This configuration is particularly useful for multi-region deployments that need to maintain secure and efficient access to their Redshift data warehouses.
Description
This document outlines the steps to access an Amazon Redshift cluster in a cross-region setup using a VPC endpoint and VPC peering. The configuration involves three AWS accounts across two regions, where the Redshift cluster is hosted in one account, the VPC endpoint is created in another account, and the client (DBeaver) is running in a third account.
Setup and architecture overview

This configuration involves three AWS accounts across two regions:
- Account1 (US-WEST-2): Hosts the Redshift cluster
- Account2 (US-WEST-2): Contains the Redshift VPC endpoint
- Account3 (US-EAST-1): Runs DBeaver client
Key Steps
- Configure the Redshift cluster in Account1. Follow the Amazon Redshift documentation for detailed steps.
  - Create a Redshift cluster in Account1 (US-WEST-2)
  - Note down the cluster endpoint and port
  - Grant access to Account2 to create a Redshift-managed VPC endpoint on this cluster
- Create a Redshift-managed VPC endpoint in Account2. Follow the Amazon Redshift documentation for detailed steps.
  - In Account2 (US-WEST-2), create a VPC
  - Create a Redshift-managed VPC endpoint in the VPC
  - Configure the VPC endpoint to access the Redshift cluster in Account1
- Set up VPC peering between Account2 and Account3
  - In Account2 (US-WEST-2), create a VPC peering connection with Account3 (US-EAST-1)
  - In Account3 (US-EAST-1), accept the VPC peering connection
- Set up DBeaver on an EC2 instance in Account3
  - In Account3 (US-EAST-1), launch an EC2 instance
  - Install and configure DBeaver on the EC2 instance
Networking Considerations
- Update route tables for VPC peering
  - In Account2 (US-WEST-2), update the route table associated with the VPC endpoint to route traffic to the peered VPC in Account3
  - In Account3 (US-EAST-1), update the route table associated with the peered VPC to route traffic to the VPC endpoint in Account2
- Configure security groups to allow necessary traffic
  - In Account1 (US-WEST-2), configure the security group associated with the Redshift cluster to allow inbound traffic from the VPC endpoint in Account2
  - In Account2 (US-WEST-2), configure the security group associated with the VPC endpoint to allow outbound traffic to the Redshift cluster in Account1
  - In Account3 (US-EAST-1), configure the security group associated with the EC2 instance to allow outbound traffic to the VPC endpoint in Account2
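As an added example (not part of the original article and not AWS code), the Python check below audits the Account2 to Account3 leg of the networking steps above before they are applied: distinct VPC CIDRs, a peering route on each side, and EC2 egress scoped to the Redshift port. The CIDRs, the peering ID, the layout of the plan dictionary and the use of the default port 5439 are assumptions.

```python
import ipaddress

REDSHIFT_PORT = 5439  # Redshift default; substitute the port noted for the cluster

# Constructed sample plan: every CIDR and ID below is a placeholder.
PLAN = {
    "account2_vpc": "10.20.0.0/16",  # us-west-2, Redshift-managed VPC endpoint
    "account3_vpc": "10.30.0.0/16",  # us-east-1, EC2 instance running DBeaver
    "peering_id": "pcx-EXAMPLE",
    "account2_routes": [{"dest": "10.30.0.0/16", "target": "pcx-EXAMPLE"}],
    "account3_routes": [{"dest": "10.20.0.0/16", "target": "pcx-EXAMPLE"}],
    "account3_ec2_egress": [{"port": 5439, "cidr": "10.20.0.0/16"}],
}


def audit(plan, port=REDSHIFT_PORT):
    """Return a list of findings for the Account2 <-> Account3 leg."""
    net = ipaddress.ip_network
    a2, a3 = net(plan["account2_vpc"]), net(plan["account3_vpc"])
    findings = []
    if a2.overlaps(a3):
        findings.append("VPC CIDRs overlap: peering requires distinct ranges")
    # Each side needs a route towards the other VPC that targets the peering
    # connection; a route narrower than the peer VPC is acceptable.
    for side, peer in (("account2", a3), ("account3", a2)):
        dests = [net(r["dest"]) for r in plan[side + "_routes"]
                 if r["target"] == plan["peering_id"]]
        if not any(d.overlaps(peer) for d in dests):
            findings.append(f"{side}: no route to {peer} via the peering connection")
        if any(d != peer and peer.subnet_of(d) for d in dests):
            findings.append(f"{side}: peering route is wider than {peer}")
    # The EC2 security group must reach the endpoint VPC on the Redshift port
    # and should not open that port to destinations outside it.
    rules = [net(r["cidr"]) for r in plan["account3_ec2_egress"]
             if r["port"] == port]
    if not any(c.overlaps(a2) for c in rules):
        findings.append("account3: EC2 egress does not reach the endpoint VPC")
    if any(not c.subnet_of(a2) for c in rules):
        findings.append("account3: EC2 egress on the Redshift port is wider than the endpoint VPC")
    return findings


if __name__ == "__main__":
    for finding in audit(PLAN) or ["no findings"]:
        print(finding)
```
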
By following these steps, you can successfully access an Amazon Redshift cluster in a cross-region setup using a VPC endpoint and VPC peering, enabling secure and efficient data access across multiple AWS accounts and regions.