Enabling an AWS PrivateLink between ThoughtSpot Cloud and your Starburst data warehouse

Learn how to deploy an AWS PrivateLink between your Starburst data warehouse and the ThoughtSpot Cloud tenant.

AWS PrivateLink is only available to Enterprise Edition users.

Your data’s security is important. ThoughtSpot encrypts all your data by default. For an additional layer of security and network reliability, you can use an AWS PrivateLink. This option is currently available for your Amazon Aurora MySQL, Amazon Aurora PostgreSQL, Amazon RDS MySQL, Amazon RDS PostgreSQL, Amazon Redshift, Databricks, Denodo, Dremio, Oracle, PostgreSQL, SAP HANA, Snowflake, SQL Server, Starburst, or Teradata data warehouse connections.

ThoughtSpot supports a maximum of five PrivateLinks in your environment, in any combination of supported cloud data warehouses. For example, you could have a PrivateLink for Denodo, one for Databricks, and one for Starburst in the same environment.

This article details how to enable a PrivateLink for Starburst; to enable it for other data warehouses, refer to:

You can enable a maximum of five PrivateLinks in your environment.

To deploy an AWS PrivateLink, you must work with ThoughtSpot Support and follow the procedure in this article.

Prerequisites

  • The Starburst data warehouse is running inside your AWS account.

  • The ThoughtSpot cluster must be in the same AWS region as your Starburst account.

  • You must obtain the ThoughtSpot AWS Account Amazon Resource Name (ARN) from ThoughtSpot Support. This is required for step 7 of Configure the Endpoint Service. For example: arn:aws:iam::999999999999:root

To deploy an AWS PrivateLink between your Starburst data warehouse and the ThoughtSpot Cloud tenant, follow these steps.

Configure the Endpoint Service in your AWS Console

After completing the prerequisites, you must configure the Endpoint Service.

  1. Sign in to the AWS Console.

  2. Create a Network Load Balancer (NLB) routing TCP traffic to your Starburst database.

  3. Note the number of the port you used to route the TCP traffic. You must provide ThoughtSpot Support with this information later.

  4. Navigate to AWS VPC Console  Endpoint Services  Create Endpoint Service.

  5. Select the NLB you created in step 2.

  6. Optionally, you can select Require Acceptance for Endpoint.

  7. Select Endpoint Service  Whitelist principles  Add principles to whitelist. Add the ThoughtSpot AWS Account Amazon Resource Name (ARN) that you obtained from ThoughtSpot Support in the prerequisites.

  8. Select Endpoint Service.

  9. Write down the values for:

    • Service name: for example, com.amazonaws.vpce.us-west-2.vpce-svc-0123456789abcdef

    • Port number: for example, 5439

    • Availability zones and availability zone IDs: for example, us-west-2a (usw2-az1)

      You must provide the service name, port number, availability zones, and availability zone IDs to ThoughtSpot Support.

Exchange AWS and ThoughtSpot information with ThoughtSpot Support

  1. Send the Service name, Port number, Availability zones, and Availability zone IDs you gathered in step 9 of Configure the Endpoint Service in your AWS Console to ThoughtSpot Support.

  2. After ThoughtSpot Support configures the AWS PrivateLink in ThoughtSpot, ask them to send you the PrivateLink Endpoint DNS name.

Accept the PrivateLink Request

  1. Navigate to VPC  Endpoint Services.

  2. Select the Endpoint Service you created in Configure the Endpoint Service in your AWS Console.

  3. Select Endpoint Connections.

  4. Select the connection from the ThoughtSpot AWS Account. Its status should be Pending Acceptance.

  5. Select Actions  Accept endpoint connection request.

Configure Connections

Configure Connections for Starburst, using the PrivateLink Endpoint DNS name from ThoughtSpot Support for the Host field. For example, vpce-12345a9c7e43959d-xxo2u2xx.vpce-svc-037b1f73d3de3a5b4.us-west-2.vpce.amazonaws.com.