To use dbt Cloud’s multi-tenant SaaS service with your Amazon Redshift database, the service will need access to your cluster. One way to achieve this is through firewall rules that allow traffic from dbt Cloud’s published multi-tenant IPs (52.45.144.63, 54.81.134.249, 52.22.161.231).
How?
1. Ensure that your cluster isn’t already publicly accessible to the internet
I used netcat to run this command:
$ nc -vz [your redshift endpoint].redshift.amazonaws.com 5439
The result was "Operation timed out"; in other words, I can’t access the server from my machine.
2. Turn on Public IP Addressing
From the AWS Console navigate to Amazon Redshift > Clusters > Your Cluster
Choose to Enable on an Elastic IP address.
Note: at this stage your cluster is available to the open internet. Confirm this by running the netcat command again and noting that it doesn’t fail.
3. Edit the VPC Security Group
Under Cluster Properties find the Network and Security Settings section and follow the link to the VPC security group
Find the Inbound Rules and Edit them
Add three new inbound rules of type Redshift with the IP addresses from this page; the format is IP ADDRESS/32.
Save the rules, then test again from your local network with netcat. The cluster should once again be unavailable to your IP, but available to connect via dbt Cloud!
Note: The “All Traffic” rule can continue to allow all traffic; the Redshift rules will supersede for Redshift traffic.
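To check step 3 from the rules themselves rather than only with netcat, the added example below (not part of the original post) audits a saved copy of `aws ec2 describe-security-groups` output. Security group rules are allow-only and a connection is admitted if any rule matches, so it inspects every inbound rule that covers port 5439, All Traffic rules included. The group ID `sg-EXAMPLE`, the sample JSON and the function names are constructed for illustration.

```python
import ipaddress
import json

# The three dbt Cloud multi-tenant IPs listed on this page, as /32 rules.
DBT_CLOUD_IPS = {"52.45.144.63/32", "54.81.134.249/32", "52.22.161.231/32"}
REDSHIFT_PORT = 5439

# Constructed sample shaped like `aws ec2 describe-security-groups` output;
# sg-EXAMPLE is a placeholder and the 5000-6000 rule is a planted mistake.
SAMPLE = json.loads("""
{"SecurityGroups": [{"GroupId": "sg-EXAMPLE", "IpPermissions": [
  {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [],
   "UserIdGroupPairs": [{"GroupId": "sg-EXAMPLE"}]},
  {"IpProtocol": "tcp", "FromPort": 5439, "ToPort": 5439, "Ipv6Ranges": [],
   "IpRanges": [{"CidrIp": "52.45.144.63/32"}, {"CidrIp": "54.81.134.249/32"},
                {"CidrIp": "52.22.161.231/32"}]},
  {"IpProtocol": "tcp", "FromPort": 5000, "ToPort": 6000, "Ipv6Ranges": [],
   "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}
]}]}
""")


def covers_redshift(perm):
    """True if the rule admits TCP 5439; protocol "-1" is an All Traffic rule."""
    if perm["IpProtocol"] == "-1":
        return True
    return (perm["IpProtocol"] == "tcp"
            and perm["FromPort"] <= REDSHIFT_PORT <= perm["ToPort"])


def audit(groups):
    """Return (unexpected CIDR sources reaching 5439, dbt Cloud IPs not allowed)."""
    unexpected, seen = [], set()
    for sg in groups["SecurityGroups"]:
        for perm in filter(covers_redshift, sg.get("IpPermissions", [])):
            # Only CIDR sources are checked; group and prefix-list sources are skipped.
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                net = str(ipaddress.ip_network(cidr, strict=False))
                if net in DBT_CLOUD_IPS:
                    seen.add(net)
                else:
                    unexpected.append((sg["GroupId"], cidr))
    return unexpected, sorted(DBT_CLOUD_IPS - seen)


if __name__ == "__main__":
    print(audit(SAMPLE))  # ([('sg-EXAMPLE', '0.0.0.0/0')], [])
```

To run it on real data, replace `SAMPLE` with the parsed output of `aws ec2 describe-security-groups --group-ids` for your cluster's group. Two empty lists mean the only CIDR sources that reach the Redshift port are the three dbt Cloud addresses.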
What if IP Restrictions Aren’t Enough for My Company?
- Use an SSH Tunnel Instead
- Use a Single-Tenant dbt Cloud instance instead with VPC Peering/Private Link (Enterprise Plan Only)