> ## Documentation Index
> Fetch the complete documentation index at: https://cubed3-feat-druid-driver-streaming.mintlify.site/llms.txt
> Use this file to discover all available pages before exploring further.

# Setting up VPC Peering on AWS

> End-to-end checklist for VPC peering Cube's Dedicated Infrastructure with your AWS VPC for private data access.

<Note>
  This page covers **backend connectivity** — Cube reaching into your network to
  query data sources, auth providers, BI APIs targeted by Semantic Layer Sync,
  and other upstream services. See
  [Backend and frontend connectivity][backend-frontend] for the full picture.
  For **frontend connectivity** (exposing Cube's APIs to your applications,
  browsers, BI tools, and embedded analytics clients), see
  [Private API Connectivity on AWS][aws-private-api-connectivity].
</Note>

To set up AWS VPC Peering between Cube's Dedicated Infrastructure and your
VPC, you collect the information below and hand it over to your Cube
representative. Next, you accept a VPC peering request initiated by Cube, then
configure security groups and route tables so that Cube can reach your data
source.

## Information required by Cube

To allow Cube to peer with a [VPC on AWS][aws-docs-vpc], please share the
following with the Cube team:

* **AWS Account ID:** The AWS account ID of the VPC owner. This can be found
  in the top-right corner of [the AWS Console][aws-console].
* **AWS Region:** [The AWS region][aws-docs-regions] that the VPC resides in.
* **AWS VPC ID:** The ID of the VPC that Cube will connect to, for example
  `vpc-0099aazz`.
* **AWS VPC CIDR:** The [CIDR block][wiki-cidr-block] of the VPC that Cube
  will connect to, for example `10.0.0.0/16`.
* **Cube Region:** VPC Peering requires Cube to be hosted on
  [Dedicated Infrastructure][cube-region]. Specify which Cube Region should
  host your Dedicated Infrastructure.

## Setup

### Accepting the peering request

After receiving the information above, Cube will send a
[VPC peering request][aws-docs-vpc-peering] that must be accepted. This can
be done either through the [AWS Web Console][aws-console] or through an
infrastructure-as-code tool.

To [accept the VPC peering request][aws-docs-vpc-peering-accept] through the
AWS Web Console, follow the instructions below:

1. Open the [Amazon VPC console](https://console.aws.amazon.com/vpc/).

   <Warning>
     Ensure you have the necessary permissions to accept a VPC peering
     request. If you are unsure, please contact your AWS administrator.
   </Warning>

2. Use the Region selector to choose the Region of the accepter VPC.

3. In the navigation pane, choose **Peering connections**.

4. Select the pending VPC peering connection (the status should be
   `pending-acceptance`), then choose **Actions**, followed by
   ​**Accept request**.

   <Warning>
     Ensure the peering request is from Cube by checking that the **AWS
     account ID**, **region**, and **VPC IDs** match those provided by your
     CSM.
   </Warning>

5. When prompted for confirmation, choose **Accept request**.

6. Choose **Modify my route tables now** to add a route to the VPC route
   table so that you can send and receive traffic across the peering
   connection.

<Info>
  For more information about peering connection lifecycle statuses, check out
  the [VPC peering connection lifecycle on AWS][aws-docs-vpc-peering-lifecycle].
</Info>

### Updating security groups

The initial VPC setup will not allow traffic from Cube; this is because
[the security group][aws-docs-vpc-security-group] for the database will need
to allow access from the Cube VPC CIDR block.

This can be achieved by adding a new security group rule:

| Protocol | Port Range | Source/Destination                          |
| -------- | ---------- | ------------------------------------------- |
| TCP      | 3306       | The Cube VPC CIDR block for the AWS region. |

<Info>
  The Cube VPC CIDR block is shared with you by the Cube team alongside the
  peering request, and is also visible in the AWS Console on the **Peering
  connections** → **\<your peering>** → **Details** page as the
  **Requester VPC CIDR**.
</Info>

### Updating route tables

The final step is to update route tables in your VPC to allow traffic from
Cube to reach your database. The Cube VPC CIDR block must be added to the
route tables of all subnets that connect to the database. To do this, follow
the instructions on [the AWS documentation][aws-docs-vpc-peering-routing].

## Troubleshooting

Database connection issues with misconfigured VPCs often manifest as
connection timeouts. If you are experiencing connection issues, please check
the following:

* Verify that
  [all security groups allow traffic](#updating-security-groups) from the
  Cube VPC CIDR block.
* Verify that
  [a route exists to the Cube VPC CIDR block](#updating-route-tables) from
  the subnets that connect to the database.

## Supported Regions

VPC Peering is available in all AWS commercial regions where Dedicated
Infrastructure can be provisioned. AWS China (`cn-north-1`, `cn-northwest-1`)
and AWS GovCloud (`us-gov-east-1`, `us-gov-west-1`) are not supported.

[aws-console]: https://console.aws.amazon.com/

[aws-docs-regions]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html#concepts-available-regions

[aws-docs-vpc]: https://docs.aws.amazon.com/vpc/latest/userguide/what-is-amazon-vpc.html

[aws-docs-vpc-peering]: https://docs.aws.amazon.com/vpc/latest/peering/what-is-vpc-peering.html

[aws-docs-vpc-peering-accept]: https://docs.aws.amazon.com/vpc/latest/peering/create-vpc-peering-connection.html#different-account-different-region

[aws-docs-vpc-peering-lifecycle]: https://docs.aws.amazon.com/vpc/latest/peering/vpc-peering-basics.html#vpc-peering-lifecycle

[aws-docs-vpc-peering-routing]: https://docs.aws.amazon.com/vpc/latest/peering/vpc-peering-routing.html

[aws-docs-vpc-security-group]: https://docs.aws.amazon.com/vpc/latest/userguide/security-group-rules.html

[wiki-cidr-block]: https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing#CIDR_blocks

[cube-region]: /admin/deployment/infrastructure#understanding-cube-cloud-region

[aws-private-api-connectivity]: /admin/deployment/dedicated/aws/private-api-connectivity

[backend-frontend]: /admin/deployment/dedicated#backend-and-frontend-connectivity
