Amazon QuickSight and interface VPC endpoints (AWS PrivateLink) - Amazon QuickSight

You can establish a private connection between your VPC and Amazon QuickSight by creating an interface VPC endpoint. Interface endpoints are powered by AWS PrivateLink, a technology that enables you to privately access the QuickSight website without leaving the Amazon network. Instances in your VPC don't need public IP addresses to communicate with the QuickSight website, but they still need access to certain domains other than QuickSight so that static assets, reports, and other files can be downloaded. For a list of domains that QuickSight needs to access, see Domains accessed by QuickSight.

Each interface endpoint is represented by one or more Elastic Network Interfaces in your subnets.

For more information, see Interface VPC endpoints (AWS PrivateLink) in the Amazon VPC User Guide.

Considerations for QuickSight VPC endpoints

Before you set up an interface VPC endpoint for QuickSight, ensure that you review Interface endpoint properties and limitations in the Amazon VPC User Guide.

The following considerations apply to VPC endpoint restrictions in QuickSight:

  • The VPC endpoint that you create for QuickSight only works for the QuickSight website. QuickSight API calls are not supported through VPC endpoints.

  • QuickSight supports data sources from AWS services including Amazon S3, Amazon Redshift, and Athena. QuickSight needs access to resources in your AWS accounts to retrieve this data. If you want traffic to other AWS services to be routed through VPC endpoints, you need to create a VPC endpoint for each service that your QuickSight account is configured to use. For more information about connecting QuickSight to a VPC, see Connecting to a VPC with Amazon QuickSight.

  • IP and VPC endpoint rules take precedence over all other rules in QuickSight. If you have embedded dashboards or visuals that are visible to the public (anyone on the internet) and you restrict traffic to the QuickSight website through a VPC endpoint, those public dashboards can only be shared through the VPC endpoint. For more information on public embedding, see Turning on public access to visuals and dashboards with a 1-click embed code.

  • QuickSight VPC endpoints are not available in China regions.

  • QuickSight VPC endpoints are not available in GovCloud regions.

Creating an interface VPC endpoint for QuickSight

You can create a VPC endpoint for the QuickSight website using either the Amazon VPC console or the AWS Command Line Interface (AWS CLI). For more information, see Creating an interface endpoint in the Amazon VPC User Guide.

Create a VPC endpoint for QuickSight using the following service name:

  • com.amazonaws.region.quicksight-website

The private DNS names for the QuickSight website are not the same as the public URL for QuickSight. To reach QuickSight through the public URL, create an A record for the website in the format <region>.quicksight.aws.amazon.com and point it to the VPC endpoint. For more information about routing to a VPC endpoint, see Routing traffic to an Amazon Virtual Private Cloud interface endpoint by using your domain name.

Managing certain administrator features requires that an administrator sign in to QuickSight as an IAM user. If you sign in through the VPC endpoint, you also need to create the following VPC endpoints for the AWS Management Console.

  • com.amazonaws.region.console

  • com.amazonaws.region.signin

For more information about VPC endpoints for the AWS Management Console, see Required VPC endpoints and DNS configuration.

Creating a VPC endpoint policy for QuickSight

You can attach an endpoint policy to your VPC endpoint to restrict usage of the endpoint to specific QuickSight accounts or to accounts under specific AWS organizations. The AWS account IDs that are allow-listed or deny-listed are the AWS accounts in which the QuickSight account is created. In most cases, this is the same account ID in which the VPC endpoint is created. The policy specifies the following information:

  • The principal that can perform actions.

  • The actions that can be performed.

  • The resources on which actions can be performed.

For more information, see Controlling access to services with VPC endpoints in the Amazon VPC User Guide.

Example: VPC endpoint policy for QuickSight actions

The following is an example of an endpoint policy for QuickSight. When attached to an endpoint, this policy grants access to all QuickSight actions for all principals on all resources.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "*",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:PrincipalAccount": [
                        "012345678901"
                    ]
                }
            }
        }
    ]
}

Policies for the QuickSight website must have the Principal, Action, and Resource fields set to "*". A condition may be specified only against the aws:PrincipalAccount or aws:OrgId attributes. These conditions are evaluated on every request to the QuickSight website after the user signs in.
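As an added example (not code from the AWS documentation), a small Python check that a candidate policy meets the constraints stated above before it is attached to the quicksight-website endpoint: wildcard Principal, Action and Resource, conditions only on the account or organization keys, and 12-digit account IDs, plus a flag for an Allow statement that has no condition at all. The sample policies it checks are constructed; the standard IAM global key for the organization condition is aws:PrincipalOrgID, and the validator accepts the page's spelling aws:OrgId as well (assumption).

```python
import json
import re

# Condition keys the page says a quicksight-website endpoint policy may use.
# The page spells the organization key "aws:OrgId"; the standard IAM global
# key is aws:PrincipalOrgID, so both spellings are accepted (assumption).
ALLOWED_CONDITION_KEYS = {"aws:PrincipalAccount", "aws:OrgId", "aws:PrincipalOrgID"}
ACCOUNT_ID = re.compile(r"^\d{12}$")

def validate_quicksight_endpoint_policy(policy_json: str) -> list:
    """Return a list of problems; an empty list means the policy meets the
    constraints stated for the quicksight-website endpoint."""
    try:
        policy = json.loads(policy_json)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc}"]
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    problems = []
    for i, stmt in enumerate(statements):
        # The website endpoint only accepts wildcard principal/action/resource.
        for field in ("Principal", "Action", "Resource"):
            if stmt.get(field) != "*":
                problems.append(f'statement {i}: {field} must be "*", got {stmt.get(field)!r}')
        condition = stmt.get("Condition", {})
        if stmt.get("Effect") == "Allow" and not condition:
            problems.append(f"statement {i}: Allow without a Condition admits every AWS account")
        for operator, keys in condition.items():
            for key, values in keys.items():
                if key not in ALLOWED_CONDITION_KEYS:
                    problems.append(f"statement {i}: condition key {key} is not supported here")
                    continue
                values = values if isinstance(values, list) else [values]
                if key == "aws:PrincipalAccount":
                    for v in values:
                        if not ACCOUNT_ID.match(str(v)):
                            problems.append(f"statement {i}: {v!r} is not a 12-digit account ID")
    return problems

# Constructed samples: the page's example policy, and a policy that breaks
# two of the stated rules (a scoped Action and an unsupported condition key).
GOOD_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": "*", "Action": "*", "Resource": "*",
    "Condition": {"StringEquals": {"aws:PrincipalAccount": ["012345678901"]}}}]})
BAD_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": "*", "Action": "quicksight:*", "Resource": "*",
    "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}}]})
```

Run the validator in a pipeline step before `aws ec2 modify-vpc-endpoint` so a policy that the endpoint would silently reject, or one that opens the endpoint to every account, never reaches production.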

Restricting access to the QuickSight website

You can choose to restrict access to your QuickSight account to only allow traffic from an approved VPC endpoint. This prevents general internet users from accessing your QuickSight account. Before you can make this change, make sure that you're an IAM user with the UpdateIpRestriction permission. For more information on the permissions that are required to restrict access with a VPC endpoint, see Turning on IP and VPC endpoint restrictions in Amazon QuickSight.

Use the following procedure to restrict access with a VPC endpoint in QuickSight.

  1. Open the QuickSight console.

  2. Choose Manage QuickSight, and then choose Security & permissions.

  3. On the Security & permissions page that opens, navigate to IP and VPC endpoint restrictions and choose Manage.

  4. Turn on the Enforce restrictions switch to turn on your VPC endpoint restrictions.

You can also perform this action with the QuickSight APIs. The following example turns on the enforcement of a VPC endpoint restriction.

aws quicksight update-ip-restriction \
    --aws-account-id AWSACCOUNTID \
    --region REGION \
    --enabled \
    --vpc-endpoint-id-restriction-rule-map vpce-001122def=MyVpcEndpointAllowed

Domains accessed by QuickSight

The table below lists all URLs that are accessed by Amazon QuickSight from your browser. Make sure that you have established connectivity for all of the domains listed in the table.

URL                                  | Reason                                                                              | Has VPC endpoint support?
-------------------------------------|-------------------------------------------------------------------------------------|--------------------------
region.quicksight.aws.amazon.com     | The bulk of traffic to QuickSight flows through this domain.                        | Yes
signin.aws.amazon.com                | To sign in to the AWS console if the account uses IAM identities.                   | Yes
region.signin.aws                    | To sign in to the AWS console if the account uses QuickSight native users for identity management. | No
*.cloudfront.net                     | To download static assets, for example CSS or JS.                                   | No
*.s3.region.amazonaws.com            | To download reports and thumbnails.                                                 | Yes
*.execute-api.region.amazonaws.com   | To access client-side metrics.                                                      | No
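As an added example, not part of the AWS documentation, the table above as a Python lookup that classifies the hostnames in a web-proxy log into those reachable through an interface endpoint, those that still need internet egress even with endpoint restrictions turned on, and those that are not QuickSight domains at all. The log format (URL as the last whitespace-separated field) and the log lines are constructed.

```python
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# The domains the page lists as accessed by the browser, with the page's
# answer to "Has VPC endpoint support?". "region" is substituted at lookup.
QUICKSIGHT_DOMAINS = [
    ("region.quicksight.aws.amazon.com", "QuickSight website", True),
    ("signin.aws.amazon.com", "AWS console sign-in (IAM identities)", True),
    ("region.signin.aws", "sign-in (QuickSight native users)", False),
    ("*.cloudfront.net", "static assets (CSS, JS)", False),
    ("*.s3.region.amazonaws.com", "reports and thumbnails", True),
    ("*.execute-api.region.amazonaws.com", "client-side metrics", False),
]

def domain_table(region):
    """The table above with the literal 'region' replaced by a real region."""
    return [(p.replace("region", region), why, ep) for p, why, ep in QUICKSIGHT_DOMAINS]

def classify_host(host, region):
    """Return (pattern, reason, has_endpoint) for a host the browser reached,
    or None if it is not one of the domains QuickSight needs."""
    host = host.lower().rstrip(".")
    for pattern, reason, has_endpoint in domain_table(region):
        if fnmatchcase(host, pattern):  # '*' covers any subdomain label(s)
            return pattern, reason, has_endpoint
    return None

def audit_proxy_log(lines, region):
    """Split proxy-log hostnames into three sets: reachable via an interface
    endpoint, still needing internet egress, and not a QuickSight domain."""
    report = {"via_endpoint": set(), "internet_egress": set(), "unexpected": set()}
    for line in lines:
        host = urlsplit(line.split()[-1]).hostname  # constructed format: URL last
        if not host:
            continue
        match = classify_host(host, region)
        if match is None:
            report["unexpected"].add(host)
        elif match[2]:
            report["via_endpoint"].add(host)
        else:
            report["internet_egress"].add(host)
    return report

# Constructed proxy-log lines: client IP, method, URL.
SAMPLE_LOG = [
    "10.0.1.5 GET https://us-east-1.quicksight.aws.amazon.com/sn/start",
    "10.0.1.5 GET https://d1abcxyz.cloudfront.net/app.js",
    "10.0.1.5 GET https://qs-reports-bucket.s3.us-east-1.amazonaws.com/report.pdf",
    "10.0.1.5 POST https://abc123.execute-api.us-east-1.amazonaws.com/prod/metrics",
    "10.0.1.5 GET https://example.com/tracker.js",
]
```

The "internet_egress" set is what a proxy or egress firewall must still allow after the website is locked to the endpoint; anything in "unexpected" deserves a look, since it is not a domain QuickSight needs.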