About private connectivity
The private connection feature is available on the following dbt Enterprise tiers:
- Business Critical
- Virtual Private
To learn more about these tiers, contact us at sales@getdbt.com.
Private connections enable secure communication from any dbt environment to your data platform hosted on a cloud provider, such as AWS or Azure, using that provider’s private connection technology. They allow dbt customers to meet security and compliance controls because traffic between dbt and your data platform does not traverse the public internet. This feature is supported in most regions across North America, Europe, and Asia; contact us if you have questions about availability.
Private connection endpoints can't connect across cloud providers (AWS, Azure, and GCP). For a private connection to work, both dbt and the server (like a data platform) must be hosted on the same cloud provider. For example, dbt hosted on AWS cannot connect to services hosted on Azure, and dbt hosted on Azure can’t connect to services hosted on GCP.
Private connectivity feature matrix
The following charts outline private connectivity options across dbt multi-tenant (MT) and single-tenant (ST) deployments.
Legend:
- ✅ = Available
- ❌ = Not currently available
- - = Not applicable
- * = Shared endpoint (all others are dedicated)
Availability indicates whether a private endpoint can be established at the network layer. dbt evaluates common configurations, authentication methods, and integration patterns when determining support. However, due to the wide range of customizations possible in customer environments, not every configuration may be covered. If you have questions about a specific use case, contact dbt Support.
Connecting to dbt Cloud
Your services can connect to dbt over private connectivity. This is available on Single-Tenant deployments only. All connections to dbt Cloud use the dbt-provisioned model.
Connecting dbt Cloud to data platforms
dbt can establish private connections to your data platforms.
| Data platform | AWS MT | AWS ST | Azure MT | Azure ST | GCP MT | Provisioning |
|---|---|---|---|---|---|---|
| Snowflake | ✅ | ✅ | ✅ | ✅ | ✅ | Vendor |
| Snowflake Internal Stage | ✅ | ✅ | ✅ | ✅ | ❌ | Vendor |
| Databricks | ✅ | ✅ | ✅ | ✅ | ❌ | Vendor |
| Redshift | ✅ | ✅ | - | - | - | Native |
| Redshift Serverless | ✅ | ✅ | - | - | - | Native |
| Amazon Athena w/ AWS Glue* | ❌ | ✅ | - | - | - | Native |
| Azure Database for PostgreSQL Flexible Server | - | - | ✅ | ✅ | - | Native |
| Azure Synapse | - | - | ✅ | ✅ | - | Native |
| Google BigQuery* | - | - | - | - | ✅ | Native |
| Teradata VantageCloud | ✅ | ✅ | ✅ | ✅ | ✅ | Vendor |
Connecting dbt Cloud to VCS
dbt can establish private connections to your self-hosted version control systems. All VCS connections use the customer-provisioned model.
Self-hosted services
For services not explicitly listed above, you can establish private connectivity using a customer-provisioned approach. This model supports any service that can be placed behind a load balancer and exposed via your cloud platform's private connectivity technology.
Examples: AWS EMR (Spark, Hive, Presto), self-managed databases (MySQL, PostgreSQL, SQL Server), custom applications, or any service running in your VPC.
Prerequisites by cloud platform:
Once you create the private connectivity resource, share the resource ID (endpoint service name, alias, or service attachment URI) with dbt to establish the connection.
Setup guides:
- AWS PrivateLink for self-hosted services
- Azure Private Link for self-hosted services
- GCP Private Service Connect for self-hosted services
If you have questions about whether your configuration is supported, contact dbt Support.
Terminology
Parties
Provisioning models
These models describe who acts as the service producer (the party that provisions the service that dbt Cloud connects to or that you connect to).
Setting up private connectivity
Cross-region private connections
dbt Labs has globally connected private networks specifically used to host private endpoints, which are connected to dbt instance environments. This connectivity allows for dbt environments to connect to any supported region from any dbt instance within the same cloud provider network. To ensure security, access to these endpoints is protected by security groups, network policies, and application connection safeguards, in addition to the authentication and authorization mechanisms provided by each of the connected platforms.
Configuring private connections
dbt supports the following data platforms for use with the private connections feature. The instructions for enabling private connections differ for each data platform provider. The following guides walk you through the necessary steps, including working with dbt Support to complete the connection in the dbt private network and setting up the endpoint in dbt.
AWS
Azure
GCP
Using environment variables when configuring private connection endpoints isn't supported in dbt. Instead, use Extended Attributes to dynamically change these values in your dbt environment.