AWS PrivateLink provides private connectivity from the Immuta SaaS platform to API gateway endpoints hosted on AWS. It ensures that all traffic to the configured endpoints only traverses private networks.

This feature is supported in all regions across Immuta's global segments (NA, EU, and AP); contact your Immuta representative if you have questions about availability.

Requirements

• You have an Immuta SaaS tenant.

• You have an .

• Your private API must exist in .

Configuring API gateway with AWS PrivateLink

1. to allow for access from the Immuta VPC endpoint in the applicable AWS region. The Immuta VPC endpoint IDs are listed in the table below.

Here is an example resource policy:

1. You should now be able to connect to your private API from your Immuta SaaS tenant using your API endpoint, i.e. <api-gateway-id>.execute-api.<region>.amazonaws.com/<stage>/<endpoint>.

Troubleshooting

Issue: I received a permissions error when trying to invoke my private API from Immuta

If you get an error similar to the following:

Check to make sure that the following is true:

• You have authorized the correct VPC endpoint for the region you are targeting in your resource policy.

• Your resource policy allows for execute-api:Invoke privileges on the endpoint you are making requests to from Immuta.

• You have deployed your API after making changes to your resource policy.

provides private connectivity from the Immuta SaaS platform to Databricks accounts hosted on AWS. It ensures that all traffic to the configured endpoints only traverses private networks.

This front-end PrivateLink connection allows users to connect to the Databricks web application, REST API, and Databricks Connect API over a VPC interface endpoint. For details about AWS PrivateLink in Databricks and the network flow in a typical implementation, explore the .

This feature is supported in most regions across Immuta's global segments (NA, EU, and AP); contact your Immuta representative if you have questions about availability.

This section contains information about private connectivity options for Immuta SaaS applications.

Overview

Immuta SaaS applications support private connectivity from customer networks. This allows organizations to meet security and compliance controls by ensuring that no users can access these endpoints outside of their internal networks.

Support for AWS PrivateLink is available in most regions across Immuta's global segments (NA, EU, and AP); contact your Immuta representative if you have questions about availability.

provides private connectivity from the Immuta SaaS platform, hosted on AWS, to Azure Databricks accounts. It ensures that all traffic to the configured endpoints only traverses private networks over the Immuta Private Cloud Exchange.

This front-end Private Link connection allows users to connect to the Databricks web application, REST API, and Databricks Connect API over an Azure Private Endpoint. For details about Azure Private Link for Databricks and the network flow in a typical implementation, explore the .

Support for Azure Private Link is available in .

The Immuta SaaS platform uses Private Service Connect for all BigQuery connections through the Immuta Private Cloud Exchange. This means that all connectivity to Google APIs, including BigQuery, are over a private network connection. This functionality is enabled by default and no customer configuration is required for the private connectivity (unless you have VPC Service Controls enabled). This feature is supported in all regions across Immuta's global segments (NA, EU, and AP).

Azure Private Link provides private connectivity from the Immuta SaaS platform, hosted on AWS, to Azure Synapse workspaces. It ensures that all traffic to the configured endpoints only traverses private networks over the Immuta private cloud exchange.

This uses the Sql Private Link connection to allow users to connect to the Azure Synapse dedicated SQL pools over an Azure Private Endpoint. For details about Azure Private Link for Azure Synapse and the network flow in a typical implementation, see the Azure Synapse documentation.

Support for Azure Private Link is available in .

Requirements

Ensure that your accounts meet the following requirements:

• You have an Immuta SaaS tenant.

• You have an Azure Synapse workspace with a dedicated SQL pool.

Configure Synapse workspace with Azure Private Link

1. Contact your Immuta representative and provide the following information for each Azure Synapse workspace you want to connect to:

   • Azure region

   • Azure Synapse workspace SQL

AWS PrivateLink provides private connectivity from the Immuta SaaS platform to Redshift clusters hosted on AWS. It ensures that all traffic to the configured endpoints only traverses private networks.

This feature is supported in most regions across Immuta's global segments (NA, EU, and AP); contact your Immuta representative if you have questions about availability.

