Configure IPSec VPN for your cloud data connection

Learn how to configure secure access from ThoughtSpot Cloud to your data in your cloud data warehouse, through your IPSec VPN server.

You can make your data in your cloud data warehouse even more secure by connecting to your IPSec VPN server. This feature is also available for data in any of ThoughtSpot’s supported cloud data warehouses. To see a list of supported cloud data warehouses, see About connections in ThoughtSpot Cloud.

Your company may have a policy that prohibits exposing your cloud data to the internet. In this case, you can set up a VPN connection between your ThoughtSpot Cloud cluster and your data warehouse.

Prerequisites

You must complete the following prerequisites before you can set up the IPSec VPN connection.

  • Your cloud data warehouse must be available in a private network over IPSec VPN.

  • Your VPN gateway must support tunnel mode.

  • Your cloud data warehouse must have a static IP address inside your private network.

  • You must complete a network architecture review with the ThoughtSpot team. This review ensures that ThoughtSpot is compatible with your IPSec VPN provider.

  • Collect the information required in Provide information for the connection to the ThoughtSpot team.

Enable IPSec VPN

To enable IPSec VPN between your cloud data warehouse and the ThoughtSpot Cloud tenant, follow these steps.

Provide information for the connection to the ThoughtSpot team

You must provide the following information to your ThoughtSpot Support contact to allow them to set up your IPSec VPN connection:

  • Pre-shared secret key (PSK)

  • Remote public IP address: The public IP address of your VPN gateway.

  • Domain name, internal IP address and TCP port of the Data Warehouse

  • [Optional] NAT (Network Address Translation) IP: All TCP connections coming from ThoughtSpot into your network have this address as source IP address. This must not collide with any existing network resource. By default, if no value is specified, ThoughtSpot will allocate a Public IP address to avoid routing conflicts.

  • [Optional] BGP ASNs (Border Gateway Protocol Autonomous System Numbers) - remote and local: If you require dynamic routing, you must provide the ASN value for your BGP server.

  • [Optional] Two link-local IP addresses for the tunnel: one for the ThoughtSpot side and one for your side. They must include the subnet CIDR prefix.

Configure the VPN gateway

Before you can configure the VPN gateway, you must receive the Public IP from ThoughtSpot, after the team has completed their configuration. You need the Public IP to complete your configuration.

VPN gateway configuration varies greatly depending on your network architecture and your IPSec VPN provider. Configure the VPN gateway using the Public IP provided by ThoughtSpot. Refer to your IPSec VPN provider’s documentation for configuration assistance.

Exchange information with the ThoughtSpot team

  1. After you configure the VPN gateway, you must send ThoughtSpot Support the DNS name you configured.

  2. After ThoughtSpot verifies the VPN connection, the team will inform you that you can begin to configure the connection to your cloud data warehouse.

Configure Connections

Configure the connection to your cloud data warehouse. Refer to About connections in ThoughtSpot Cloud. Use the DNS name of the VPN connection as the domain name.

Advanced configuration

Provide any additional configuration requirements to ThoughtSpot Support.