Working with Redshift-managed VPC endpoints - Amazon Redshift
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Working with Redshift-managed VPC endpoints

By default, an Amazon Redshift cluster or an Amazon Redshift Serverless workgroup is provisioned in a virtual private cloud (VPC). The VPC can be accessed from another VPC or subnet when you either allow public access or set up an internet gateway, a NAT device, or an Amazon Direct Connect connection to route traffic to it. You can also access a cluster or workgroup by setting up a Redshift-managed VPC endpoint (powered by Amazon PrivateLink).

You can set up a Redshift-managed VPC endpoint as a private connection between a VPC that contains a cluster or workgroup and a VPC where a client tool is running. If the cluster or workgroup is in another account, the account owner (grantor) must grant access to the connecting account (grantee). With this approach, you can access the data warehouse without using a public IP address or routing traffic through the internet.

These are common reasons to allow access using a Redshift-managed VPC endpoint:

  • Amazon account A wants to allow a VPC in Amazon account B to have access to a cluster or workgroup.

  • Amazon account A wants to allow a VPC that is also in Amazon account A to have access to a cluster or workgroup.

  • Amazon account A wants to allow a different subnet in the VPC within Amazon account A to have access to a cluster or workgroup.

The workflow to set up a Redshift-managed VPC endpoint to access a cluster or workgroup in another account is as follows:

  1. The owner account grants access authorization to another account and specifies the Amazon account ID and VPC identifier (or all VPCs) of the grantee.

  2. The grantee account is notified that they have permission to create a Redshift-managed VPC endpoint.

  3. The grantee account creates a Redshift-managed VPC endpoint.

  4. The grantee account accesses the cluster or workgroup of the owner account using the Redshift-managed VPC endpoint.

You can do this using the Amazon Redshift console, the Amazon CLI, or the Amazon Redshift API.

Considerations when using Redshift-managed VPC endpoints

Note

To create or modify Redshift-managed VPC endpoints, you need permission ec2:CreateVpcEndpoint or ec2:ModifyVpcEndpoint in your IAM policy, in addition to other permissions specified in the Amazon managed policy AmazonRedshiftFullAccess.

When using Redshift-managed VPC endpoints, keep the following in mind:

  • Make sure that the cluster to access uses an RA3 node type. An Amazon Redshift Serverless workgroup works for this as well.

  • For provisioned clusters, make sure that the cluster to access has cluster relocation turned on. For information about requirements to turn on cluster relocation, see Relocating your cluster.

  • Make sure that the security group of the cluster or workgroup to access allows traffic on a port within the valid ranges 5431-5455 and 8191-8215. The default port is 5439.

  • You can modify the VPC security groups associated with an existing Redshift-managed VPC endpoint. To modify other settings, delete the current Redshift-managed VPC endpoint and create a new one.

  • The number of Redshift-managed VPC endpoints that you can create is limited to your VPC endpoint quota.

  • The Redshift-managed VPC endpoints aren't accessible from the internet. A Redshift-managed VPC endpoint is accessible only within the VPC where the endpoint is provisioned or from any VPCs peered with the VPC where the endpoint is provisioned as permitted by the route tables and security groups.

  • You can't use the Amazon VPC console to manage Redshift-managed VPC endpoints.

  • When you create a Redshift-managed VPC endpoint for a provisioned cluster, the VPC you choose must have a subnet group. To create a subnet group, see Managing cluster subnet groups using the console.
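As an added illustration that is not part of this AWS documentation, the following Python preflight check encodes the grant-then-create workflow and the considerations listed above (RA3 node type, relocation on, valid port ranges, 12-digit grantee account, grantor authorization per VPC or for all VPCs, and a security group rule that admits the client's CIDR). The data classes, the ingress-rule tuple layout and the convention that an empty `vpc_ids` set means "all VPCs" are my own constructed model, not Redshift API shapes.

```python
import re
from dataclasses import dataclass

# Page constraints: RA3 node type, relocation on, port in these ranges, 12-digit account.
VALID_PORT_RANGES = ((5431, 5455), (8191, 8215))

@dataclass(frozen=True)
class Authorization:            # one grant issued by the owner (grantor) account
    grantee_account: str
    vpc_ids: frozenset = frozenset()   # empty set encodes "all VPCs" (my convention)

@dataclass
class EndpointRequest:          # grantee's request plus owner-side facts to check it
    grantee_account: str
    grantee_vpc_id: str
    node_type: str              # e.g. "ra3.xlplus"; ignored when serverless
    relocation_enabled: bool
    port: int
    sg_ingress: list            # constructed (proto, from_port, to_port, source_cidr) tuples
    client_cidr: str            # CIDR where the client tool runs
    serverless: bool = False

def port_in_valid_range(port: int) -> bool:
    return any(lo <= port <= hi for lo, hi in VALID_PORT_RANGES)

def is_authorized(req: EndpointRequest, grants: list) -> bool:
    # The grantor must have authorized this account for this VPC (or for all VPCs).
    return any(g.grantee_account == req.grantee_account
               and (not g.vpc_ids or req.grantee_vpc_id in g.vpc_ids)
               for g in grants)

def sg_allows_port(rules: list, port: int, source: str) -> bool:
    return any(p == "tcp" and lo <= port <= hi and src == source for p, lo, hi, src in rules)

def preflight(req: EndpointRequest, grants: list) -> list:
    """Return every reason the endpoint would fail to create or be unreachable."""
    problems = []
    if not re.fullmatch(r"\d{12}", req.grantee_account):
        problems.append("grantee account ID must be 12 digits")
    if not req.serverless and not req.node_type.startswith("ra3."):
        problems.append("provisioned cluster must use an RA3 node type")
    if not req.serverless and not req.relocation_enabled:
        problems.append("cluster relocation must be turned on")
    if not port_in_valid_range(req.port):
        problems.append(f"port {req.port} is outside 5431-5455 and 8191-8215")
    if not is_authorized(req, grants):
        problems.append("owner account has not granted this account/VPC")
    if not sg_allows_port(req.sg_ingress, req.port, req.client_cidr):
        problems.append(f"security group lacks tcp/{req.port} from {req.client_cidr}")
    return problems
```

Run `preflight` before calling the grant or create operations; an empty list means the request satisfies every constraint the page lists.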

For information about quotas and naming constraints, see Quotas and limits in Amazon Redshift.

For information about pricing, see Amazon PrivateLink pricing.

Managing Redshift-managed VPC endpoints using the console

You can configure the use of Redshift-managed VPC endpoints by using the Amazon Redshift console.

Granting access

If the VPC from which you want to access your cluster or workgroup is in another Amazon account, make sure to authorize it from the owner's (grantor's) account.

To allow a VPC in another Amazon account to have access to your cluster or workgroup
  1. Sign in to the Amazon Web Services Management Console and open the Amazon Redshift console at https://console.amazonaws.cn/redshiftv2/.

  2. On the navigation menu, choose Clusters. For Amazon Redshift Serverless, choose Serverless dashboard.

  3. For a cluster that you want to allow access to, view the details by choosing the cluster name. Choose the Properties tab of the cluster.

    The Granted accounts section displays the accounts and corresponding VPCs that have access to your cluster. For an Amazon Redshift Serverless workgroup, choose the workgroup. Granted accounts are available under the Data access tab.

  4. Choose Grant access to display a form to enter Grantee information to add an account.

  5. For Amazon account ID, enter the ID of the account you are granting access to. You can grant access to specific VPCs or to all VPCs in the specified account.

  6. Choose Grant access to grant access.

Creating a Redshift-managed VPC endpoint

If you own a cluster or workgroup, or you have been granted access to manage it, you can create a Redshift-managed VPC endpoint for it.

To create a Redshift-managed VPC endpoint
  1. Sign in to the Amazon Web Services Management Console and open the Amazon Redshift console at https://console.amazonaws.cn/redshiftv2/.

  2. On the navigation menu, choose Configurations.

    The Configurations page displays the Redshift-managed VPC endpoints that have been created. To view details for an endpoint, choose its name. For Amazon Redshift Serverless, the VPC endpoints are under the Data access tab, when you choose the workgroup.

  3. Choose Create endpoint to display a form to enter information about the endpoint to add.

  4. Enter values for Endpoint name, the 12-digit Amazon account ID, the Virtual private cloud (VPC) where the endpoint is located, the Subnet and the VPC security group.

    The subnet in Subnet defines the subnets and IP addresses where Amazon Redshift deploys the endpoint. Amazon Redshift chooses a subnet that has IP addresses available for the network interface associated with the endpoint.

    The security group rules in VPC security group define the ports, protocols, and sources for inbound traffic that you are authorizing for your endpoint. You allow access to the selected port via the security group or the CIDR range where your workloads run.

  5. Choose Create endpoint to create the endpoint.

After your endpoint is created, you can access the cluster or workgroup through the URL shown in Endpoint URL in the configuration settings for your Redshift-managed VPC endpoint.

Managing Redshift-managed VPC endpoints using the Amazon CLI

You can use the following Amazon Redshift CLI operations to work with Redshift-managed VPC endpoints. For more information, see the Amazon CLI Command Reference.

Managing Redshift-managed VPC endpoints using Amazon Redshift API operations

You can use the following Amazon Redshift API operations to work with Redshift-managed VPC endpoints. For more information, see the Amazon Redshift API Reference.

Managing Redshift-managed VPC endpoints using Amazon CloudFormation

For information about the Amazon CloudFormation resource type used to create a Redshift-managed VPC endpoint using Amazon CloudFormation, see AWS::Redshift::EndpointAccess in the Amazon CloudFormation User Guide.