Requirements

• You have an Immuta SaaS tenant.

• You have set up an for your Redshift Cluster endpoints.

  • When creating the service, make sure that the Require Acceptance option is checked (this does not allow anyone to connect, all connections will be blocked until the Immuta service principal is added).

Configure Redshift with AWS PrivateLink

1. Open a support ticket with with the following information:

   • AWS region

   • AWS subnet availability zones IDs (e.g. use1-az3; these are not the account-specific identifiers like us-east-1a

AWS PrivateLink provides private connectivity from the Immuta SaaS platform to PostgreSQL database engines hosted on Amazon Aurora and Amazon RDS. It ensures that all traffic to the configured endpoints only traverses private networks.

This feature is supported in most regions across Immuta's global segments (NA, EU, and AP); contact your Immuta representative if you have questions about availability.

Requirements

Immuta SaaS hosts AWS PrivateLink services that organizations can configure Amazon VPC endpoint connections to, which ensures that all traffic to Immuta SaaS only traverses private networks.

This feature is supported in most regions across Immuta's global segments (NA, EU, and AP); contact your Immuta representative if you have questions about availability.

Configuring AWS PrivateLink connections to the Govern app

Requirements

• You have an Immuta SaaS tenant.

• You have an Amazon VPC in one of the supported regions listed in the below.

• Clients (users or services) can access the Amazon VPC network where the AWS PrivateLink endpoint will be created.

Create PrivateLink endpoint

You will need to create an AWS PrivateLink endpoint to connect directly to your tenant over the Immuta SaaS network. Please refer to the for instructions on creating an endpoint.

Immuta has a set of that you can connect to in different global segments. When creating your endpoint, please choose the service in the same region as your tenant. If you do not know what region your tenant is in, please contact your Immuta representative.

NA global segment

EU global segment

AP global segment

Configuring security group access

VPC endpoints must be associated with at least one security group upon creation. Please ensure that traffic from your clients to port 443 is allowed.

Configure privatelink.immutacloud.com DNS

In order to direct traffic to your PrivateLink endpoint for your tenant hostname, you will need to set up DNS resolution in your network for the privatelink.immutacloud.com domain. For instructions on how to do this, please refer to your internal DNS provider's documentation.

Once you have resolution for the domain configured, you will need to create a CNAME DNS record that resolves <tenant name>.privatelink.immutacloud.com to your newly-created VPC endpoint's DNS name.

For example, if your tenant's hostname is example.hosted.immutacloud.com and your VPC endpoint DNS name is vpce-0d363d9ea82658bec-e4wo04x9.vpce-svc-0d12345ddd89101112.us-east-1.vpce.amazonaws.com, you should create a CNAME record that resolves example.privatelink.immutacloud.com to your VPC endpoint DNS name.

The end result should be that, inside your network, DNS resolution for your tenant hostname will direct traffic to your VPC Endpoint.

Have your connection request accepted

Once you have configured DNS, you will need to contact your Immuta representative with the following information in order to have your VPC endpoint connection request accepted and PrivateLink enabled for your tenant:

• Tenant name

• AWS region

• VPC endpoint ID

After the request is completed, please continue to use your standard hostname (e.g. example.hosted.immutacloud.com) to access your tenant. An Immuta-managed CNAME record will direct that traffic to your PrivateLink hostname (e.g. example.privatelink.immutacloud.com).

Configuring SCIM integrations that require public endpoints

Identity providers that support SCIM often require that the endpoints that they interact with are publicly accessible. In order to accommodate this traffic, Immuta can configure a separate, SCIM-only public traffic ingress for your tenant.

If needed, request a public SCIM ingress when you contact your Immuta representative to have Immuta SaaS private networking enabled.

Configuring private networking for multiple tenants

If you have multiple Immuta SaaS tenants that you need to enable Immuta SaaS private networking for, you only need to configure one endpoint per global segment. For example, if all your tenants are in the EU global segment, you only need to create a VPC endpoint in one of the EU regions from the table above.

