About private connectivity

Available to certain Enterprise tiers

The private connection feature is available on the following dbt Enterprise tiers:

• Business Critical
• Virtual Private

To learn more about these tiers, contact us at sales@getdbt.com.

Private connections enables secure communication from any dbt environment to your data platform hosted on a cloud provider, such as AWS or Azure, using that provider’s private connection technology. Private connections allow dbt customers to meet security and compliance controls as it allows connectivity between dbt and your data platform without traversing the public internet. This feature is supported in most regions across North America, Europe, and Asia, but contact us if you have questions about availability.

Private connection endpoints can't connect across cloud providers (AWS, Azure, and GCP). For a private connection to work, both dbt and the server (like a data platform) must be hosted on the same cloud provider. For example, dbt hosted on AWS cannot connect to services hosted on Azure, and dbt hosted on Azure can’t connect to services hosted on GCP.

The following charts outline private connectivity options across dbt multi-tenant (MT) and single-tenant (ST) deployments.

Scope of this matrix

This matrix focuses on one question: can a private endpoint be established between dbt Cloud and the service at the network layer? Availability (✅) means dbt Cloud supports creating a private endpoint to that service using the cloud platform's private connectivity technology (AWS PrivateLink, Azure Private Link, or GCP Private Service Connect).

Beyond the network layer, the possibilities for application-layer configurations, authentication methods, and custom architectures are extensive. Not every combination has been tested. This matrix does not account for:

• Application-layer configurations or feature-specific requirements
• Custom architectures unique to your environment
• Service-specific limitations that may affect functionality after the private endpoint is established

For detailed setup instructions, refer to the individual configuration guides. If you have a custom configuration and are unsure whether it's supported, contact dbt Support.

Legend:

• ✅ = Available
• ❌ = Not currently available
• ST = Single-Tenant only
• - = Not applicable

Terminology

Parties and roles

Term	Definition
Cloud platform	The underlying cloud infrastructure: AWS, Azure, or GCP.
Service provider	The party that publishes a service for private access. This can be a third-party vendor (Snowflake, Databricks) or the cloud platform itself (Redshift, Synapse, BigQuery). When dbt Cloud is the service provider, your services connect to dbt Cloud.
Consumer	The party that creates a private endpoint to connect to a service. When dbt Cloud is the consumer, it connects to your services.

Loading table...

Provisioning models

Term	Definition
Native	The cloud platform provisions the private connectivity infrastructure for its own services (Redshift, Synapse, BigQuery). You obtain the resource ID from the cloud platform and share it with dbt; dbt creates the endpoint.
Vendor	A third-party vendor (Snowflake, Databricks, Teradata) provisions the private connectivity infrastructure. You obtain the resource ID from the vendor and share it with dbt; dbt creates the endpoint.
Customer-provisioned	You create and manage the private connectivity infrastructure. You generate your own resource ID (endpoint service name, alias, or service attachment URI) and share it with dbt.

Loading table...

Endpoint types

Term	Definition	Isolation model
Dedicated endpoint	A private endpoint created specifically for your account. Used with Native, Vendor, and Customer-provisioned setups.	Network isolation + access controls (authentication, authorization, etc.)
Shared endpoint	A private endpoint maintained by dbt that multiple customers use. Traffic is routed through a common endpoint.	Access controls only (authentication, authorization, etc.)

Loading table...

---

Connecting dbt Cloud to your services

dbt Cloud can establish private connections to your services. The table below shows all supported services with their provisioning model and endpoint type.

Service	AWS	Azure	GCP	Provisioning	Endpoint
Amazon Athena w/ AWS Glue	✅	-	-	Native	Shared
Azure Database for PostgreSQL Flexible Server	-	✅	-	Native	Shared
Databricks	✅	✅	-	Vendor	Dedicated
Google BigQuery	-	-	✅	Native	Shared
Redshift	✅	-	-	Native	Dedicated
Redshift Serverless	✅	-	-	Native	Dedicated
Snowflake	✅	✅	✅	Vendor	Dedicated
Snowflake Internal Stage	✅	✅	❌	Vendor	Dedicated
Teradata VantageCloud	✅	✅	✅	Vendor	Dedicated

Loading table...

Customer-provisioned connections

For customer-provisioned connectivity, you create and manage the private connectivity infrastructure and share access with dbt. This model supports any service that can be placed behind a load balancer and exposed via the cloud platform's private connectivity technology. All customer-provisioned connections use dedicated endpoints.

Prerequisites:

Your service must be exposed via the cloud platform's private connectivity technology:

Cloud	Load balancer requirement	Resource you create
AWS	Network Load Balancer	VPC Endpoint Service
Azure	Standard Load Balancer	Private Link Service
GCP	Internal Proxy Load Balancer*	Service Attachment

Loading table...

*Other GCP load balancer types may be compatible, but Internal Proxy Load Balancer is the only type tested by dbt.

You must be able to grant dbt access to your endpoint.

Setup guides:

• AWS PrivateLink for self-hosted services
• Azure Private Link for self-hosted services
• GCP Private Service Connect for self-hosted services

If you have questions about whether your configuration is supported, contact dbt Support.

---

Connecting to dbt Cloud

Your services can connect to dbt Cloud over private connectivity. This is available on Single-Tenant deployments only.

Connectivity type	AWS ST	Azure ST
Private dbt access	✅	✅
Dual access (public + private)	✅	❌

Loading table...

Cross-region private connections

dbt Labs has globally connected private networks specifically used to host private endpoints, which are connected to dbt instance environments. This connectivity allows for dbt environments to connect to any supported region from any dbt instance within the same cloud provider network. To ensure security, access to these endpoints is protected by security groups, network policies, and application connection safeguards, in addition to the authentication and authorization mechanisms provided by each of the connected platforms.

Configuring private connections

dbt supports the following data platforms for use with the private connections feature. Instructions for enabling private connections for the various data platform providers are unique. The following guides will walk you through the necessary steps, including working with dbt Support to complete the connection in the dbt private network and setting up the endpoint in dbt.

AWS

• Snowflake
• Databricks
• Redshift
• Postgres
• VCS

Azure

• Snowflake
• Databricks
• Database for Postgres Flexible Server
• Synapse
• Self-hosted services

GCP

• Snowflake
• BigQuery
• Self-hosted services

Environment variables

Using Environment variables when configuring private connection endpoints isn't supported in dbt. Instead, use Extended Attributes to dynamically change these values in your dbt environment.

Was this page helpful?

Privacy policyCreate a GitHub issue

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.