Use AWS PrivateLink with GoodData Cloud

  • 6 March 2023
  • 1 reply

We are now able to set up AWS PrivateLink with GoodData Cloud. If you have an AWS account that runs an Amazon Redshift database, you can privately tunnel your data directly to your GoodData analytics.

If you want to set up AWS PrivateLink with GoodData, you need to first set up a VPC Endpoint Service on your AWS account. Once you do that, you will get a “service name” that you can provide to us, so that we can finalize setting up your instance of GoodData Cloud to use the private link.

This article describes how to set up the VPC Endpoint Service on your AWS account.

You need to do the following two steps:

  1. Reach out to GoodData support, letting us know you want to set up PrivateLink.
    We will provide you with your GoodData account ID. You will need this ID for when you are setting up your VPC endpoint.

  2. Create a load balancer, see below.

  3. Create VPC endpoint service, see below.

  4. Pass the name of your VPC endpoint service to us, we will finalize setting up the AWS PrivateLink connection on our end.

  5. Create an Amazon Redshift data source where the REDSHIFT_HOST is the DNS we will provide you with.

A strong password still needs to be used for data sources, even when they are accessed via PrivateLink.

We encourage you to consult the up to date AWS documentation if you have any difficulties, or reach out to us directly. 


Create a load balancer

Create load balancer with targets to your database and ensure you apply the following configuration:

  • internal, IPv4, mapped to the same AZs as the database

  • listener TCP/DB_PORT

  • target groups - database connection endpoint, TCP/DB_PORT

  • monitoring TCP (port the same as the service)

  • target group type - “IP addresses”

  • security groups - entire VPC CIDR (or private IP addresses used by the load balancer nodes)

Create target group - Specify group details
Create target group - Register targets
Create New Network Load Balancer

Create a VPC endpoint service

Create a VPC endpoint service and ensure you apply the following configuration:

  • type - network, IPv4, use NLB configured above

  • add AllowPrincipals - arn:aws:iam::{GoodData account ID}:root

  • note the Service name

Create endpoint service
Locate the Allow principals tab
Allow principals


1 reply

PrivateLink  can be used in general for any service that communicates via TCP and establishes a connection only in the direction from GDC, it is not limited only to Redshift.