While having at least one is required, it is possible to configure multiple endpoints, either for redundancy or to support traffic to your tenants from distinct, isolated networks. If you do create multiple VPC endpoints, please provide all the VPC endpoint IDs from your connection requests to your Immuta representative.

You will still need to create a privatelink.immutacloud.com CNAME record for each tenant. Please ensure that, if you've created separate VPC endpoints per tenant, the CNAME record references the correct VPC endpoint DNS name.

Configuring AWS PrivateLink connections to the Request app

Requirements

• You have an Immuta SaaS tenant.

• You have an Amazon VPC in one of the supported regions listed in the above.

• Clients (users or services) can access the Amazon VPC network where the AWS PrivateLink endpoint will be created.

Configure Request app DNS

Immuta SaaS Private Networking for the Request app will use the same VPC endpoint as the one created for the Govern app, so the only required additional configuration is DNS-related.

In order to direct traffic to your PrivateLink endpoint for the Request app, you will need to set up DNS resolution in your network for the following domains:

• app.immutacloud.com

• marketplace-fe.immutacloud.com

For instructions on how to do this, refer to your internal DNS provider's documentation.

Once you have resolution for the domain configured, you will need to create a CNAME DNS record that resolves those domains to your PrivateLink VPC endpoint's DNS name (the same endpoints used for the Governance PrivateLink).

For example, if your VPC endpoint DNS name is vpce-0d363d9ea82658bec-e4wo04x9.vpce-svc-0d12345ddd89101112.us-east-1.vpce.amazonaws.com, you should create CNAME records that resolve app.immutacloud.com and marketplace-fe.immutacloud.com to your VPC endpoint DNS name.

The end result should be that, inside your network, DNS resolution to app.immutacloud.com and marketplace-fe.immutacloud.com will direct traffic to your VPC endpoint, and the Request app should be accessible along with your tenant.

This section contains information about private connectivity options for Databricks integrations.

Overview

The Immuta SaaS platform supports private connectivity to Databricks on AWS and the Azure Databricks Service. This allows organizations to meet security and compliance controls by ensuring that traffic to data sources from Immuta SaaS only traverses private networks, never the public internet.

• Support for AWS PrivateLink is available in most regions across Immuta's global segments (NA, EU, and AP); contact your Immuta representative if you have questions about availability.

• Support for Azure Private Link is available in .

Configuration guides

Immuta SaaS supports two different kinds of private networking:

• Data connection private networking: Enables private connectivity from the Immuta SaaS network and a user's data platforms or private APIs over either AWS PrivateLink or Azure Private Link. This is useful for organizations with security and compliance policies that require that their data platforms and APIs are not routable over the public internet (even with a firewall in place).

• Immuta SaaS private networking: Enables private connectivity from a user's network to an Immuta SaaS tenant. It will require Immuta SaaS users to connect over a private endpoint. This is useful for organizations with security and compliance policies that require that the SaaS applications they use are not publicly accessible.

A simple way to understand the difference between these two features: Data connection private networking is outbound from Immuta to an organization's data sources, where the organization creates the private service endpoint for Immuta SaaS to connect to. Immuta SaaS private networking is inbound to Immuta from an organization's network, where Immuta creates the private service endpoint for users to connect to.

Data connection private networking

Although AWS PrivateLink and Azure Private Link differ in their implementation details, they are fundamentally similar offerings. Organizations can expose private services on AWS or Azure networks that Immuta SaaS can establish a connection to. How this is done can vary significantly by both data platform and hosting cloud provider, which is why this documentation has been broken down into specific instructions for each combination in the support matrix below.

Over time, the breadth and depth of private networking support will continue to grow. If there are specific data platforms and/or cloud providers that you require, which are either not listed or not yet supported, please contact your Immuta representative.

Private networking across regions and global segments

Immuta SaaS's global network is divided into large geographic regions called . All Immuta SaaS tenants are deployed into an AWS region inside their chosen segment.

Occasionally, it may be required to connect to data sources outside of a specific region. To meet those needs, Immuta SaaS supports both cross-region and cross-global-segment connectivity.

Cross-region private networking

This involves connecting to data sources in a different region within a given global segment.

