Connecting with a VPC on AWS
To connect with a VPC on AWS, you need to collect the necessary information and hand it over to your Cube Cloud representative. Next, you'll have to accept a VPC peering request sent by Cube Cloud. Finally, you'll need to configure security groups and route tables to ensure Cube Cloud can connect to your data source.
Prerequisites
To allow Cube Cloud to connect to a VPC on AWS, the following information is required:
- AWS Account ID: The AWS account ID of the VPC owner. This can be found in the top-right corner of the AWS Console.
- AWS Region: The AWS region that the VPC resides in.
- AWS VPC ID: The ID of the VPC that Cube Cloud will connect to, for example, vpc-0099aazz
- AWS VPC CIDR: The CIDR block of the VPC that Cube Cloud will connect to, for example, 10.0.0.0/16
Setup
VPC Peering Request
After receiving the information above, Cube Cloud will send a VPC peering request that must be accepted. This can be done either through the AWS Web Console or through an infrastructure-as-code tool.
To accept the VPC peering request through the AWS Web Console, follow the instructions below:
- Open the Amazon VPC console.
  Ensure you have the necessary permissions to accept a VPC peering request. If you are unsure, please contact your AWS administrator.
- Use the Region selector to choose the Region of the accepter VPC.
- In the navigation pane, choose Peering connections.
- Select the pending VPC peering connection (the status should be pending-acceptance), then choose Actions, followed by Accept request.
  Ensure the peering request is from Cube Cloud by checking that the AWS account ID, region and VPC IDs match those provided by your CSM.
- When prompted for confirmation, choose Accept request.
- Choose Modify my route tables now to add a route to the VPC route table so that you can send and receive traffic across the peering connection.
For more information about peering connection lifecycle statuses, check out the VPC peering connection lifecycle on AWS.
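The check in the steps above (confirm the request really comes from Cube Cloud before accepting it) can be scripted. The following is an added example, not part of the Cube Cloud documentation: it validates one entry shaped like the output of `aws ec2 describe-vpc-peering-connections`, and goes slightly beyond the text by also rejecting a requester CIDR that overlaps your own. The account ID, region, requester VPC ID, CIDR and connection ID are constructed placeholders; the accepter VPC values are the example values from the Prerequisites section.

```python
import ipaddress

# Values your Cube Cloud CSM gave you (placeholders constructed for this example).
EXPECTED_REQUESTER = {"OwnerId": "111111111111", "Region": "us-east-1",
                      "VpcId": "vpc-0cubeplaceholder"}
# Your own VPC, using the example values from the Prerequisites section.
OWN_VPC = {"VpcId": "vpc-0099aazz", "CidrBlock": "10.0.0.0/16"}

# Constructed sample shaped like one entry of
# `aws ec2 describe-vpc-peering-connections` output.
SAMPLE = {
    "VpcPeeringConnectionId": "pcx-0example",
    "Status": {"Code": "pending-acceptance"},
    "RequesterVpcInfo": {"OwnerId": "111111111111", "Region": "us-east-1",
                         "VpcId": "vpc-0cubeplaceholder",
                         "CidrBlock": "172.31.0.0/16"},
    "AccepterVpcInfo": {"OwnerId": "222222222222", "Region": "us-east-1",
                        "VpcId": "vpc-0099aazz"},
}


def check_peering_request(pcx, expected=EXPECTED_REQUESTER, own=OWN_VPC):
    """Return a list of reasons NOT to accept; an empty list means it matches."""
    problems = []
    if pcx.get("Status", {}).get("Code") != "pending-acceptance":
        problems.append("status is not pending-acceptance")
    requester = pcx.get("RequesterVpcInfo", {})
    for field, want in expected.items():
        if requester.get(field) != want:
            problems.append(f"requester {field} is {requester.get(field)!r}, expected {want!r}")
    if pcx.get("AccepterVpcInfo", {}).get("VpcId") != own["VpcId"]:
        problems.append("request targets a different VPC than the one shared with Cube Cloud")
    # AWS does not support peering between VPCs with overlapping CIDR blocks.
    cidr = requester.get("CidrBlock")
    if cidr is None:
        problems.append("requester CIDR block missing")
    elif ipaddress.ip_network(cidr).overlaps(ipaddress.ip_network(own["CidrBlock"])):
        problems.append(f"requester CIDR {cidr} overlaps {own['CidrBlock']}")
    return problems


if __name__ == "__main__":
    for line in check_peering_request(SAMPLE) or ["OK to accept"]:
        print(line)
```

Feed it the real entry for the pending connection and accept the request only when the returned list is empty.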
Updating security groups
The initial VPC setup will not allow traffic from Cube Cloud; this is because the security group for the database will need to allow access from the Cube Cloud CIDR block.
This can be achieved by adding a new security group rule:
Protocol | Port Range | Source/Destination |
---|---|---|
TCP | 3306 | The Cube Cloud CIDR block for the AWS region. |
Update route tables
The final step is to update route tables in your VPC to allow traffic from Cube Cloud to reach your database. The Cube Cloud CIDR block must be added to the route tables of all subnets that connect to the database. To do this, follow the instructions in the AWS documentation.
Troubleshooting
Database connection issues with misconfigured VPCs often manifest as connection timeouts. If you are experiencing connection issues, please check the following:
- Verify that all security groups allow traffic from the Cube Cloud provided CIDR block.
- Verify that a route exists to the Cube Cloud provided CIDR block from the subnets that connect to the database.
Using dedicated pre-aggregation storage
On the Enterprise Premier product tier, you get an option to supply your own S3 bucket to be used as the underlying storage for Cube Store pre-aggregated data. This allows you to keep all data at rest fully within your infrastructure while still leveraging the full power of Cube Cloud for managed compute.
To activate this option, create an S3 bucket and generate a new AWS Access Key that allows Cube Cloud full access to the bucket. Once that is done, ask your Customer Success Manager to activate dedicated pre-aggregation storage and share the following with them:
- AWS Access Key Id
- AWS Secret Access Key
- S3 Bucket ARN