Enabling an AWS PrivateLink between ThoughtSpot Cloud and your Redshift data warehouse

Learn how to deploy an AWS PrivateLink between your Redshift data warehouse and the ThoughtSpot Cloud tenant.

AWS PrivateLink is only available to Enterprise Edition users.

Your data’s security is important. ThoughtSpot encrypts all your data by default. For an additional layer of security and network reliability, you can use an AWS PrivateLink. This option is currently available for your Amazon Aurora MySQL, Amazon Aurora PostgreSQL, Amazon RDS MySQL, Amazon RDS PostgreSQL, Amazon Redshift, Databricks, Denodo, Dremio, Oracle, PostgreSQL, SAP HANA, Snowflake, SQL Server, Starburst, or Teradata data warehouse connections.

ThoughtSpot supports a maximum of five PrivateLinks in your environment, in any combination of supported cloud data warehouses. For example, you could have a PrivateLink for Denodo, one for Databricks, and one for Starburst in the same environment.

This article details how to enable a PrivateLink for Redshift; to enable it for other data warehouses, refer to:

You can enable a maximum of five PrivateLinks in your environment.

To deploy an AWS PrivateLink, you must work with ThoughtSpot Support and follow the procedure in this article.

Prerequisites

  • You must have a Redshift account

  • The ThoughtSpot cluster must be in the same AWS region as your Redshift account

  • You must obtain the ThoughtSpot AWS Account Amazon Resource Name (ARN) from ThoughtSpot Support. This is required for step 6 of Configure the Endpoint Service. For example: arn:aws:iam::999999999999:root

To deploy an AWS PrivateLink between your Redshift data warehouse and the ThoughtSpot Cloud tenant, follow these steps.

Configure the Endpoint Service in your AWS Console

After completing the prerequisites, you must configure the Endpoint Service.

  1. Sign in to the AWS Console.

  2. Create a Network Load Balancer (NLB) routing TCP traffic on port 5439 to your Redshift database. Ensure that "Cross Zone Load Balancing" is enabled in the load balancer.

  3. Navigate to AWS VPC Console  Endpoint Services  Create Endpoint Service.

  4. Select the Redshift NLB you created in step 2.

  5. Select Require Acceptance for Endpoint.

  6. Select Endpoint Service  Whitelist principles  Add principles to whitelist. Add the ThoughtSpot AWS Account Amazon Resource Name (ARN) that you obtained from ThoughtSpot Support in the prerequisites.

  7. Select Endpoint Service.

  8. Write down the values for:

    • Service name: for example, com.amazonaws.vpce.us-west-2.vpce-svc-0123456789abcdef

    • Availability zones: for example, us-west-2a (usw2-az1)

      You must provide the service name and availability zones to ThoughtSpot Support.

Exchange AWS and ThoughtSpot information with ThoughtSpot Support

  1. Send the Service name and Availability zones you gathered in step 8 of Configure the Endpoint Service in your AWS Console to ThoughtSpot Support.

  2. After ThoughtSpot Support configures the AWS PrivateLink in ThoughtSpot, ask them to send you the PrivateLink Endpoint DNS name.

Accept the PrivateLink Request

  1. Navigate to VPC  Endpoint Services.

  2. Select the Endpoint Service you created in Configure the Endpoint Service in your AWS Console.

  3. Select Endpoint Connections.

  4. Select the connection from the ThoughtSpot AWS Account. Its status should be Pending Acceptance.

  5. Select Actions  Accept endpoint connection request.