Subnets and Security Groups

Your agent must be deployed within a customer private cloud and requires subnets that allow outbound access to the relevant data sources and destinations, as well as to ECR and to the Matillion CDC websocket endpoint.

This installation guide assumes you have an AWS account and a customer private cloud ready to use. AWS accounts come with a default customer private cloud, although we recommend creating one specifically for CDC use. A customer private cloud can be created with minimal input via the AWS console, but this should only be done under the supervision of your cloud administrator. Matillion cannot give exact guidance in this area, since your organization's security requirements are a determining factor in the configuration you will use.

Required access

Your installation will require a subnet (with a NAT Gateway or NAT instance) and a Security Group with no inbound rules and with outbound access to:

  • Matillion Data Loader
  • Secrets Manager
  • Source database
  • Target staging area
  • The CDC agent image on the ECR Public Repository

It is highly recommended to give open outbound access from the CDC agent where possible.
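
One way to check a security group against the requirements above, as an added example that is not part of Matillion's documentation: it reads output in the shape of `aws ec2 describe-security-groups`, confirms there are no inbound rules, and reports whether egress is open or restricted. The group IDs and CIDR ranges are constructed placeholders, not Matillion or AWS addresses.

```python
import json

# Constructed sample in the shape returned by `aws ec2 describe-security-groups`.
# Group IDs and CIDRs are placeholders (assumptions), not real addresses.
SAMPLE = json.loads("""
{"SecurityGroups": [
  {"GroupId": "sg-0aaa", "IpPermissions": [],
   "IpPermissionsEgress": [
     {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
  {"GroupId": "sg-0bbb",
   "IpPermissions": [
     {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
      "IpRanges": [{"CidrIp": "198.51.100.0/24"}], "Ipv6Ranges": []}],
   "IpPermissionsEgress": [
     {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
      "IpRanges": [{"CidrIp": "203.0.113.10/32"}], "Ipv6Ranges": []}]}
]}
""")

ANYWHERE = {"0.0.0.0/0", "::/0"}

def flatten(rules):
    """Yield (protocol, from_port, to_port, target) for every rule target."""
    for rule in rules:
        proto = rule.get("IpProtocol", "-1")
        targets = [r["CidrIp"] for r in rule.get("IpRanges", [])]
        targets += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
        targets += [p["PrefixListId"] for p in rule.get("PrefixListIds", [])]
        targets += [g["GroupId"] for g in rule.get("UserIdGroupPairs", [])]
        for target in targets:
            yield (proto, rule.get("FromPort"), rule.get("ToPort"), target)

def audit(group):
    """Check one security group: no inbound rules, and open or restricted egress."""
    egress = list(flatten(group.get("IpPermissionsEgress", [])))
    # "Open" means all protocols to any IPv4 or IPv6 destination.
    open_egress = any(p == "-1" and t in ANYWHERE for p, _, _, t in egress)
    return {
        "group": group["GroupId"],
        "no_inbound": not group.get("IpPermissions"),
        "egress": "open" if open_egress else "restricted",
        "allowed": [] if open_egress else egress,
    }

if __name__ == "__main__":
    for sg in SAMPLE["SecurityGroups"]:
        print(audit(sg))
```

For a restricted group, the `allowed` list is what to compare by hand against the destinations the agent needs.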

Locking down outbound traffic

If you must lock down traffic to your subnet, we advise consulting with your cloud/network administrator, security team and Matillion support to help solve the issues you will face. The Matillion CDC agent installation requires regular outbound access to the CDC agent image stored on the Amazon ECR public repository, the address of which is not within Matillion's control and may change with new releases. Working around this usually involves automation that regularly pulls the image and stores it in a private repository.

In addition to the above, and on top of access to your Secrets Manager, source database and target staging area, the following outbound Global Accelerator IP addresses are always required by the CDC agent.
