How do I connect QuickSight to a private Amazon RDS data source in a different AWS Region or AWS account?


I want to connect my Amazon QuickSight account to an Amazon Relational Database Service (Amazon RDS) data source in a different AWS Region or AWS account.

Short description

Example Amazon RDS data source and Amazon Virtual Private Cloud (Amazon VPC) configuration:

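Account type             Amazon RDS data source in the same Region    Amazon RDS data source in a different Region
------------------------------------------------------------------------------------------------------------------
Same AWS account         Amazon VPC connection in QuickSight          Amazon VPC peering
Different AWS account    Amazon VPC peering                           Amazon VPC peering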

Resolution

The following resolution applies to QuickSight Enterprise edition.

Note: It's a best practice to upgrade to QuickSight Enterprise edition to securely access Amazon RDS data sources. For more information about QuickSight Enterprise edition pricing, see Amazon QuickSight pricing.

With QuickSight Enterprise edition, you can connect to an Amazon VPC through an elastic network interface. This connection keeps the network traffic private within the AWS network. You can also connect Amazon RDS data sources from QuickSight in the same Region or account with an Amazon VPC connection. For instructions, see How can I create a private connection from Amazon QuickSight to an Amazon Redshift cluster or an Amazon RDS DB instance that's in a private subnet?

Prepare your QuickSight environment

This resolution uses the following Amazon RDS configuration:

  • RDS data source is hosted on VPC: vpc-33cc44dd
  • CIDR range of vpc-33cc44dd: 172.0.0.0/16
  • Subnet IDs and associated route table IDs: subnet-3c3d (rtb-33cd), subnet-4c4d (rtb-44cd)
  • Security group associated with RDS data source: sg-445566

Note: If you already have an Amazon VPC and subnet, go to step 3.

Complete the following steps:

  1. Create an Amazon VPC and a subnet in the same Region as your QuickSight account.
    Note: Make sure that the CIDR block of your Amazon VPC is different than the CIDR block of your Amazon RDS instance. If you want to use the hostname of the Amazon RDS data source, then activate DNS hostnames and DNS resolution.
    Example Amazon VPC configuration:

    Name                     VPC           IPv4 CIDR      Description
    -----------------------------------------------------------------------------------------
    QuickSight Account VPC   vpc-11aa22bb  10.0.0.0/16    VPC created in the QuickSight account

    Example subnets configuration:

    Name                                 Subnet ID      VPC            IPv4 CIDR     Route table
    ----------------------------------------------------------------------------------------------
    Subnet 1 - QuickSight Account VPC    subnet-1a1b    vpc-11aa22bb   10.0.0.0/20   rtb-11ab
    Subnet 2 - QuickSight Account VPC    subnet-2a2b    vpc-11aa22bb   10.0.16.0/20  rtb-22ab
  2. Create a security group and add an inbound rule for all TCP traffic from the Amazon VPC CIDR range of the Amazon RDS data source.
    Choose the Amazon VPC that you created in step 1.
    In Inbound rules, for Type, choose All TCP.
    For Source, choose Custom.
    If you use Tags, then, for Value, enter the VPC CIDR range of the Amazon RDS data source.
    Example QuickSight security group configuration:

    Security Group ID     Security Group Name          VPC ID
    ---------------------------------------------------------------
    sg-112233             QuickSight Security Group    vpc-11aa22bb

    Example inbound rule configuration:

    Type        Protocol   Port Range   Source          Description
    ------------------------------------------------------------------------------
    All TCP     TCP        0-65535      172.0.0.0/16    VPC CIDR of RDS Data Source
  3. Create the VPC connection in the QuickSight console.
    Configure the VPC connection and Subnet ID that you created in step 1, and the Security group ID that you created in step 2.
    Note: Log in as a QuickSight administrator. Only QuickSight administrators can view the Manage QuickSight option.
    Example Amazon VPC connection configuration in QuickSight:

    VPC connection name        VPC connection ARN                                                               Subnet ID      Security group ID    DNS resolvers-----------------------------------------------------------------------------------------------------------------------------------------------------------------  
    VPCConnectionQuickSight    arn:aws:quicksight:us-east-1:1212121212:vpcConnection/VPCConnectionQuickSight    subnet-1a1b    sg-112233

Prepare the Amazon RDS environment

Add an inbound rule in the security group associated with the Amazon RDS data source. This rule allows all TCP traffic from the Amazon VPC CIDR range of the QuickSight account Amazon VPC.

Example security group inbound rule (sg-445566) configuration of the Amazon RDS data source:

Type        Protocol   Port Range   Source         Description
------------------------------------------------------------------------------------
All TCP     TCP        0-65535      10.0.0.0/16    VPC CIDR of QuickSight Account VPC

Amazon VPC Peering

Create a connection between the Amazon VPCs

To create a VPC peering connection between the Amazon VPC with the QuickSight account and the Amazon VPC with the Amazon RDS data source, complete the following steps:

  1. Open the Amazon VPC console.
  2. In the navigation pane, choose Peering connections, and then choose Create peering connection.
  3. (Optional) For Name, enter a name for the peering connection. For example, QuickSight RDS VPC peering.
  4. For VPC ID, choose your VPC.
  5. For Select another VPC to peer with, take one of the following actions:
    If your RDS data source and QuickSight use the same AWS account, then choose My account.
    -or-
    If your RDS data source and QuickSight use different AWS accounts, then choose Another account.
  6. For Region, take one of the following actions:
    Choose This Region if your Amazon RDS data source and QuickSight use the same AWS account. Then, for VPC ID, choose your Amazon VPC.
    -or-
    Choose Another Region, and then for Region, choose the Region for the RDS data source and VPC. For VPC ID, enter the VPC ID.
  7. Choose Create peering connection.

Example of Amazon VPC peering connection configuration:

Name                          Peering connection ID    Status               Requester VPC    Accepter VPC
--------------------------------------------------------------------------------------------------------
QuickSight RDS VPC peering    pcx-ab12cd34             Pending acceptance   vpc-11aa22bb     vpc-33cc44dd

Accept an Amazon VPC peering connection

An Amazon VPC peering connection in the pending-acceptance state must be accepted in the same account and Region as the accepter Amazon VPC. For instructions, see Accept or reject a VPC peering connection.

Example Amazon VPC peering connection configuration:

Name                          Peering connection ID    Status   Requester VPC    Accepter VPC
--------------------------------------------------------------------------------------------------------
QuickSight RDS VPC peering    pcx-ab12cd34             Active   vpc-11aa22bb     vpc-33cc44dd

Note: To use the hostname of the Amazon RDS data source, you must activate the DNS resolution for an Amazon VPC peering connection. You must also activate the DNS resolution for both Amazon VPCs.

Update the route tables

Update the route tables in the QuickSight account and RDS data source account to route network traffic. The route destination is the CIDR block of the peer VPC and the target is the ID of the VPC peering connection.

Note: To avoid connectivity loss, make sure to update the route tables with the same routes for all subnets associated with the Amazon RDS data source.

Example QuickSight Amazon VPC connection subnets route table (rtb-11ab) configuration:

Destination     Target
----------------------------
10.0.0.0/16     local
172.0.0.0/16    pcx-ab12cd34

Example Amazon RDS data source subnets route tables (rtb-33cd, rtb-44cd) configuration:

Destination     Target
-----------------------------
172.0.0.0/16    local
10.0.0.0/16     pcx-ab12cd34
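
The prerequisites in this article (CIDR blocks that don't overlap, a peering route in every subnet route table, and security group rules on both sides) can be checked together before you validate the connection in QuickSight. The following Python check is an added example, not AWS-provided code: the data layout, the covers and preflight functions, and the database port 3306 are assumptions, and the input is constructed from the example values in this article. The WARN finding is a least-privilege check added here that flags an RDS inbound rule wider than the database port.

```python
import ipaddress

# Constructed input that mirrors the example IDs and CIDR ranges in this article.
PCX = "pcx-ab12cd34"
QUICKSIGHT = {
    "cidr": "10.0.0.0/16",
    "routes": {"rtb-11ab": {"10.0.0.0/16": "local", "172.0.0.0/16": PCX}},
    "inbound": [{"ports": (0, 65535), "source": "172.0.0.0/16"}],
}
RDS = {
    "cidr": "172.0.0.0/16",
    "routes": {"rtb-33cd": {"172.0.0.0/16": "local", "10.0.0.0/16": PCX},
               "rtb-44cd": {"172.0.0.0/16": "local", "10.0.0.0/16": PCX}},
    "inbound": [{"ports": (0, 65535), "source": "10.0.0.0/16"}],
}

def covers(rule, peer, port=None):
    """True if an inbound rule admits the whole peer CIDR (and the port, if given)."""
    low, high = rule["ports"]
    in_source = peer.subnet_of(ipaddress.ip_network(rule["source"]))
    return in_source and (port is None or low <= port <= high)

def preflight(quicksight, rds, pcx_id, db_port):
    """Return findings as strings; an empty list means every check passed."""
    qs_net = ipaddress.ip_network(quicksight["cidr"])
    rds_net = ipaddress.ip_network(rds["cidr"])
    findings = []
    if qs_net.overlaps(rds_net):
        findings.append("ERROR: VPC CIDR blocks overlap")
    # Every subnet route table on both sides needs peer CIDR -> peering connection.
    for side, peer in ((quicksight, rds_net), (rds, qs_net)):
        for rtb, routes in side["routes"].items():
            if routes.get(str(peer)) != pcx_id:
                findings.append(f"ERROR: {rtb} lacks route {peer} -> {pcx_id}")
    if not any(covers(r, rds_net) for r in quicksight["inbound"]):
        findings.append("ERROR: QuickSight security group blocks the RDS VPC CIDR")
    hits = [r for r in rds["inbound"] if covers(r, qs_net, db_port)]
    if not hits:
        findings.append(f"ERROR: RDS security group blocks TCP {db_port}")
    for r in hits:
        if r["ports"] != (db_port, db_port):
            findings.append(f"WARN: RDS rule opens ports {r['ports'][0]}-{r['ports'][1]}; "
                            f"only TCP {db_port} is needed")
    return findings

if __name__ == "__main__":
    for finding in preflight(QUICKSIGHT, RDS, PCX, db_port=3306):
        print(finding)
```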

Connect QuickSight to the Amazon RDS data source

Complete the following steps:

  1. Open the QuickSight console.
  2. In the navigation pane, choose Datasets, and then choose New dataset.
  3. Choose your database engine.
  4. For Connection type, choose the Amazon VPC connection that you created in step 3 of the Prepare your QuickSight environment section of this article.
  5. Enter the variables for your database.
  6. Choose Validate connection to make sure that QuickSight can connect to the data source, and then choose Create data source.
  7. Choose the database that you want to use, choose a table, and then choose Select.

For more information, see Creating a dataset using an existing database data source.

Related information

Amazon QuickSight deployment models for cross-account and cross-Region access to Amazon Redshift and Amazon RDS

AWS OFFICIAL, updated 22 days ago