Lightup Cloud

Review details of the Lightup Cloud deployment model.

Sign up for an account

Contact Lightup Support to sign up for a Lightup Cloud account.

After you sign up, Lightup will send the following to you via email:

  • A login link dedicated to your account
  • A Lightup Cloud IP address you can whitelist

Access your Lightup account

If your data is publicly accessible, you are ready to access your Lightup Cloud account: use the dedicated login link you received (it usually looks like https://app.<your-organization>

If your data is hidden behind a corporate firewall or another access control mechanism (e.g., accessible only from within your corporate VPC or on your corporate VPN), you'll need to enable your Lightup Cloud instance to access your data:

  • If your data is accessible on a public endpoint but requires access from an authorized connection origin, we recommend you whitelist the Lightup Cloud IP address.
  • If your data is not accessible on a public endpoint at all, or if whitelisting is otherwise impractical, you can instead set up an SSH tunnel.

Whitelist the Lightup IP address (recommended)

If your data warehouse is accessible on a public endpoint (a public IP or host name like redshift.<your-org>.com) but access has been limited to authorized connection origins only, we recommend you modify your firewall rules to whitelist the Lightup IP address.

Lightup Cloud deploys as a single-tenant instance and originates data warehouse connections from a fixed IP address. You simply need to whitelist the Lightup IP address that's dedicated to your account. You can find this IP address in the account signup welcome email you receive from Lightup.
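As an added example (not part of Lightup's documentation), the following check confirms that a warehouse port is reachable only from the dedicated Lightup IP as a /32 and flags broader rules. It reads ingress rules in the shape returned by `aws ec2 describe-security-groups`; the IP 203.0.113.10, port 5439 and the sample rules are constructed placeholders.

```python
import ipaddress

LIGHTUP_IP = "203.0.113.10"   # placeholder: use the IP from your welcome email
WAREHOUSE_PORT = 5439         # assumption: Redshift's default port


def covers_port(perm, port):
    """True if an IpPermissions entry applies to the given TCP port."""
    proto = perm.get("IpProtocol")
    if proto == "-1":                      # all protocols, all ports
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def audit_ingress(ip_permissions, vendor_ip=LIGHTUP_IP, port=WAREHOUSE_PORT):
    """Return (vendor_allowed, findings) for rules that reach the warehouse port."""
    vendor = ipaddress.ip_network(f"{vendor_ip}/32")
    vendor_allowed, findings = False, []
    for perm in ip_permissions:
        if not covers_port(perm, port):
            continue
        for rng in perm.get("IpRanges", []):
            net = ipaddress.ip_network(rng["CidrIp"], strict=False)
            if net == vendor:
                vendor_allowed = True
            elif net.prefixlen == 0:
                findings.append(f"{net}: port {port} open to the whole internet")
            elif vendor.subnet_of(net):    # admits the vendor IP plus its neighbours
                findings.append(f"{net}: broader than the vendor /32")
        for rng in perm.get("Ipv6Ranges", []):
            if ipaddress.ip_network(rng["CidrIpv6"], strict=False).prefixlen == 0:
                findings.append(f"{rng['CidrIpv6']}: port {port} open to the whole internet")
    return vendor_allowed, findings


# Constructed sample rules, not taken from any real account.
SAMPLE_RULES = [
    {"IpProtocol": "tcp", "FromPort": 5439, "ToPort": 5439,
     "IpRanges": [{"CidrIp": "203.0.113.10/32"}, {"CidrIp": "203.0.113.0/24"}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},          # different port: ignored
    {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
]

if __name__ == "__main__":
    print(audit_ingress(SAMPLE_RULES))
```

Ranges that do not contain the vendor IP (for example your own office CIDR) are treated as other authorized origins and are not flagged.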

Set up an SSH tunnel

If your data warehouse is not accessible on a public endpoint, or whitelisting the Lightup IP address is proving difficult, you can use this alternative. Send us a message at [email protected] (or on your Slack support channel) to request a Lightup connection server that looks like connect.<your-org> We will set up the connection server and provide you with instructions for setting up the SSH tunnel(s) that give your Lightup Cloud instance secure access to your data warehouse(s).

Default security measures

Lightup Cloud instances are deployed with the following default security measures:

  • No data copying: No data from the customer environment is copied over to the Lightup Cloud deployment.
  • Single-tenant deployments: Each customer is housed in a dedicated AWS VPC (single-tenant instances, no multi-tenancy). Dedicated EC2 machines and RDS databases are created on a per customer basis (also single-tenant resources, no multi-tenancy).
  • Minimal access: Those clusters are accessed by Lightup only for maintenance work such as upgrades. Access to Lightup VPC resources is limited, audited, logged and restricted to only within the Lightup VPN.

These default features make Lightup Cloud deployments extremely secure.

Optional additional security

Lightup also supports the following optional security configurations for a Cloud instance, available by request:

  1. Customer IP whitelisting: This configuration whitelists a customer CIDR block to restrict incoming access to the Lightup Cloud.
  2. VPC peering: Lightup Cloud instances are deployed as single-tenant VPCs under the Lightup AWS account. The dedicated VPC of a Lightup Cloud instance can be peered to the customer's AWS VPC, which limits public endpoint visibility and allows routing between private IPs.

To request those additional security measures, please contact us at [email protected].

Connect to internal datasources

Lightup needs a network connection to any datasource you want to add to a workspace. In a Lightup Cloud deployment, datasources inside private environments aren't normally accessible to Lightup.

You can connect to these datasources using AWS PrivateLink or AWS VPC peering.