AWS PrivateLink Connections

If your Sigma organization runs on AWS, you can securely connect to your data using AWS PrivateLink. AWS PrivateLink is a security feature available to AWS users. It lets you create connections between AWS Virtual Private Clouds (VPCs) without sending traffic over the public internet.

Visit Amazon’s resources to learn more about the security advantages and internals of PrivateLink.

Summary of Content

Requirements
Connecting to your Data with PrivateLink
    PrivateLink Connection Methods
    Connect to PrivateLink with Snowflake’s PrivateLink Integration
    Connect to PrivateLink using your own VPC
Frequently Asked Questions
Related Resources

Requirements

  • A Sigma organization running on AWS.
  • Admin privileges in your Sigma organization. Learn about user account types.
  • An Amazon VPC-deployed Snowflake (self-managed or VPS), Redshift or Postgres data warehouse, or custom proxy server in any United States AWS region. Please note: This feature does not support BigQuery warehouses or self-managed warehouses running on Azure, GCP, or VMware clouds.

Connecting to your Data with PrivateLink

PrivateLink Connection Methods

The process you follow to connect your data to Sigma with PrivateLink is determined by your warehouse connection. 

If you are a Snowflake customer and are not using VPS or a proxy server, you can connect to PrivateLink using Snowflake’s PrivateLink integration. Please follow the instructions under Connect to PrivateLink with Snowflake’s PrivateLink Integration.

If you manage your own Redshift or Postgres warehouse, use Snowflake’s VPS, or connect to your warehouse using a proxy server (e.g., SecuPi), please follow the instructions under Connect to PrivateLink using your own VPC.

Connect to PrivateLink with Snowflake’s PrivateLink Integration

How does it work?

When this feature is configured, Sigma will create a secure connection over PrivateLink directly to the Snowflake Virtual Private Cloud (VPC) that is housing your data. Once this secure tunnel exists, you may add and/or update your associated connections in your Sigma Admin Portal. Traffic between Sigma and your Snowflake warehouse will travel exclusively on the AWS backbone.

You do not need an Amazon account or VPC of your own; only the warehouse managed by Snowflake must reside in an AWS VPC.

Eligibility

  • Snowflake requires a minimum of a Business Critical account for PrivateLink support.
    Please note: If your Snowflake account uses VPS or you connect Sigma to Snowflake with a proxy server, you will need to use your own VPC Endpoint Service.
  • Please confirm your Sigma organization’s PrivateLink eligibility with your Sigma Account Executive.

Set up PrivateLink for your Snowflake Connection

  1. Contact Snowflake to request access to your data over PrivateLink. You will need to provide them with Sigma’s AWS PrivateLink account number: 1854-9775-9670. 
  2. Snowflake will then provide you with a VPC Endpoint Service name. This may take one or two business days.
  3. Once you have received your VPC Endpoint Service name from Snowflake, please contact your Sigma Account Executive to install your PrivateLink connection with Sigma. 
  4. Installation may take up to a few days. You will be contacted once installation is complete; however, please don't hesitate to contact your Account Executive if you have any questions.
  5. After installation is complete, you will need to include PrivateLink in your connection(s) Account field in Sigma. Existing connections will continue to work, but will not use PrivateLink until this step has been completed.
    If you are updating an existing Snowflake connection, visit the connection page in your organization’s Admin Portal, and set the Host field to ‘<your-account-name>.<aws-region>.privatelink’.
    Creating a new connection? Follow these instructions, setting the Account to ‘<your-account-name>.<aws-region>.privatelink’.

Connect to PrivateLink using your own VPC

How does it work?

When this feature is configured, Sigma will create a secure connection over PrivateLink directly to the Virtual Private Cloud (VPC) that you have deployed to house your data warehouse. Once this secure tunnel exists, you may add and/or update your associated connections in your Sigma Admin Portal. Traffic between Sigma and your warehouse will travel exclusively on the AWS backbone between your VPC and Sigma’s.

Eligibility

  • You will need an AWS account with a warehouse instance or some other addressable service that houses your data warehouse. 
  • Please also confirm your Sigma organization’s PrivateLink eligibility with your Sigma Account Executive.

Setting up PrivateLink for your Connection

  1. Create a VPC Endpoint Service using the Amazon VPC console or the command line. Learn how.
  2. Authorize Sigma to connect to the VPC Endpoint Service. Learn how.
    In this step, you will need to provide Sigma’s Amazon Resource Name (ARN). The ARN for our AWS account principal is ‘arn:aws:iam::185497759670:root’.
  3. Please contact your Sigma Account Executive to install your PrivateLink connection. They will need the VPC Endpoint Service name of your new service.
  4. Installation may take up to a few days. You will be contacted once installation is complete and provided a host name for your connection (step 6). Please don't hesitate to contact your Account Executive if you have any questions during this waiting period.
  5. If your VPC Endpoint Service requires acceptance of new connections, you will now need to accept Sigma’s new endpoint connection.
  6. After installation is complete, you will need to include PrivateLink in your connection(s) Host field in Sigma. Existing connections will continue to work, but will not use PrivateLink until this step has been completed.
    If you are updating an existing connection, visit the connection page in your organization’s Admin Portal, and set the Host field to the host name provided to you by Sigma.
    Creating a new connection? Follow these instructions, setting the Host field to the host name provided to you by Sigma.
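
A check you can run after steps 2 and 5, added here as an example and not part of Sigma's or AWS's own tooling: it reads the JSON printed by the AWS CLI commands `aws ec2 describe-vpc-endpoint-service-configurations`, `aws ec2 describe-vpc-endpoint-service-permissions` and `aws ec2 describe-vpc-endpoint-connections`, and reports any allowed principal or attached endpoint that is not Sigma's. The function name, the sample data and the placeholder IDs are assumptions; only Sigma's ARN and account number come from this page.

```python
import json

# Sigma's account principal and account ID, as given in step 2 of this page.
SIGMA_PRINCIPAL = "arn:aws:iam::185497759670:root"
SIGMA_ACCOUNT_ID = "185497759670"
LIVE_STATES = {"pendingAcceptance", "pending", "available"}

def audit_endpoint_service(config, permissions, connections):
    """Return (findings, to_accept) for one VPC Endpoint Service.

    config is one element of "ServiceConfigurations"; the other two arguments
    are the full CLI responses for the same service ID.
    """
    findings, to_accept = [], []
    if not config.get("AcceptanceRequired"):
        findings.append("advisory: AcceptanceRequired is false; new endpoints attach without review")
    allowed = [p["Principal"] for p in permissions.get("AllowedPrincipals", [])]
    if SIGMA_PRINCIPAL not in allowed:
        findings.append("missing: Sigma's principal is not allowed (step 2 not done)")
    for principal in allowed:
        if principal == "*":
            findings.append("wildcard: any AWS principal may create an endpoint")
        elif principal != SIGMA_PRINCIPAL:
            findings.append(f"unexpected principal: {principal}")
    for conn in connections.get("VpcEndpointConnections", []):
        owner, state = conn.get("VpcEndpointOwner"), conn.get("VpcEndpointState")
        if state not in LIVE_STATES:
            continue  # rejected, deleted, failed or expired endpoints carry no traffic
        if owner != SIGMA_ACCOUNT_ID:
            findings.append(f"foreign endpoint: {conn['VpcEndpointId']} owned by {owner} ({state})")
        elif state == "pendingAcceptance":
            to_accept.append(conn["VpcEndpointId"])  # step 5: accept this one
    return findings, to_accept

# Constructed sample data in the shape the AWS CLI returns; all IDs are placeholders.
SAMPLE_CONFIG = json.loads('{"ServiceId": "vpce-svc-EXAMPLE", "AcceptanceRequired": true}')
SAMPLE_PERMISSIONS = json.loads("""{"AllowedPrincipals": [
  {"PrincipalType": "Account", "Principal": "arn:aws:iam::185497759670:root"},
  {"PrincipalType": "Account", "Principal": "arn:aws:iam::111122223333:root"}]}""")
SAMPLE_CONNECTIONS = json.loads("""{"VpcEndpointConnections": [
  {"VpcEndpointId": "vpce-EXAMPLE1", "VpcEndpointOwner": "185497759670",
   "VpcEndpointState": "pendingAcceptance"},
  {"VpcEndpointId": "vpce-EXAMPLE2", "VpcEndpointOwner": "111122223333",
   "VpcEndpointState": "available"}]}""")

if __name__ == "__main__":
    findings, to_accept = audit_endpoint_service(
        SAMPLE_CONFIG, SAMPLE_PERMISSIONS, SAMPLE_CONNECTIONS)
    for line in findings:
        print("FINDING", line)
    print("accept:", to_accept)
```

An empty findings list means only Sigma's principal is allowed and only Sigma-owned endpoints are attached; the second return value lists the endpoint IDs still waiting for the acceptance described in step 5.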

Frequently Asked Questions

Does Sigma support PrivateLink for my warehouse’s AWS region?

We currently support PrivateLink for all Amazon US regions.

Do I need my own Virtual Private Cloud (VPC)?

This depends on your warehouse. If you are a Business Critical Snowflake customer, you may connect to PrivateLink using Snowflake’s PrivateLink integration and Sigma. However, you will need to set up your own VPC Endpoint Service if your data is stored in Redshift, Postgres or VPS, or if you are using a proxy server. Learn how.

Is my Sigma organization eligible for AWS PrivateLink? 

Please contact your Sigma Account Representative to confirm eligibility. 

Related Resources

Create a Connection