

After careful consideration, we decided to end support for Amazon FinSpace, effective October 7, 2026. Amazon FinSpace will no longer accept new customers beginning October 7, 2025. As an existing customer with an Amazon FinSpace environment created before October 7, 2025, you can continue to use the service as normal. After October 7, 2026, you will no longer be able to use Amazon FinSpace. For more information, see [Amazon FinSpace end of support](https://docs.aws.amazon.com/finspace/latest/userguide/amazon-finspace-end-of-support.html). 

# Managed kdb Insights environments
<a name="finspace-managed-kdb-environment"></a>

The Managed kdb Insights environment provides a logical container where you can launch and run clusters, and store data from kdb that can be used by the clusters.

All resources in the Managed kdb environment run in AWS managed accounts and not in the customer account. The Managed kdb environment dedicated account is not shared with the existing FinSpace dataset browser environment. 

# Managing kdb environments
<a name="using-kdb-environment"></a>

The following sections provide a detailed overview of the operations that you can perform by using a Managed kdb Insights environment.

## Creating a kdb environment
<a name="create-kdb-environment"></a>

**Note**  
You can only create one kdb environment per Region per AWS account.

**To create a kdb environment**

1. Sign in to the AWS Management Console and open the Amazon FinSpace console at [https://console.aws.amazon.com/finspace](https://console.aws.amazon.com/finspace/landing).

1. Choose **Kdb environments**.

1. On the getting started page, choose **Create kdb environment**.

1. On the **Create kdb environment** page, enter the environment name and description.

1. Choose a symmetric encryption KMS key to encrypt data in your kdb environment. If a KMS key is not available in the Region where you want to create your FinSpace environment, create a new key.

   For more information, see [Creating keys](https://docs.aws.amazon.com/kms/latest/developerguide/create-keys.html) in the *AWS Key Management Service Developer Guide*.

1. (Optional) Add a new tag to assign it to your kdb environment. For more information, see [AWS tags](https://docs.aws.amazon.com/finspace/latest/userguide/create-an-amazon-finspace-environment.html#aws-tags). 
**Note**  
You can only add up to 50 tags to your environment.

1. Choose **Create kdb environment**. The environment creation process begins and the environment details page opens. The environment creation process takes a few minutes to finish in the background.

   You can view the status of environment creation under the kdb environment configuration section.

   After the environment is successfully created, you can add network configuration, databases, and clusters to the environment.

## Updating a kdb environment
<a name="update-kdb-environment"></a>

**To update a kdb environment**

1. Sign in to the AWS Management Console and open the Amazon FinSpace console at [https://console.aws.amazon.com/finspace](https://console.aws.amazon.com/finspace/landing).

1. Choose **Kdb environments**.

1. From the kdb environments table, choose the name of the environment.

1. On the environment details page, choose **Edit**.

1. Edit the environment details.
**Note**  
You can only edit the **Name** and **Description**.

1. Choose **Update kdb environment**. You can view the updated details on the environment details page. 

## Viewing kdb environment details
<a name="view-kdb-environment"></a>

**To view and get details of a kdb environment**

1. Sign in to the AWS Management Console and open the Amazon FinSpace console at [https://console.aws.amazon.com/finspace](https://console.aws.amazon.com/finspace/landing).

1. Choose **Kdb environments**. 

1. From the kdb environments table, choose the name of the environment.

   The environment details page opens where you can view details about the environment, add or view network configuration, create new databases, and add clusters.

## Deleting a kdb environment
<a name="delete-kdb-environment"></a>

**Note**  
This action is irreversible. Deleting a kdb environment will delete all resources (users, clusters, and databases) and their metadata in the account. After you initiate a deletion request, the billing for resources in an environment will stop immediately.

**To delete a kdb environment**

1. Sign in to the AWS Management Console and open the Amazon FinSpace console at [https://console.aws.amazon.com/finspace](https://console.aws.amazon.com/finspace/landing).

1. Choose **Kdb environments**.

1. From the kdb environments table, choose the name of the environment.

1. On the environment details page, choose **Delete**.

1. On the confirmation dialog box, enter *confirm*.

1. Choose **Delete**.

# Managing environment network settings
<a name="manage-environment-network"></a>

For each Managed kdb Insights environment, you can configure a network connection to allow the Managed kdb clusters running in your environment infrastructure account to access resources in your internal network. You can create a connection by connecting your infrastructure account to an existing transit gateway in your organization. 

After you add a network, you can also specify details for the DNS servers that your Managed kdb clusters will use to resolve resources outside of your Managed kdb environment. After your Managed kdb environment is connected to your network, you can optionally configure your network to allow outbound traffic from your environment to the internet. This connectivity is managed by your network infrastructure. Managed kdb doesn't support direct internet access (inbound or outbound).

## Prerequisites
<a name="managed-env-network-prereq"></a>

Before you proceed, complete the following prerequisites:
+ Make sure that a kdb environment has been created. For more information, see [Creating a kdb environment](using-kdb-environment.md#create-kdb-environment).
+ Make sure that a transit gateway has been created in AWS Transit Gateway. For more information, see [Create the transit gateway](https://docs.aws.amazon.com/vpc/latest/tgw/tgw-getting-started.html#step-create-tgw) in the *AWS Transit Gateway User Guide*.
+ Make sure that you have a */26 (64)* IP address range from the *100.64.0.0/10* range that you can allocate to the subnets that connect to your transit gateway.

## Creating a network connection
<a name="create-network-connection"></a>

You can configure a network connection to allow the Managed kdb clusters running in your environment infrastructure account to access resources in your internal network. 

Optionally, you can also define how you manage the outbound traffic from kdb network to your internal network. You do this by configuring the attachment network access control lists (ACLs).

A network ACL allows or denies specific outbound traffic at the subnet level. You can use the default network ACL for your VPC. Alternatively, to add an additional layer of security to your VPC, you can create a custom network ACL for your VPC with rules that are similar to the rules for your security groups. For more information, see the [Network ACL rules](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html#nacl-rules) in the *Amazon VPC User Guide*.

**Note**  
You can only configure one network connection per Managed kdb environment.
You cannot delete a network connection. To remove the existing network and the network ACL attachments, delete the Managed kdb environment.

**To create a network connection**

1. Sign in to the AWS Management Console and open the Amazon FinSpace console at [https://console.aws.amazon.com/finspace](https://console.aws.amazon.com/finspace/landing).

1. Choose **Kdb environments**.

1. From the kdb environments table, choose the name of the environment.

1. On the environment details page, under the **Network** tab, choose **Add network configuration**.

1. On the **Add network configuration** page, enter a transit gateway ID and the CIDR range that will be used for the subnets connecting to your internal network. For more information, see the [*Amazon VPC Transit Gateways User Guide*](https://docs.aws.amazon.com/vpc/latest/tgw/tgw-transit-gateways.html#create-tgw).
**Note**  
When you add a transit gateway without creating a network ACL, all outbound traffic is allowed by default.

1. (Optional) Add rules to define how you want to manage the outbound traffic from the kdb network to your internal network. Choose **Add new rule** to allow or deny outbound traffic for each port range and destination. 
**Note**  
When you create a network ACL rule, by default all other traffic is denied.
We process the ACL rules according to the rule numbers, in ascending order.

1. Choose **Save**. The connection creation process begins and the environment details page opens from where you can check the status under the **Network** tab.

## Editing a network
<a name="edit-network"></a>

**Note**  
You can't edit the transit gateway ID and CIDR routable space for your network.
You can only edit the network ACL configurations for your network.

**To edit a network connection**

1. Sign in to the AWS Management Console and open the Amazon FinSpace console at [https://console.aws.amazon.com/finspace](https://console.aws.amazon.com/finspace/landing).

1. Choose **Kdb environments**.

1. From the kdb environments table, choose the name of the environment.

1. On the environment details page, under the **Network** tab, choose **Edit network**.

1. On the **Edit network** page, add or modify the network ACL rules as required.

1. Choose **Save changes**. The updates are available on the environment details page.

## Adding DNS details
<a name="network-connection-dns"></a>

You can set the DNS resolver that the Managed kdb Insights compute nodes will use for resolving IP addresses. This is useful if you want to connect from your Managed kdb compute clusters to resources like on-premises kdb ticker plants or other resources. We recommend you add DNS details only after you have successfully configured a network in your Managed kdb environment.

**Note**  
You can only add one DNS server and IP address per Managed kdb environment.

**To add DNS details**

1. Sign in to the AWS Management Console and open the Amazon FinSpace console at [https://console.aws.amazon.com/finspace](https://console.aws.amazon.com/finspace/landing).

1. Choose **Kdb environments**.

1. From the kdb environments table, choose the name of the environment.

1. Under **DNS details**, choose **Add details**.

1. On the **Add DNS details** page, enter the DNS server name and IP address that the clusters running in the Managed kdb environment will use.

1. Choose **Add DNS details**. The **environment details** page opens and the DNS details are added in the **DNS details** section, from where you can edit the DNS details.

# Tutorial: Configuring and validating outbound network connectivity through transit gateway
<a name="tutorial-outbound-ntw-tgw"></a>

An Amazon FinSpace Managed kdb environment allows you to connect to kdb or q processes in your account through a transit gateway, without going over the internet. This section demonstrates how to set up outbound network connectivity from a FinSpace Managed kdb environment to your virtual private cloud (VPC) and validate connectivity from an RDB cluster to a q process on an Amazon EC2 instance in your network.

**Topics**
+ [Prerequisites](#prereq-kdb-tgw)
+ [Setup diagram](#tgw-setup-diag)
+ [Step 1: Configuring a network connection to create FinSpace VPC transit gateway attachment](step1-config-ntw.md)
+ [Step 2: Adding DNS details to your network connection](step2-dns-details.md)
+ [Step 3: Setting up a transit gateway VPC attachment from your VPC](step3-setup-tgw-attachment.md)
+ [Step 4: Configuring routes in your VPC route tables](step4-config-routing-tgw.md)
+ [Step 5: Configuring security group inbound rules](step5-config-inbound-rule.md)
+ [Step 6: Validating network connectivity](step6-validate-ntw.md)
+ [Step 7: Validating connection using the DNS server configuration](step7-validate-connection-dns-server.md)

## Prerequisites
<a name="prereq-kdb-tgw"></a>

Before you proceed, complete the following prerequisites:
+ Create a kdb environment. For more information, see [Creating a kdb environment](using-kdb-environment.md#create-kdb-environment).
**Note**  
Note down the `Availability Zone Ids` after creating a kdb environment. You will need them when you create an attachment from your VPC to a transit gateway. 
+ Make sure that you create a transit gateway in AWS Transit Gateway. For more information, see [Creating the transit gateway](https://docs.aws.amazon.com/vpc/latest/tgw/tgw-getting-started.html#step-create-tgw) in the *Amazon VPC Transit Gateways User Guide*.
**Note**  
When creating the transit gateway, you only need to specify the name and description. For the rest of the fields, keep the default values. For example, the DNS-Support, VPN ECMP support, Default route table association, and Default route table propagation options should be selected by default.
+ Make sure you are familiar with the process of [Creating a kdb environment](using-kdb-environment.md#create-kdb-environment), [Creating a kdb user](finspace-managed-kdb-users.md#create-kdb-user), and [Creating a Managed kdb Insights cluster](create-kdb-clusters.md). 

## Setup diagram
<a name="tgw-setup-diag"></a>

This diagram shows a high-level view of the configuration steps that are further described in the following sections.

![\[A diagram that shows steps to set up transit gateway.\]](http://docs.aws.amazon.com/finspace/latest/userguide/images/11-managed-kx/tgw-setup-diag.png)


# Step 1: Configuring a network connection to create FinSpace VPC transit gateway attachment
<a name="step1-config-ntw"></a>

**To create a network connection**

1. Sign in to the AWS Management Console and open the Amazon FinSpace console at [https://console.aws.amazon.com/finspace](https://console.aws.amazon.com/finspace/landing).

1. Choose **Kdb environments**.

1. From the kdb environments table, choose the name of the environment.

1. On the environment details page, under the **Network** tab, choose **Add network configuration**.

1. On the **Add network configuration** page, enter a transit gateway ID and the CIDR range that will be used for the subnets connecting to your internal network. For more information, see the [*Amazon VPC Transit Gateways User Guide*](https://docs.aws.amazon.com/vpc/latest/tgw/tgw-transit-gateways.html#create-tgw).
**Note**  
When you add a transit gateway without creating a network ACL, all outbound traffic is allowed by default.

1. <a name="nacl"></a>(Optional) Add rules to define how you want to manage the outbound traffic from the kdb network to your internal network. Choose **Add new rule** to allow or deny outbound traffic for each port range and destination. 
**Note**  
When you create a network ACL rule, by default all other traffic is denied.
We process the ACL rules according to the rule numbers, in ascending order.

1. Choose **Save**. The connection creation process begins and the environment details page opens from where you can check the status under the **Network** tab.

**Note**  
When you configure a network connection, make sure that you have a /26 (64) IP address range from the *100.64.0.0/10* range. The CIDR range should not be used in your network or any other environments that are connected by this TGW. A few valid examples of this CIDR range are *100.64.0.0/26*, *100.64.1.0/26*, *100.64.2.0/26*, *100.64.3.0/26*. We will pick *100.64.0.0/26* for this tutorial.
This step creates a transit gateway VPC attachment to connect FinSpace environment to the transit gateway. After you configure a network, check the **Network** tab for details of your network.
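The CIDR constraints in the note above can be checked before you enter the range in the console. The following is an added example, not AWS-provided code; the function name `check_finspace_cidr` and the sample ranges in the comments are constructed for illustration.

```python
import ipaddress

# The page requires a /26 taken from this range.
FINSPACE_SUPERNET = ipaddress.ip_network("100.64.0.0/10")
REQUIRED_PREFIX = 26


def check_finspace_cidr(candidate, cidrs_in_use):
    """Return a list of problems with `candidate`; an empty list means it is usable.

    cidrs_in_use: CIDRs already routed in your network or in other
    environments attached to the same transit gateway.
    """
    try:
        # strict=True rejects values with host bits set, such as 100.64.0.10/26.
        net = ipaddress.ip_network(candidate, strict=True)
    except ValueError as exc:
        return [f"not a valid network: {exc}"]
    if net.version != 4:
        return ["not an IPv4 network"]

    problems = []
    if net.prefixlen != REQUIRED_PREFIX:
        problems.append(f"prefix is /{net.prefixlen}, expected /{REQUIRED_PREFIX}")
    if not net.subnet_of(FINSPACE_SUPERNET):
        problems.append(f"{net} is outside {FINSPACE_SUPERNET}")
    for used in cidrs_in_use:
        other = ipaddress.ip_network(used, strict=False)
        if other.version == 4 and net.overlaps(other):
            problems.append(f"{net} overlaps {other}, which is already in use")
    return problems


if __name__ == "__main__":
    # Constructed inventory: a default VPC and a range used by another environment.
    in_use = ["172.31.0.0/16", "100.64.0.0/23"]
    for cidr in ("100.64.0.0/26", "100.64.2.0/26", "100.64.0.10/26", "10.0.0.0/26"):
        print(cidr, check_finspace_cidr(cidr, in_use) or "OK")
```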

# Step 2: Adding DNS details to your network connection
<a name="step2-dns-details"></a>

The **Network** tab on the Kdb environments details page allows you to add a custom DNS server name and IP address. This is used when you have a custom DNS server that you want to query for internal host names. The DNS server IP is used for DNS resolution of queries. 

**To add DNS details**

1. Sign in to the AWS Management Console and open the Amazon FinSpace console at [https://console.aws.amazon.com/finspace](https://console.aws.amazon.com/finspace/landing).

1. Choose **Kdb environments**.

1. From the kdb environments table, choose the name of the environment.

1. Under **DNS details**, choose **Add details**.

1. On the **Add DNS details** page, enter *example.com* as the DNS server name and *172.31.0.2* as the DNS server IP. This means that any DNS queries for *example.com* from the FinSpace clusters will return the DNS resolver at *172.31.0.2* in your VPC.
**Note**  
The IP *172.31.0.2* is the second IP address in the default VPC CIDR and corresponds to the IP of the DNS Resolver for an Amazon VPC. Any DNS queries for *example.com* from the FinSpace clusters will return the DNS resolver at *172.31.0.2* in your custom VPC.

1. Choose **Add DNS details**. The **environment details** page opens and the DNS details are added in the **DNS details** section, from where you can edit the DNS details.

# Step 3: Setting up a transit gateway VPC attachment from your VPC
<a name="step3-setup-tgw-attachment"></a>

**Note**  
It may take a few minutes for [Step 1](step1-config-ntw.md) and [Step 2](step2-dns-details.md) to complete. Wait until these steps are successful before proceeding.

In the previous step you created network connectivity from the FinSpace environment to your transit gateway, but FinSpace cannot reach into your network unless you create a VPC attachment from your VPC to the transit gateway and set up routing and rules for the traffic to flow into your network. 

In this step, you create a transit gateway attachment and validate that it is associated in the transit gateway associations.

**To create a transit gateway VPC attachment from your VPC**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. On the navigation pane, choose **Transit Gateway Attachments**.

1. Choose **Create transit gateway attachment**.

1. For **Transit gateway ID**, choose the transit gateway for the attachment that you created in [step 1](step1-config-ntw.md) of this tutorial.

1. For **Attachment type**, choose **VPC**.

1. For **VPC ID**, choose the [default VPC](https://docs.aws.amazon.com/vpc/latest/userguide/default-vpc.html) to attach to the transit gateway. This VPC must have at least one subnet associated with it. 
**Note**  
There is a default VPC for every AWS account. The default VPC ID is the value of the VPC ID column of the VPC table. To view your default VPC:  
Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).
In the navigation pane, choose **Your VPCs**.
In the **Default VPC** column, look for a value of **Yes**. Take note of the ID of the default VPC.

1. For **Subnet IDs**, choose 3 subnets from the availability zones where the environment is created. 

   To check the availability zones ID mapping for your AWS account, go to the AWS Resource Access Manager in your account. Navigate to the product console, find the AZ ID at the bottom right of the page.

**To validate the TGW associations**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, choose **Transit Gateway ID** for the transit gateway that you created earlier. 

1. Under **Details**, choose **Association route table ID**. The **Association** tab shows the two VPC attachments, one from FinSpace infrastructure VPC and the other from your VPC.

# Step 4: Configuring routes in your VPC route tables
<a name="step4-config-routing-tgw"></a>

With a VPC, you must create routes to send traffic to the transit gateway. The following steps show how you can update your default VPC route tables to have an entry for traffic to return to FinSpace VPC.

**To configure route tables**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. On the navigation pane, choose **Route Tables**.

1. Choose the route table for the default VPC ID.

1. Choose **Edit routes**.

1. On the **Edit routes** page, choose **Add route** and enter *100.64.0.0/26* as the **Destination**. This value is the same as the CIDR range that you added while creating the network connectivity in [Step 1: Configuring a network connection to create FinSpace VPC transit gateway attachment](step1-config-ntw.md).

1. For **Target** choose **Transit Gateway** and select your transit gateway ID.

1. Choose **Save changes**.

# Step 5: Configuring security group inbound rules
<a name="step5-config-inbound-rule"></a>

After you set up routing, you need to add an inbound rule to the default security group to allow inbound traffic. The default security group comes with your AWS account. For more information, see [Default security groups](https://docs.aws.amazon.com/vpc/latest/userguide/default-security-group.html) in the *Amazon VPC User Guide*. 

A security group acts as a firewall that controls the traffic allowed to and from the resources in your VPC. You can choose the ports and protocols to allow for inbound traffic or outbound traffic. For each security group, you add separate sets of rules for inbound traffic and outbound traffic. For more information, see [Security group rules](https://docs.aws.amazon.com/vpc/latest/userguide/security-group-rules.html) in the *Amazon VPC User Guide*.

As an example, add an entry to allow TCP traffic for port *5005* to connect to a q process in your account running on port *5005*. This makes port *5005* reachable on any host launched with the default security group.

**To create an inbound rule**

1. Open the Amazon EC2 console at [https://console.aws.amazon.com/ec2/](https://console.aws.amazon.com/ec2/).

1. On the navigation pane, choose **Security Groups**.

1. Under the **Inbound rules** tab, choose **Edit inbound rules**.

1. On the **Inbound rules** page, choose **Add rules**.

1. For **Type**, choose *Custom TCP*.

1. For **Port range** enter *5005*.

   As another example, you can also allow all traffic from FinSpace to all ports. To allow all ports by default, follow the above steps of creating an inbound rule. In step 5, for **Type**, choose *All TCP*.
**Note**  
If you need to restrict outbound traffic to specific ports and destinations, add a [network ACL](step1-config-ntw.md#nacl) while creating a network connection to deny outbound traffic from FinSpace for each port range and destination.
When you create an Amazon EC2 instance, you need to specify the default security group for these inbound rules to apply. See the next section for an example of how an Amazon EC2 instance is created with this security group.  
If you have hosts with different port rules you can create a security group for each host. When you launch an EC2 instance, use the security group with the port rules for your host.

# Step 6: Validating network connectivity
<a name="step6-validate-ntw"></a>

After you’ve successfully created outbound network connectivity between the FinSpace VPC and your VPC using a transit gateway, you can validate the network configuration. To do this, run a test to connect to a customer EC2 instance q process from an RDB cluster in the FinSpace environment. 

The following procedure shows how to connect to an RDB cluster and then connect to a q/kdb process running on an EC2 instance in your VPC account. In this step, you will create two EC2 instances:
+ **customerEc2Instance** – This is a q process to which the RDB connects.
+ **clientEc2Instance** – This is a q client to connect to the RDB cluster.

## Create an RDB Cluster
<a name="step6a-create-rdb"></a>

Create an RDB cluster with a single-AZ mode by following the steps in [this](create-kdb-clusters.md) tutorial.

## Create an EC2 instance
<a name="step6b-ec2-first"></a>

Use the following commands to create an EC2 instance named *customerEc2Instance*, to which the RDB connects.

```
echo '{"Version": "2012-10-17", "Statement":[{"Effect":"Allow","Principal":{"Service":"ec2.amazonaws.com"},"Action":"sts:AssumeRole"}]}' > policy.json
aws iam create-role --role-name ssmrole --assume-role-policy-document file://policy.json
aws iam attach-role-policy --role-name ssmrole --policy-arn arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryFullAccess
aws iam attach-role-policy --role-name ssmrole --policy-arn arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore
aws iam attach-role-policy --role-name ssmrole --policy-arn arn:aws:iam::aws:policy/AmazonSSMPatchAssociation
aws iam create-instance-profile --instance-profile-name "SSMRole"
aws iam add-role-to-instance-profile --instance-profile-name SSMRole --role-name ssmrole

aws ec2 run-instances \
--count 1 \
--instance-type t2.micro \
--security-group-ids <SecurityGroup> \
--subnet-id <SUBNET> \
--iam-instance-profile Name=SSMRole \
--tag-specifications "ResourceType=instance,Tags=[{Key=Name,Value=CustomerEc2Instance}]" \
--image-id $(aws ssm get-parameters --names /aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2 --region us-east-2 | jq ".Parameters[0].Value" -r) \
--metadata-options "HttpEndpoint=enabled,HttpTokens=required"
```

## Start a q process and listen on port 5005
<a name="step6c-start-q"></a>

1. Connect to the *CustomerEc2Instance* instance. For more information, see [this](https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/connecting_to_windows_instance.html#session-manager) section.

1. Install the q client. For more information on installation, see [Installing kdb+](https://code.kx.com/q/learn/install/).

1. Launch a q process and run the following command to listen on port *5005*.

   ```
   q) \p 5005
   ```

## Create another EC2 instance
<a name="step6d-ec2-second"></a>

Create another instance named *clientEc2Instance*, which you can use to connect to the RDB cluster. The EC2 instance should use the same security group and subnet that you chose for the cluster. 

```
aws ec2 run-instances \
--count 1 \
--instance-type t2.micro \
--security-group-ids <security group> \
--subnet-id <SUBNET> \
--iam-instance-profile Name=SSMRole \
--tag-specifications "ResourceType=instance,Tags=[{Key=Name,Value=clientEc2Instance}]" \
--image-id $(aws ssm get-parameters --names /aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2 --region us-east-1 | jq ".Parameters[0].Value" -r) \
--metadata-options "HttpEndpoint=enabled,HttpTokens=required"
```

## Test the connection
<a name="step6e-test-connection"></a>

Test the connection from the q process on the EC2 instance to the RDB cluster.

Create an RDB cluster with a single-AZ mode by following the steps in [this](create-kdb-clusters.md) tutorial.

1.  Connect to the *clientEc2Instance* by following the steps in [this](https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/connecting_to_windows_instance.html#session-manager) section. 

1.  Install the q client. For more information on installation, see [Installing kdb+](https://code.kx.com/q/learn/install/). 

1.  Start a q process and connect to the RDB cluster on port *5005* by using the following example command. 

   ```
   q)cs_rdb1: <RDB cluster connection string>
   q)cs_rdb1: ssr[cs_rdb1;"\n";""]
   q)conn: hopen cs_rdb1
   q)conn hopen(":<Private IP DNS name of customerEc2Instance>:5005"; 10)
   ```

    The following section explains the sample code: 
   +  *cs_rdb1* has a cluster connection string. For more information on how to get a connection string, see the [Interacting with a kdb cluster](https://docs.aws.amazon.com/finspace/latest/userguide/interacting-with-kdb-clusters.html) section. 
   +  The *hopen* command opens a connection to the RDB cluster and gets a connection handle. 
   +  Use the connection handle to run an *hopen* connection test to the *customerEc2Instance* q process listening on port *5005* to test connectivity from the RDB cluster to *customerEc2Instance*.

 You should be able to successfully connect to port *5005*.

Repeat the steps for [starting a q process](#step6c-start-q) and [testing the connection](#step6e-test-connection) with port *5006*. You will fail to connect because only port *5005* is allowed in the inbound rules of the security group. 
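The following added example (not part of the AWS documentation) models the two controls this tutorial configures, the outbound network ACL from Step 1 and the security group inbound rule from Step 5, to show why port *5005* connects and port *5006* does not. The class names, sample addresses, and the security group source range are assumptions; the model ignores protocol and return traffic.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AclRule:
    """One outbound network ACL rule (hypothetical model, not the FinSpace API shape)."""
    number: int
    action: str        # "allow" or "deny"
    destination: str   # destination CIDR
    port_from: int
    port_to: int


@dataclass(frozen=True)
class InboundRule:
    """One security group inbound rule; restricting the source is an assumption."""
    source: str
    port_from: int
    port_to: int


def acl_outbound_decision(rules, dst_ip, dst_port):
    """Return (action, matching rule number); the number is None for a default."""
    if not rules:
        return ("allow", None)  # no network ACL: all outbound traffic is allowed
    ip = ipaddress.ip_address(dst_ip)
    # Rules are processed by rule number in ascending order; first match wins.
    for rule in sorted(rules, key=lambda r: r.number):
        in_range = rule.port_from <= dst_port <= rule.port_to
        if in_range and ip in ipaddress.ip_network(rule.destination):
            return (rule.action, rule.number)
    return ("deny", None)  # once any rule exists, all other traffic is denied


def sg_inbound_allows(rules, src_ip, dst_port):
    """Security groups only hold allow rules; any match admits the traffic."""
    ip = ipaddress.ip_address(src_ip)
    return any(
        r.port_from <= dst_port <= r.port_to and ip in ipaddress.ip_network(r.source)
        for r in rules
    )


def can_connect(acl_rules, sg_rules, src_ip, dst_ip, dst_port):
    """True only if the ACL lets traffic out and the security group lets it in."""
    action, _ = acl_outbound_decision(acl_rules, dst_ip, dst_port)
    return action == "allow" and sg_inbound_allows(sg_rules, src_ip, dst_port)


# Constructed sample values: a cluster address inside the tutorial's
# 100.64.0.0/26 range and an instance address inside a default VPC.
CLUSTER_IP = "100.64.0.10"
INSTANCE_IP = "172.31.5.20"
SAMPLE_SG = [InboundRule("100.64.0.0/26", 5005, 5005)]
# Listed out of order on purpose: evaluation order follows the rule number.
SAMPLE_ACL = [
    AclRule(200, "allow", "172.31.0.0/16", 5000, 5010),
    AclRule(100, "deny", "172.31.5.0/24", 5006, 5010),
]

if __name__ == "__main__":
    for port in (5005, 5006, 22):
        print(port,
              "no ACL:", can_connect([], SAMPLE_SG, CLUSTER_IP, INSTANCE_IP, port),
              "with ACL:", acl_outbound_decision(SAMPLE_ACL, INSTANCE_IP, port))
```

With the sample ACL, port 5006 is stopped by rule 100 before rule 200 is reached, and port 22 falls through to the implicit deny.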

# Step 7: Validating connection using the DNS server configuration
<a name="step7-validate-connection-dns-server"></a>

 As an example, create a private hosted zone in your account that has an A record rule for *example.com* and the Private IP DNS name of *customerEc2Instance*. 

 To create a private hosted zone, see [Creating a private hosted zone](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/hosted-zone-private-creating.html) in the *Amazon Route 53 User Guide*. To create a record rule, see [this](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resource-record-sets-creating.html) section. 

 Start a q process and connect to the RDB cluster on port *5005* by using the following example command. 

```
q)cs_rdb1: <RDB cluster connection string> 
q)cs_rdb1: ssr[cs_rdb1;"\n";""] 
q)conn: hopen cs_rdb1 
q)conn hopen(":<Private IP DNS name of customerEc2Instance>:5005"; 10)
```

 Next, run the following command to test the connection on port *5005* by using the DNS name *example.com*. 

```
q)cs_rdb1: <RDB cluster connection string> 
q)cs_rdb1: ssr[cs_rdb1;"\n";""] 
q)conn: hopen cs_rdb1 
q)conn hopen(":example.com:5005"; 10)
```

 The connection test using the DNS name should work successfully. 