

# Using Amazon VPC with Amazon Q Business connectors

Amazon Q Business can connect to a virtual private cloud (VPC) that you created with Amazon Virtual Private Cloud to index content stored in data sources running in your private cloud. When you create a data source connector, you can provide security group and subnet identifiers for the subnet that contains your data source. With this information, Amazon Q Business creates an elastic network interface that it uses to securely communicate with your data source within your VPC.

To set up an Amazon Q Business data source connector with Amazon VPC, you can use either the AWS Management Console or the [CreateDataSource](https://docs.aws.amazon.com/amazonq/latest/api-reference/API_CreateDataSource.html) API operation. If you use the console, you connect a VPC during the connector configuration process.

**Note**  
The Amazon VPC feature is optional when setting up an Amazon Q Business data source connector. If your data source is accessible from the public internet, you don't need to enable the Amazon VPC feature. Not all Amazon Q Business data source connectors support Amazon VPC.

If your data source isn't running on Amazon VPC and isn't accessible from the public internet, you first connect your data source to your VPC using a virtual private network (VPN). Then, you can connect your data source to Amazon Q Business by using a combination of Amazon VPC and AWS Virtual Private Network. For information about setting up a VPN, see the [Site-to-Site VPN documentation](https://docs.aws.amazon.com/vpn/).

**Topics**
+ [Configuring Amazon VPC support for Amazon Q Business connectors](connector-vpc-steps.md)
+ [Set up an Amazon Q Business data source to connect to Amazon VPC](connector-vpc-setup.md)
+ [Viewing Amazon VPC identifiers](#viewing-vpc-identifiers)
+ [Checking your data source IAM role](#vpc-iam-roles)
+ [Using Amazon VPC with an Amazon S3 data source](s3-vpc-example-1.md)
+ [Step 3. Configure your external data source and Amazon VPC](#connector-vpc-prerequisites-3)

# Configuring Amazon VPC support for Amazon Q Business connectors

To configure Amazon VPC for use with your Amazon Q Business connectors, take the following steps.

**Topics**
+ [Step 1. Create Amazon VPC subnets for Amazon Q Business](#connector-vpc-prerequisites-1)
+ [Step 2. Create Amazon VPC security groups for Amazon Q Business](#connector-vpc-prerequisites-2)
+ [Step 3. Configure your external data source and Amazon VPC](#connector-vpc-prerequisites-3)

## Step 1. Create Amazon VPC subnets for Amazon Q Business


Create or choose an existing Amazon VPC subnet that Amazon Q Business can use to access your data source. The prepared subnets must be in one of the following AWS Regions and Availability Zones:
+ US West (Oregon)/us-west-2—usw2-az1, usw2-az2, usw2-az3
+ US East (N. Virginia)/us-east-1—use1-az1, use1-az2, use1-az4
+ Europe (Ireland)/eu-west-1—euw1-az1, euw1-az2, euw1-az3
+ Asia Pacific (Sydney)/ap-southeast-2—apse2-az1, apse2-az2, apse2-az3

Your data source must be accessible from the subnets that you provide to the Amazon Q Business connector.

For more information about how to configure Amazon VPC subnets, see [Subnets for your Amazon VPC](https://docs.aws.amazon.com/vpc/latest/userguide/configure-subnets.html) in the *Amazon VPC User Guide*.

If Amazon Q Business must route the connection between two or more subnets, you can prepare multiple subnets. For example, the subnet that contains your data source might have run out of IP addresses. In that case, you can provide Amazon Q Business with an additional subnet that has sufficient IP addresses and is connected to the first subnet. If you list multiple subnets, the subnets must be able to communicate with each other.

## Step 2. Create Amazon VPC security groups for Amazon Q Business


To connect your Amazon Q Business data source connector to Amazon VPC, you must prepare one or more security groups from your VPC to assign to Amazon Q Business. The security groups are associated with the elastic network interface that Amazon Q Business creates. This network interface controls inbound and outbound traffic to and from Amazon Q Business when it accesses the Amazon VPC subnets.

Make sure that your security group's outbound rules allow traffic from the Amazon Q Business data source connector to reach the subnets and the data source that you are going to sync with. For example, you might use a MySQL connector to sync from a MySQL database. If you're using the default port, the security groups must allow Amazon Q Business to reach port 3306 on the host that runs the database.

We recommend that you configure a default security group with the following values for Amazon Q Business to use:
+ **Inbound rules** – If you choose to leave this empty, all inbound traffic will be blocked.
+ **Outbound rules** – Add one rule to allow all outbound traffic so that Amazon Q Business can initiate the requests to sync from your data source.
  + **IP version** – IPv4
  + **Type** – All traffic
  + **Protocol** – All traffic
  + **Port range** – All
  + **Destination** – 0.0.0.0/0

For more information about how to configure Amazon VPC security groups, see [Security group rules](https://docs.aws.amazon.com/vpc/latest/userguide/security-group-rules.html) in the *Amazon VPC User Guide*.
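The recommendation above is a permissive default; many teams instead scope the outbound rule to the data source's address range and port (the MySQL example: TCP 3306). The following added example, which is not code from the AWS documentation, audits a security group as returned by EC2 `DescribeSecurityGroups` against the two properties the connector actually needs: no inbound rules, and an outbound rule that reaches the data source. The two security groups and the database address are constructed samples, and rules that reference other security groups or prefix lists are not evaluated.

```python
"""Audit an Amazon VPC security group intended for an Amazon Q Business connector.

Added example, not code from the AWS documentation. Input is one entry of the
"SecurityGroups" list returned by EC2 DescribeSecurityGroups; the two groups below
are constructed samples. Rules that reference other security groups or prefix lists
(UserIdGroupPairs, PrefixListIds) are not evaluated here.
"""
import ipaddress

# Constructed: the page's recommended default (no inbound rules, all outbound allowed).
RECOMMENDED_SG = {
    "GroupId": "sg-0123456789abcdef0",
    "IpPermissions": [],
    "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
}

# Constructed: a tighter variant that only allows MySQL (3306) to the database subnet.
SCOPED_SG = {
    "GroupId": "sg-0fedcba9876543210",
    "IpPermissions": [],
    "IpPermissionsEgress": [{
        "IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
        "IpRanges": [{"CidrIp": "10.0.20.0/24"}],
    }],
}


def _rule_allows(rule, protocol, port, dest_ip):
    """True if a single IpPermissions entry covers protocol/port towards dest_ip."""
    proto = rule["IpProtocol"]
    if proto != "-1":  # "-1" means all protocols and all ports
        if proto != protocol:
            return False
        if not rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535):
            return False
    addr = ipaddress.ip_address(dest_ip)
    if addr.version == 4:
        cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
    else:
        cidrs = [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


def egress_allows(sg, protocol, port, dest_ip):
    """True if any outbound rule of the group allows the data source connection."""
    return any(_rule_allows(r, protocol, port, dest_ip)
               for r in sg.get("IpPermissionsEgress", []))


def audit_connector_sg(sg, protocol, port, dest_ip):
    """Return findings for a group meant for the connector's network interface.

    The connector only initiates connections, so inbound rules are unnecessary
    (an empty inbound list blocks everything); outbound must reach the data source.
    """
    findings = []
    if sg.get("IpPermissions"):
        findings.append(f"{sg['GroupId']}: inbound rules present; the connector needs none")
    if not egress_allows(sg, protocol, port, dest_ip):
        findings.append(
            f"{sg['GroupId']}: outbound rules do not allow {protocol}/{port} to {dest_ip}")
    return findings


if __name__ == "__main__":
    # 10.0.20.15 is a constructed address for the database host.
    for group in (RECOMMENDED_SG, SCOPED_SG):
        print(group["GroupId"], audit_connector_sg(group, "tcp", 3306, "10.0.20.15") or "OK")
```

Run the audit against the real group by feeding it one element of `describe_security_groups()["SecurityGroups"]`; both the permissive default and the scoped variant pass for the MySQL host, while a group that lists an inbound rule or misses the data source port is reported.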

## Step 3. Configure your external data source and Amazon VPC


Make sure that your external data source has the correct permissions configuration and network settings for Amazon Q Business to access it. You can find detailed instructions on how to configure your data sources in the prerequisites section of each connector page.

Also, check your Amazon VPC settings and make sure that your external data source is reachable from the subnet you will assign to Amazon Q Business. To do this, we recommend that you create an Amazon EC2 instance in the same subnet with the same security groups and test access to your data source from this Amazon EC2 instance. For more information, see [Troubleshooting Amazon VPC connection](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/vpc-connector-troubleshoot.html). 

# Set up an Amazon Q Business data source to connect to Amazon VPC

When you add a new data source in Amazon Q Business, you can use the Amazon VPC feature if the selected data source connector supports this feature. 

You can set up a new Amazon Q Business data source with Amazon VPC enabled by using the AWS Management Console or the Amazon Q Business API. Specifically, use the [CreateDataSource](https://docs.aws.amazon.com/amazonq/latest/api-reference/API_CreateDataSource.html) API operation, and then use the `VpcConfiguration` parameter to provide the following information:
+ `SubnetIds` – A list of identifiers of Amazon VPC subnets
+ `SecurityGroupIds` – A list of identifiers of Amazon VPC security groups
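Before calling `CreateDataSource`, it is worth checking that the subnets satisfy the Step 1 requirements (supported Availability Zone IDs, free IP addresses, a single VPC) so the sync does not fail later for a network reason. The following added example, which is not code from the AWS documentation or the Amazon Q Business SDK, performs those checks over an EC2 `DescribeSubnets` response and then assembles the request with its `VpcConfiguration` block. The subnet payload, the identifiers and the role ARN are constructed placeholders, and the lowerCamel key casing is assumed to match the boto3 `qbusiness` client (the API reference documents the same fields as `VpcConfiguration`, `SubnetIds` and `SecurityGroupIds`).

```python
"""Pre-flight checks for the VpcConfiguration of an Amazon Q Business data source.

Added example, not code from the AWS documentation or the Amazon Q Business SDK.
The EC2 DescribeSubnets payload and every identifier below are constructed.
"""
import re

# Availability Zone IDs the page lists as supported for connector subnets, per Region.
SUPPORTED_AZ_IDS = {
    "us-west-2": {"usw2-az1", "usw2-az2", "usw2-az3"},
    "us-east-1": {"use1-az1", "use1-az2", "use1-az4"},
    "eu-west-1": {"euw1-az1", "euw1-az2", "euw1-az3"},
    "ap-southeast-2": {"apse2-az1", "apse2-az2", "apse2-az3"},
}

# Resource identifiers are a prefix plus 8 or 17 hexadecimal characters.
SUBNET_ID_RE = re.compile(r"^subnet-(?:[0-9a-f]{8}|[0-9a-f]{17})$")
SG_ID_RE = re.compile(r"^sg-(?:[0-9a-f]{8}|[0-9a-f]{17})$")

# Constructed sample shaped like the "Subnets" list of an EC2 DescribeSubnets response.
SAMPLE_DESCRIBE_SUBNETS = [
    {"SubnetId": "subnet-0a1b2c3d4e5f60718", "VpcId": "vpc-0f00ba400000000aa",
     "AvailabilityZoneId": "usw2-az1", "AvailableIpAddressCount": 251},
    {"SubnetId": "subnet-0f1e2d3c4b5a69788", "VpcId": "vpc-0f00ba400000000aa",
     "AvailabilityZoneId": "usw2-az4", "AvailableIpAddressCount": 0},
]


def check_subnets(region, subnet_ids, described_subnets):
    """Return a list of problems with the chosen subnets; an empty list means all clear.

    Checks: well-formed identifiers, presence in the DescribeSubnets output, a
    supported Availability Zone ID for the Region, at least one free IP address for
    the connector's elastic network interface, and that all subnets share one VPC.
    """
    supported = SUPPORTED_AZ_IDS.get(region)
    if supported is None:
        return [f"Region {region} is not listed as supported for VPC connectors"]
    by_id = {s["SubnetId"]: s for s in described_subnets}
    problems, vpcs = [], set()
    for sid in subnet_ids:
        if not SUBNET_ID_RE.match(sid):
            problems.append(f"{sid}: malformed subnet identifier")
            continue
        subnet = by_id.get(sid)
        if subnet is None:
            problems.append(f"{sid}: not present in DescribeSubnets output")
            continue
        vpcs.add(subnet["VpcId"])
        az = subnet["AvailabilityZoneId"]
        if az not in supported:
            problems.append(f"{sid}: Availability Zone {az} is not supported in {region}")
        if subnet["AvailableIpAddressCount"] < 1:
            problems.append(f"{sid}: no free IP address for the network interface")
    if len(vpcs) > 1:
        problems.append("subnets span more than one VPC: " + ", ".join(sorted(vpcs)))
    return problems


def build_create_data_source_request(application_id, index_id, display_name, role_arn,
                                     configuration, subnet_ids, security_group_ids):
    """Build the keyword arguments for a CreateDataSource call with a VPC configuration.

    Key casing follows the lowerCamel JSON shape of the boto3 qbusiness client (an
    assumption of this example); the API reference documents the same fields as
    VpcConfiguration / SubnetIds / SecurityGroupIds.
    """
    if not subnet_ids or not security_group_ids:
        raise ValueError("VpcConfiguration needs at least one subnet and one security group")
    bad = [g for g in security_group_ids if not SG_ID_RE.match(g)]
    if bad:
        raise ValueError(f"malformed security group identifiers: {bad}")
    return {
        "applicationId": application_id,
        "indexId": index_id,
        "displayName": display_name,
        "roleArn": role_arn,
        "configuration": configuration,
        "vpcConfiguration": {
            "subnetIds": list(subnet_ids),
            "securityGroupIds": list(security_group_ids),
        },
    }


if __name__ == "__main__":
    # All values below are constructed placeholders; substitute your own.
    chosen = ["subnet-0a1b2c3d4e5f60718"]
    issues = check_subnets("us-west-2", chosen, SAMPLE_DESCRIBE_SUBNETS)
    if issues:
        raise SystemExit("\n".join(issues))
    request = build_create_data_source_request(
        application_id="APPLICATION_ID_PLACEHOLDER",
        index_id="INDEX_ID_PLACEHOLDER",
        display_name="mysql-in-vpc",
        role_arn="arn:aws:iam::123456789012:role/ROLE_NAME_PLACEHOLDER",
        configuration={},  # connector-specific document; see the connector's own page
        subnet_ids=chosen,
        security_group_ids=["sg-0123456789abcdef0"],
    )
    print(request)
    # With credentials configured: boto3.client("qbusiness").create_data_source(**request)
```

In practice, replace `SAMPLE_DESCRIBE_SUBNETS` with `ec2.describe_subnets(SubnetIds=chosen)["Subnets"]` and keep the `configuration` document as the connector's page specifies; the checks only cover what this page states about subnets, not connector-specific settings.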

If you use the console, you provide the required Amazon VPC information during connector configuration. To use the console to enable the Amazon VPC feature for a connector, you first choose an Amazon VPC. Then, you provide identifiers of any Amazon VPC subnets and identifiers of any Amazon VPC security groups. You can choose the Amazon VPC subnets and Amazon VPC security groups that you created in [Configuring Amazon VPC](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/connector-vpc-steps.html), or use any existing ones.

**Topics**
+ [Configuring Amazon VPC support for Amazon Q Business connectors](connector-vpc-steps.md)
+ [Set up an Amazon Q Business data source to connect to Amazon VPC](connector-vpc-setup.md)
+ [Viewing Amazon VPC identifiers](#viewing-vpc-identifiers)
+ [Checking your data source IAM role](#vpc-iam-roles)
+ [Using Amazon VPC with an Amazon S3 data source](s3-vpc-example-1.md)
+ [Step 3. Configure your external data source and Amazon VPC](#connector-vpc-prerequisites-3)

## Viewing Amazon VPC identifiers


The identifiers for subnets and security groups are configured in the Amazon VPC console. To view the identifiers, use the following procedures.

**To view subnet identifiers**

1. Sign in to the AWS Management Console and open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. From the navigation pane, choose **Subnets**.

1. From the **Subnets** list, choose the subnet that contains your database server.

1. From the **Details** tab, make a note of the identifier in the **Subnet ID** field.

**To view security group identifiers**

1. Sign in to the AWS Management Console and open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. From the navigation pane, choose **Security groups**.

1. From the security group list, choose the group that you want the identifier for.

1. From the **Details** tab, make a note of the identifier in the **Security Group ID** field.

## Checking your data source IAM role


Make sure that your data source connector AWS Identity and Access Management (IAM) role contains permissions to access your Amazon VPC.

If you use the console to create a new IAM role, Amazon Q Business automatically adds the correct permissions to the role on your behalf. If you use the API, or use an existing IAM role, check that your role contains permissions to access Amazon VPC. To verify that you have the right permissions, see [IAM roles for data sources](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/iam-roles.html#iam-roles-ds).

You can modify an existing data source to use a different Amazon VPC subnet. However, check your data source's IAM role and, if necessary, modify it to reflect the change for the Amazon Q Business data source connector to work properly.

# Using Amazon VPC with an Amazon S3 data source

This topic describes the requirements for connecting Amazon Q Business to Amazon Simple Storage Service (Amazon S3) through Amazon Virtual Private Cloud. It outlines the necessary prerequisites, including VPC configuration and S3 endpoint setup, to enable Amazon Q Business to access Amazon S3 buckets through a private connection.

**Important**  
So that an Amazon Q Business Amazon S3 connector can access your Amazon S3 bucket, make sure that you have assigned an Amazon S3 endpoint to your virtual private cloud (VPC). For more information about configuring an Amazon Q Business Amazon S3 connector with Amazon VPC, see [Using Amazon VPC with Amazon S3](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/s3-connector.html#s3-vpc).

For Amazon Q Business to sync documents from your Amazon S3 bucket through Amazon VPC, you must complete the following steps:
+ Set up an Amazon S3 endpoint for Amazon VPC. For more information about how to set up an Amazon S3 endpoint, see [Gateway endpoints for Amazon S3](https://docs.aws.amazon.com/vpc/latest/privatelink/vpc-endpoints-s3.html) in the *AWS PrivateLink Guide*.
+ (Optional) Check your Amazon S3 bucket policies to make sure that the Amazon S3 bucket is accessible from the virtual private cloud (VPC) that you assigned to Amazon Q Business. For more information, see [Controlling access from VPC endpoints with bucket policies](https://docs.aws.amazon.com/AmazonS3/latest/userguide/example-bucket-policies-vpc-endpoint.html) in the *Amazon S3 User Guide*.

For more information about how to configure Amazon VPC security groups, see [Security group rules](https://docs.aws.amazon.com/vpc/latest/userguide/security-group-rules.html) in the *Amazon VPC User Guide*.
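A bucket policy that keys on the `aws:SourceVpce` condition is the usual way to make the bucket reachable only through the gateway endpoint the connector uses, and it is also the policy most likely to lock the connector out if the endpoint ID is wrong. The following added example, not code from the AWS documentation, generates such a Deny-unless-from-endpoint policy and lints an existing policy for the same property; the bucket name and endpoint identifier are constructed placeholders.

```python
"""Build and lint an S3 bucket policy that admits reads only through a VPC endpoint.

Added example, not from the AWS documentation. Bucket name and endpoint identifier
are constructed placeholders; substitute your own.
"""
import json

SAMPLE_BUCKET = "example-qbusiness-docs"   # constructed
SAMPLE_VPCE = "vpce-0123456789abcdef0"     # constructed


def vpce_only_bucket_policy(bucket, vpce_id):
    """Deny object reads and listing unless the request arrives through vpce_id."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyReadsNotFromConnectorEndpoint",
            "Effect": "Deny",
            "Principal": "*",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
            "Condition": {"StringNotEquals": {"aws:SourceVpce": vpce_id}},
        }],
    }


def _as_list(value):
    """IAM policy elements may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def policy_restricts_to_vpce(policy, bucket, vpce_id):
    """True if a Deny statement blocks GetObject and ListBucket on `bucket` for every
    request whose aws:SourceVpce is not `vpce_id`. Condition keys are matched
    case-insensitively, as IAM evaluates them."""
    want_actions = {"s3:getobject", "s3:listbucket"}
    want_resources = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Deny" or st.get("Principal") != "*":
            continue
        actions = {a.lower() for a in _as_list(st.get("Action", []))}
        if "s3:*" not in actions and not want_actions <= actions:
            continue
        if not want_resources <= set(_as_list(st.get("Resource", []))):
            continue
        not_equals = {k.lower(): v for k, v in
                      st.get("Condition", {}).get("StringNotEquals", {}).items()}
        if vpce_id in _as_list(not_equals.get("aws:sourcevpce", [])):
            return True
    return False


if __name__ == "__main__":
    policy = vpce_only_bucket_policy(SAMPLE_BUCKET, SAMPLE_VPCE)
    print(json.dumps(policy, indent=2))
    print("restricts to endpoint:",
          policy_restricts_to_vpce(policy, SAMPLE_BUCKET, SAMPLE_VPCE))
```

Because the statement denies every principal that does not come through the endpoint, administrators working from the console or from outside the VPC lose read access too; if they need it, add a condition that exempts their roles (for example on `aws:PrincipalArn`) rather than removing the endpoint condition. Run `policy_restricts_to_vpce` over `s3.get_bucket_policy(Bucket=...)["Policy"]` after `json.loads` to confirm the deployed policy names the endpoint you actually attached to the connector's VPC.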
