffic from the VPC security group that you're using for Amazon Quick. For more information, see [Controlling Access with Security Groups](https://docs.amazonaws.cn/AmazonRDS/latest/UserGuide/Overview.RDSSecurityGroups.html) in the *Amazon RDS User Guide.* 

## Outbound rules
<a name="vpc-outbound-rules"></a>

**Important**  
The following section applies to your VPC connection if the connection was created before April 27, 2023.

By default, a security group includes an outbound rule that allows all outbound traffic. We recommend that you remove this default rule and add outbound rules that allow specific outbound traffic only.

**Warning**  
Do not configure the security group on the Amazon Quick network interface with an outbound rule to allow traffic on all ports. For information on key considerations and recommendations for managing network egress traffic from VPCs, see [Security best practices for your VPC](https://docs.amazonaws.cn/vpc/latest/userguide/vpc-security-best-practices.html) in the *Amazon VPC User Guide.* 

The security group attached to Amazon Quick network interface should have outbound rules that allow traffic to each of the database instances in your VPC that you want Amazon Quick to connect to. To restrict Amazon Quick to connect only to certain instances, specify the security group ID (recommended) or the private IP address of the instances to allow. You set this up, along with the appropriate port numbers for your instances (the port that the instances are listening on), in the outbound rule.

The VPC security group must also allow outbound traffic to the security groups of the data destinations, specifically on the port or ports that the database is listening on.

# Sample rules
<a name="vpc-sample-rules"></a>

Following, you can find some example configurations of inbound and outbound rules for Amazon RDS and Amazon Redshift.

## VPC connection rules: Amazon Quick Sight: Amazon RDS for MySQL
<a name="vpc-quicksight-to-rds-mysql"></a>

The following tables show rule settings for connecting Amazon Quick Sight to Amazon RDS for MySQL. 


**Amazon Quick Sight Network interface security group: inbound rule**  

|  |  | 
| --- |--- |
| Type | All TCP | 
| Protocol | TCP | 
| Port Range | 0 - 65535 | 
| Source | sg-RDS11111111 | 
| Description | Amazon Quick Sight - RDS MySQL | 


**Amazon Quick Sight Network interface security group: outbound rule**  

|  |  | 
| --- |--- |
| Type | MYSQL/Aurora | 
| Protocol | TCP | 
| Port Range | 3306 | 
| Destination | sg-RDS11111111 | 
| Description | Amazon Quick Sight to RDS MySQL | 


**RDS MySQL: inbound rule**  

|  |  | 
| --- |--- |
| Type | MYSQL/Aurora | 
| Protocol | TCP | 
| Port Range | 3306 | 
| Source | sg-ENI3333333 | 
| Description | Amazon Quick Sight to RDS MySQL | 

## VPC connection rules: Amazon Redshift in Amazon Quick Sight
<a name="vpc-quicksight-to-redshift"></a>

The following tables show rule settings for connecting Amazon Quick Sight to Amazon Redshift.


**Amazon Quick Sight network interface security group: inbound rule**  

|  |  | 
| --- |--- |
| Type | All TCP | 
| Protocol | TCP | 
| Port Range | 0 - 65535 | 
| Source | sg-RedSh222222 | 
| Description | Amazon Quick Sight–Amazon Redshift | 


**Amazon Quick Sight network interface security group: outbound rule**  

|  |  | 
| --- |--- |
| Type | Amazon Redshift | 
| Protocol | TCP | 
| Port Range | 5439 | 
| Destination | sg-RedSh222222 | 
| Description | Amazon Quick Sight–Amazon Redshift | 


**Amazon Redshift: inbound rule**  

|  |  | 
| --- |--- |
| Type | Amazon Redshift | 
| Protocol | TCP | 
| Port Range | 5439 | 
| Source | sg-ENI3333333 | 
| Description | Amazon Quick Sight–Amazon Redshift | 

# Route table
<a name="vpc-route-table"></a>

To use VPC peering or Amazon Direct Connect to reach an on-premises database instance, update the route table that's associated with the VPC you're using with Amazon Quick. For more information on route tables, see [Route tables](https://docs.amazonaws.cn/vpc/latest/userguide/VPC_Route_Tables.html) in the *Amazon VPC User Guide.*

To learn more about VPC peering and view sample scenarios and configurations, see [What is VPC peering?](https://docs.amazonaws.cn/vpc/latest/peering/what-is-vpc-peering.html) in the *Amazon VPC Peering Guide.* For an example configuration, see [Example: Services using Amazon PrivateLink and VPC peering](https://docs.amazonaws.cn/vpc/latest/userguide/vpc-peer-region-example.html) in the *Amazon VPC User Guide.*

**Using the Amazon CLI**

The following example creates a route table.

```
aws ec2 create-route-table --vpc-id vpc-0daeb67adda59e0cd
```

Then you can use the `create-route` command to create a route. For more information and examples, see [create-route](https://docs.aws.amazon.com/cli/latest/reference/ec2/create-route.html) in the *Amazon CLI Command Reference.*

For the following examples to work, make sure that you have a subnet in the VPC associated with the route table. The first example describes the route table with the specified VPC ID. The second one describes the route table with the specified route table ID. 

```
aws ec2 describe-route-tables \
--filters "Name=vpc-id,Values=vpc-0daeb67adda59e0cd" 

aws ec2 describe-route-tables \
--route-table-ids rtb-45ac473a
```

The following example describes the specified associations between a specific VPC and your local gateway route tables.

```
aws ec2 describe-local-gateway-route-table-vpc-associations \
--filters "Name=vpc-id,Values=vpc-0daeb67adda59e0cd"
```

# Amazon Quick elastic network interface
<a name="vpc-qeni"></a>

The *Amazon Quick elastic network interface* is a logical networking component in a VPC that represents a virtual network card. Quick creates at least two of these network interfaces to use with a VPC connection, based on the subnets that are attached to it. Then you add the VPC connection to each Amazon Quick Sight data source you create. The Quick network interface alone doesn't give Quick direct access to your databases. The VPC connection works only for the Amazon Quick Sight data sources that are configured to use it.

When you use the Amazon Quick Sight data source to query a database or other instance within your VPC, all the network traffic from Amazon Quick originates from this Amazon Quick network interface. Because the Amazon Quick network interface exists inside your VPC, traffic originating from it can reach destinations within your VPC by using their private IP addresses. Each Amazon Quick network interface gets its own private IP address that comes from the subnet you configure. The private IP address is unique for each Amazon account, unlike the public IP range.

# Inbound endpoints for Amazon Route 53 Resolver
<a name="vpc-route-53"></a>

*Amazon Route 53 Resolver* provides DNS query capabilities to your VPC. Route 53 Resolver resolves all local DNS queries and recursively looks up any DNS queries that aren't local on public DNS servers. 

Amazon Quick can't directly use Route 53 Resolver to query private DNS servers. However, you can set up Route 53 Resolver inbound endpoints to make these queries indirectly. For more information about inbound endpoints, see [Forwarding inbound DNS queries to your VPCs](https://docs.amazonaws.cn/Route53/latest/DeveloperGuide/resolver-forwarding-inbound-queries.html) in the *Route 53 Resolver Developer Guide*. To use inbound endpoints in Amazon Quick, provide the IP addresses of the endpoints for **DNS resolver endpoints** when you create a VPC connection.

# Finding information to connect to a VPC
<a name="vpc-finding-setup-information"></a>


|  | 
| --- |
|  Applies to:  Enterprise Edition  | 


|  | 
| --- |
|    Intended audience:  System administrators  | 

To gather the information to have ready when you create a VPC connection in Amazon Quick Enterprise edition, take the steps listed following.

**Topics**
+ [Identify the data sources to use](#vpc-data-sources)
+ [Identify the Amazon Web Services Region to use](#vpc-aws-region)
+ [Identify the VPC ID to use](#vpc-id)
+ [Identify the subnet IDs to use](#vpc-subnet-id)
+ [Identify the security group to use](#vpc-security-group-id)

## Identify the data sources to use
<a name="vpc-data-sources"></a>

Start by identifying all the data sources that you want to connect to using Quick. For each of these, note the database's private IP, security group, and subnets. Amazon Quick connects to your data using the private IP. However, you don't need to enter this or the security group or subnet information for the VPC connection. This information helps you identify the other components you need for the Amazon Quick VPC connection.

**Note**  
For the connection to your data source to work, make sure that there's a traceable route from your data source to the VPC ID. For more details, see [Identify the data sources to use](https://docs.amazonaws.cn/quicksight/latest/user/vpc-finding-setup-information.html). 

## Identify the Amazon Web Services Region to use
<a name="vpc-aws-region"></a>

For the connection to work, the data, the subnets, and the security group must be in the same VPC. Make sure also that you use Quick in the same Amazon Web Services Region as the VPC. 

You can't use Amazon Quick in one Amazon Web Services Region and expect to connect to a VPC in a different Amazon Web Services Region.

If your team is already using Amazon Quick, you can see your current Amazon Web Services Region displayed at the upper right of the Amazon Quick home screen. You can change the Amazon Web Services Region you're using in Amazon Quick by changing the Region at the upper right of the Amazon Quick home screen. All the people who plan to use the data in the VPC must be using the same Amazon Web Services Region in Amazon Quick.

**Note**  
The Amazon Web Services Region that the Amazon Quick console displays doesn't have to match your Amazon CLI configuration. Take care not to mistake your current Amazon Quick console settings for the settings that apply to the Amazon CLI commands that you run or to other consoles. Changing the current Amazon Web Services Region in one console changes it only for that console.   
For example, with three tabs open in one browser window and a terminal beside them, you can have the Amazon Quick console open in one Amazon Web Services Region, the Amazon VPC console in a second Region, the Amazon RDS console in a third Region, and the Amazon CLI configured for a fourth Region. 

## Identify the VPC ID to use
<a name="vpc-id"></a>

The VPC ID is assigned when the VPC is created. 

**Using the Amazon CLI**

The following `describe-vpcs` example retrieves details for all of your VPCs.

```
aws ec2 describe-vpcs
```

The following `describe-vpcs` example retrieves details for the specified VPC.

```
aws ec2 describe-vpcs \
--vpc-ids vpc-06e4ab6c6cEXAMPLE
```

**Using the Amazon VPC console**

In the VPC console ([https://console.amazonaws.cn/vpc/](https://console.amazonaws.cn/vpc/)), choose **Your VPCs** at left. Choose the VPC ID that you want to use. The correct VPC is the one in your current Amazon Web Services Region that contains your data source's subnets and that meets the requirements described in [Finding information to connect to a VPC](https://docs.amazonaws.cn/quicksight/latest/user/vpc-finding-setup-information.html). Also note the ID of its **Main Route Table**, because you need it to identify the related subnets.

**Tip**  
In the Amazon VPC console, you can filter by VPC. This option is located at the top left of the console. If you filter by your VPC ID, all the other menus display only the network elements that are in your selected VPC. 

## Identify the subnet IDs to use
<a name="vpc-subnet-id"></a>

To locate the subnet IDs for the subnets used by the VPC, open the VPC console. Locate the VPC that you are using and at least two of its subnets in different Availability Zones. Amazon Quick creates an elastic network interface (the Amazon Quick network interface) in each subnet that you choose. These network interfaces are created after you save your VPC connection settings, described in the following section. 

Your database instances can reside in other subnets. However, make sure that there is a route from each subnet that you choose to every data source that you want to reach. 

**Using the Amazon CLI**

The following example describes all existing subnets.

```
aws ec2 describe-subnets
```

The following `describe-subnets` example uses a filter to retrieve details for the subnets of the specified VPC.

```
aws ec2 describe-subnets \
--filters "Name=vpc-id,Values=vpc-06e4ab6c6cEXAMPLE"
```

**Using the Amazon VPC console**

In the VPC console ([https://console.amazonaws.cn/vpc/](https://console.amazonaws.cn/vpc/)), choose **Subnets** at left, and find the **Subnet ID** of each subnet that you want to use. Any subnet is acceptable if your database's subnet has a route to it. In most cases, if you haven't customized the VPC's route tables yourself, all subnets in the VPC can reach each other: every VPC route table carries a `local` route for the VPC's CIDR block, so only a network ACL or a security group can block traffic between the subnets. 
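The two steps above (noting the data source's VPC and subnet, then picking at least two subnets in different Availability Zones for the Amazon Quick network interfaces) can be applied to saved `describe-subnets` output. The following Python script is an added example, not code from the Amazon Quick documentation; it assumes you redirected the `aws ec2 describe-subnets` command shown above to a file. The JSON, VPC IDs, and subnet IDs below are constructed placeholders. The free-address check is an addition beyond what the page states: Amazon Quick has to allocate a private IP address in each subnet for its network interface, so a subnet with no free addresses can't host one.

```python
"""Pick subnets for an Amazon Quick VPC connection from saved CLI output.

Added example, not from the Amazon Quick documentation. Assumes the output of
`aws ec2 describe-subnets --filters "Name=vpc-id,Values=<vpc>"` was saved and
loaded as a string, and that the data source's VPC ID was noted earlier.
"""
import json

# Constructed sample of `aws ec2 describe-subnets` output, trimmed to the
# fields used here. All IDs are placeholders, not real resources.
SAMPLE_DESCRIBE_SUBNETS = json.dumps({"Subnets": [
    {"SubnetId": "subnet-0a1EXAMPLE", "VpcId": "vpc-06e4ab6c6cEXAMPLE",
     "AvailabilityZone": "us-west-2a", "CidrBlock": "10.0.1.0/24",
     "AvailableIpAddressCount": 250},
    {"SubnetId": "subnet-0b2EXAMPLE", "VpcId": "vpc-06e4ab6c6cEXAMPLE",
     "AvailabilityZone": "us-west-2a", "CidrBlock": "10.0.2.0/24",
     "AvailableIpAddressCount": 200},
    {"SubnetId": "subnet-0c3EXAMPLE", "VpcId": "vpc-06e4ab6c6cEXAMPLE",
     "AvailabilityZone": "us-west-2b", "CidrBlock": "10.0.3.0/24",
     "AvailableIpAddressCount": 1},      # nearly exhausted
    {"SubnetId": "subnet-0d4EXAMPLE", "VpcId": "vpc-06e4ab6c6cEXAMPLE",
     "AvailabilityZone": "us-west-2c", "CidrBlock": "10.0.4.0/24",
     "AvailableIpAddressCount": 120},
    {"SubnetId": "subnet-0e5EXAMPLE", "VpcId": "vpc-0ffOTHEREXAMPLE",
     "AvailabilityZone": "us-west-2b", "CidrBlock": "172.16.0.0/24",
     "AvailableIpAddressCount": 250},    # different VPC: unusable
]})


def choose_connection_subnets(describe_subnets_json, data_source_vpc_id,
                              min_subnets=2, min_free_ips=2):
    """Return subnet IDs suitable for the VPC connection.

    Rules applied:
      * only subnets in the data source's VPC (a connection can't span VPCs);
      * one subnet per Availability Zone, covering at least `min_subnets`
        distinct zones, as the page requires;
      * skip subnets with fewer than `min_free_ips` free addresses, so the
        Amazon Quick network interface can get an IP address (added check).
    Raises ValueError if fewer than `min_subnets` zones can be covered.
    """
    subnets = json.loads(describe_subnets_json)["Subnets"]
    best_per_az = {}
    for s in subnets:
        if s["VpcId"] != data_source_vpc_id:
            continue  # wrong VPC: no route to the data source
        free = s.get("AvailableIpAddressCount", 0)
        if free < min_free_ips:
            continue  # no room for the network interface
        az = s["AvailabilityZone"]
        # Keep the subnet with the most free addresses in each zone.
        if az not in best_per_az or free > best_per_az[az]["AvailableIpAddressCount"]:
            best_per_az[az] = s
    if len(best_per_az) < min_subnets:
        raise ValueError(
            f"need subnets in at least {min_subnets} Availability Zones in "
            f"{data_source_vpc_id}, found zones {sorted(best_per_az)}")
    # Deterministic order by zone name; returns ['subnet-0a1EXAMPLE', 'subnet-0d4EXAMPLE'] for the sample.
    return [best_per_az[az]["SubnetId"] for az in sorted(best_per_az)]


if __name__ == "__main__":
    print(choose_connection_subnets(SAMPLE_DESCRIBE_SUBNETS, "vpc-06e4ab6c6cEXAMPLE"))
```

With the sample above, the subnet in `us-west-2b` is dropped because it has a single free address, and the second `us-west-2a` subnet is dropped because one subnet per zone is enough; the script fails loudly when the VPC ID you noted for the data source doesn't have subnets in two zones, which is the case worth catching before you save the connection.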

## Identify the security group to use
<a name="vpc-security-group-id"></a>

The security group that you specify for the VPC connection is attached to the Amazon Quick network interfaces. Its rules, together with the rules of the security groups on your data source instances, control the inbound and outbound network traffic between Amazon Quick and your data sources. By convention, give the security group that you use the description `"QuickSight-VPC"` so that it's easy to identify; the CLI filter examples following rely on that description. 

When you locate the correct security group, copy its **Group ID** value.

**Using the Amazon CLI**

The following example displays the security groups in a specific Amazon Web Services Region. It displays only the group ID, name, and description. It filters the result to display only groups for a specific VPC ID that also have a description of `"QuickSight-VPC"`. 

```
aws ec2 describe-security-groups \
--region us-west-2 \
--query 'SecurityGroups[*].[GroupId, GroupName, Description]' \
--filters "Name=vpc-id,Values=vpc-06e4ab6c6cEXAMPLE" "Name=description,Values=QuickSight-VPC"
```

The following example displays information about the security group with the ID `sg-903004f8`. Note that you can't look up a security group in a nondefault VPC by name with `--group-names`; use the group ID (or the `group-name` filter).

```
aws ec2 describe-security-groups \
--group-ids sg-903004f8 \
--region us-west-2
```

The following example returns the inbound (`IpPermissions`) and outbound (`IpPermissionsEgress`) rules of the security group with a specific ID (`sg-903004f8`), in a specific Amazon Web Services Region (`us-west-2`).

```
aws ec2 describe-security-groups \
--region us-west-2 \
--group-ids sg-903004f8 \
--query 'SecurityGroups[*].[GroupId, GroupName, Description, IpPermissions,IpPermissionsEgress]'
```

The following example uses filters to describe VPC security groups that have an inbound rule for SQL Server traffic (port `1433`) and an inbound rule that allows traffic from all addresses (`0.0.0.0/0`). The output is filtered to display only the group IDs, names, and descriptions of the security groups. A security group must match all of the filters to be returned, but a single rule doesn't have to match all of the filters, so a group is returned even if its `0.0.0.0/0` rule is on a port other than `1433`. Use this query to find data source groups that are more open than a VPC connection needs: traffic from Amazon Quick arrives from the private IP addresses of the Amazon Quick network interfaces inside your VPC, so an inbound rule on the database port that references the Amazon Quick security group is sufficient.

```
aws ec2 describe-security-groups \
--filters Name=ip-permission.from-port,Values=1433 \
Name=ip-permission.to-port,Values=1433 \
Name=ip-permission.cidr,Values='0.0.0.0/0' \
--query 'SecurityGroups[*].[GroupId, GroupName, Description]'
```

**Using the Amazon VPC console**

In the VPC console ([https://console.amazonaws.cn/vpc/](https://console.amazonaws.cn/vpc/)), choose **Security groups** at left, and find the correct group ID. The correct group shows your VPC ID in its **VPC ID** column and has a tag or description that includes the word `"QuickSight"`.
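As an added example that is not part of the Amazon Quick documentation, the following Python script applies the same checks as the CLI filters above to saved `describe-security-groups` output, and adds the check a practitioner most wants before saving the connection: that the data source's security group admits the database port from the Amazon Quick security group, and that the Amazon Quick group has an outbound rule that can carry that traffic. The JSON, group IDs, and the SQL Server port (`1433`) are constructed placeholders following the conventions on this page. The reachability check insists on a rule that references the Amazon Quick group by ID rather than by CIDR, because the private IP addresses of the Amazon Quick network interfaces aren't known until after the VPC connection is saved. It doesn't replace the complete rule requirements for the Amazon Quick security group.

```python
"""Audit security-group rules for an Amazon Quick VPC connection.

Added example, not from the Amazon Quick documentation. Assumes the output of
`aws ec2 describe-security-groups --filters "Name=vpc-id,Values=<vpc>"` was
saved and loaded as a string. All IDs below are constructed placeholders.
"""
import json

SAMPLE_DESCRIBE_SGS = json.dumps({"SecurityGroups": [
    {  # Group intended for the Amazon Quick network interfaces.
     "GroupId": "sg-0aaEXAMPLE", "GroupName": "quicksight-vpc",
     "Description": "QuickSight-VPC", "VpcId": "vpc-06e4ab6c6cEXAMPLE",
     "IpPermissions": [],
     "IpPermissionsEgress": [{"IpProtocol": "tcp", "FromPort": 1433, "ToPort": 1433,
                              "IpRanges": [], "Ipv6Ranges": [],
                              "UserIdGroupPairs": [{"GroupId": "sg-0bbEXAMPLE"}]}]},
    {  # Group on the SQL Server instance: admits 1433 only from the group above.
     "GroupId": "sg-0bbEXAMPLE", "GroupName": "sqlserver-db",
     "Description": "SQL Server data source", "VpcId": "vpc-06e4ab6c6cEXAMPLE",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 1433, "ToPort": 1433,
                        "IpRanges": [], "Ipv6Ranges": [],
                        "UserIdGroupPairs": [{"GroupId": "sg-0aaEXAMPLE"}]}],
     "IpPermissionsEgress": []},
    {  # Legacy group: all protocols from the VPC, plus 1433 open to the world.
     "GroupId": "sg-0ccEXAMPLE", "GroupName": "legacy-db",
     "Description": "old database group", "VpcId": "vpc-06e4ab6c6cEXAMPLE",
     "IpPermissions": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/16"}],
                        "Ipv6Ranges": [], "UserIdGroupPairs": []},
                       {"IpProtocol": "tcp", "FromPort": 1433, "ToPort": 1433,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [],
                        "UserIdGroupPairs": []}],
     "IpPermissionsEgress": []},
]})


def _rule_covers(rule, port, proto="tcp"):
    """True if one IpPermissions entry allows `proto`/`port`."""
    if rule["IpProtocol"] == "-1":          # all protocols and ports
        return True
    if rule["IpProtocol"] != proto:
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)


def inbound_sources(groups_json, port, proto="tcp"):
    """Map each group ID to the CIDRs and group IDs allowed to reach `port`."""
    result = {}
    for g in json.loads(groups_json)["SecurityGroups"]:
        cidrs, groups = set(), set()
        for rule in g["IpPermissions"]:
            if not _rule_covers(rule, port, proto):
                continue
            cidrs.update(r["CidrIp"] for r in rule.get("IpRanges", []))
            cidrs.update(r["CidrIpv6"] for r in rule.get("Ipv6Ranges", []))
            groups.update(p["GroupId"] for p in rule.get("UserIdGroupPairs", []))
        result[g["GroupId"]] = {"cidrs": sorted(cidrs), "groups": sorted(groups)}
    return result


def wide_open_groups(groups_json, port, proto="tcp"):
    """Group IDs whose inbound rules expose `port` to any address, the case
    the `0.0.0.0/0` CLI filter on this page searches for."""
    return [gid for gid, src in inbound_sources(groups_json, port, proto).items()
            if "0.0.0.0/0" in src["cidrs"] or "::/0" in src["cidrs"]]


def quicksight_groups(groups_json, vpc_id, description="QuickSight-VPC"):
    """Group IDs in `vpc_id` that carry the conventional description."""
    return [g["GroupId"] for g in json.loads(groups_json)["SecurityGroups"]
            if g["VpcId"] == vpc_id and g["Description"] == description]


def data_source_reachable(groups_json, quicksight_sg, data_source_sg, port, proto="tcp"):
    """True if `data_source_sg` admits `port` from `quicksight_sg` by group
    reference and `quicksight_sg` can send `port` to it (by group reference or
    to 0.0.0.0/0). Narrower egress CIDRs aren't resolved here, because the
    Amazon Quick network interface addresses don't exist yet."""
    groups = {g["GroupId"]: g for g in json.loads(groups_json)["SecurityGroups"]}
    inbound_ok = quicksight_sg in inbound_sources(groups_json, port, proto)[data_source_sg]["groups"]
    egress_ok = False
    for rule in groups[quicksight_sg]["IpPermissionsEgress"]:
        if not _rule_covers(rule, port, proto):
            continue
        dests = {p["GroupId"] for p in rule.get("UserIdGroupPairs", [])}
        cidrs = {r["CidrIp"] for r in rule.get("IpRanges", [])}
        if data_source_sg in dests or "0.0.0.0/0" in cidrs:
            egress_ok = True
    return inbound_ok and egress_ok


if __name__ == "__main__":
    print("QuickSight groups:", quicksight_groups(SAMPLE_DESCRIBE_SGS, "vpc-06e4ab6c6cEXAMPLE"))
    print("1433 open to the world:", wide_open_groups(SAMPLE_DESCRIBE_SGS, 1433))
    print("sqlserver-db reachable:", data_source_reachable(SAMPLE_DESCRIBE_SGS, "sg-0aaEXAMPLE", "sg-0bbEXAMPLE", 1433))
```

On the sample, `sg-0ccEXAMPLE` is flagged twice: once by `wide_open_groups`, and once by `inbound_sources`, which also lists its all-protocol `10.0.0.0/16` rule as covering port `1433` even though no rule mentions that port. That second case is why the audit walks `IpProtocol: "-1"` rules rather than filtering on `from-port` alone.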