About private connectivity
The private connection feature is available on the following dbt Enterprise tiers:
- Business Critical
- Virtual Private
To learn more about these tiers, contact us at sales@getdbt.com.
Private connections enable secure communication from any dbt environment to your data platform hosted on a cloud provider, such as AWS or Azure, using that provider’s private connection technology. Private connections allow dbt customers to meet security and compliance controls because traffic between dbt and your data platform does not traverse the public internet. This feature is supported in most regions across North America, Europe, and Asia, but contact us if you have questions about availability.
Private connection endpoints can't connect across cloud providers. For a private connection to work, both dbt and the server (like a data platform) must be hosted on the same cloud provider. For example, dbt hosted on AWS cannot connect via PrivateLink to services hosted on Azure, and dbt hosted on Azure can’t connect via Private Link to services hosted on AWS.
Private connectivity feature matrix
Connectivity Type | AWS MT | AWS ST | Azure MT | Azure ST |
---|---|---|---|---|
INGRESS (to dbt) | | | | |
Private dbt Ingress | ❌ | ✅ | ❌ | ✅ |
Dual dbt Ingress | ❌ | ✅ | ❌ | ❌ |
EGRESS - DW (from dbt) | | | | |
Snowflake | ✅ | ✅ | ✅ | ✅ |
- Snowflake Internal Stage | ❌ | ❌ | ✅ | ✅ |
Databricks | ✅ | ✅ | ✅ | ✅ |
Postgres (self-hosted) | ✅ | ✅ | ✅ | ✅ |
Redshift (Interface) | ✅ | ✅ | - | - |
Redshift (Managed) | ✅ | ✅ | - | - |
Redshift Serverless (Interface) | ✅ | ✅ | - | - |
Redshift Serverless (Managed) | ✅ | ✅ | - | - |
Amazon Athena w/ AWS Glue | ❌ | ✅ | - | - |
Azure Synapse | - | - | ✅ | ✅ |
Azure Fabric (cross-tenant not supported by Azure) | - | - | ❌ | ❌ |
Google BigQuery | - | - | - | - |
Teradata - Database Server | ✅ | ✅ | ✅ | ✅ |
EGRESS - VCS (from dbt) | | | | |
GitHub Enterprise Server | ✅ | ✅ | ✅ | ✅ |
GitLab Enterprise | ✅ | ✅ | ✅ | ✅ |
Bitbucket | ✅ | ✅ | ✅ | ✅ |
AWS CodeCommit | ❌ | ✅ | - | - |
Azure DevOps Repos (not supported by Azure) | - | - | ❌ | ❌ |
Cross-region private connections
dbt Labs has globally connected private networks specifically used to host private endpoints, which are connected to dbt instance environments. This connectivity allows dbt environments to connect to any supported region from any dbt instance within the same cloud provider network. To ensure security, access to these endpoints is protected by security groups, network policies, and application connection safeguards, in addition to the authentication and authorization mechanisms provided by each of the connected platforms.
Configuring private connections
dbt supports the following data platforms for use with the private connections feature. The instructions for enabling private connections differ for each data platform provider. The following guides walk you through the necessary steps, including working with dbt Support to complete the connection in the dbt private network and setting up the endpoint in dbt.
- Snowflake AWS PrivateLink
- Snowflake Azure Private Link
- Databricks AWS PrivateLink
- Databricks Azure Private Link
- Redshift AWS PrivateLink
- Postgres AWS PrivateLink
- VCS
Using environment variables when configuring private connection endpoints isn't supported in dbt. Instead, use Extended Attributes to dynamically change these values in your dbt environment.