Connecting to Amazon Redshift using an interface VPC endpoint
You can connect directly to Amazon Redshift API service using an interface VPC endpoint (Amazon PrivateLink) in your virtual private cloud (VPC) instead of connecting over the internet. For information about Amazon Redshift API actions, see Actions in the Amazon Redshift API Reference. For more information about Amazon PrivateLink, see Interface VPC endpoints (Amazon PrivateLink) in the Amazon VPC User Guide. Note that JDBC/ODBC connection to the cluster is not part of Amazon Redshift API service.
When you use an interface VPC endpoint, communication between your VPC and Amazon Redshift is conducted entirely within the Amazon network, which can provide greater security. Each VPC endpoint is represented by one or more elastic network interfaces with private IP addresses in your VPC subnets. For more information on elastic network interfaces, see Elastic network interfaces in the Amazon EC2 User Guide for Linux Instances.
An interface VPC endpoint connects your VPC directly to Amazon Redshift. It doesn't use an internet gateway, network address translation (NAT) device, virtual private network (VPN) connection, or Amazon Direct Connect connection. The instances in your VPC don't need public IP addresses to communicate with the Amazon Redshift API.
To use Amazon Redshift through your VPC, you have two options. One is to connect from an instance that is inside your VPC. The other is to connect your private network to your VPC by using an Amazon VPN option or Amazon Direct Connect. For more information about Amazon VPN options, see VPN connections in the Amazon VPC User Guide. For information about Amazon Direct Connect, see Creating a Connection in the Amazon Direct Connect User Guide.
You can create an interface VPC endpoint to connect to Amazon Redshift using the Amazon Web Services Management Console or Amazon Command Line Interface (Amazon CLI) commands. For more information, see Creating an Interface Endpoint.
After you create an interface VPC endpoint, you can enable private DNS host names
for the endpoint. When you do, the default Amazon Redshift endpoint
(https://redshift.)
resolves to your VPC endpoint.Region
If you don't enable private DNS host names, Amazon VPC provides a DNS endpoint name that you can use in the following format.
VPC_endpoint_ID.redshift.Region.vpce.amazonaws.com
For more information, see Interface VPC endpoints (Amazon PrivateLink) in the Amazon VPC User Guide.
Amazon Redshift supports making calls to all of its API operations inside your VPC.
You can attach VPC endpoint policies to a VPC endpoint to control access for Amazon Identity and Access Management (IAM) principals. You can also associate security groups with a VPC endpoint to control inbound and outbound access based on the origin and destination of network traffic. An example is a range of IP addresses. For more information, see Controlling Access to Services with VPC Endpoints in the Amazon VPC User Guide.
Creating a VPC endpoint policy for Amazon Redshift
You can create a policy for VPC endpoints for Amazon Redshift to specify the following:
The principal that can or can't perform actions
The actions that can be performed
The resources on which actions can be performed
For more information, see Controlling access to services with VPC endpoints in the Amazon VPC User Guide.
Following, you can find examples of VPC endpoint policies.
Topics
- Example: VPC endpoint policy to deny all access from a specified Amazon account
- Example: VPC endpoint policy to allow VPC access only to a specified IAM role
- Example: VPC endpoint policy to allow VPC access only to a specified IAM principal (user)
- Example: VPC endpoint policy to allow read-only Amazon Redshift operations
- Example: VPC endpoint policy denying access to a specified cluster
Example: VPC endpoint policy to deny all access from a specified Amazon account
The following VPC endpoint policy denies the Amazon account
123456789012
{ "Statement": [ { "Action": "*", "Effect": "Allow", "Resource": "*", "Principal": "*" }, { "Action": "*", "Effect": "Deny", "Resource": "*", "Principal": { "AWS": [ "123456789012" ] } } ] }
Example: VPC endpoint policy to allow VPC access only to a specified IAM role
The following VPC endpoint policy allows full access only to the IAM role
redshiftrole123456789012. All other IAM principals are denied
access using the endpoint.
{ "Statement": [ { "Action": "*", "Effect": "Allow", "Resource": "*", "Principal": { "AWS": [ "arn:aws:iam::123456789012:role/redshiftrole" ] } }] }
This is only a sample. In most use cases we recommend attaching permissions for specific actions to narrow the scope of permissions.
Example: VPC endpoint policy to allow VPC access only to a specified IAM principal (user)
The following VPC endpoint policy allows full access only to the IAM user
redshiftadmin123456789012. All other IAM principals are denied
access using the endpoint.
{ "Statement": [ { "Action": "*", "Effect": "Allow", "Resource": "*", "Principal": { "AWS": [ "arn:aws:iam::123456789012:user/redshiftadmin" ] } }] }
This is only a sample. In most use cases we recommend attaching permissions to a role before assigning to a user. Additionally, we recommend using specific actions to narrow the scope of permissions.
Example: VPC endpoint policy to allow read-only Amazon Redshift operations
The following VPC endpoint policy allows only Amazon account
123456789012
The actions specified provide the equivalent of read-only access for Amazon Redshift. All other actions on the VPC are denied for the specified account. Also, all other accounts are denied any access. For a list of Amazon Redshift actions, see Actions, Resources, and Condition Keys for Amazon Redshift in the IAM User Guide.
{ "Statement": [ { "Action": [ "redshift:DescribeAccountAttributes", "redshift:DescribeClusterParameterGroups", "redshift:DescribeClusterParameters", "redshift:DescribeClusterSecurityGroups", "redshift:DescribeClusterSnapshots", "redshift:DescribeClusterSubnetGroups", "redshift:DescribeClusterVersions", "redshift:DescribeDefaultClusterParameters", "redshift:DescribeEventCategories", "redshift:DescribeEventSubscriptions", "redshift:DescribeHsmClientCertificates", "redshift:DescribeHsmConfigurations", "redshift:DescribeLoggingStatus", "redshift:DescribeOrderableClusterOptions", "redshift:DescribeQuery", "redshift:DescribeReservedNodeOfferings", "redshift:DescribeReservedNodes", "redshift:DescribeResize", "redshift:DescribeSavedQueries", "redshift:DescribeScheduledActions", "redshift:DescribeSnapshotCopyGrants", "redshift:DescribeSnapshotSchedules", "redshift:DescribeStorage", "redshift:DescribeTable", "redshift:DescribeTableRestoreStatus", "redshift:DescribeTags", "redshift:FetchResults", "redshift:GetReservedNodeExchangeOfferings" ], "Effect": "Allow", "Resource": "*", "Principal": { "AWS": [ "123456789012" ] } } ] }
Example: VPC endpoint policy denying access to a specified cluster
The following VPC endpoint policy allows full access for all accounts and
principals. At the same time, it denies any access for Amazon account
123456789012my-redshift-cluster
{ "Statement": [ { "Action": "*", "Effect": "Allow", "Resource": "*", "Principal": "*" }, { "Action": "*", "Effect": "Deny", "Resource": "arn:aws:redshift:us-east-1:123456789012:cluster:my-redshift-cluster", "Principal": { "AWS": [ "123456789012" ] } } ] }