Reputation: 850
We are trying to use AWS Kinesis Firehose with Redshift output. We have created the Firehose Delivery Stream. We have a Redshift Cluster in a VPC Security Group. But it seems like Firehose is not able to connect to the cluster.
This is a snippet where we create the VPC Security Group.
```json
"RedshiftVPCSecurityGroup": {
  "Type": "AWS::EC2::SecurityGroup",
  "Properties": {
    "SecurityGroupIngress": [
      {
        "CidrIp": "52.19.239.192/27",
        "FromPort": "5439",
        "ToPort": "5439",
        "IpProtocol": "tcp"
      }
    ],
    "VpcId": {
      "Ref": "VpcId"
    },
    "GroupDescription": "Redshift VPC security group"
  }
}
```
Following this link, we set an ingress rule that allows connections from "52.19.239.192/27". But this does not seem to have worked, and we still get the following error.
The connection to the specified Amazon Redshift cluster failed. Ensure that security settings allow Firehose connections, that the cluster or database specified in the Amazon Redshift destination configuration or JDBC URL is correct, and that the cluster is available.
Does anyone know what we are doing wrong?
Upvotes: 4
Views: 8887
Reputation: 36043
When FireHose accesses your Redshift cluster, it does so from outside of your VPC.
In order for FireHose to access your Redshift cluster, the following must be configured:
Without the above requirements met, nothing can access the Redshift cluster from outside your VPC.
Finally, to restrict outside access to only FireHose, you can limit the rule for port 5439 to the FireHose CIDR block:
Upvotes: 10
Reputation: 61
I have been struggling with this same issue and have just found the solution. Make sure that the cluster subnet group created for the Redshift cluster contains only public subnets. When launching a new Redshift cluster, AWS will randomly select ONE of the subnets assigned to the cluster subnet group. If that subnet is private, then Firehose cannot reach your Redshift cluster (it's always outside your VPC). Choosing the "Make publicly available" option on the Redshift cluster won't help, nor will whitelisting Firehose IP addresses in ACL or security groups, etc. You must make the subnet public or relaunch the cluster using only public subnets.
Upvotes: 6
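As an added example (not code from the question or from either answer), the Python below is an offline pre-deployment check over a CloudFormation template that encodes what the two answers above require before Firehose, which connects from outside the VPC, can reach the cluster: a 5439/tcp security group ingress from the Firehose CIDR block quoted in the question, the cluster's PubliclyAccessible flag (needed as well, though, as the second answer notes, not sufficient on its own), and a cluster subnet group made only of public subnets, i.e. subnets whose route table sends 0.0.0.0/0 to an internet gateway. The template builder and the resource names it uses (build_template, PublicSubnet, PrivateSubnet, ClusterSubnetGroup, RedshiftCluster) are constructed for this example. The check also flags an ingress open to 0.0.0.0/0: that would make Firehose work, but it exposes the cluster to the whole internet rather than only to Firehose, which is the restriction the first answer recommends.

```python
"""Offline check: does a CloudFormation template let Kinesis Firehose reach a
Redshift cluster?  Firehose connects from outside the VPC, so it needs a
5439/tcp ingress from its CIDR, PubliclyAccessible on the cluster, and a
cluster subnet group containing only public subnets.  (Added example.)"""
import ipaddress

REDSHIFT_PORT = 5439
# CIDR block from the question; Firehose CIDRs are region-specific, so use your region's.
FIREHOSE_CIDR = ipaddress.ip_network("52.19.239.192/27")


def _ref(value):
    """Resolve {"Ref": "Name"} to "Name"; pass plain strings (or None) through."""
    return value["Ref"] if isinstance(value, dict) and "Ref" in value else value


def _of_type(template, rtype):
    return {n: r for n, r in template["Resources"].items() if r["Type"] == rtype}


def _subnet_is_public(template, subnet_name):
    """Public = an associated route table sends 0.0.0.0/0 to an InternetGateway."""
    igws = _of_type(template, "AWS::EC2::InternetGateway")
    tables = {_ref(a["Properties"]["RouteTableId"])
              for a in _of_type(template, "AWS::EC2::SubnetRouteTableAssociation").values()
              if _ref(a["Properties"]["SubnetId"]) == subnet_name}
    return any(_ref(r["Properties"]["RouteTableId"]) in tables
               and r["Properties"].get("DestinationCidrBlock") == "0.0.0.0/0"
               and _ref(r["Properties"].get("GatewayId")) in igws
               for r in _of_type(template, "AWS::EC2::Route").values())


def check_firehose_reachability(template, firehose_cidr=FIREHOSE_CIDR):
    """Return a list of findings; empty means Firehose can reach the cluster and
    the 5439/tcp ingress is restricted to the Firehose CIDR."""
    res, findings = template["Resources"], []
    (cluster_name, cluster), = _of_type(template, "AWS::Redshift::Cluster").items()
    props = cluster["Properties"]

    # 1. Some attached security group must allow 5439/tcp from the Firehose block.
    allows_firehose = False
    for sg_name in map(_ref, props.get("VpcSecurityGroupIds", [])):
        for rule in res[sg_name]["Properties"].get("SecurityGroupIngress", []):
            if "CidrIp" not in rule or rule.get("IpProtocol") not in ("tcp", "-1"):
                continue
            lo, hi = int(rule.get("FromPort", 0)), int(rule.get("ToPort", 65535))
            if not lo <= REDSHIFT_PORT <= hi:
                continue
            cidr = ipaddress.ip_network(rule["CidrIp"], strict=False)
            if cidr.prefixlen == 0:  # 0.0.0.0/0 or ::/0: reachable, but world-open
                findings.append(f"{sg_name}: {REDSHIFT_PORT}/tcp open to {cidr}; restrict it to the Firehose CIDR")
            if cidr.version == firehose_cidr.version and firehose_cidr.subnet_of(cidr):
                allows_firehose = True
    if not allows_firehose:
        findings.append(f"{cluster_name}: no security group allows {REDSHIFT_PORT}/tcp from {firehose_cidr}")

    # 2. The cluster itself must be publicly accessible (bool or "true" string in JSON).
    if str(props.get("PubliclyAccessible", "")).lower() != "true":
        findings.append(f"{cluster_name}: PubliclyAccessible is not true")

    # 3. Every subnet in the cluster subnet group must be public; Redshift may pick any of them.
    subnet_group = res[_ref(props["ClusterSubnetGroupName"])]
    for subnet in map(_ref, subnet_group["Properties"]["SubnetIds"]):
        if not _subnet_is_public(template, subnet):
            findings.append(f"{subnet}: private subnet (no default route to an internet gateway)")
    return findings


def build_template(*, subnet="PublicSubnet", publicly_accessible=True, ingress_cidr="52.19.239.192/27"):
    """Constructed template (not from the question): one public and one private
    subnet; only the properties the check inspects are included."""
    def ref(name):
        return {"Ref": name}
    return {"Resources": {
        "Vpc": {"Type": "AWS::EC2::VPC", "Properties": {"CidrBlock": "10.0.0.0/16"}},
        "Igw": {"Type": "AWS::EC2::InternetGateway", "Properties": {}},
        "PublicSubnet": {"Type": "AWS::EC2::Subnet", "Properties": {"VpcId": ref("Vpc"), "CidrBlock": "10.0.1.0/24"}},
        "PrivateSubnet": {"Type": "AWS::EC2::Subnet", "Properties": {"VpcId": ref("Vpc"), "CidrBlock": "10.0.2.0/24"}},
        "PublicRouteTable": {"Type": "AWS::EC2::RouteTable", "Properties": {"VpcId": ref("Vpc")}},
        "PublicDefaultRoute": {"Type": "AWS::EC2::Route", "Properties": {
            "RouteTableId": ref("PublicRouteTable"), "DestinationCidrBlock": "0.0.0.0/0", "GatewayId": ref("Igw")}},
        "PublicSubnetAssoc": {"Type": "AWS::EC2::SubnetRouteTableAssociation", "Properties": {
            "SubnetId": ref("PublicSubnet"), "RouteTableId": ref("PublicRouteTable")}},
        "RedshiftVPCSecurityGroup": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
            "VpcId": ref("Vpc"), "GroupDescription": "Redshift VPC security group",
            "SecurityGroupIngress": [{"CidrIp": ingress_cidr, "FromPort": "5439", "ToPort": "5439", "IpProtocol": "tcp"}]}},
        "ClusterSubnetGroup": {"Type": "AWS::Redshift::ClusterSubnetGroup", "Properties": {
            "Description": "Redshift subnets", "SubnetIds": [ref(subnet)]}},
        "RedshiftCluster": {"Type": "AWS::Redshift::Cluster", "Properties": {
            "ClusterSubnetGroupName": ref("ClusterSubnetGroup"),
            "VpcSecurityGroupIds": [ref("RedshiftVPCSecurityGroup")],
            "PubliclyAccessible": publicly_accessible}}}}


if __name__ == "__main__":
    # Layout the question describes: right ingress rule, but a private subnet and no public access.
    print(check_firehose_reachability(build_template(subnet="PrivateSubnet", publicly_accessible=False)))
    # Corrected layout: public subnet, publicly accessible, ingress limited to the Firehose CIDR.
    print(check_firehose_reachability(build_template()))
```

Run as a script, it prints two findings for the layout in the question (private subnet, PubliclyAccessible not set) and an empty list for the corrected layout. The check deliberately treats the world-open ingress as a finding even though it is the quickest way to make the error go away; the cluster then accepts connection attempts from any address and relies on the master password alone.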