
Recently, a customer exploring Amazon QuickSight asked us:

“We have recently started exploring AWS QuickSight and noticed that the Amazon QuickSight URL is publicly accessible. We would like to understand if it is possible to restrict access and make the URL private. Additionally, we want to explore the options for enforcing corporate SSO login for Amazon QuickSight users.”

This real-world query prompted us to evaluate Amazon QuickSight’s access control mechanisms. In the process, we also encountered and addressed a critical consideration: the fact that AWS QuickSight’s home region cannot be changed once created.

Problem Statement

When adopting Amazon QuickSight for business intelligence, enterprises often realize that the AWS QuickSight URL is publicly accessible by default. While AWS QuickSight provides user-level permissions, many organizations require stricter controls to ensure that Amazon QuickSight is accessible only from corporate VPN or private networks.

In parallel, enterprises want to enforce SSO login so that users authenticate only through their existing identity providers.

During implementation, another challenge emerged: when attempting to configure a VPC connection in us-east-1, Amazon QuickSight prompted us to switch to us-west-2 (Oregon), indicating that the account’s home region is fixed and cannot be changed. This creates limitations when VPCs are deployed in regions different from the AWS QuickSight home region.

[Figure: summary of the challenges described above]

Solution Overview

To address these concerns, we evaluated three approaches:

  1. IP Range Restrictions
    Configure Amazon QuickSight to allow access only from approved VPN or office IP addresses.
  2. VPC Endpoint Restrictions (PrivateLink)
    Use AWS PrivateLink to enforce QuickSight access through an Interface VPC Endpoint.
    Any traffic outside of approved VPCs is blocked from reaching the QuickSight console.
  3. SSO Enforcement
    Integrate Amazon QuickSight with AWS IAM Identity Center or SAML federation so that all logins flow through the enterprise IdP. This ensures MFA and corporate authentication policies are applied consistently.

After careful evaluation, we selected VPC endpoint–based restrictions as the preferred approach, since they provide the strongest network isolation and compliance guarantees.

[Screenshot: IP and VPC endpoint restrictions settings in Amazon QuickSight]

Architecture Overview

Access Restriction

  • IP Allow-listing
    In Security & Permissions → IP and VPC endpoint restrictions, add your corporate VPN or office egress CIDRs so that only traffic from those ranges can reach AWS QuickSight.
  • VPC Endpoint via PrivateLink
    Create an Interface VPC Endpoint for the service name:

      com.amazonaws.<region>.quicksight-website

    Then:

    a) Update corporate DNS so that <region>.quicksight.aws.amazon.com resolves to the VPC endpoint.

    b) In AWS QuickSight, add the endpoint ID under IP and VPC endpoint restrictions and enable enforcement.

    This ensures QuickSight is accessible only through approved VPCs, eliminating public internet exposure.
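The console steps above translate to a single QuickSight API call, UpdateIpRestriction, which replaces the whole rule set at once. The script below is an added example (not from the original post or CloudKeeper's own tooling): it validates a set of allowed CIDRs and VPC endpoint IDs offline, refuses catch-all ranges and malformed prefixes, and guards against the most common failure when enabling the restriction, locking out the administrator whose own egress address is not in the list. The CIDRs, the endpoint ID (vpce-0123456789abcdef0) and the administrator address are constructed placeholders; `apply_restriction` expects a boto3 QuickSight client created by the caller and is the only function that touches AWS.

```python
"""Validate a QuickSight IP / VPC endpoint restriction set before applying it.

Validation runs offline; only apply_restriction() calls AWS, through a boto3
QuickSight client supplied by the caller.
"""
import ipaddress

# Constructed sample values (hypothetical corporate ranges and endpoint ID).
CORPORATE_CIDRS = {
    "203.0.113.0/24": "Corporate VPN egress",
    "198.51.100.10/32": "HQ office NAT gateway",
}
VPC_ENDPOINT_IDS = {
    "vpce-0123456789abcdef0": "quicksight-website interface endpoint (placeholder ID)",
}


def validate_cidr(cidr: str) -> str:
    """Return the CIDR in canonical form, rejecting anything that is not a real
    network prefix or that would allow every address on the internet."""
    # strict=True rejects host bits set (e.g. 10.0.0.1/24), a common typo.
    net = ipaddress.ip_network(cidr, strict=True)
    if net.prefixlen == 0:
        raise ValueError(f"{cidr} is a catch-all range and would defeat the restriction")
    return str(net)


def build_restriction(ip_rules, vpce_rules, admin_ip=None, enabled=True):
    """Build the keyword arguments for quicksight.update_ip_restriction.

    ip_rules   : {cidr: description}     -> IpRestrictionRuleMap
    vpce_rules : {vpce-id: description}  -> VpcEndpointIdRestrictionRuleMap
    admin_ip   : public address the administrator is connecting from; pass None
                 only when the administrator reaches QuickSight through one of
                 the listed VPC endpoints.
    """
    ip_map = {validate_cidr(cidr): desc for cidr, desc in ip_rules.items()}

    for vpce_id in vpce_rules:
        if not vpce_id.startswith("vpce-"):
            raise ValueError(f"{vpce_id} is not a VPC endpoint ID")

    if enabled and not ip_map and not vpce_rules:
        raise ValueError("enabling an empty restriction set would block all access")

    # Lockout guard: once Enabled is True, every source outside the maps is
    # refused, including the console session that turned the restriction on.
    if enabled and admin_ip is not None:
        admin = ipaddress.ip_address(admin_ip)
        if not any(admin in ipaddress.ip_network(c) for c in ip_map):
            raise ValueError(
                f"administrator address {admin_ip} is outside every allowed range; "
                "enabling now would lock the administrator out"
            )

    return {
        "IpRestrictionRuleMap": ip_map,
        "VpcEndpointIdRestrictionRuleMap": dict(vpce_rules),
        "Enabled": enabled,
    }


def apply_restriction(client, account_id: str, params: dict) -> dict:
    """Push the validated rule set with the UpdateIpRestriction API.

    `client` is a boto3 QuickSight client created by the caller, e.g.
    boto3.client("quicksight", region_name="us-west-2"); the region must be the
    account's QuickSight home region.
    """
    return client.update_ip_restriction(AwsAccountId=account_id, **params)


if __name__ == "__main__":
    # Dry run: build and print the request without touching AWS.
    import json

    request = build_restriction(CORPORATE_CIDRS, VPC_ENDPOINT_IDS, admin_ip="203.0.113.45")
    print(json.dumps(request, indent=2))
```

Because UpdateIpRestriction replaces the full rule maps rather than appending to them, fetch the current rules with DescribeIpRestriction first and merge them into `ip_rules` / `vpce_rules`; otherwise a partial update silently drops ranges that other teams depend on.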

Identity & Authentication

  • IAM Identity Center (Recommended)

    a) Add AWS QuickSight as a customer-managed application.

    b) Integrate with your enterprise IdP (e.g., Okta, Azure AD).

    c) All logins are routed through SSO, ensuring MFA and conditional access policies are applied.

  • SAML Federation

    If Identity Center is not available or supported in the Amazon QuickSight region, configure SAML federation directly from your IdP to IAM roles that provide AWS QuickSight access. This still enforces enterprise SSO and MFA policies.

[Screenshot: SAML federation configuration for Amazon QuickSight]

Region Limitations & Migration Considerations

During testing, we attempted to create a VPC connection in us-east-1, but AWS QuickSight redirected us to us-west-2 (Oregon).

This behavior highlights an important limitation:

  • Amazon QuickSight home region is fixed at account creation.
  • Account-level operations (VPC connections, SPICE capacity, account settings) can only be performed in the home region.
  • VPC connections are region-bound and must exist in the same region as AWS QuickSight’s home region.

Workarounds:

  • If Amazon QuickSight is tied to us-west-2, either:

    a) Place data sources in that region, or

    b) Use cross-region networking (PrivateLink/peering) to connect east-coast resources.

  • If the long-term strategy requires AWS QuickSight in us-east-1, unsubscribe from Amazon QuickSight in us-west-2 and re-subscribe in us-east-1.

    a) This migration requires re-creating datasets, analyses, dashboards, and permissions.

[Screenshot: Amazon QuickSight account settings]

Performance & Cost Considerations

Performance (SPICE vs. Direct Query)

  • Direct Query → Sends queries directly to the data source each time.
  • SPICE → In-memory cache with scheduled refreshes; faster performance, reduced load on the database.

Best practices:

  • Use SPICE where possible for a faster user experience.
  • Keep refresh schedules aligned with business needs.
  • Reserve Direct Query for real-time requirements.

SLA

  • Amazon QuickSight provides a 99.9% uptime SLA for the service.
  • Data source availability depends on the underlying infrastructure.

Pricing

  • User roles directly affect cost (Pro vs. Reader vs. Author/Admin).
  • Plan license types carefully to optimize spend.
  • Reference: Amazon QuickSight Pricing

Results

With this solution, we achieved:

  • Private URL access – Amazon QuickSight is reachable only via VPN/corporate IP or approved VPC endpoint.
  • SSO enforcement – All users authenticate via corporate IdP, ensuring governance and MFA.
  • Secure data access – Data sources accessed via VPC connection, not exposed to the internet.
  • Awareness of regional design limitations – Clear understanding of AWS QuickSight’s home region impact.
  • Optimized performance and cost – Balanced use of SPICE, Direct Query, and user roles.

This approach delivers secure, governed, and enterprise-ready Amazon QuickSight deployments, ensuring both compliance and user productivity.

Conclusion

Enterprises adopting Amazon QuickSight must address both network isolation and identity enforcement to ensure secure deployments. By implementing VPC endpoint restrictions and federated SSO login, we created a design that meets enterprise security, compliance, and usability requirements.

If your organization is looking to secure Amazon QuickSight with private connectivity and SSO, CloudKeeper can help.

Meet the Author
  • Anjali Jain
    DevOps Engineer

    Anjali Jain is a cloud enthusiast specializing in Amazon Web Services (AWS) solutions.