Examples

• a tenant in us-east-1 needs to connect to a Snowflake account in AWS'sus-east-2 region.

• a tenant in us-west-2 needs to connect to an Azure Databricks workspace in the westus2 region.

Cross-global-segment private networking

This involves connecting to data sources in a region outside of the tenant's global segment.

Examples

• a tenant in the EU Global Segment needs to connect to a Snowflake account in us-east-2.

• a tenant in the AP Global Segment needs to connect to a Starburst instance hosted in Azure's eastus2 region.

Immuta SaaS private networking

The fundamental mechanism that underlies Immuta SaaS private networking is an Immuta SaaS private endpoint service (e.g. an ) which organizations can establish a connection to via a private endpoint (e.g. an ).

Once the endpoint-service connection is established, organizations then configure DNS resolution in their network to resolve their governance private FQDN (e.g.<tenant>.privatelink.immutacloud.com) to their private endpoint. Organizations can continue to access their Immuta SaaS tenants using their standard governance FQDN (e.g. <tenant>.hosted.immutacloud.com), which will now automatically resolve to their private FQDN.

As with data connection private networking the specifics of configuring Immuta SaaS private networking can vary by the cloud provider the source network is hosted on. Please consult the support matrix below for specific instructions.

Immuta can enforce policies on data in your dashboards when your BI tools are connected directly to your compute layer.

This page provides recommendations for configuring the interaction between your database, BI tools, and users.

Connect directly to the database instead of extracts or imports

To ensure that Immuta applies access controls to your dashboards, connect your BI tools directly to the compute layer where Immuta enforces policies without using extracts. Different tools may call this feature different names (such as live connections in Tableau or DirectQuery in Power BI).

Connecting your tools directly to the compute layer without using extracts will not impact performance and provides host of other benefits. For details, see .

Use personal credentials to authenticate and query data

Personal credentials need to be used to query data from the BI tool so that Immuta can apply the correct policies for the user accessing the dashboard. Different authentication mechanisms are available, depending on the BI tool, connector, and compute layer. However, Immuta recommends to use one of the following methods:

• Use OAuth single sign (SSO) on when available, as it offers the best user experience.

• Use username and password authentication or personal access tokens as an alternative if OAuth is not supported.

• Use impersonation if you cannot create and authenticate individual users in the compute layer. Impersonation allows users to query data as another Immuta user. For details, see the .

For configuration guidance, see and .

Authentication method matrix

Immuta has verified several popular BI tool and compute platform combinations. The table below outlines these combinations and their recommended authentication methods. However, since these combinations depend on tools outside Immuta, consult the platform documentation to confirm these suggestions.

provides private connectivity from the Immuta SaaS platform, hosted on AWS, to Snowflake Accounts on Azure. It ensures that all traffic to the configured endpoints only traverses private networks over the Immuta Private Cloud Exchange.

Support for Azure Private Link is available in .

Requirements

Specify authentication method

When creating a data source in Power BI, specify Microsoft Account as the authentication method, if available. This setting allows you to use your enterprise SSO to connect to your compute platform.

Set up DirectQuery

After connecting to the compute platform and the tables to use for your data source, select DirectQuery to connect to the data source. This setting is required for Immuta to enforce policies.

Publish data

After you publish the datasets to the Power BI service, force users to use their personal credentials to connect to the compute platform by following the steps below.

1. Enable SSO in the tenant admin portal under Settings -> Admin portal -> Integration settings.

2. Find the option to manage Data source credentials under Settings -> Datasets.

3. For most connectors you can enable OAuth2 as the authentication method to the compute platform.

Resources

• Snowflake guides:

The system status tab allows administrators to export a zip file called the Immuta status bundle. This bundle includes information helpful to assess and solve issues within an Immuta tenant by providing a snapshot of Immuta, associated services, and information about the remote source backing any of the selected data sources.

1. Click the App Settings icon.

2. Select the System Status tab.

AWS PrivateLink provides private connectivity from the Immuta SaaS platform to Starburst (Trino) Clusters hosted on AWS. It ensures that all traffic to the configured endpoints only traverses private networks.

