About private connectivity
The private connection feature is available on the following dbt Enterprise tiers:
- Business Critical
- Virtual Private
To learn more about these tiers, contact us at sales@getdbt.com.
Private connections enable secure communication from any dbt environment to your data platform hosted on a cloud provider, such as AWS or Azure, using that provider's private connection technology. Private connections help dbt customers meet security and compliance controls because traffic between dbt and your data platform does not traverse the public internet. This feature is supported in most regions across North America, Europe, and Asia, but contact us if you have questions about availability.
Private connection endpoints can't connect across cloud providers (AWS, Azure, and GCP). For a private connection to work, both dbt and the server (like a data platform) must be hosted on the same cloud provider. For example, dbt hosted on AWS cannot connect to services hosted on Azure, and dbt hosted on Azure can’t connect to services hosted on GCP.
Private connectivity feature matrix
The following charts outline private connectivity options across dbt multi-tenant (MT) and single-tenant (ST) deployments.
Legend:
- ✅ = Available
- ❌ = Not currently available
- - = Not applicable
- * = Shared endpoint (all others are dedicated)
- Beta = Reported working but not yet directly tested by dbt
Availability indicates whether a private endpoint can be established at the network layer. dbt evaluates common configurations, authentication methods, and integration patterns when determining support. However, due to the wide range of customizations possible in customer environments, not every configuration may be covered. If you have questions about a specific use case, contact dbt Support.
Connecting to dbt Cloud
Your services can connect to dbt over private connectivity. This is available on Single-Tenant deployments only. All connections to dbt Cloud use the dbt-provisioned model.
| Connectivity type | AWS ST | Azure ST |
|---|---|---|
| Private dbt access | ✅ | ✅ |
| Dual access (public + private) | ✅ | ❌ |
Connecting dbt Cloud to data platforms
dbt can establish private connections to your data platforms.
| Service | AWS MT | AWS ST | Azure MT | Azure ST | GCP MT | Provisioning |
|---|---|---|---|---|---|---|
| Snowflake | ✅ | ✅ | ✅ | ✅ | ✅ | Vendor |
| Snowflake Internal Stage | ✅ | ✅ | ✅ | ✅ | ❌ | Vendor |
| Databricks | ✅ | ✅ | ✅ | ✅ | ❌ | Vendor |
| Redshift | ✅ | ✅ | - | - | - | Native |
| Redshift Serverless | ✅ | ✅ | - | - | - | Native |
| Amazon Athena w/ AWS Glue* | ❌ | ✅ | - | - | - | Native |
| Azure Database for PostgreSQL Flexible Server | - | - | ✅ | ✅ | - | Native |
| Azure Synapse | - | - | ✅ | ✅ | - | Native |
| Azure Fabric | - | - | ❌ | ❌ | - | - |
| Google BigQuery* | - | - | - | - | ✅ | Native |
| Teradata VantageCloud | ✅ | ✅ | ✅ | ✅ | ✅ | Vendor |
Connecting dbt Cloud to self-hosted services
dbt can establish private connections to your self-hosted services. All self-hosted connections use the customer-provisioned model.
| Service | AWS MT | AWS ST | Azure MT | Azure ST | GCP MT |
|---|---|---|---|---|---|
| GitHub Enterprise Server | ✅ | ✅ | ✅ | ✅ | ❌ |
| GitLab Self-Managed | ✅ | ✅ | ✅ | ✅ | ❌ |
| Bitbucket Data Center | ✅ | ✅ | ✅ | ✅ | ❌ |
| Azure DevOps Server | ✅ Beta | ✅ Beta | ✅ | ✅ | ✅ Beta |
| AWS CodeCommit | ❌ | ✅ | - | - | - |
| Postgres | ✅ | ✅ | ✅ | ✅ | ✅ |
| Spark | ✅ | ✅ | - | - | - |
| Starburst / Trino | ✅ | ✅ | ✅ | ✅ | ✅ |
| Teradata (self-hosted) | ✅ | ✅ | ✅ | ✅ | ✅ |
For services not explicitly listed above, you can establish private connectivity using the same customer-provisioned approach. This model supports any service that can be placed behind a load balancer and exposed via your cloud platform's private connectivity technology.
To inquire about private connectivity to additional platforms, contact your account team.
Prerequisites by cloud platform:
| Cloud | Load balancer requirement | Resource you create |
|---|---|---|
| AWS | Network Load Balancer | VPC Endpoint Service |
| Azure | Standard Load Balancer | Private Link Service |
| GCP | Internal Proxy Load Balancer | Service Attachment |
Once you create the private connectivity resource, share the resource ID (endpoint service name, alias, or service attachment URI) with dbt to establish the connection.
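A pre-flight check for the resource ID before you share it, as an added example (not dbt's own tooling): it recognises the three resource ID shapes named above and flags an ID whose cloud differs from the one hosting dbt. The function names, the regular expressions (written from each provider's documented naming format), and all sample IDs are assumptions constructed for illustration.

```python
import re

# Resource ID shapes, written from each provider's documented naming format
# (assumption: no stricter rule is applied on the dbt side).
PATTERNS = {
    # AWS VPC Endpoint Service name
    "aws": re.compile(
        r"com\.amazonaws\.vpce\.(?P<region>[a-z0-9-]+)\.vpce-svc-[0-9a-f]{17}"),
    # Azure Private Link Service alias: <prefix>.<guid>.<region>.azure.privatelinkservice
    "azure": re.compile(
        r"[A-Za-z0-9._-]+\.[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}"
        r"\.(?P<region>[a-z0-9]+)\.azure\.privatelinkservice"),
    # GCP Service Attachment URI
    "gcp": re.compile(
        r"projects/[a-z0-9.:-]+/regions/(?P<region>[a-z0-9-]+)"
        r"/serviceAttachments/[a-z0-9-]+"),
}


def classify(resource_id):
    """Return (cloud, region) for a recognised resource ID, else None."""
    for cloud, pattern in PATTERNS.items():
        match = pattern.fullmatch(resource_id.strip())
        if match:
            return cloud, match.group("region")
    return None


def preflight(dbt_cloud, resource_id):
    """Return a list of problems; an empty list means the ID looks shareable."""
    hit = classify(resource_id)
    if hit is None:
        return ["not an endpoint service name, alias, or service attachment URI"]
    cloud, _region = hit
    if cloud != dbt_cloud.lower():
        return [f"resource is on {cloud} but dbt is hosted on {dbt_cloud.lower()}: "
                "cross-cloud private endpoints cannot connect"]
    return []


if __name__ == "__main__":
    # Constructed sample IDs (not real resources).
    for host, rid in [
        ("aws", "com.amazonaws.vpce.us-east-1.vpce-svc-0123456789abcdef0"),
        ("aws", "projects/example-project/regions/us-central1/serviceAttachments/dbt-postgres"),
    ]:
        print(host, rid, preflight(host, rid) or "ok")
```

A load balancer ARN or a full Azure resource path is reported as unrecognised, which catches the common mistake of sharing the wrong identifier.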
Setup guides:
- AWS PrivateLink for self-hosted services
- Azure Private Link for self-hosted services
- GCP Private Service Connect for self-hosted services
If you have questions about whether your configuration is supported, contact dbt Support.
Setting up private connectivity
Cross-region private connections
dbt Labs operates globally connected private networks that host private endpoints and are connected to dbt instance environments. This lets dbt environments connect to any supported region from any dbt instance within the same cloud provider network. To ensure security, access to these endpoints is protected by security groups, network policies, and application connection safeguards, in addition to the authentication and authorization mechanisms provided by each of the connected platforms.
Some GCP services, such as BigQuery, may have regional restrictions for Private Service Connect endpoints. Refer to Google's Private Service Connect documentation for service-specific regional availability.
Configuring private connections
dbt supports the following data platforms for use with the private connections feature. The instructions for enabling private connections differ for each data platform provider. The following guides walk you through the necessary steps, including working with dbt Support to complete the connection in the dbt private network and setting up the endpoint in dbt.
- AWS
- Azure
- GCP
Using environment variables when configuring private connection endpoints isn't supported in dbt. Instead, use Extended Attributes to dynamically change these values in your dbt environment.
Terminology
Parties
| Term | Definition |
|---|---|
| Consumer | The party that creates a private endpoint to connect to a service. The consumer initiates the connection. |
| Service producer | The party that provisions and manages the service that the consumer connects to. The service producer publishes a resource ID that the consumer uses to finalize and establish the connection. |
Provisioning models
These models describe who acts as the service producer (the party that provisions the service that dbt Cloud connects to or that you connect to).
| Term | Definition |
|---|---|
| Native | The cloud platform (AWS, Azure, GCP) is the service producer for its own services (Redshift, Synapse, BigQuery). You obtain the resource ID from the cloud platform and share it with dbt; dbt is the consumer and creates the private endpoint. |
| Vendor | A third-party vendor (Snowflake, Databricks, Teradata) is the service producer. You obtain the resource ID from the vendor and share it with dbt; dbt is the consumer and creates the private endpoint. |
| Customer-provisioned | You are the service producer. You generate your own resource ID (endpoint service name, alias, or service attachment URI) and share it with dbt; dbt is the consumer and creates the private endpoint. |
| dbt-provisioned | dbt is the service producer. You are the consumer and create the private endpoint in your environment to connect to dbt Cloud. This applies only to connections TO dbt Cloud. |