Enabling an AWS PrivateLink between ThoughtSpot Cloud and your Starburst data warehouse

Learn how to deploy an AWS PrivateLink between your Starburst data warehouse and the ThoughtSpot Cloud tenant.

Your data’s security is important. ThoughtSpot encrypts all your data by default. For an additional layer of security and network reliability, you can use an AWS PrivateLink. This option is currently available for your Amazon Redshift, Databricks, Dremio, Oracle, SAP HANA, Snowflake, Starburst, or Teradata data warehouse connections.

This article details how to enable a PrivateLink for Starburst; to enable it for other data warehouses, refer to:

You can only enable one PrivateLink for each cluster.

To deploy an AWS PrivateLink, you must work with ThoughtSpot Support and follow the procedure in this article.

Prerequisites

  • The Starburst data warehouse is running inside your AWS account.

  • The ThoughtSpot cluster must be in the same AWS region as your Starburst account.

  • You must obtain the ThoughtSpot AWS Account Amazon Resource Name (ARN) from ThoughtSpot Support. You may need a separate ARN for staging or dev environments. This is required for step 7 of Configure the Endpoint Service. For example: arn:aws:iam::999999999999:root

Enable an AWS PrivateLink for Starburst

To deploy an AWS PrivateLink between your Starburst data warehouse and the ThoughtSpot Cloud tenant, follow these steps.

  1. Configure the VPC Endpoint Service in your AWS Console

  2. Exchange AWS and ThoughtSpot information with ThoughtSpot Support

  3. Accept the PrivateLink Request

  4. Configure Connections

Configure the Endpoint Service in your AWS Console

After completing the prerequisites, you must configure the Endpoint Service.

  1. Log into the AWS Console.

  2. Create a Network Load Balancer (NLB) routing TCP traffic to your Starburst database.

  3. Note the number of the port you used to route the TCP traffic. You must provide ThoughtSpot Support with this information later.

  4. Navigate to AWS VPC Console  Endpoint Services  Create Endpoint Service.

  5. Select the NLB you created in step 2.

  6. Optionally, you can select Require Acceptance for Endpoint.

  7. Select Endpoint Service  Whitelist principles  Add principles to whitelist. Add the ThoughtSpot AWS Account Amazon Resource Name (ARN) that you obtained from ThoughtSpot Support in the prerequisites. You may need a separate ARN for staging or dev environments.

  8. Select Endpoint Service.

  9. Write down the values for:

    • Service name: for example, com.amazonaws.vpce.us-west-2.vpce-svc-0123456789abcdef

    • Port number: for example, 5439

    • Availability zones and availability zone IDs: for example, us-west-2a (usw2-az1)

      You must provide the service name, port number, availability zones, and availability zone IDs to ThoughtSpot Support.

Exchange AWS and ThoughtSpot information with ThoughtSpot Support

  1. Send the Service name, Port number, Availability zones, and Availability zone IDs you gathered in step 9 of Configure the Endpoint Service in your AWS Console to ThoughtSpot Support.

  2. After ThoughtSpot Support configures the AWS PrivateLink in ThoughtSpot, ask them to send you the PrivateLink Endpoint DNS name.

Accept the PrivateLink Request

  1. Navigate to VPC  Endpoint Services.

  2. Select the Endpoint Service you created in Configure the Endpoint Service in your AWS Console.

  3. Select Endpoint Connections.

  4. Select the connection from the ThoughtSpot AWS Account. Its status should be Pending Acceptance.

  5. Select Actions  Accept endpoint connection request.

Configure Connections

Configure Connections for Starburst, using the PrivateLink Endpoint DNS name from ThoughtSpot Support for the Host field. For example, vpce-12345a9c7e43959d-xxo2u2xx.vpce-svc-037b1f73d3de3a5b4.us-west-2.vpce.amazonaws.com.