How-to | Protect data sources#

Dataiku Cloud enables Launchpad administrators to protect access to data sources in a variety of ways, including through fixed IP addresses, a VPN server, and AWS PrivateLink (for Amazon S3 or Snowflake).

Restrict access to Dataiku Cloud IP addresses#

Dataiku Cloud always connects to data sources with fixed IP addresses.

To protect access, you can configure an allow list in your data source firewall. Make sure to allow both IP addresses and add them to any database grant.

The IP addresses depend on your instance’s AWS region and are listed in the Launchpad connection forms.


Do not hesitate to contact us if you need assistance.

Access data sources through a VPN server#

You can configure an OpenVPN tunnel between Dataiku and your network to access your private data sources. The OpenVPN server is under your control and it exposes your data sources. Dataiku uses an OpenVPN client to establish the VPN connection and reach them.


  • VPN is a feature of the Dataiku Cloud Enterprise edition.

  • Dataiku Cloud only supports OpenVPN servers.

  • The private subnets exposed by your OpenVPN server should not overlap the following CIDR ranges:,, or

To configure the VPN:

  1. Go to Launchpad’s Extensions panel.

  2. Add the VPN extension.

  3. Provide an OpenVPN configuration file for clients.

You can choose between:

Routing all traffic

If this option is selected, all outgoing traffic from Dataiku will go through the VPN tunnel. In this case, ensure that all your data sources are accessible from your VPN server, and that your VPN server can also route traffic to the internet so your Cloud instance can function properly.

Routing the traffic to a list of IP ranges

If you deselected the all traffic option, you must list all addresses or ranges for which the traffic will be routed through the VPN.

Optionally, a private DNS server can be used. This let you use your own DNS server to resolve the domains of your private data sources that are accessed through the VPN. You have to fill in the IP address of this DNS server, and the list of domains that should be resolved using this DNS server. The other domains will still be resolved by the regular Dataiku DNS servers.


To enable VPN tunneling, the Dataiku instance needs to be restarted. This operation could take up to 15 minutes.