Controlling network traffic with Redshift enhanced VPC routing - Amazon Redshift

When you use Amazon Redshift enhanced VPC routing, Amazon Redshift forces all COPY and UNLOAD traffic between your cluster and your data repositories through your virtual private cloud (VPC) based on the Amazon VPC service. By using enhanced VPC routing, you can use standard VPC features, such as VPC security groups, network access control lists (ACLs), VPC endpoints, VPC endpoint policies, internet gateways, and Domain Name System (DNS) servers, as described in the Amazon VPC User Guide. You use these features to control the flow of data between your Amazon Redshift cluster and other resources. When you use enhanced VPC routing to route traffic through your VPC, you can also use VPC flow logs to monitor COPY and UNLOAD traffic.

Amazon Redshift clusters and Amazon Redshift Serverless workgroups both support enhanced VPC routing. You can't use enhanced VPC routing with Redshift Spectrum. For more information, see Accessing Amazon S3 buckets with Redshift Spectrum.

If enhanced VPC routing is not turned on, Amazon Redshift routes traffic through the internet, including traffic to other services within the Amazon network.

Important

Because enhanced VPC routing affects the way that Amazon Redshift accesses other resources, COPY and UNLOAD commands might fail unless you configure your VPC correctly. You must specifically create a network path between your cluster's VPC and your data resources, as described in the following section.

When you run a COPY or UNLOAD command on a cluster with enhanced VPC routing turned on, your VPC routes the traffic to the specified resource using the strictest, or most specific, network path available.

For example, you can configure the following pathways in your VPC:

  • VPC endpoints – For traffic to an Amazon S3 bucket in the same Amazon Region as your cluster or workgroup, you can create a VPC endpoint to direct traffic directly to the bucket. When you use VPC endpoints, you can attach an endpoint policy to manage access to Amazon S3. For more information about using endpoints with Redshift, see Controlling database traffic with VPC endpoints. If you use Lake Formation, you can find more information about establishing a private connection between your VPC and Amazon Lake Formation at Amazon Lake Formation and interface VPC endpoints (Amazon PrivateLink).

    Note

    When you use Redshift VPC endpoints with Amazon S3 VPC Gateway endpoints, you must enable enhanced VPC routing in Redshift. For more information, see Gateway endpoints for Amazon S3.

  • NAT gateway – You can connect to an Amazon S3 bucket in another Amazon Region, and you can connect to another service within the Amazon network. You can also access a host instance outside the Amazon network. To do so, configure a network address translation (NAT) gateway, as described in the Amazon VPC User Guide.

  • Internet gateway – To connect to Amazon services outside your VPC, you can attach an internet gateway to your VPC subnet, as described in the Amazon VPC User Guide. To use an internet gateway, your cluster or workgroup must be publicly accessible so that other services can communicate with it.

For more information, see VPC Endpoints in the Amazon VPC User Guide.
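As an added check that is not part of this documentation page: a small audit that reads the raw `describe-clusters` and `describe-vpc-endpoints` responses and reports clusters whose enhanced VPC routing is off, clusters with no same-Region S3 gateway endpoint in their VPC, and S3 endpoints still carrying the default full-access policy. The sample responses, cluster names, VPC and endpoint IDs are constructed for the example.

```python
import json
from typing import Dict, List

def _lst(v):  # IAM policy fields may be a single string or a list
    return v if isinstance(v, list) else [v]

def policy_is_wide_open(policy_json: str) -> bool:
    """True if any Allow statement grants Principal "*" Action "*" on Resource "*" (the default)."""
    try:
        doc = json.loads(policy_json or "")
    except ValueError:
        return True  # missing or unparsable: assume the default full-access policy
    return any(s.get("Effect") == "Allow" and s.get("Principal") == "*"
               and "*" in _lst(s.get("Action", [])) and "*" in _lst(s.get("Resource", []))
               for s in _lst(doc.get("Statement", [])))

def audit(clusters_out: Dict, endpoints_out: Dict) -> List[str]:
    """One finding per problem, from raw describe-clusters / describe-vpc-endpoints dicts."""
    s3_gateways: Dict[str, List[Dict]] = {}
    for ep in endpoints_out.get("VpcEndpoints", []):
        if ep.get("VpcEndpointType") == "Gateway" and ep.get("ServiceName", "").endswith(".s3"):
            s3_gateways.setdefault(ep["VpcId"], []).append(ep)
    findings = []
    for c in clusters_out.get("Clusters", []):
        name, vpc = c["ClusterIdentifier"], c.get("VpcId")
        if not c.get("EnhancedVpcRouting"):
            findings.append(f"{name}: enhanced VPC routing is off; COPY/UNLOAD traffic bypasses "
                            "VPC security groups, NACLs, endpoint policies and flow logs")
            continue
        gws = s3_gateways.get(vpc, [])
        if not gws:
            findings.append(f"{name}: no S3 gateway endpoint in {vpc}; same-Region S3 traffic "
                            "must leave through a NAT or internet gateway instead")
        for gw in gws:
            if policy_is_wide_open(gw.get("PolicyDocument", "")):
                findings.append(f"{name}: endpoint {gw['VpcEndpointId']} policy allows any "
                                "principal to reach any bucket; scope it to your data buckets")
    return findings

# Constructed sample responses (not real accounts): one cluster behind a default-policy
# S3 gateway endpoint, and one cluster with enhanced VPC routing turned off.
SAMPLE_CLUSTERS = {"Clusters": [
    {"ClusterIdentifier": "analytics-a", "VpcId": "vpc-0a", "EnhancedVpcRouting": True},
    {"ClusterIdentifier": "analytics-b", "VpcId": "vpc-0b", "EnhancedVpcRouting": False}]}
SAMPLE_ENDPOINTS = {"VpcEndpoints": [
    {"VpcEndpointId": "vpce-1", "VpcId": "vpc-0a", "VpcEndpointType": "Gateway",
     "ServiceName": "com.amazonaws.us-east-1.s3",
     "PolicyDocument": '{"Statement":[{"Effect":"Allow","Principal":"*","Action":"*","Resource":"*"}]}'}]}
```

In place of the sample dicts, pass the parsed JSON output of `aws redshift describe-clusters` and `aws ec2 describe-vpc-endpoints` for the account and Region under review.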

There is no additional charge for using enhanced VPC routing. You might incur additional data transfer charges for certain operations, such as UNLOAD to Amazon S3 in a different Amazon Region, COPY from Amazon EMR, or COPY over Secure Shell (SSH) using public IP addresses. For more information about pricing, see Amazon EC2 Pricing.