Outbound Private Connect

Outbound Private Connect for AWS (Amazon Web Services) allows cloud administrators to create secure, private, and dedicated connections between Tableau Cloud and AWS-hosted data providers. These private connections are provisioned on top of AWS PrivateLink, using private IP address space, meaning that data traffic doesn't traverse the public internet. The private and secure nature of private connections addresses a key requirement of restricting data traffic to private networks.

Private Connection Diagram, including AWS and Tableau clouds, endpoint, endpoint service, and data provider

After the private connection is created and ready, creators use the connection address like any other database address in workbook and data source connection dialogs. Likewise, administrators and creators use the connection address when creating virtual connections.

Supported AWS data providers are:

  • Athena
  • Aurora MySQL
  • Databricks
  • Dremio
  • Heroku Postgres
  • MariaDB
  • Microsoft SQL
  • MySQL
  • Oracle
  • Palantir
  • PostgreSQL
  • Redshift
  • Snowflake
  • Teradata Vantage Cloud
  • Teradata Vantage On-Premise

Your ability to work with outbound private connections depends on your role:

  • Cloud administrators create outbound private connections in Tableau Cloud Manager (TCM), and assign them to sites. They can also provide connection information to creators and the groups that support them.
  • Site administrators have read-only access to information about the outbound private connections that are assigned to their site. They can also provide connection information to creators and the groups that support them.
  • Creators use outbound private connections to securely connect to data stored in AWS. Using an outbound private connection in a workbook, data source, or virtual connection is as simple as using a regular, non-private connection, except the creator uses a special connection address provided by the site administrator or cloud administrator. The data traffic doesn't traverse the public internet, but is instead restricted to private connections between AWS Virtual Private Clouds (VPCs).

Example use cases

Scenario 1: Avoid public internet

Your organization's data is in Snowflake. Network security policy prevents Tableau Cloud from reaching the Snowflake data over the public internet.

With Outbound Private Connect

You create an outbound private connection between your Tableau Cloud site and your Snowflake data. Data travels securely and privately between Tableau Cloud and Snowflake, without traversing the public internet.

Scenario 2: Migrate from bridge, use private address space

Your organization's data is in Redshift. Network security policy requires Tableau Cloud to reach the Redshift data using private IP addresses, so you use Tableau Bridge to connect to it. Tableau Bridge is free, but has management overhead.

With Outbound Private Connect

You create an outbound private connection between your Tableau Cloud site and your Redshift data. Data now travels securely and privately between Tableau Cloud and Redshift, using private IP addresses, without traversing the public internet, and without the need for Tableau Bridge. Management is simpler using Outbound Private Connect, though there is a cost for data transferred.

For information on migrating to Outbound Private Connect from Bridge or Data Connect, see Migrate from Tableau Bridge to Outbound Private Connect.

Licensing requirements

Outbound Private Connect works on Tableau Cloud with an Enterprise or Tableau+ license edition, and requires an add-on license for each private connection. For information on licensing and pricing, contact your account manager.

Outbound Private connection data usage is billed per terabyte. For information on Outbound Private Connect usage, see Private Connect Licensing.

High-level setup overview

An outbound private connection consists of:

  • the data provider (hosted at AWS)
  • the endpoint service (AWS)
  • the endpoint (Tableau Cloud)

For outbound private connections to Athena, Heroku Postgres, and Teradata Vantage Cloud, your Tableau Cloud site and AWS-hosted data provider must be in the same AWS region. For a table that includes Tableau Cloud pods and associated regions, see IP Addresses for Tableau Cloud(Link opens in a new window).

Data provider and AWS components

The AWS-hosted data provider and AWS endpoint service are configured in AWS.

In the case of most AWS-hosted data providers, the AWS endpoint service needs to explicitly allow the connection from your Tableau Cloud site. The AWS endpoint service identifies your Tableau Cloud site using an Identity and Access Management (IAM) Amazon Resource Name (ARN) for its region.

To allow access, the AWS endpoint service needs Tableau Cloud's IAM ARN added to the list of allowed principals.

Tableau Cloud component

The Tableau Cloud end of the outbound private connection is configured in Tableau Cloud Manager (TCM).

Tableau Cloud needs the AWS endpoint service name. Tableau Cloud may also need custom address information about the endpoint service if the data provider requires it.

Typical set up steps

The typical process to set up an outboud private connection is:

  1. AWS: Set up the data provider and create the endpoint service. (You may need to rely on a third party. More details are in the specific topics for individual data providers under Outbound Private Connection Set Up: AWS.)
  2. TCM: Get the Tableau Cloud IAM ARN for the region.
  3. AWS: Add the Tableau Cloud IAM ARN as an allowed principal on the endpoint service. (You may need to rely on a third party. More details are in the specific topics for individual data providers under Outbound Private Connection Set Up: AWS.)
  4. AWS: Get the endpoint service name.
  5. TCM: Create the outbound private connection using the AWS endpoint service name. (A custom connection address may also be required or allowed. More details are in the specific topics for individual data providers under Outbound Private Connection Set Up: AWS.)

Exceptions to the typical set up process depend on the data provider, and are in the specific topics for individual data providers under Outbound Private Connection Set Up: AWS.

After both ends are configured correctly and the private connection is ready, creators can use the private connection to connect securely and privately to the AWS-hosted data provider.

Create your outbound private connection

To create and configure an outbound private connection for your sites:

  1. See the subtopic for your AWS-hosted data provider under Outbound Private Connection Set Up: AWS
  2. See the topic Outbound Private Connection Set Up: Tableau Cloud.
Thanks for your feedback!Your feedback has been successfully submitted. Thank you!