

After careful consideration, we decided to end support for Amazon FinSpace, effective October 7, 2026. Amazon FinSpace will no longer accept new customers beginning October 7, 2025. As an existing customer with an Amazon FinSpace environment created before October 7, 2025, you can continue to use the service as normal. After October 7, 2026, you will no longer be able to use Amazon FinSpace. For more information, see [Amazon FinSpace end of support](https://docs.aws.amazon.com/finspace/latest/userguide/amazon-finspace-end-of-support.html). 

# Connecting Amazon FinSpace to your network
<a name="cno-vpc"></a>

**Important**  
Amazon FinSpace Dataset Browser will be discontinued on *March 26, 2025*. Starting *November 29, 2023*, FinSpace will no longer accept the creation of new Dataset Browser environments. Customers using [Amazon FinSpace with Managed Kdb Insights](https://aws.amazon.com/finspace/features/managed-kdb-insights/) will not be affected. For more information, review the [FAQ](https://aws.amazon.com/finspace/faqs/) or contact [AWS Support](https://aws.amazon.com/contact-us/) to assist with your transition.

You can use a FinSpace virtual private cloud (VPC) connection to allow the compute resources running in your FinSpace environment infrastructure account to access resources in your internal network. For example, a FinSpace analyst can connect their FinSpace managed Spark cluster to an internal code repository or internal application REST service. Using this feature, you can also connect to databases on your corporate network and access data, which you could then combine with data in FinSpace.

## How a FinSpace VPC connection works
<a name="cno-how-it-works"></a>

You create a FinSpace VPC connection by connecting your FinSpace infrastructure account to an existing transit gateway in your organization. You can configure the transit gateway to route traffic to other portions of your network. The following diagram shows how a FinSpace VPC connection works. 

![\[A diagram that shows how a FinSpace VPC connection works.\]](http://docs.aws.amazon.com/finspace/latest/userguide/images/09-security/cno-vpc.png)


The diagram describes a high-level setup of a FinSpace VPC connection:
+ Each FinSpace environment contains a dedicated, service-managed AWS account called an environment infrastructure account.
+ In this account, there is a VPC. This VPC contains non-routable subnets that host FinSpace managed compute resources. The VPC also contains routable subnets that host a private NAT gateway. The private NAT gateway is connected to a customer managed transit gateway through a transit gateway attachment.
+ As shown in the diagram, you can connect the transit gateway that you manage to additional parts of your network, including your VPCs and on-premises networks. You can also configure a network path from this transit gateway to the internet if you want to.
+ The non-routable subnets that are in the VPC in the FinSpace infrastructure account use ranges within a Classless Inter-Domain Routing (CIDR) block of *192.168.0.0/16*. The routable subnets use CIDR ranges that you provide. This diagram shows an example of using a *100.64.0.0/26* CIDR range, which you provide for use in two Availability Zones (AZs).
+ In the VPC of the environment infrastructure account, a Route 53 outbound resolver forwards custom DNS queries to a custom DNS server that you specify.
+ FinSpace creates multiple AZs in a Region and private NAT gateways in every AZ.

### DNS resolution
<a name="vpc-dns-resolution"></a>

The VPC in the environment infrastructure account contains a Route 53 resolver that is used by the hosts for DNS lookups. By default, after you configure a VPC connection, this resolver resolves AWS service names, but not other hosts on your network or the internet. 

When you set up your FinSpace VPC connection, you can optionally configure this resolver so that it forwards queries to a resolver that you specify. This allows hosts that are running in the FinSpace infrastructure account to be able to resolve hostnames from this resolver. 

**Topics**
+ [How a FinSpace VPC connection works](#cno-how-it-works)
+ [Managing a FinSpace VPC connection](manage-vpc.md)
+ [Validating your VPC connection](vpc-validation.md)
+ [Monitoring IP traffic](monitoring-ip-traffic.md)

# Managing a FinSpace VPC connection
<a name="manage-vpc"></a>

This section explains how to set up and remove a FinSpace virtual private cloud (VPC) connection.

## Prerequisites
<a name="cno-prereq"></a>

Before you proceed, complete the following prerequisites: 
+ Make sure that a FinSpace environment has been created. For more information, see [Setting up an Amazon FinSpace environment](https://docs.aws.amazon.com/finspace/latest/userguide/setting-up-for-amazon-finspace.html).
+ Make sure that a transit gateway has been created in AWS Transit Gateway. For more information, see [Create the transit gateway](https://docs.aws.amazon.com/vpc/latest/tgw/tgw-getting-started.html#step-create-tgw) in the *AWS Transit Gateway User Guide*.
+ Make sure that you’ve gathered the following information to create an AWS Support case to request access:
  + FinSpace environment ID.
  + AWS Region of the FinSpace environment.
  + Transit gateway ID of the transit gateway that you will connect your FinSpace environment to.
  + The IP address range to use for the customer-facing side of the NAT gateway. This should be a /26 IP address range from the 100.64.0.0/10 range that is specified by RFC 6598.
  + (Optional) Custom DNS domain name – The name of the domain for which DNS queries are forwarded to the custom DNS server IP address.
  + (Optional) Custom DNS server IP address – The IP address that's routable from your transit gateway attachment.

## Considerations
<a name="cno-considerations"></a>

Before you get started with the setup, make sure that you review the following considerations:
+ The /26 IP address range for the routable subnets that is attached to the transit gateway must be from the 100.64.0.0/10 range specified by RFC 6598.
+ The /26 IP address range for the routable subnets that is attached to the transit gateway must be unique across FinSpace environments and your network that's connected to the same transit gateway. For example, you might have two FinSpace environments (environment-A and environment-B) that are connected to TGW-A. Ensure that the /26 CIDR provided for each environment is distinct across environment-A and environment-B, and your network connected to the TGW-A. 

## Setting up a VPC connection
<a name="setup-vpc"></a>

**To set up a VPC connection**

1. Sign in to the [AWS Support Center Console](https://console.aws.amazon.com/support).

1. Open a technical support case to enable the VPC connection for FinSpace, and provide the following information: 
   + The FinSpace environment ID
   + The transit gateway ID
   + The AWS Region of the FinSpace environment
   + The /26 IP range to use for the customer-facing side of the NAT gateway
   + (Optional) The custom DNS domain name
   + (Optional) The custom DNS server IP address

   For more information, see [Creating a support case](https://docs.aws.amazon.com/awssupport/latest/user/case-management.html) in the *AWS Support User Guide*.

1. Create a RAM share for your transit gateway to the FinSpace environment infrastructure account. For more information, see [Share a transit gateway](https://docs.aws.amazon.com/vpc/latest/tgw/tgw-transit-gateways.html#tgw-sharing) in the *AWS Transit Gateway User Guide*.

1. After verifying the support case, a FinSpace operator runs a setup program. This program accepts the RAM share request, disables internet access in the FinSpace environment infrastructure account, and issues a VPC attachment request to your transit gateway.

1. When the request is complete, the FinSpace operator sends a notification, and adds the transit gateway attachment ID and the Availability Zone (AZ) to the VPC attachment request.

1. Accept the VPC attachment request that FinSpace issues to your transit gateway. For more information, see [Accept a shared attachment](https://docs.aws.amazon.com/vpc/latest/tgw/tgw-transit-gateways.html#tgw-accept-shared-attachment) in the *AWS Transit Gateway User Guide*.

1. Configure the route tables in your transit gateway to route traffic to and from the subnets in the VPC that were attached in the VPC attachment.
**Note**  
Ensure that your transit gateway attachment is created with all the Availability Zones provided in the notification that you receive from the FinSpace operator. 

1. Ensure that the VPC connection setup is successful by following the steps in [Validating your VPC connection](vpc-validation.md).

## Removing a VPC connection
<a name="removing-vpc"></a>

**To remove an existing VPC connection**

1. Delete the transit gateway attachment from your transit gateway. For more information, see [Delete a VPC attachment](https://docs.aws.amazon.com/vpc/latest/tgw/tgw-vpc-attachments.html#delete-vpc-attachment) in the *AWS Transit Gateway User Guide*.

1. After removing the attachment, restore direct internet access to your FinSpace environment by creating a new technical support case that specifies the environment ID.

**Note**  
Deleting a FinSpace environment does not automatically delete the attachment. You must remove the attachment separately.

## Updating a VPC connection
<a name="updating-vpc"></a>

You cannot update an existing connection. To make changes to an existing connection, remove the old connection and create a new one.

# Validating your VPC connection
<a name="vpc-validation"></a>

After your connection is set up, you can test connectivity to your network. There are two types of connectivity testing available.
+ Basic testing – You can use the `curl` command in the SageMaker AI Studio notebook environment that is included with FinSpace for basic testing.
+ Advanced testing – You can use the file upload capability in the SageMaker AI Studio notebook to upload your own network diagnostic utilities to test.

## Basic connectivity testing using Amazon FinSpace notebooks
<a name="vpc-validation-basic"></a>

If you're testing connectivity to an HTTP/HTTPS endpoint, you can use a FinSpace notebook to test basic connectivity using curl.

**To validate the connection using a notebook**

1. Sign in to the FinSpace web application. For more information, see [Signing in to the Amazon FinSpace web application](signing-into-amazon-finspace.md).

1. Open a FinSpace notebook. For more information, see [Opening the notebook environment](opening-the-notebook-environment.md).

1. From the notebook menu bar, choose the plus (+) icon to create a new cell. In the cell, run the `curl` command in the shell to test connectivity to the host.

   `%local`

   `!curl <hostname or URL>`

   For example, run the following command:

   `%local`

   `!curl www.google.com`
**Tip**  
Keep your cursor in the cell and choose the (>) arrow button from the notebook menu to run the command.

   If successful, the results of the `curl` command display in your notebook.

**Note**  
After the VPC connectivity is set up for the environment, the internet connection is disabled by default. This is the default unless you have an explicit static route entry in your transit gateway route table that specifies forwarding all traffic `0.0.0.0/0` to your VPC attachment that has an internet gateway.

## Configuring internet access
<a name="vpc-validation-config-internet"></a>

**To ensure FinSpace can connect to your internet gateway**

1. Check that your transit gateway attachment has a private subnet and public subnet with a NAT gateway. The private subnet should be attached to the transit gateway attachment.

1. Check that the VPC attachment has all Availability Zones (AZ) included in the FinSpace response. 

1. Add a route for private subnets for directing traffic destined to `100.64.0.0/26` to the dedicated account VPC attachment.

1. Create a transit gateway static route to direct traffic destined to `0.0.0.0/0` to the customer account attachment. For more information, see [Create a static route](https://docs.aws.amazon.com/vpc/latest/tgw/tgw-route-tables.html#tgw-create-static-route) in the *AWS Transit Gateway User Guide*.

   Wait a few minutes before running the next command because there might be a delay before the routes are installed.

# Monitoring IP traffic
<a name="monitoring-ip-traffic"></a>

You can use the transit gateway flow logs to monitor traffic coming from FinSpace. For more information, see [Logging network traffic using Transit Gateway Flow Logs](https://docs.aws.amazon.com/vpc/latest/tgw/tgw-flow-logs.html) in the *AWS Transit Gateway User Guide*.
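Because FinSpace compute reaches your network through the private NAT gateways in the routable subnets, flows from FinSpace appear in the flow logs with a source address inside the /26 you provided. The following added example (not part of the FinSpace documentation) totals bytes sent from that range to destinations outside the ranges you expect. It assumes space-separated flow log text with a header line naming the fields; the function name, sample records, and allowed range are constructed for illustration.

```python
import ipaddress
from collections import Counter

# Constructed sample: a custom-format flow log with a header line.
SAMPLE = """\
srcaddr dstaddr srcport dstport protocol packets bytes log-status
100.64.0.10 10.20.1.15 40112 443 6 12 5400 OK
100.64.0.10 203.0.113.50 40188 443 6 30 91000 OK
100.64.0.42 203.0.113.50 40190 443 6 5 2000 OK
10.20.1.15 100.64.0.10 443 40112 6 10 8800 OK
- - - - - - - NODATA
"""


def unexpected_egress(log_text, finspace_cidr, allowed_cidrs):
    """Total bytes per (dstaddr, dstport) for flows that originate in the
    FinSpace routable subnets and leave the allowed destination ranges."""
    src_net = ipaddress.ip_network(finspace_cidr)
    allowed = [ipaddress.ip_network(c) for c in allowed_cidrs]
    lines = [ln for ln in log_text.splitlines() if ln.strip()]
    header = lines[0].split()
    totals = Counter()
    for line in lines[1:]:
        rec = dict(zip(header, line.split()))
        if rec.get("log-status") != "OK":  # NODATA / SKIPDATA carry no addresses
            continue
        src = ipaddress.ip_address(rec["srcaddr"])
        dst = ipaddress.ip_address(rec["dstaddr"])
        if src not in src_net:
            continue  # not sourced from the FinSpace NAT gateway range
        if any(dst in net for net in allowed):
            continue  # expected internal destination
        totals[(rec["dstaddr"], int(rec["dstport"]))] += int(rec["bytes"])
    return dict(totals)


if __name__ == "__main__":
    hits = unexpected_egress(SAMPLE, "100.64.0.0/26", ["10.0.0.0/8"])
    for (dst, port), nbytes in sorted(hits.items()):
        print(f"{dst}:{port} {nbytes} bytes")
```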