This page covers backend connectivity — Cube reaching into your network to query data sources, auth providers, BI APIs targeted by Semantic Layer Sync, and other upstream services. See Backend and frontend connectivity for the full picture. For frontend connectivity (exposing Cube’s APIs to your applications, browsers, BI tools, and embedded analytics clients), see Private API Connectivity on AWS.
AWS PrivateLink provides private connectivity between virtual private clouds (VPCs), supported services and resources, and your on-premises networks, without exposing your traffic to the public internet. To set up a PrivateLink connection between Cube’s Dedicated Infrastructure and your own VPC, you’ll need to prepare an Endpoint Service, share service details with the Cube team, and accept the incoming connection request.

Preparing the Endpoint Service

There are two common scenarios for preparing the Endpoint Service:
  • Connecting to a service in your AWS infrastructure
  • Connecting to a service provided by a third party such as Snowflake, Databricks, Altinity Cloud, etc.
In the case of your own infrastructure, please follow the official AWS documentation to configure the Endpoint Service pointing at your data source. If your data source is hosted in a third-party infrastructure, please follow the vendor’s documentation for creating and managing an Endpoint Service.

Allowing the Cube principal

Cube needs to be added to the list of principals allowed to discover your Endpoint Service. To do so, please go to AWS Console → VPC → Endpoint Services → Your service → Allow principals and add arn:aws:iam::331376342520:root to the list.
331376342520 is the AWS account ID of Cube’s PrivateLink consumer account. Adding its root principal authorizes Cube to discover your endpoint service and create a private endpoint against it; nothing else in Cube’s AWS estate gains access to your network.

Gathering required information

To request establishing a PrivateLink connection, please share the following information with the Cube team:
  • Service Name (such as com.amazonaws.vpce.us-west-2.vpce-svc-abcde)
  • Reference Name for the record (such as “Snowflake-prod” or “clickhouse-dev”)
  • Ports: a list of ports that will be accessed through this connection
  • DNS Name(s): see DNS and TLS below
  • Cube Region: PrivateLink requires Cube to be hosted on Dedicated Infrastructure. Specify which Cube Region should host your Dedicated Infrastructure.

DNS and TLS

How your data source is addressed inside Cube depends on whether it speaks TLS:
  • If the service uses TLS (HTTPS, JDBC sslmode=require, etc.), share the DNS name(s) the certificate is issued for — typically the same hostname your in-network clients already use to reach it. Cube creates internal DNS overrides inside the Dedicated Infrastructure so that the same hostname resolves to the PrivateLink endpoint. Keeping the original hostname is what preserves TLS validity: the certificate’s CN/SAN keeps matching what Cube dials.
  • If the service does not use TLS and you don’t supply a DNS name, the Cube team will share back an internal endpoint hostname (e.g. an AWS-assigned interface-endpoint DNS name) that you can configure as the upstream when you wire the connection into Cube.

Accepting the connection

The Cube team will notify you once the connection request is sent. You can accept it by going to AWS Console → VPC → Endpoint Services → Your Service → Endpoint Connections and clicking Accept Connection Request.
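
A check you can run before clicking Accept, covering both the "Allowing the Cube principal" and "Accepting the connection" steps. This is an added example, not code from Cube or AWS: it reviews the JSON returned by two AWS CLI describe commands, flags allowed principals other than Cube's, and separates pending requests owned by Cube's account from any others. The sample JSON, endpoint IDs and the second account ID are constructed, and the example assumes the Endpoint Service is dedicated to Cube (extend `expected` if you have other consumers).

```python
import json

CUBE_PRINCIPAL = "arn:aws:iam::331376342520:root"  # principal given on this page
CUBE_ACCOUNT_ID = "331376342520"                   # Cube's PrivateLink consumer account

# Constructed sample of the output of:
#   aws ec2 describe-vpc-endpoint-service-permissions --service-id <your service id>
SAMPLE_PERMISSIONS = json.loads("""
{"AllowedPrincipals": [
  {"PrincipalType": "Account", "Principal": "arn:aws:iam::331376342520:root"},
  {"PrincipalType": "All", "Principal": "*"}
]}""")

# Constructed sample of the output of:
#   aws ec2 describe-vpc-endpoint-connections --filters Name=service-id,Values=<your service id>
SAMPLE_CONNECTIONS = json.loads("""
{"VpcEndpointConnections": [
  {"VpcEndpointId": "vpce-0aaa0000000000001", "VpcEndpointOwner": "331376342520",
   "VpcEndpointState": "pendingAcceptance"},
  {"VpcEndpointId": "vpce-0bbb0000000000002", "VpcEndpointOwner": "111122223333",
   "VpcEndpointState": "pendingAcceptance"},
  {"VpcEndpointId": "vpce-0ccc0000000000003", "VpcEndpointOwner": "331376342520",
   "VpcEndpointState": "available"}
]}""")


def cube_principal_allowed(permissions):
    """True if Cube's principal is on the service's allow list."""
    return any(p["Principal"] == CUBE_PRINCIPAL
               for p in permissions.get("AllowedPrincipals", []))


def unexpected_principals(permissions, expected=frozenset({CUBE_PRINCIPAL})):
    """Allowed principals outside the expected set, e.g. a wildcard '*'."""
    return sorted(p["Principal"] for p in permissions.get("AllowedPrincipals", [])
                  if p["Principal"] not in expected)


def triage_pending(connections, trusted_owner=CUBE_ACCOUNT_ID):
    """Split pending requests into (accept, investigate) lists of endpoint IDs."""
    accept, investigate = [], []
    for c in connections.get("VpcEndpointConnections", []):
        if c.get("VpcEndpointState") != "pendingAcceptance":
            continue  # already accepted, rejected or deleted
        bucket = accept if c.get("VpcEndpointOwner") == trusted_owner else investigate
        bucket.append(c["VpcEndpointId"])
    return accept, investigate


if __name__ == "__main__":
    print("Cube principal allowed:", cube_principal_allowed(SAMPLE_PERMISSIONS))
    print("Unexpected principals:", unexpected_principals(SAMPLE_PERMISSIONS))
    print("Accept / investigate:", triage_pending(SAMPLE_CONNECTIONS))
```

Only the endpoint IDs in the first list belong in an accept call; anything in the second list came from an account other than Cube's and should be rejected or investigated.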

Using the connection

Once the connection is established, you can access your data source by addressing it via the DNS name(s) you supplied (TLS case) or the internal endpoint hostname returned to you by the Cube team (non-TLS case).

Supported Regions

AWS PrivateLink is available in all AWS commercial regions where Dedicated Infrastructure can be provisioned. AWS China (cn-north-1, cn-northwest-1) and AWS GovCloud (us-gov-east-1, us-gov-west-1) are not supported.