
Configuring Amazon Redshift private link

info

Amazon Redshift private link is available to users on the Pro Plus plan.

Data Integration is a multi-tenant SaaS platform that offers secure and efficient connectivity to different AWS services, including Redshift, while keeping traffic within the AWS network, avoiding exposure to the public internet.

Since Redshift is an AWS resource, establish the connection within the AWS backbone to enhance security, maintain complete control over traffic, and achieve optimal network performance and cost efficiency.

Connect Data Integration to an AWS Redshift cluster in an external AWS account using the Redshift cluster endpoint through private link.

note

(Cross-AWS Account Connectivity Options) Different methods are available for connecting to a Redshift cluster. The table in the Database Connectivity Options document offers an overview of these methods, highlighting their advantages and disadvantages, Data Integration compatibility, and a brief description of each.

Configuring Redshift endpoint

AWS Redshift offers a built-in PrivateLink option, the recommended method for connecting to a Redshift cluster. This method ensures secure and private connectivity without exposing data to the internet.

Redshift endpoint requirements

Configuring a Redshift endpoint

Procedure

  1. Navigate to the Redshift Console and select the desired cluster.
  2. Scroll down to Grant Accounts and select Grant Access under the Properties tab.
  3. Provide the Data Integration AWS account ID and choose the option to grant access to all VPCs.
  4. Submit a support ticket to the Data Integration Support team, requesting them to create an endpoint on their side.

     This establishes a connection to your Redshift cluster.

  5. Receive the endpoint details from Data Integration and use them to configure your Data Integration connection.

An alternative and recommended approach is to provision a Redshift interface-type private link. This method exposes an endpoint service to the Redshift Cluster Network Interface (NI), which enables secure communication within the AWS network.

Network interface behavior in a multi-availability zones deployment

  • Primary and secondary availability zones:

      • A Network Interface (NI) is initially assigned to the primary Availability Zone(s). If a failover occurs and the cluster switches to a secondary Availability Zone, a new NI is created for that zone.

      • The original NI IP address remains functional, and the new NI IP address can be added to the Target group.

      • Update the Network Load Balancer (NLB) to incorporate the corresponding Availability Zones.

  • Persistent network interfaces:

      • Once created, the Network Interfaces remain the same in each Availability Zone, even after failovers. AWS does not officially document this behavior, though it has been observed in testing.

Procedure

  1. Navigate to the AWS Redshift console and select the desired Redshift cluster.
  2. Use the IP addresses from the Redshift cluster’s Network Interfaces under Properties. While IP addresses listed in the Node IP addresses section will work, they might change.
  3. Follow AWS Private Link best practices and refer to the Data Integration documentation on AWS private link to complete the process. Based on internal testing, provisioning a DNS update Lambda for Redshift is not required. AWS does not guarantee this behavior.
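
Because the network interface behavior described above is observed rather than documented, it is worth checking the NLB target group against the cluster's network interfaces after any failover. The following is an added example, not code from Data Integration or AWS: it assumes the dictionaries follow the output shapes of `aws redshift describe-clusters` and `aws elbv2 describe-target-health`, the function names are hypothetical, and every identifier and IP address in the sample data is constructed.

```python
# Added example: drift check between Redshift endpoint NIs and NLB targets.
# Dict shapes mirror `aws redshift describe-clusters` and
# `aws elbv2 describe-target-health`; every value below is constructed.

def ni_ips(cluster):
    """Return {private_ip: availability_zone} for the cluster's endpoint NIs."""
    found = {}
    for vpce in cluster["Endpoint"].get("VpcEndpoints", []):
        for ni in vpce.get("NetworkInterfaces", []):
            found[ni["PrivateIpAddress"]] = ni["AvailabilityZone"]
    return found

def target_drift(cluster, target_health, nlb_zones):
    """Compare NI IPs with the targets registered on the cluster port."""
    nis = ni_ips(cluster)
    port = cluster["Endpoint"]["Port"]
    node_ips = {n["PrivateIPAddress"] for n in cluster.get("ClusterNodes", [])}
    targets = {d["Target"]["Id"] for d in target_health
               if d["Target"]["Port"] == port}
    return {
        # NI exists (for example, created after a failover) but is not a target.
        "missing_targets": sorted(set(nis) - targets),
        # Targets that point at node IPs, which might change.
        "node_ip_targets": sorted((targets & node_ips) - set(nis)),
        # Targets that match neither an NI nor a node IP.
        "unknown_targets": sorted(targets - set(nis) - node_ips),
        # Zones that hold an NI but are not enabled on the NLB.
        "zones_not_on_nlb": sorted(set(nis.values()) - set(nlb_zones)),
    }

# Constructed sample: a second NI appeared in us-east-1b after a failover.
SAMPLE_CLUSTER = {
    "ClusterIdentifier": "example-cluster",
    "Endpoint": {"Port": 5439, "VpcEndpoints": [{"NetworkInterfaces": [
        {"PrivateIpAddress": "10.0.1.15", "AvailabilityZone": "us-east-1a"},
        {"PrivateIpAddress": "10.0.2.27", "AvailabilityZone": "us-east-1b"},
    ]}]},
    "ClusterNodes": [{"NodeRole": "LEADER", "PrivateIPAddress": "10.0.1.101"}],
}
SAMPLE_TARGETS = [
    {"Target": {"Id": "10.0.1.15", "Port": 5439}, "TargetHealth": {"State": "healthy"}},
    {"Target": {"Id": "10.0.1.101", "Port": 5439}, "TargetHealth": {"State": "healthy"}},
]

if __name__ == "__main__":
    report = target_drift(SAMPLE_CLUSTER, SAMPLE_TARGETS, ["us-east-1a"])
    for key, value in report.items():
        print(f"{key}: {value}")
```

Any non-empty list in the report means the target group or the NLB zone configuration no longer matches the cluster's network interfaces.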