This feature is supported in most regions across Immuta's global segments (NA, EU, and AP); contact your Immuta account manager if you have questions about availability.

Requirements

• You have an Immuta SaaS tenant.

• Your Starburst (Trino) Cluster is hosted on AWS.

• You have set up an for your Starburst Cluster endpoints.

  • When creating the service, make sure that the Require Acceptance option is checked (this does not allow anyone to connect; all connections will be blocked until the Immuta Service Principal is added).

  • Only TCP connections over IPv4 are supported.

• Your Starburst (Trino) cluster endpoints are secured with TLS certificates for encryption in-transit.

  • The presented certificate must have the Fully-Qualified Domain Name (FQDN) of your cluster hostname as a Subject Alternative Name (SAN). This can either be a wildcard (e.g. *.example.com) or specific to the host (e.g. starburst.example.com)

Configure Starburst (Trino) with AWS PrivateLink

1. Open a support ticket with with the following information:

   • AWS region

   • AWS subnet availability zones IDs (e.g. use1-az3; these are not the account-specific identifiers like us-east-1a

These sections contain information about private connectivity options from Immuta to various data platforms and APIs.

Data platform connectivity guides

• AWS PrivateLink for API gateway

Use Existing Identity Access Manager

See the Identity managers documentation for how-to guides for your IAM protocol.

Set Default Permissions

To set the default permissions granted to users when they log in to Immuta, click the Default Permissions dropdown menu, and then select permissions from this list.

Link External Catalogs

See the .

Add a Project Workspace

1. Click the App Settings icon in the navigation menu.

2. Select Add Workspace.

3. Use the dropdown menu to select the Databricks Workspace Type.

Add An Integration

Integration settings

Follow the to set up the integration.

Global Integration Settings

Snowflake Audit Sync Schedule

Requirements: See the requirements for Snowflake audit on the .

To configure the ,

1. Click the App Settings icon in the navigation menu.

2. Navigate to the Global Integration Settings section and within that the Snowflake Audit Sync Schedule.

3. Enter an integer into the textbox. If you enter 12, the audit sync will happen once every 12 hours, so twice a day.

Databricks Unity Catalog Configuration

Audit

Requirements: See the requirements for Databricks Unity Catalog audit on the .

To configure the ,

1. Click the App Settings icon in the navigation menu.

2. Navigate to the Global Integration Settings section and within that the Databricks Unity Catalog Configuration.

3. Enter an integer into the textbox. If you enter 12, the audit sync will happen once every 12 hours, so twice a day.

Additional privileges required for access

By default, Immuta will revoke Immuta users' USE CATALOG and USE SCHEMA privileges in Unity Catalog for users that do not have access to any of the resources within that catalog/schema. This includes any USE CATALOG or USE SCHEMA privileges that were granted outside of Immuta.

To disable this setting,

1. Click the App Settings icon in the navigation menu.

2. Navigate to Global Integration Settings > Databricks Unity Catalog Configuration.

3. Click the Revoke additional privileges required for access checkbox to disable the setting.

See the for details about this setting.

Initialize Kerberos

To configure Immuta to protect data in a kerberized Hadoop cluster,

1. Click the App Settings icon in the navigation menu.

2. Upload your Kerberos Configuration File, and then you can modify the Kerberos configuration in the edit window.
3. Upload your Keytab File.

Generate System API Key

1. Click the App Settings icon in the navigation menu.

2. Click the Generate Key button.

3. Save this API key in a secure location.

Audit Settings

Enable Exclude Query Text

By default, query text is included in query audit events from Snowflake, Databricks, and Starburst (Trino).

When query text is excluded from audit events, Immuta will retain query event metadata such as the columns and tables accessed. However, the query text used to make the query will not be included in the event. This setting is a global control for all configured integrations.

To exclude query text from audit events,

1. Click the App Settings icon in the navigation menu.

2. Scroll to the Audit section.

3. Check the box to Exclude query text from audit events.

Configure Governor and Admin Settings

These options allow you to restrict the power individual users with the GOVERNANCE and USER_ADMIN permissions have in Immuta. Click the checkboxes to enable or disable these options.

