

Amazon Redshift will no longer support the creation of new Python UDFs starting Patch 198. Existing Python UDFs will continue to function until June 30, 2026. For more information, see the [blog post](https://aws.amazon.com/blogs/big-data/amazon-redshift-python-user-defined-functions-will-reach-end-of-support-after-june-30-2026/).

# Redshift-managed VPC endpoints
<a name="managing-cluster-cross-vpc"></a>

By default, an Amazon Redshift cluster or an Amazon Redshift Serverless workgroup is provisioned in a virtual private cloud (VPC). The VPC can be accessed from another VPC or subnet when you either allow public access or set up an internet gateway, a NAT device, or an AWS Direct Connect connection to route traffic to it. You can also access a cluster or workgroup by setting up a Redshift-managed VPC endpoint (powered by AWS PrivateLink). 

You can set up a Redshift-managed VPC endpoint as a private connection between a VPC that contains a cluster or workgroup and a VPC where a client tool is running. If the cluster or workgroup is in another account, the account owner (grantor) must grant access to the connecting account (grantee). With this approach, you can access the data warehouse without using a public IP address or routing traffic through the internet.

These are common reasons to allow access using a Redshift-managed VPC endpoint:
+ AWS account A wants to allow a VPC in AWS account B to have access to a cluster or workgroup.
+ AWS account A wants to allow a VPC that is also in AWS account A to have access to a cluster or workgroup.
+ AWS account A wants to allow a different subnet in the VPC within AWS account A to have access to a cluster or workgroup.

The workflow to set up a Redshift-managed VPC endpoint to access a cluster or workgroup in another account is as follows: 

1. The owner account grants access authorization to another account and specifies the AWS account ID and VPC identifier (or all VPCs) of the grantee. 

1. The grantee account is notified that they have permission to create a Redshift-managed VPC endpoint.

1. The grantee account creates a Redshift-managed VPC endpoint.

1. The grantee account accesses the cluster or workgroup of the owner account using the Redshift-managed VPC endpoint.

You can perform these steps using the Amazon Redshift console, the AWS CLI, or the Amazon Redshift API.
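The four-step workflow above, carried out through the Amazon Redshift API with boto3, as an added example that is not part of the AWS documentation. The owner-side call is `authorize_endpoint_access` (step 1) and the grantee-side calls are `create_endpoint_access` and `describe_endpoint_access` (steps 3 and 4). Every account ID, VPC ID, subnet group, security group, endpoint name and profile name below is a constructed placeholder. The grant helper defaults to naming the grantee VPCs explicitly, because leaving `VpcIds` out authorizes every VPC in the grantee account; with `dry_run=True` (the default) it builds and returns the request parameters without calling AWS, so it runs offline.

```python
"""Cross-account Redshift-managed VPC endpoint workflow via the Amazon Redshift API.

Added example (not AWS documentation code). All account IDs, VPC, subnet-group
and security-group IDs below are constructed placeholders. boto3 and two
configured profiles are needed only when dry_run=False.
"""
import re
from typing import Dict, Iterable, List, Optional

try:
    import boto3  # only needed for the live (non-dry-run) path
except ImportError:
    boto3 = None

# Constructed placeholders; replace with real values before a live run.
OWNER_PROFILE = "owner-account"      # assumed AWS CLI profile names
GRANTEE_PROFILE = "grantee-account"
OWNER_ACCOUNT = "111111111111"
GRANTEE_ACCOUNT = "222222222222"
CLUSTER_ID = "sales-ra3-cluster"
GRANTEE_VPC_IDS = ["vpc-0abc1234def567890"]
GRANTEE_SUBNET_GROUP = "grantee-subnet-group"
GRANTEE_SG_IDS = ["sg-0123456789abcdef0"]
ENDPOINT_NAME = "sales-cross-account-endpoint"


def is_account_id(value: str) -> bool:
    """AWS account IDs are exactly 12 digits."""
    return re.fullmatch(r"[0-9]{12}", value) is not None


def build_grant(cluster_id: str, grantee_account: str,
                vpc_ids: Optional[Iterable[str]] = None,
                allow_all_vpcs: bool = False) -> Dict[str, object]:
    """Step 1 (owner/grantor): parameters for redshift.authorize_endpoint_access.

    Omitting VpcIds authorizes every VPC in the grantee account, so the caller
    must opt in to that explicitly; the narrow, per-VPC grant is the default.
    """
    if not is_account_id(grantee_account):
        raise ValueError(f"invalid grantee account ID: {grantee_account!r}")
    params: Dict[str, object] = {"ClusterIdentifier": cluster_id,
                                 "Account": grantee_account}
    ids = list(vpc_ids or [])
    if ids:
        params["VpcIds"] = ids
    elif not allow_all_vpcs:
        raise ValueError("list the grantee VPC IDs, or set allow_all_vpcs=True "
                         "to grant every VPC in the account")
    return params


def build_endpoint(cluster_id: str, owner_account: str, endpoint_name: str,
                   subnet_group: str, sg_ids: List[str]) -> Dict[str, object]:
    """Step 3 (grantee): parameters for redshift.create_endpoint_access.

    ResourceOwner is the owner account, so the grantee's request is matched
    against the grant recorded in step 1.
    """
    if not is_account_id(owner_account):
        raise ValueError(f"invalid owner account ID: {owner_account!r}")
    if not sg_ids:
        raise ValueError("at least one VPC security group is required")
    return {"ClusterIdentifier": cluster_id, "ResourceOwner": owner_account,
            "EndpointName": endpoint_name, "SubnetGroupName": subnet_group,
            "VpcSecurityGroupIds": list(sg_ids)}


def run(dry_run: bool = True) -> Dict[str, object]:
    """Execute the workflow; with dry_run the API calls are skipped."""
    grant = build_grant(CLUSTER_ID, GRANTEE_ACCOUNT, GRANTEE_VPC_IDS)
    endpoint = build_endpoint(CLUSTER_ID, OWNER_ACCOUNT, ENDPOINT_NAME,
                              GRANTEE_SUBNET_GROUP, GRANTEE_SG_IDS)
    result: Dict[str, object] = {"grant": grant, "endpoint": endpoint}
    if dry_run or boto3 is None:
        return result
    # Step 1: the owner authorizes the grantee account for the listed VPCs.
    owner = boto3.Session(profile_name=OWNER_PROFILE).client("redshift")
    owner.authorize_endpoint_access(**grant)
    # Step 3: the grantee creates the endpoint in its own VPC.
    grantee = boto3.Session(profile_name=GRANTEE_PROFILE).client("redshift")
    grantee.create_endpoint_access(**endpoint)
    # Step 4: read back the private address that clients will connect to.
    desc = grantee.describe_endpoint_access(EndpointName=ENDPOINT_NAME)
    ep = desc["EndpointAccessList"][0]
    result["address"] = f'{ep["Address"]}:{ep["Port"]}'
    result["status"] = ep["EndpointStatus"]
    return result


if __name__ == "__main__":
    print(run(dry_run=True))
```

Step 2 (the grantee being notified) has no API call of its own; the grantee can confirm the grant with `describe_endpoint_authorization` before creating the endpoint. For an Amazon Redshift Serverless workgroup the equivalent create call lives on the `redshift-serverless` client and takes subnet IDs and a workgroup name rather than a cluster identifier and subnet group.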

## Considerations when using Redshift-managed VPC endpoints
<a name="managing-cluster-cross-vpc-considerations"></a>

**Note**  
To create or modify Redshift-managed VPC endpoints, you need permission `ec2:CreateVpcEndpoint` or `ec2:ModifyVpcEndpoint` in your IAM policy, in addition to other permissions specified in the AWS managed policy `AmazonRedshiftFullAccess`.

When using Redshift-managed VPC endpoints, keep the following in mind: 
+ If you're using a provisioned cluster, it must have the RA3 node type. An Amazon Redshift Serverless workgroup can also be used to set up a VPC endpoint. 
+ For provisioned clusters, make sure that the cluster is enabled for either cluster relocation or Multi-AZ. For information about requirements to turn on cluster relocation, see [Relocating a cluster](managing-cluster-recovery.md). For information about enabling Multi-AZ, see [Setting up Multi-AZ when creating a new cluster](create-cluster-multi-az.md). 
+ Make sure that the cluster or workgroup you want to access listens, through its security group, on a port within the valid ranges 5431-5455 and 8191-8215. The default port is 5439.
+ You can modify the VPC security groups associated with an existing Redshift-managed VPC endpoint. To modify other settings, delete the current Redshift-managed VPC endpoint and create a new one.
+ The number of Redshift-managed VPC endpoints that you can create is limited to your VPC endpoint quota.
+ The Redshift-managed VPC endpoints aren't accessible from the internet. A Redshift-managed VPC endpoint is accessible only within the VPC where the endpoint is provisioned or from any VPCs peered with the VPC where the endpoint is provisioned as permitted by the route tables and security groups.
+ You can't use the Amazon VPC console to manage Redshift-managed VPC endpoints.
+ When you create a Redshift-managed VPC endpoint for a provisioned cluster, the VPC you choose must have a subnet group. To create a subnet group, see [Creating a cluster subnet group](create-cluster-subnet-group.md).
+ If an Availability Zone is down, Amazon Redshift does not create a new elastic network interface in another Availability Zone. You might need to create a new endpoint in this case.

For information about quotas and naming constraints, see [Quotas and limits in Amazon Redshift](amazon-redshift-limits.md). 

For information about pricing, see [AWS PrivateLink pricing](https://aws.amazon.com/privatelink/pricing/).

# Granting access to a VPC
<a name="managing-cluster-cross-vpc-console-grantor"></a>

If the VPC from which you want to access your cluster or workgroup is in another AWS account, authorize it from the owner's (grantor's) account.

**To allow a VPC in another AWS account to have access to your cluster or workgroup**

1. Sign in to the AWS Management Console and open the Amazon Redshift console at [https://console.aws.amazon.com/redshiftv2/](https://console.aws.amazon.com/redshiftv2/).

1. On the navigation menu, choose **Clusters**. For Amazon Redshift Serverless, choose **Serverless dashboard**.

1. For a cluster that you want to allow access to, view the details by choosing the cluster name. Choose the **Properties** tab of the cluster. 

   The **Granted accounts** section displays the accounts and corresponding VPCs that have access to your cluster. For an Amazon Redshift Serverless workgroup, choose the workgroup. **Granted accounts** are available under the **Data access** tab.

1. Choose **Grant access** to display a form to enter **Grantee information** to add an account. 

1. For **AWS account ID**, enter the ID of the account you are granting access to. You can grant access to specific VPCs or to all VPCs in the specified account. 

1. Choose **Grant access** to grant access.

# Creating a Redshift-managed VPC endpoint
<a name="managing-cluster-cross-vpc-console-grantee"></a>

If you own a cluster or workgroup, or you have been granted access to manage it, you can create a Redshift-managed VPC endpoint for it. 

**To create a Redshift-managed VPC endpoint**

1. Sign in to the AWS Management Console and open the Amazon Redshift console at [https://console.aws.amazon.com/redshiftv2/](https://console.aws.amazon.com/redshiftv2/).

1. On the navigation menu, choose **Configurations**. 

   The **Configurations** page displays the Redshift-managed VPC endpoints that have been created. To view details for an endpoint, choose its name. For Amazon Redshift Serverless, the VPC endpoints are under the **Data access** tab, when you choose the workgroup.

1. Choose **Create endpoint** to display a form to enter information about the endpoint to add.

1. Enter values for **Endpoint name**, the 12-digit **AWS account ID**, the **Virtual private cloud (VPC)** where the endpoint is located, the **Subnet** and the **VPC security group**.

   The value in **Subnet** defines the subnets and IP addresses where Amazon Redshift deploys the endpoint. Amazon Redshift chooses a subnet that has IP addresses available for the network interface associated with the endpoint. 

   The security group rules in **VPC security group** define the ports, protocols, and sources for inbound traffic that you are authorizing for your endpoint. You allow access to the selected port via the security group or the CIDR range where your workloads run.

1. Choose **Create endpoint** to create the endpoint. 

After your endpoint is created, you can access the cluster or workgroup through the **Endpoint URL** shown in the configuration settings for your Redshift-managed VPC endpoint.