Allowing Restricted IP Access to Redshift from dbt Cloud

To use dbt Cloud’s multi-tenant SaaS service with your Amazon Redshift database, the service will need access to your cluster. One way to achieve this is through firewall rules that allow traffic from dbt Cloud’s multi-tenant published IPs (52.45.144.63, 54.81.134.249, 52.22.161.231).

How?

1. Ensure that your cluster isn’t already publicly accessible to the internet

I used netcat to run this command:

$ nc -vz [your redshift endpoint].redshift.amazonaws.com 5439

The result was Operation timed out - in other words, I can’t access the server from my machine.

2. Turn on Public IP Addressing

From the AWS Console navigate to Amazon Redshift > Clusters > Your Cluster

Choose to Enable on an Elastic IP address.

Note: at this stage your cluster is available to the open internet. Confirm this by running the netcat command again and noting that it doesn’t fail.

3. Edit the VPC Security Group

Under Cluster Properties find the Network and Security Settings section and follow the link to the VPC security group

Find the Inbound Rules and Edit them

Add three new inbound rules of type Redshift with the IP addresses from this page; the format is IP ADDRESS/32.

Save the rules, then test again from your local network with netcat. The cluster should once again be unavailable to your IP, but available to connect via dbt Cloud!

Note: The “All Traffic” rule can continue to allow all traffic; the Redshift rules will supersede for Redshift traffic.
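
An added example (not from the original post): a Python check over the `IpPermissions` list that `aws ec2 describe-security-groups` returns for the cluster's security group, confirming that the three dbt Cloud addresses are allowed on port 5439 and listing every other source that can reach that port. Security group rules are allow-only and combine as a union, so an all-traffic rule shows up in that list as well; the sample rules and the function names are constructed for illustration.

```python
import ipaddress

# dbt Cloud multi-tenant IPs as published on this page, in /32 form
DBT_CLOUD_CIDRS = {"52.45.144.63/32", "54.81.134.249/32", "52.22.161.231/32"}
REDSHIFT_PORT = 5439

def covers_port(perm, port=REDSHIFT_PORT):
    """True if one IpPermissions entry applies to TCP traffic on `port`."""
    proto = perm.get("IpProtocol")
    if proto == "-1":                      # "All traffic": every protocol and port
        return True
    if proto not in ("tcp", "6"):          # name or protocol number for TCP
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)

def audit(ip_permissions):
    """Return (dbt Cloud CIDRs not yet allowed, other sources reaching the port)."""
    allowed, other_sources = set(), []
    for perm in ip_permissions:
        if not covers_port(perm):
            continue                       # rule does not touch Redshift traffic
        for rng in perm.get("IpRanges", []):
            cidr = str(ipaddress.ip_network(rng["CidrIp"], strict=False))
            if cidr in DBT_CLOUD_CIDRS:
                allowed.add(cidr)
            else:
                other_sources.append(cidr)
        # IPv6 ranges, referenced security groups and prefix lists are sources too
        other_sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        other_sources += [g["GroupId"] for g in perm.get("UserIdGroupPairs", [])]
        other_sources += [p["PrefixListId"] for p in perm.get("PrefixListIds", [])]
    return sorted(DBT_CLOUD_CIDRS - allowed), other_sources

# Constructed sample: two of the three Redshift rules, an all-traffic rule,
# and an unrelated SSH rule that should be ignored.
SAMPLE = [
    {"IpProtocol": "tcp", "FromPort": 5439, "ToPort": 5439,
     "IpRanges": [{"CidrIp": "52.45.144.63/32"}, {"CidrIp": "54.81.134.249/32"}]},
    {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "203.0.113.7/32"}]},
]

if __name__ == "__main__":
    missing, other = audit(SAMPLE)
    print("dbt Cloud IPs still missing:", missing)
    print("other sources that reach port 5439:", other)
```

An empty second list means only the dbt Cloud addresses can reach the Redshift port through this security group.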

What if IP Restrictions Aren’t Enough for My Company?

  • Use an SSH Tunnel Instead
  • Use a Single-Tenant dbt Cloud instance instead with VPC Peering/Private Link (Enterprise Plan Only)