Learn how to deploy an AWS PrivateLink between your Redshift data warehouse and the ThoughtSpot Cloud tenant.

Your data’s security is important. To ensure a secure two-way data exchange between your cloud data warehouse and the ThoughtSpot Cloud tenant, you can use an AWS PrivateLink. This option is currently available for your Snowflake or Redshift data warehouse connections. This article details how to enable a PrivateLink for Redshift; you can also enable it for Snowflake.

To deploy an AWS PrivateLink, you must work with ThoughtSpot Support and follow the procedure in this article.

Prerequisites

  • You must have a Redshift account.
  • The ThoughtSpot cluster must be in the same AWS region as your Redshift account.
  • You must obtain the ThoughtSpot AWS Account Amazon Resource Name (ARN) from ThoughtSpot Support. You may need a separate ARN for staging or dev environments.

To deploy an AWS PrivateLink between your Redshift data warehouse and the ThoughtSpot Cloud tenant, follow these steps.

  1. Configure the Endpoint Service in your AWS Console

  2. Exchange AWS and ThoughtSpot information with ThoughtSpot Support

  3. Accept the PrivateLink Request

  4. Configure Embrace

Configure the Endpoint Service in your AWS Console

After completing the prerequisites, you must configure the Endpoint Service.

  1. Log in to the AWS Console.

  2. Create a Network Load Balancer (NLB) routing TCP traffic on port 5439 to your Redshift database.

  3. Navigate to AWS VPC Console > Endpoint Services > Create Endpoint Service.

  4. Select the Redshift NLB you created in step 2.

  5. Select Require Acceptance for Endpoint.

  6. Select Endpoint Service > Whitelist principals > Add principals to whitelist. Add the ThoughtSpot AWS Account Amazon Resource Name (ARN) that you obtained from ThoughtSpot Support in the prerequisites. You may need a separate ARN for staging or dev environments.

  7. Select Endpoint Service.

  8. Write down the values for:

       • Service name: for example, com.amazonaws.vpce.us-west-2.vpce-svc-0123456789abcdef

       • Availability zones: for example, us-west-2a (usw2-az1)

     You must provide the service name and availability zones to ThoughtSpot Support.

Exchange AWS and ThoughtSpot information with ThoughtSpot Support

  1. Send the Service name and Availability zones you gathered in step 8 of Configure the Endpoint Service in your AWS Console to ThoughtSpot Support.

  2. After ThoughtSpot Support configures the AWS PrivateLink in ThoughtSpot, ask them to send you the PrivateLink Endpoint DNS name.

Accept the PrivateLink Request

  1. Navigate to VPC > Endpoint Services.

  2. Select the Endpoint Service you created in Configure the Endpoint Service in your AWS Console.

  3. Select Endpoint Connections.

  4. Select the connection from the ThoughtSpot AWS Account. Its status should be Pending Acceptance.

  5. Select Actions > Accept endpoint connection request.
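Before accepting a request, it helps to confirm that the endpoint service still requires acceptance, that only the ThoughtSpot ARN is allowed, and that the pending request comes from that account. The following Python check is an added example, not ThoughtSpot or AWS code. The JSON is constructed sample data in the shape returned by the AWS CLI commands describe-vpc-endpoint-service-configurations, describe-vpc-endpoint-service-permissions and describe-vpc-endpoint-connections; the account IDs, ARN and endpoint IDs are placeholders.

```python
import json

# Placeholder for the ARN obtained from ThoughtSpot Support (assumed value).
EXPECTED_ARN = "arn:aws:iam::111122223333:root"

# Constructed sample responses; deliberately misconfigured to show findings.
SAMPLE = json.loads("""
{
  "config": {"ServiceConfigurations": [{
      "ServiceId": "vpce-svc-0123456789abcdef",
      "AcceptanceRequired": false,
      "AvailabilityZones": ["us-west-2a"]}]},
  "permissions": {"AllowedPrincipals": [
      {"PrincipalType": "Account", "Principal": "arn:aws:iam::111122223333:root"},
      {"PrincipalType": "All", "Principal": "*"}]},
  "connections": {"VpcEndpointConnections": [
      {"VpcEndpointId": "vpce-0aaa", "VpcEndpointOwner": "111122223333",
       "VpcEndpointState": "pendingAcceptance"},
      {"VpcEndpointId": "vpce-0bbb", "VpcEndpointOwner": "999999999999",
       "VpcEndpointState": "pendingAcceptance"}]}
}
""")


def audit(config, permissions, connections, expected_arn):
    """Return (findings, endpoint IDs whose pending request may be accepted)."""
    findings, acceptable = [], []
    expected_account = expected_arn.split(":")[4]  # account ID field of the ARN
    for svc in config["ServiceConfigurations"]:
        if not svc.get("AcceptanceRequired"):
            findings.append(f"{svc['ServiceId']}: acceptance is not required")
    for p in permissions.get("AllowedPrincipals", []):
        if p["Principal"] != expected_arn:
            findings.append(f"unexpected allowed principal: {p['Principal']}")
    for c in connections.get("VpcEndpointConnections", []):
        if c["VpcEndpointState"] != "pendingAcceptance":
            continue  # only pending requests need a decision
        if c["VpcEndpointOwner"] == expected_account:
            acceptable.append(c["VpcEndpointId"])
        else:
            findings.append(f"{c['VpcEndpointId']}: pending request from "
                            f"unknown account {c['VpcEndpointOwner']}")
    return findings, acceptable


if __name__ == "__main__":
    found, ok = audit(SAMPLE["config"], SAMPLE["permissions"],
                      SAMPLE["connections"], EXPECTED_ARN)
    print("\n".join("FINDING: " + f for f in found))
    print("OK to accept:", ok)
```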

Configure Embrace

Configure Embrace for Redshift, using the PrivateLink Endpoint DNS name from ThoughtSpot Support.