About private connectivity
The private connection feature is available on the following dbt Enterprise tiers:
- Business Critical
- Virtual Private
To learn more about these tiers, contact us at sales@getdbt.com.
Private connections enables secure communication from any dbt environment to your data platform hosted on a cloud provider, such as AWS or Azure, using that provider’s private connection technology. Private connections allow dbt customers to meet security and compliance controls as it allows connectivity between dbt and your data platform without traversing the public internet. This feature is supported in most regions across North America, Europe, and Asia, but contact us if you have questions about availability.
Private connection endpoints can't connect across cloud providers (AWS, Azure, and GCP). For a private connection to work, both dbt and the server (like a data platform) must be hosted on the same cloud provider. For example, dbt hosted on AWS cannot connect to services hosted on Azure, and dbt hosted on Azure can’t connect to services hosted on GCP.
Private connectivity feature matrix
The following charts outline private connectivity options across dbt multi-tenant (MT) and single-tenant (ST) deployments.
Legend:
- ✅ = Available
- ❌ = Not currently available
- - = Not applicable
- * = Shared endpoint (all others are dedicated)
Availability indicates whether a private endpoint can be established at the network layer. dbt evaluates common configurations, authentication methods, and integration patterns when determining support. However, due to the wide range of customizations possible in customer environments, not every configuration may be covered. If you have questions about a specific use case, contact dbt Support.
Connecting to dbt Cloud
Your services can connect to dbt over private connectivity. This is available on Single-Tenant deployments only. All connections to dbt Cloud use the dbt-provisioned model.
| Loading table... |
Connecting dbt Cloud to data platforms
dbt can establish private connections to your data platforms.
| Service | AWS MT | AWS ST | Azure MT | Azure ST | GCP MT | Provisioning |
|---|---|---|---|---|---|---|
| Snowflake | ✅ | ✅ | ✅ | ✅ | ✅ | Vendor |
| Snowflake Internal Stage | ✅ | ✅ | ✅ | ✅ | ❌ | Vendor |
| Databricks | ✅ | ✅ | ✅ | ✅ | ❌ | Vendor |
| Redshift | ✅ | ✅ | - | - | - | Native |
| Redshift Serverless | ✅ | ✅ | - | - | - | Native |
| Amazon Athena w/ AWS Glue* | ❌ | ✅ | - | - | - | Native |
| Azure Database for PostgreSQL Flexible Server | - | - | ✅ | ✅ | - | Native |
| Azure Synapse | - | - | ✅ | ✅ | - | Native |
| Azure Fabric | - | - | ❌ | ❌ | - | - |
| Google BigQuery* | - | - | - | - | ✅ | Native |
| Teradata VantageCloud | ✅ | ✅ | ✅ | ✅ | ✅ | Vendor |
Connecting dbt Cloud to self-hosted services
dbt can establish private connections to your self-hosted services. All self-hosted connections use the customer-provisioned model.
| Loading table... |
For services not explicitly listed above, you can establish private connectivity using the same customer-provisioned approach. This model supports any service that can be placed behind a load balancer and exposed via your cloud platform's private connectivity technology.
To inquire about private connectivity to additional platforms, contact your account team.
Prerequisites by cloud platform:
| Loading table... |
Once you create the private connectivity resource, share the resource ID (endpoint service name, alias, or service attachment URI) with dbt to establish the connection.
Setup guides:
- AWS PrivateLink for self-hosted services
- Azure Private Link for self-hosted services
- GCP Private Service Connect for self-hosted services
If you have questions about whether your configuration is supported, contact dbt Support.
Setting up private connectivity
Cross-region private connections
dbt Labs has globally connected private networks specifically used to host private endpoints, which are connected to dbt instance environments. This connectivity allows for dbt environments to connect to any supported region from any dbt instance within the same cloud provider network. To ensure security, access to these endpoints is protected by security groups, network policies, and application connection safeguards, in addition to the authentication and authorization mechanisms provided by each of the connected platforms.
Some GCP services, such as BigQuery, may have regional restrictions for Private Service Connect endpoints. Refer to Google's Private Service Connect documentation for service-specific regional availability.
Configuring private connections
dbt supports the following data platforms for use with the private connections feature. Instructions for enabling private connections for the various data platform providers are unique. The following guides will walk you through the necessary steps, including working with dbt Support to complete the connection in the dbt private network and setting up the endpoint in dbt.
AWS
Azure
GCP
Using Environment variables when configuring private connection endpoints isn't supported in dbt. Instead, use Extended Attributes to dynamically change these values in your dbt environment.
Terminology
Parties
| Loading table... |
Provisioning models
These models describe who acts as the service producer (the party that provisions the service that dbt Cloud connects to or that you connect to).
| Loading table... |
Was this page helpful?
This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.