Create Custom Permissions

You can create custom permissions that can then be assigned to users and leveraged when building subscription policies. Note: You cannot configure actions users can take within the console when creating a custom permission, nor can the actions associated with existing permissions in Immuta be altered.

To add a custom permission, click the Add Permission button, and then name the permission in the Enter Permission field.

Create Custom Data Source Access Requests

To create a custom questionnaire that all users must complete when requesting access to a data source, fill in the following fields:

1. Click the App Settings icon in the navigation menu.

2. Opt for the questionnaire to be required.

3. Key: Any unique value that identifies the question.

Create Custom Login Message

To create a custom message for the login page of Immuta,

1. Click the App Settings icon in the navigation menu.

2. Enter text in the Enter Login Message box. Note: The message can be formatted in markdown.

3. Opt to adjust the Message Text Color and Message Background Color by clicking in these dropdown boxes.

Prevent Automatic Table Statistics

To disable the automatic collection of statistics with a particular tag,

1. Click the App Settings icon in the navigation menu.

2. Use the Select Tags dropdown to select the tag(s).

3. Click Save.

Randomized response

When a randomized response policy is applied to a data source, the columns targeted by the policy are queried under a fingerprinting process. To enforce the policy, Immuta generates and stores predicates and a list of allowed replacement values that may contain data that is subject to regulatory constraints (such as GDPR or HIPAA) in Immuta's metadata database.

The location of the metadata database depends on your deployment:

• Self-managed Immuta deployment: The metadata database is located in the server where you have your external metadata database deployed.

• SaaS Immuta deployment: The metadata database is located in the AWS global segment you have chosen to deploy Immuta.

To ensure this process does not violate your organization's data localization regulations, you need to first activate this masking policy type before you can use it in your Immuta tenant.

1. Click the App Settings icon in the navigation menu.

2. Navigate to the Other Settings section and scroll to the Randomized Response feature.

3. Select the Allow users to create masking policies using Randomized Response checkbox to enable use of these policies for your organization.

Advanced Settings

Preview Features

If you enable any Preview features, provide feedback on how you would like these features to evolve.

Complex Data Types

1. Click the App Settings icon in the navigation menu.

2. Navigate to the Advanced Settings section, and scroll to the Preview Features.

3. Check the Allow Complex Data Types checkbox.

AWS PrivateLink provides private connectivity from the Immuta SaaS platform to Snowflake accounts hosted on AWS. It ensures that all traffic to the configured endpoints only traverses private networks.

This feature is supported in most regions across Immuta's global segments (NA, EU, and AP); contact your Immuta representative if you have questions about availability.

Requirements

• You have an Immuta SaaS tenant.

• Your Snowflake account is hosted on AWS.

• Your Snowflake account is on the .

• You have ACCOUNTADMIN role on your Snowflake account to configure the Private Link connection.

• You have enabled .

Using Snowflake network policies with AWS PrivateLink

allow you to limit access to your Snowflake service endpoints. can be used with those network policies to define the specific IP CIDR blocks or AWS VPC endpoints that are allowed. Immuta supports both, but we highly recommend that you configure your network rules to reference our VPC endpoints and not our CIDR block.

VPC endpoint network rule

With a network rule type of AWSVPCEID, you can use the following table of Immuta's VPC endpoints by AWS region to configure access from Immuta SaaS to your Snowflake service:

IPv4 network rule

With a network rule type of IPV4, you must configure an IP address block of 10.0.0.0/8.

This size of block is required because traffic could come from anywhere in Immuta's network. Immuta has globally distributed compute and does not assign static IP addresses to any workloads. This is why you should use VPC endpoint network rules instead.

Configure Snowflake with AWS PrivateLink

1. In your Snowflake environment, run the following SQL query, which will return a JSON object with the connection information you will need to include in your support ticket:

2. Copy the returned JSON object into a support ticket with to request for the feature to be enabled on your Immuta SaaS tenant.

