Enabling an AWS PrivateLink between ThoughtSpot Cloud and your Databricks data warehouse

Learn how to deploy an AWS PrivateLink between your Databricks data warehouse and the ThoughtSpot Cloud tenant.

AWS PrivateLink is only available to Enterprise Edition users.

Your data’s security is important. ThoughtSpot encrypts all your data by default. For an additional layer of security and network reliability, you can use an AWS PrivateLink. This option is currently available for your Amazon Aurora MySQL, Amazon Aurora PostgreSQL, Amazon RDS MySQL, Amazon RDS PostgreSQL, Amazon Redshift, Databricks, Denodo, Dremio, Oracle, PostgreSQL, SAP HANA, Snowflake, SQL Server, Starburst, or Teradata data warehouse connections.

ThoughtSpot supports a maximum of five PrivateLinks in your environment, in any combination of supported cloud data warehouses. For example, you could have a PrivateLink for Denodo, one for Databricks, and one for Starburst in the same environment.

This article details how to enable a PrivateLink for Databricks; to enable it for other data warehouses, refer to:

You can enable a maximum of five PrivateLinks in your environment.

To deploy an AWS PrivateLink, you must work with ThoughtSpot Support and follow the procedure in this article.

Prerequisites

  • You must have a Databricks Enterprise account.

  • The ThoughtSpot cluster must be in the same AWS region as your Databricks account.

  • You must have Databricks Account Admin credentials.

    The Databricks Account Admin is different from the Workspace Admin. The Account Admin is able to sign in to https://accounts.cloud.databricks.com/.

  • You must obtain the VPC Endpoint ID from ThoughtSpot Support. This is required before you can complete Step 1: Register the VPC Endpoint.

To deploy an AWS PrivateLink between your Databricks data warehouse and the ThoughtSpot Cloud tenant, follow these steps.

Step 1: Register the VPC Endpoint with the Databricks Account API

After completing the prerequisites, you must register the VPC Endpoint. Follow these steps:

  1. Obtain the VPC Endpoint ID from ThoughtSpot Support, if you did not do so in the prerequisites.

  2. Complete Step 3: Register your VPC endpoint IDs with the Account API in the Databricks AWS PrivateLink documentation. You need the VPC Endpoint ID from ThoughtSpot Support to complete this step.
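The following is an added example, not taken from the ThoughtSpot or Databricks documentation. It checks the values gathered in the prerequisites (VPC Endpoint ID shape, matching AWS regions, account ID) and builds, without sending, the Account API request that registers the endpoint. The bearer-token authentication, the endpoint name, and all sample values are assumptions.

```python
import json
import re
import urllib.request
import uuid

ACCOUNTS_HOST = "https://accounts.cloud.databricks.com"  # account console host from the prerequisites
VPCE_ID = re.compile(r"^vpce-(?:[0-9a-f]{8}|[0-9a-f]{17})$")  # AWS VPC endpoint ID shape
REGION = re.compile(r"^[a-z]{2}(?:-[a-z]+)+-\d$")  # e.g. us-west-2


def build_registration(account_id, vpce_id, thoughtspot_region, databricks_region, name, token):
    """Validate the inputs and return an unsent Request that registers the VPC endpoint."""
    # Databricks account IDs are UUIDs; normalising also keeps stray path characters out of the URL.
    account = str(uuid.UUID(account_id))
    if not VPCE_ID.match(vpce_id):
        raise ValueError(f"not a VPC endpoint ID: {vpce_id!r}")
    for region in (thoughtspot_region, databricks_region):
        if not REGION.match(region):
            raise ValueError(f"not an AWS region name: {region!r}")
    # Prerequisite: the ThoughtSpot cluster and the Databricks account share one AWS region.
    if thoughtspot_region != databricks_region:
        raise ValueError("ThoughtSpot cluster and Databricks account are in different AWS regions")
    body = {
        "vpc_endpoint_name": name,  # display name, chosen by you (assumption)
        "aws_vpc_endpoint_id": vpce_id,  # the ID supplied by ThoughtSpot Support
        "region": databricks_region,
    }
    return urllib.request.Request(
        f"{ACCOUNTS_HOST}/api/2.0/accounts/{account}/vpc-endpoints",
        data=json.dumps(body).encode("utf-8"),
        method="POST",
        # Assumption: an account-level OAuth bearer token; use whatever auth your account requires.
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
    )


if __name__ == "__main__":
    # Constructed sample values, not real identifiers.
    req = build_registration(
        "11111111-2222-3333-4444-555555555555", "vpce-0123456789abcdef0",
        "us-west-2", "us-west-2", "thoughtspot-privatelink", "EXAMPLE_TOKEN",
    )
    print(req.get_method(), req.full_url)
    print(req.data.decode("utf-8"))
    # To send it as an Account Admin: urllib.request.urlopen(req)
```

A region mismatch or a malformed endpoint ID raises `ValueError` before any request exists, so a copy-paste error in the ID from Support is caught locally rather than as an API failure.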

Step 4: Create or update the Databricks workspace

  1. Complete Step 7: Create or update a workspace with PrivateLink configurations using the Account API in the Databricks AWS PrivateLink documentation.

  2. Make a note of your Databricks Workspace URL. You must send it to ThoughtSpot Support in the next step. This URL is in the format https://xxx.cloud.databricks.com/.

Step 5: Contact ThoughtSpot Support

After you complete steps 1-4 in this document, contact ThoughtSpot Support. They must finish the PrivateLink configuration.

Make sure you send ThoughtSpot Support your Databricks Workspace URL. This URL is in the format https://xxx.cloud.databricks.com/.

After ThoughtSpot Support finishes the configuration, they will contact you, and you can move on to Step 6: Configure Connections.

Step 6: Configure Connections

Create a Databricks connection. Note that Databricks connections use the same host name whether or not they are created through PrivateLink. When PrivateLink is configured, ThoughtSpot switches its internal DNS resolution for the host name to point to the PrivateLink endpoint IP. For example, if your Databricks account is https://myaccount.cloud.databricks.com, you would use the same name when configuring a connection that uses PrivateLink.