

# Managing VPC connection in Amazon Quick


**Applies to:** Enterprise Edition

**Intended audience:** System administrators and Amazon Quick administrators

With Amazon Quick Enterprise Edition, account admins can configure a secure, private VPC connection to an Amazon Quick account from the Amazon Quick console or from the Amazon Quick CLI. The following walkthroughs show how to create, edit, and delete a VPC connection from an Amazon Quick account.

**Topics**
+ [Configuring the VPC connection in the Amazon Quick console](vpc-creating-a-connection-in-quicksight-console.md)
+ [Configuring the VPC connection with the Amazon Quick CLI](vpc-creating-a-connection-in-quicksight-cli.md)
+ [Testing the connection to your VPC data source](vpc-creating-a-quicksight-data-source-profile.md)

# Configuring the VPC connection in the Amazon Quick console


To create a secure private connection to the Amazon VPC service from the Amazon Quick console, use the following procedure. 

**Prerequisites**
+ Sign in to Amazon Quick as an Amazon Quick admin to set up a VPC connection in Amazon Quick. To verify that you're an Amazon Quick administrator, choose your profile icon in the upper-right. If your profile menu contains the option **Manage Amazon Quick**, then you're an Amazon Quick administrator. Make sure that your admin role in IAM includes the following permissions. The `"iam:PassRole"` permission needs to be applied only to the execution role that is created in the procedures below.
  + `"quicksight:ListVPCConnections"`
  + `"quicksight:CreateVPCConnection"`
  + `"quicksight:DescribeVPCConnection"`
  + `"quicksight:DeleteVPCConnection"`
  + `"quicksight:UpdateVPCConnection"`
  + `"ec2:describeSubnets"`
  + `"ec2:describeVpcs"`
  + `"ec2:describeSecurityGroups"`
  + `"iam:ListRoles"`
  + `"iam:PassRole"`

    The following example shows an IAM policy that applies `"iam:PassRole"` only to the execution role.

    ```
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "iam:PassRole"
                ],
                "Resource": "arn:aws:iam::111122223333:role/vpc-role-for-qs"
            }
        ]
    }
    ```
+ Before you begin, make sure that you have the following information available to copy and paste into the **VPC Connection** screen. For more information, see [Finding information to connect to a VPC](https://docs.aws.amazon.com/quicksight/latest/user/vpc-finding-setup-information.html). 
  + AWS Region – The AWS Region where you plan to create a connection to your data source.
  + VPC ID – The ID of the VPC that contains the data, the subnets, and the security groups that you plan to use.
  + Execution role – An IAM role that contains a trust policy that allows Amazon Quick to create, update, and delete network infrastructure in your account. This policy is required for all VPC connections. At minimum, the IAM policy needs the following Amazon EC2 permissions:
    + `DescribeSecurityGroups`
    + `DescribeSubnets`
    + `CreateNetworkInterface`
    + `DeleteNetworkInterface`
    + `ModifyNetworkInterfaceAttribute`

    The following example shows an IAM policy that you can add to an existing IAM role to create, delete, or modify a VPC connection:

    ```
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ec2:CreateNetworkInterface",
                    "ec2:ModifyNetworkInterfaceAttribute",
                    "ec2:DeleteNetworkInterface",
                    "ec2:DescribeSubnets",
                    "ec2:DescribeSecurityGroups"
                ],
                "Resource": "*"
            }
        ]
    }
    ```

    After you add the necessary permissions to an IAM role, attach a trust policy to allow Amazon Quick to configure the VPC connection to your account. The following example shows a trust policy that you can add to an existing IAM role to allow Amazon Quick access to the role:

    ```
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "Service": "quicksight.amazonaws.com"
          },
          "Action": "sts:AssumeRole"
        }
      ]
    }
    ```
  + Subnet IDs – The IDs of the subnets that the Amazon Quick network interface is using. Each VPC connection needs at least two subnets.
  + Security group IDs – The IDs of the security groups. Each VPC connection needs at least one security group.

**To create a secure private connection to the Amazon VPC service from Amazon Quick Enterprise Edition**

1. In Amazon Quick, choose your profile icon in the upper-right, then choose **Manage Amazon Quick**.

   Only Amazon Quick administrators can view the **Manage Amazon Quick** option. If you don't see this option on your profile menu, you're not an administrator. In this case, contact your Amazon Quick account administrators for assistance.

1. In the left navigation pane, choose **Manage VPC connections**.

1. On the **Manage VPC connections** page that opens, choose **Add VPC connection**.

1. For **VPC connection name**, enter a unique descriptive name of your choice. This name doesn't need to be an actual VPC ID or name.

1. In the **VPC ID** dropdown menu, choose the ID of the VPC in Amazon EC2 that you want to connect to your Amazon Quick account. This field can't be changed later.

1. In the **Execution role** dropdown menu, choose the appropriate IAM role to use for the VPC connection. The **Execution role** dropdown only shows IAM roles whose trust policy allows Amazon Quick to configure the VPC connection to your account.

1. In the **Subnets** table, choose a subnet ID from the **Subnet ID** dropdown menu for at least two of the listed **Availability zones**. The Availability Zones listed in the **Subnets** table are determined by how the VPC is configured in the Amazon EC2 console.

1. (Optional) If you aren't using DNS resolver endpoints, skip to the next step. 

   If your database host IP address must be resolved through private DNS servers in your AWS account, enter IP addresses for Route 53 Resolver inbound endpoints (one per line). 

   Make sure that you are entering an endpoint, rather than a database address like the one you plan to use in Amazon Quick. Most databases that are hosted by AWS don't need to resolve DNS queries between VPCs and a customer's network. For more information, see [Resolving DNS queries between VPCs and your network](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resolver.html) in the *Amazon Route 53 Developer Guide*. You only need this endpoint if you can't resolve the IP address that connects to your database by using the public DNS system.

1. Review your choices, then choose **ADD**.

When you finish creating a VPC connection, the new connection appears in the **Manage VPC connections** table. In some cases, the status of the new VPC connection might be **UNAVAILABLE** until the connection is configured on the backend. After Amazon Quick finishes configuring the new connection, the status of the connection switches to **AVAILABLE**, which indicates that the connection has been established. The following table describes the different **Status** values for a VPC connection.


| Status | Description | 
| --- | --- | 
|  **AVAILABLE**  |  The VPC connection is established and can be used.  | 
|  **PARTIALLY AVAILABLE**  |  One of the network interfaces that is configured to the VPC connection is unavailable. The VPC connection can still be used.  | 
|  **UNAVAILABLE**  |  The VPC connection is not established and can't be used.  | 

To see a summary of a VPC connection, choose a VPC connection from the **VPC connection name** row of the **Manage VPC connections** table. The pop-up box that appears shows information about the network interfaces associated with the VPC connection.

The following table describes the different **Status** values for a network interface.


| Status | Description |
| --- | --- |
| **CREATING** | The network interface creation is in progress. |
| **AVAILABLE** | The network interface is available for use. |
| **CREATION_FAILURE** | The network interface couldn't be created. |
| **UPDATING** | The security group associated with the network interface is updating. |
| **UPDATE_FAILED** | The security group associated with the network interface did not update successfully. |
| **DELETING** | The network interface is in the process of being deleted. |
| **DELETED** | The network interface is deleted and can no longer be used. |
| **DELETION_FAILED** | The network interface deletion failed, and the interface can still be used. |
| **DELETION_SCHEDULED** | This network interface is scheduled for deletion. |
| **ATTACHMENT_FAILED_ROLLBACK_FAILED** | The elastic network interface failed to attach, and Amazon Quick was unable to delete the elastic network interface that was created in your account. |

When you delete a network interface from a VPC connection, the status of the connection changes to **PARTIALLY AVAILABLE** to indicate the loss of a network interface.

To make changes to an existing VPC connection, choose the more actions (three-dots) button to the right of the connection that you want to modify, and choose **Edit**. In the **Edit VPC connection** window that appears, make your changes, and then choose **SAVE**.

To delete a VPC connection, choose the more actions (three-dots) button to the right of the connection that you want to delete and choose **Delete**. In the **Delete Amazon Quick VPC Connection** pop-up that appears, confirm that you want to delete the connection, and then choose **Delete**.

# Configuring the VPC connection with the Amazon Quick CLI


To create a secure private connection to the Amazon VPC service from Amazon Quick with the Amazon Quick CLI, use the following procedure:

**Prerequisites**
+ Before you begin, make sure that you have the following information available to copy and paste into the **VPC Connection** page. For more information, see [Finding information to connect to a VPC](https://docs.aws.amazon.com/quicksight/latest/user/vpc-finding-setup-information.html).
  + AWS Region – The AWS Region where you plan to create a connection to your data source.
  + VPC ID – The ID of the VPC that contains the data, the subnets, and the security groups that you plan to use.
  + Execution role – An IAM role that contains a trust policy that allows Amazon Quick to create, update, and delete network infrastructure in your account. This policy is required for all VPC connections. At minimum, the IAM policy needs the following Amazon EC2 permissions:
    + `DescribeSecurityGroups`
    + `DescribeSubnets`
    + `CreateNetworkInterface`
    + `DeleteNetworkInterface`
    + `ModifyNetworkInterfaceAttribute`

    The following example shows an IAM policy that you can add to an existing IAM role to create, delete, or modify a VPC connection:

    ```
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ec2:CreateNetworkInterface",
                    "ec2:ModifyNetworkInterfaceAttribute",
                    "ec2:DeleteNetworkInterface",
                    "ec2:DescribeSubnets",
                    "ec2:DescribeSecurityGroups"
                ],
                "Resource": "*"
            }
        ]
    }
    ```

    After you add the necessary permissions to an IAM role, attach a trust policy to allow Amazon Quick to configure the VPC connection to your account. The following shows an example trust policy that you can add to an existing IAM role to allow Amazon Quick access to the role:

    ```
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "Service": "quicksight.amazonaws.com"
          },
          "Action": "sts:AssumeRole"
        }
      ]
    }
    ```
  + Subnet IDs – The IDs of the subnets that the Amazon Quick network interface is using. Each VPC connection needs at least two subnets.
  + Security group IDs – The IDs of the security groups. Each VPC connection needs at least one security group.
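
The following added example is not part of this guide or of any AWS tooling. It checks the execution role and admin permissions listed in the prerequisites above (for both the console and the CLI procedure) before you create a connection: that the role's trust policy lets `quicksight.amazonaws.com` call `sts:AssumeRole`, that all five required Amazon EC2 actions are granted, and that `iam:PassRole` is scoped to one execution-role ARN rather than `*`. The sample policy documents are constructed; the account ID and role name in them are placeholders, and the function names are this example's own.

```python
import fnmatch

# The five Amazon EC2 actions this page requires on the execution role.
REQUIRED_EC2_ACTIONS = {
    "ec2:DescribeSecurityGroups", "ec2:DescribeSubnets",
    "ec2:CreateNetworkInterface", "ec2:DeleteNetworkInterface",
    "ec2:ModifyNetworkInterfaceAttribute",
}

def _as_list(value):
    """IAM allows Action, Resource and Principal.Service to be a string or a list."""
    return [] if value is None else (value if isinstance(value, list) else [value])

def _allow_statements(doc):
    return [s for s in _as_list(doc.get("Statement")) if s.get("Effect") == "Allow"]

def _action_granted(action, patterns):
    # IAM matches action names case-insensitively and supports '*' wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)

def trust_policy_allows_quick(trust_doc):
    """True if the Amazon Quick service principal may assume the role."""
    for s in _allow_statements(trust_doc):
        principal = s.get("Principal")
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if ("quicksight.amazonaws.com" in services
                and _action_granted("sts:AssumeRole", _as_list(s.get("Action")))):
            return True
    return False

def missing_ec2_actions(perm_doc):
    """Required EC2 actions that no Allow statement in the permissions policy grants."""
    granted = [a for s in _allow_statements(perm_doc) for a in _as_list(s.get("Action"))]
    return sorted(a for a in REQUIRED_EC2_ACTIONS if not _action_granted(a, granted))

def unscoped_passrole_statements(admin_doc):
    """Allow statements granting iam:PassRole on '*' instead of one execution-role ARN."""
    return [s for s in _allow_statements(admin_doc)
            if _action_granted("iam:PassRole", _as_list(s.get("Action")))
            and "*" in _as_list(s.get("Resource"))]

# Constructed sample documents; the account ID and role name are placeholders.
TRUST_OK = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Principal": {"Service": "quicksight.amazonaws.com"}, "Action": "sts:AssumeRole"}]}
PERMS_READ_ONLY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Action": ["ec2:Describe*"], "Resource": "*"}]}
PERMS_OK = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Action": sorted(REQUIRED_EC2_ACTIONS), "Resource": "*"}]}
PASSROLE_BROAD = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Action": "iam:PassRole", "Resource": "*"}]}
PASSROLE_SCOPED = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Action": "iam:PassRole", "Resource": "arn:aws:iam::111122223333:role/vpc-role-for-qs"}]}

if __name__ == "__main__":
    print("trust policy ok:", trust_policy_allows_quick(TRUST_OK))
    print("missing in read-only policy:", missing_ec2_actions(PERMS_READ_ONLY))
    print("unscoped PassRole statements:", len(unscoped_passrole_statements(PASSROLE_BROAD)))
```

To check real roles, feed the functions the `AssumeRolePolicyDocument` and inline or attached policy documents returned by the IAM API for the execution role and for the admin role.
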

## Using the AWS CLI


The following example creates a VPC connection.

```
aws quicksight create-vpc-connection \
--aws-account-id 123456789012 \
--vpc-connection-id test \
--name test \
--subnet-ids '["subnet-12345678", "subnet-12345678"]' \
--security-group-ids '["sg-12345678"]' \
--role-arn arn:aws:iam::123456789012:role/test-role \
--region us-west-2
```

After you create a VPC connection, you can update, delete, or request a summary of the VPC connection.

The following example updates a VPC connection.

```
aws quicksight update-vpc-connection \
--aws-account-id 123456789012 \
--vpc-connection-id test \
--name test \
--subnet-ids '["subnet-12345678", "subnet-12345678"]' \
--security-group-ids '["sg-12345678"]' \
--role-arn arn:aws:iam::123456789012:role/test-role \
--region us-west-2
```

The following example deletes a VPC connection.

```
aws quicksight delete-vpc-connection \
--aws-account-id 123456789012 \
--vpc-connection-id test \
--region us-west-2
```

The following example describes a VPC connection.

```
aws quicksight describe-vpc-connection \
--aws-account-id 123456789012 \
--vpc-connection-id test \
--region us-west-2
```

The following table describes the different **Status** values for a network interface that `describe-vpc-connection` returns.


| Status | Description |
| --- | --- |
| **CREATING** | The network interface creation is in progress. |
| **AVAILABLE** | The network interface is available for use. |
| **CREATION_FAILURE** | The network interface couldn't be created. |
| **UPDATING** | The security group associated with the network interface is updating. |
| **UPDATE_FAILED** | The security group associated with the network interface did not update successfully. |
| **DELETING** | The network interface is in the process of being deleted. |
| **DELETED** | The network interface is deleted and can no longer be used. |
| **DELETION_FAILED** | The network interface deletion failed, and the interface can still be used. |
| **DELETION_SCHEDULED** | This network interface is scheduled for deletion. |
| **ATTACHMENT_FAILED_ROLLBACK_FAILED** | The elastic network interface failed to attach, and Amazon Quick was unable to delete the elastic network interface that was created in your account. |

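As an added example that is not part of this guide or of the AWS CLI, the following Python script runs the `describe-vpc-connection` command shown above (or takes its already-parsed JSON) and triages the result against the status table: whether the connection is usable, whether a caller should keep polling, which network interfaces are in a failed state, and which interface was left behind in your account after a failed rollback and needs manual cleanup. It assumes the response carries `VPCConnection.AvailabilityStatus` (with API values such as `PARTIALLY_AVAILABLE`) and `VPCConnection.NetworkInterfaces[].Status`; the sample response is constructed with placeholder IDs.

```python
import json
import subprocess

# Network-interface states from the status table above, grouped by what they mean.
TRANSIENT = {"CREATING", "UPDATING", "DELETING", "DELETION_SCHEDULED"}
FAILED = {"CREATION_FAILURE", "UPDATE_FAILED", "DELETION_FAILED",
          "ATTACHMENT_FAILED_ROLLBACK_FAILED"}

def describe_vpc_connection(account_id, connection_id, region):
    """Run the page's describe-vpc-connection command and parse its JSON output."""
    out = subprocess.run(
        ["aws", "quicksight", "describe-vpc-connection",
         "--aws-account-id", account_id,
         "--vpc-connection-id", connection_id,
         "--region", region, "--output", "json"],
        check=True, capture_output=True, text=True).stdout
    return json.loads(out)

def triage(response):
    """Summarise a describe-vpc-connection response (field names assumed, see lead-in).

    Returns the connection-level availability, whether it is usable, whether any
    interface is still in a transient state (keep polling), the interfaces in a
    failed state, and interfaces orphaned in the account by a failed rollback.
    """
    conn = response["VPCConnection"]
    failed, pending, orphaned = [], [], []
    for eni in conn.get("NetworkInterfaces", []):
        status = eni.get("Status")
        entry = (eni.get("NetworkInterfaceId"), eni.get("SubnetId"),
                 status, eni.get("ErrorMessage"))
        if status in FAILED:
            failed.append(entry)
            if status == "ATTACHMENT_FAILED_ROLLBACK_FAILED":
                orphaned.append(eni.get("NetworkInterfaceId"))
        elif status in TRANSIENT:
            pending.append(entry)
    availability = conn.get("AvailabilityStatus")
    return {
        "availability": availability,
        "usable": availability in ("AVAILABLE", "PARTIALLY_AVAILABLE"),
        "keep_polling": bool(pending),
        "failed": failed,
        "orphaned_enis": orphaned,
    }

# Constructed sample response (IDs are placeholders) so the script runs offline.
SAMPLE = {"Status": 200, "VPCConnection": {
    "VPCConnectionId": "test", "VPCId": "vpc-12345678",
    "AvailabilityStatus": "PARTIALLY_AVAILABLE",
    "NetworkInterfaces": [
        {"NetworkInterfaceId": "eni-aaaa0001", "SubnetId": "subnet-12345678",
         "AvailabilityZone": "us-west-2a", "Status": "AVAILABLE"},
        {"NetworkInterfaceId": "eni-aaaa0002", "SubnetId": "subnet-87654321",
         "AvailabilityZone": "us-west-2b", "Status": "ATTACHMENT_FAILED_ROLLBACK_FAILED",
         "ErrorMessage": "constructed: attach failed and rollback failed"}]}}

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE), indent=2))
```

An interface reported as `ATTACHMENT_FAILED_ROLLBACK_FAILED` still exists in your account, so list it in the Amazon EC2 console and remove it once you have confirmed nothing else uses it.
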
You can also use the AWS CLI to generate a list of all VPC connections in your Amazon Quick account.

```
aws quicksight list-vpc-connections \
--aws-account-id 123456789012 \
--region us-west-2
```

# Testing the connection to your VPC data source


**Applies to:** Enterprise Edition

**Intended audience:** Amazon Quick administrators and authors

To test whether you can connect to your data source through an existing Quick VPC connection, use the following procedure.

Before you begin, collect the information you need to connect. If you plan to copy and paste settings from a file, make sure that it doesn't contain any of the following: formatting (list bullets or numbers), blank space (spaces, tabs), or invisible "gremlin" (non-ASCII, null (ASCII 0), or control) characters. 

1. On the Amazon Quick start page, choose **Manage data**. 

1. On the **Datasets** page, choose **New data set**.

1. In the **FROM NEW DATA SOURCES** section of the **Create a data set** page, choose a supported data source that you want to connect to. For a list of data sources that support VPC, see [Identify the data sources to use](https://docs.aws.amazon.com/quicksight/latest/user/vpc-finding-setup-information.html#vpc-data-sources).

   Your data source instance must use the same VPC that you used to create the VPC connection. Also, the associated security group must be properly configured. For more information, see [Setting up a VPC to use with Amazon Quick](https://docs.aws.amazon.com/quicksight/latest/user/vpc-setup-for-quicksight.html).

1. Enter the connection information for the data source. The fields for the data source are sometimes displayed in different order depending on which data source you choose. For more information, see [Creating a data source](https://docs.aws.amazon.com/quicksight/latest/user/create-a-data-source.html).
   + For **Data source name**, enter a descriptive name for the new data source. This name appears beside the data source logo on a tile on the **Create a data set** page. For testing purposes, name it **"VPC test-"** followed by the database name or location, whichever is unique.
   + For **Connection Type**, choose the name of the VPC connection that has a route to your data source. If the correct VPC is missing from the list, ask an Amazon Quick administrator to verify that the VPC connection is correct in Amazon Quick. If it looks correct, ask a system administrator to verify that the data source and VPC are set up for this purpose.
   + The name or other identifier for the server or instance to connect to. The descriptors vary depending on which one you're connecting to, but it's usually one or more of the following: hostname, IP address, cluster ID, instance ID, connector, or site-based URL.
   + **Database name** shows the default database for the **Instance ID** cluster or instance. If you want to use a different database on that cluster or instance, enter its name.
   + The name of the collection of data that you want to use.

     The descriptor varies depending on the provider, but it's usually one of the following: database, warehouse, or catalog. In this topic, we use the word "database" as a generic term.
   + For **Credentials**, enter a username and password to use for everyone who connects from Amazon Quick using this data source. The username must have permissions to do the following:
     + Access the target database.
     + Read (perform a `SELECT` statement on) all of the tables that you want to use in that database.

1. Choose **Validate connection** to verify your connection information is correct. If your connection doesn't validate, correct the connection information and try again. If the information looks correct but doesn't validate, do one or all of the following:
   + Contact your data source administrator to verify your connection settings.
   + Contact your Amazon Quick administrator to verify the settings in the Amazon Quick VPC connection.
   + Contact your AWS administrator to verify that the VPC is correctly configured for use with Amazon Quick.

1. After the connection validates, choose **Create data source** to save the connection profile. Or, if you don't need to keep the connection profile after testing is complete (recommended), choose **Cancel**.