Enabling an AWS PrivateLink between ThoughtSpot Cloud and your Starburst data warehouse
Learn how to deploy an AWS PrivateLink between your Starburst data warehouse and the ThoughtSpot Cloud tenant.
Your data’s security is important. ThoughtSpot encrypts all your data by default. For an additional layer of security and network reliability, you can use an AWS PrivateLink. This option is currently available for your Amazon Redshift, Databricks, Dremio, Oracle, SAP HANA, Snowflake, Starburst, or Teradata data warehouse connections.
This article details how to enable a PrivateLink for Starburst; to enable it for other data warehouses, refer to:
You can only enable one PrivateLink for each cluster.
To deploy an AWS PrivateLink, you must work with ThoughtSpot Support and follow the procedure in this article.
Prerequisites
- The Starburst data warehouse is running inside your AWS account.
- The ThoughtSpot cluster must be in the same AWS region as your Starburst account.
- You must obtain the ThoughtSpot AWS Account Amazon Resource Name (ARN) from ThoughtSpot Support. You may need a separate ARN for staging or dev environments. This is required for step 7 of Configure the Endpoint Service. For example:
  arn:aws:iam::999999999999:root
Enable an AWS PrivateLink for Starburst
To deploy an AWS PrivateLink between your Starburst data warehouse and the ThoughtSpot Cloud tenant, follow these steps.
Configure the Endpoint Service in your AWS Console
After completing the prerequisites, you must configure the Endpoint Service.
1. Log into the AWS Console.
2. Create a Network Load Balancer (NLB) routing TCP traffic to your Starburst database.
3. Note the number of the port you used to route the TCP traffic. You must provide ThoughtSpot Support with this information later.
4. Navigate to .
5. Select the NLB you created in step 2.
6. Optionally, you can select Require Acceptance for Endpoint.
7. Select . Add the ThoughtSpot AWS Account Amazon Resource Name (ARN) that you obtained from ThoughtSpot Support in the prerequisites. You may need a separate ARN for staging or dev environments.
8. Select Endpoint Service.
9. Write down the values for:
   - Service name: for example, com.amazonaws.vpce.us-west-2.vpce-svc-0123456789abcdef
   - Port number: for example, 5439
   - Availability zones and availability zone IDs: for example, us-west-2a (usw2-az1)

   You must provide the service name, port number, availability zones, and availability zone IDs to ThoughtSpot Support.
Exchange AWS and ThoughtSpot information with ThoughtSpot Support
1. Send the Service name, Port number, Availability zones, and Availability zone IDs you gathered in step 9 of Configure the Endpoint Service in your AWS Console to ThoughtSpot Support.
2. After ThoughtSpot Support configures the AWS PrivateLink in ThoughtSpot, ask them to send you the PrivateLink Endpoint DNS name.
Accept the PrivateLink Request
1. Navigate to .
2. Select the Endpoint Service you created in Configure the Endpoint Service in your AWS Console.
3. Select Endpoint Connections.
4. Select the connection from the ThoughtSpot AWS Account. Its status should be Pending Acceptance.
5. Select .
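The allow-list and acceptance steps above can be checked before you accept anything. The following is an added example, not ThoughtSpot or AWS code: it reviews dictionaries shaped like the responses of the EC2 describe-vpc-endpoint-service-configurations, describe-vpc-endpoint-service-permissions, and describe-vpc-endpoint-connections calls. The function name, endpoint IDs, and the second account are hypothetical, and the sample responses are constructed.

```python
"""Review a PrivateLink endpoint service before accepting a connection.
Inputs use the field names of the EC2 API responses; sample data is constructed.
"""

def review_endpoint_service(config, permissions, connections, expected_arn):
    """Return (findings, acceptable_endpoint_ids) for one endpoint service."""
    findings = []
    # arn:aws:iam::<account-id>:root -> index 4 is the account ID
    expected_account = expected_arn.split(":")[4]

    # Allow-list: only the ARN supplied by ThoughtSpot Support should appear.
    allowed = {p["Principal"] for p in permissions["AllowedPrincipals"]}
    if "*" in allowed:
        findings.append("allow-list contains '*': any AWS account may request a connection")
    for arn in sorted(allowed - {expected_arn, "*"}):
        findings.append(f"unexpected principal on allow-list: {arn}")
    if expected_arn not in allowed:
        findings.append("expected ThoughtSpot ARN is missing from the allow-list")

    # With acceptance off, requests from allowed principals are auto-accepted.
    if not config["AcceptanceRequired"]:
        findings.append("AcceptanceRequired is false: requests are auto-accepted")

    # Accept only pending requests owned by the expected account.
    acceptable = []
    for conn in connections["VpcEndpointConnections"]:
        if conn["VpcEndpointState"] != "pendingAcceptance":
            continue
        if conn["VpcEndpointOwner"] == expected_account:
            acceptable.append(conn["VpcEndpointId"])
        else:
            findings.append(f"pending request {conn['VpcEndpointId']} from "
                            f"unexpected account {conn['VpcEndpointOwner']}")
    return findings, acceptable

# Constructed sample responses (endpoint IDs and the second account are made up).
EXPECTED_ARN = "arn:aws:iam::999999999999:root"
CONFIG = {"ServiceId": "vpce-svc-0123456789abcdef", "AcceptanceRequired": True}
PERMISSIONS = {"AllowedPrincipals": [
    {"Principal": EXPECTED_ARN},
    {"Principal": "arn:aws:iam::111111111111:root"}]}
CONNECTIONS = {"VpcEndpointConnections": [
    {"VpcEndpointId": "vpce-0aaa", "VpcEndpointOwner": "999999999999",
     "VpcEndpointState": "pendingAcceptance"},
    {"VpcEndpointId": "vpce-0bbb", "VpcEndpointOwner": "111111111111",
     "VpcEndpointState": "pendingAcceptance"}]}

if __name__ == "__main__":
    print(review_endpoint_service(CONFIG, PERMISSIONS, CONNECTIONS, EXPECTED_ARN))
```

In live use, the three dictionaries would come from the corresponding boto3 EC2 client calls for your endpoint service ID.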
Configure Connections
Configure Connections for Starburst, using the PrivateLink Endpoint DNS name from ThoughtSpot Support for the Host field. For example: vpce-12345a9c7e43959d-xxo2u2xx.vpce-svc-037b1f73d3de3a5b4.us-west-2.vpce.amazonaws.com