I had a lot of trouble trying to connect AWS QuickSight with an RDS instance following this guide: https://docs.aws.amazon.com/quicksight/latest/user/enabling-access-rds.html
So here is my own guide for the next person trying to get the security groups in place. I still recommend reading the AWS guide, as I will not explain some basics here.
What we want to achieve is connecting QuickSight to an RDS instance inside a VPC without giving the instance public access: QuickSight gets a network interface in your VPC, and the security groups on that interface and on the RDS instance decide what can flow between the two.
For this we need an IAM user (or role) with enough permissions to modify QuickSight, RDS and EC2 security groups.
The diagram shows what we want to achieve:
These are the steps (each rule is given as Type, Protocol, Port range, Source/Destination):
1. Create a security group SG-1 “quicksight-vpc” for the QuickSight network interface. It has to allow traffic from QuickSight to the RDS instance and the replies from the RDS instance back to QuickSight. Its rules reference SG-2, which does not exist yet, so SG-1 is set up in two steps (1 and 3); for now create it with the source/destination still unset:
- Inbound rules: All TCP, TCP, 0–65535, -
- Outbound rules: Custom TCP, TCP, your RDS port, -
2. Create SG-2 “Quicksight-access” to allow incoming traffic from SG-1 to your RDS instance:
- Inbound rules: Custom TCP, TCP, your RDS port, SG-1
- Outbound rules: All traffic, All, All, 0.0.0.0/0 (this is the default outbound rule of a new security group)
3. Modify SG-1 so that both directions reference SG-2. Inbound has to cover all TCP ports because the RDS instance answers from an ephemeral port and, unlike an ordinary security group, the one attached to the QuickSight network interface is not stateful (the AWS guide linked above explains this); outbound only needs the RDS port:
- Inbound rules: All TCP, TCP, 0–65535, SG-2
- Outbound rules: Custom TCP, TCP, your RDS port, SG-2
4. Add SG-2 to the security groups of your RDS instance.
5. In QuickSight, create a VPC connection using the ID of SG-1 and a subnet from the DB subnet group that your RDS instance uses.
6. Afterwards you can check in the EC2 console that a network interface was created with SG-1 attached, allowing the desired incoming and outgoing traffic.
7. Go to QuickSight > Data sources and use the new VPC connection to reach your RDS instance.
To connect further RDS instances to QuickSight we only need to add SG-2 to that instance's security groups. If the instance listens on a different port, that port also has to be added to the outbound rule of SG-1 and to the inbound rule of SG-2, otherwise the traffic is blocked on one of the two sides.
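The same seven steps as AWS CLI calls, as an added example that is not part of the original post. Everything in it is a placeholder or an assumption: the VPC, subnet, account and DB identifiers are made up, the IAM role in QS_ROLE_ARN is assumed to exist already (`aws quicksight create-vpc-connection` requires a role ARN), and because the CLI can create both groups empty before adding rules, the two console passes over SG-1 (steps 1 and 3) collapse into a single pass. The script only talks to AWS when started with the `apply` argument; the `sg_rule` helper renders the security-group-to-security-group rules the post describes.

```shell
#!/bin/sh
# Added example, not the original post's own steps: the console procedure above as AWS
# CLI calls. All identifiers below are placeholders; set the variables to your own
# values and run:  sh quicksight-rds-sg.sh apply
set -eu

VPC_ID="${VPC_ID:-vpc-0123456789abcdef0}"          # VPC holding the RDS instance (placeholder)
DB_ID="${DB_ID:-my-rds-instance}"                  # RDS DB instance identifier (placeholder)
RDS_PORT="${RDS_PORT:-5432}"                       # 5432 for PostgreSQL, 3306 for MySQL
SUBNET_ID="${SUBNET_ID:-subnet-0123456789abcdef0}" # a subnet from the instance's DB subnet group (placeholder)
ACCOUNT_ID="${ACCOUNT_ID:-123456789012}"           # placeholder account id
# Assumed to exist: a role QuickSight can assume for the VPC connection (required by the API).
QS_ROLE_ARN="${QS_ROLE_ARN:-arn:aws:iam::123456789012:role/quicksight-vpc-connection}"

# Render one IpPermissions entry whose source/destination is another security group.
# Usage: sg_rule <from_port> <to_port> <peer_security_group_id>
sg_rule() {
  printf '[{"IpProtocol":"tcp","FromPort":%s,"ToPort":%s,"UserIdGroupPairs":[{"GroupId":"%s"}]}]' "$1" "$2" "$3"
}

# Create a security group in VPC_ID and print its id.
create_sg() {
  aws ec2 create-security-group --group-name "$1" --description "$2" \
    --vpc-id "$VPC_ID" --query GroupId --output text
}

apply() {
  # Steps 1 and 2: create both groups first so that each can reference the other.
  SG1=$(create_sg quicksight-vpc "SG-1: attached to the QuickSight network interface")
  SG2=$(create_sg Quicksight-access "SG-2: attached to RDS, admits SG-1 on the DB port")

  # Step 2: SG-2 admits SG-1 on the DB port; its default allow-all outbound rule stays.
  aws ec2 authorize-security-group-ingress --group-id "$SG2" \
    --ip-permissions "$(sg_rule "$RDS_PORT" "$RDS_PORT" "$SG1")"

  # Step 3: SG-1 inbound all TCP from SG-2 (replies arrive from ephemeral ports and the
  # QuickSight group is not stateful); outbound only the DB port to SG-2. A new group
  # carries an allow-all egress rule, so that one is removed first.
  aws ec2 authorize-security-group-ingress --group-id "$SG1" \
    --ip-permissions "$(sg_rule 0 65535 "$SG2")"
  aws ec2 revoke-security-group-egress --group-id "$SG1" \
    --ip-permissions '[{"IpProtocol":"-1","IpRanges":[{"CidrIp":"0.0.0.0/0"}]}]'
  aws ec2 authorize-security-group-egress --group-id "$SG1" \
    --ip-permissions "$(sg_rule "$RDS_PORT" "$RDS_PORT" "$SG2")"

  # Step 4: attach SG-2 to the instance. modify-db-instance replaces the whole list,
  # so the groups that are already attached are read back and kept.
  EXISTING=$(aws rds describe-db-instances --db-instance-identifier "$DB_ID" \
    --query 'DBInstances[0].VpcSecurityGroups[].VpcSecurityGroupId' --output text)
  # EXISTING is a whitespace-separated list on purpose, hence unquoted.
  aws rds modify-db-instance --db-instance-identifier "$DB_ID" \
    --vpc-security-group-ids $EXISTING "$SG2" --apply-immediately

  # Step 5: the QuickSight VPC connection with SG-1 and a subnet the instance uses.
  aws quicksight create-vpc-connection --aws-account-id "$ACCOUNT_ID" \
    --vpc-connection-id rds-vpc --name rds-vpc \
    --subnet-ids "$SUBNET_ID" --security-group-ids "$SG1" --role-arn "$QS_ROLE_ARN"

  # Step 6: the network interface QuickSight created should now carry SG-1.
  aws ec2 describe-network-interfaces --filters "Name=group-id,Values=$SG1" \
    --query 'NetworkInterfaces[].{Id:NetworkInterfaceId,Status:Status,Subnet:SubnetId}' \
    --output table
  echo "SG-1=$SG1 SG-2=$SG2; step 7 (the data source) is done in the QuickSight console"
}

# Talk to AWS only when explicitly asked.
if [ "${1:-}" = "apply" ]; then apply; fi
```

To attach a second instance on another port, rerun only the `authorize-security-group-ingress` call for SG-2 and the `authorize-security-group-egress` call for SG-1 with the new port, then add SG-2 to that instance as in step 4.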
This way we connected QuickSight to our RDS instance without making the instance public. I still have to find out how to implement this in CDK.
I hope this helps you!
If you liked this post, please follow me. I would be very grateful ;)