3. using the privatelink-account-url from the JSON object in step one as the Host.

The Immuta SaaS platform uses AWS PrivateLink for S3 to provide private connectivity for all S3 services in AWS. Immuta is utilizing S3 Gateway VPC endpoints for private connectivity from all SaaS networks, so connections to S3 connect over PrivateLink by default without any extra configuration. This feature is supported in all regions across Immuta's global segments (NA, EU, and AP).

Azure Private Link provides private connectivity from the Immuta SaaS platform, hosted on AWS, to Starburst (Trino) clusters on Azure. It ensures that all traffic to the configured endpoints only traverses private networks over the Immuta Private Cloud Exchange.

Support for Azure Private Link is available in all Azure regions.

Prerequisites

• You have an Immuta SaaS tenant.

• Your Starburst (Trino) cluster is hosted on Azure.

• You have set up an for your Starburst cluster.

  • The Private Link Service's should be set to Restricted by Subscription.

Configure Starburst (Trino) with Azure Private Link

1. Open a support ticket with with the following information:

   • Azure region

   • Azure Private Link service resource ID or alias

Specify authentication method

When creating the data source in Tableau, specify the authentication method as Sign in using OAuth. This setting will allow you to use your enterprise SSO to connect to your compute platform.

Set up a live connection

After connecting to the compute platform, select the tables you will use for your data source. Then, select Live connection. This setting is required for Immuta to enforce policies.

Credential prompt

To share your dashboard to your organization, publish your data sources. During this process, set the authentication method to Prompt user. This option ensures that dashboard viewers will see the data according to their personal policies.

Resources

• Snowflake guide:

• Databricks guides:

This section contains information about private connectivity options for Snowflake integrations.

Overview

The Immuta SaaS platform supports private connectivity to Snowflake accounts hosted in both AWS and Azure. This allows organizations to meet security and compliance controls by ensuring that traffic to data sources from Immuta SaaS only traverses private networks, never the public internet.

• Support for AWS PrivateLink is available in most regions across Immuta's global segments (NA, EU, and AP); contact your Immuta representative if you have questions about availability.

• Support for Azure Private Link is available in .

Configuration guides

GCP Private Service Connect provides private connectivity from the Immuta SaaS platform to Databricks accounts hosted on Google Cloud Platform (GCP). It ensures that all traffic to the configured endpoints only traverses private networks over the Immuta private cloud exchange. This front-end Private Service Connect connection allows users to connect to the Databricks web application, REST API, and Databricks Connect API over a VPC endpoint.

Requirements

Ensure that your accounts meet the following requirements:

• You have an Immuta SaaS tenant.

• Your Databricks workspace is hosted on Google Cloud Platform (GCP) that has .

• You have your Databricks Enterprise account ID.

This process will require configuring a service account in GCP and administrative access to the Databricks account in GCP. For details about Databricks authentication with Google Identity, see the .

Configure Databricks with GCP Private Service Connect

Follow these steps to establish private connectivity between Immuta and your Databricks environment:

1. Create a service account in GCP. Ensure that a principal (either a user or a different service account) has the roles/iam.serviceAccountTokenCreator role attached for this newly created service account. For more information, refer to the .

2. Add the newly created service account email to your Databricks account with admin rights to be able to add network endpoints. For guidance, see the .

3. Open an and provide the following information:

1. Validate that any private access settings attached to your workspaces that need connectivity have the newly created endpoints added (either accepting the Account level or ).

After these steps, you should be able to connect your Immuta tenant to Databricks workspaces in GCP under the connected account.

This section contains information about private connectivity options for Starburst (Trino) integrations.

Overview

The Immuta SaaS platform supports private connectivity to Starburst (Trino) clusters hosted in both AWS and Azure. This allows organizations to meet security and compliance controls by ensuring that traffic to data sources from Immuta SaaS only traverses private networks, never the public internet.

• Support for AWS PrivateLink is available in most regions across Immuta's global segments (NA, EU, and AP); contact your Immuta representative if you have questions about availability.

• Support for Azure Private Link is available in .

Configuration guides