Toggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Start Here

Start with a Sundeck SaaS Account

To install and use Sundeck’s Private Broker, you must first have a Sundeck tenant account set up on our SaaS. If you don’t already have a Sundeck account, you can quickly set one up for free.

If you are new to Sundeck and want to learn more about the product and its features, we recommend our Getting Started documentation, as well as the information available on the Sundeck website.

Obtain the Private Broker Docker Image

Please reach out to Sundeck Support at to request the private broker Docker image. We’ll direct you to the appropriate location to download the image.

Decide how you’ll deploy the Private Broker

The private broker is provided as a Docker image, and can be deployed within your own infrastructure using the Docker hosting or orchestration solution of your choice. Many customers will begin by running the Sundeck Broker in Docker on a standalone ec2 instance, and then move to some form of orchestration (Kubernetes, EKS, ECS, OpenShift, etc) for their production solution.

Create or obtain an SSL cert

The private broker requires an SSL certificate to secure the communication between the broker and the client applications. You can use a self-signed certificate for testing purposes, but for production use, you should obtain a certificate from a trusted certificate authority. The Private Broker does not provide SSL termination, so you will need to configure a load balancer (such as an ALB) or the service & networking layer of your container orchestration platform to handle SSL termination

Configure Networking

The private broker must be able to communicate with the Sundeck control plane, as well as with the Snowflake backend. You will need to ensure that the private broker has network access to these services, and that the necessary ports are open in your network security groups.

In addition, SQL Client applications will need to be able to communicate with the private broker (via the ALB or other load balancer, or via a network address provisioned in your orchestration framework) on port 443. The ALB or orchestration framework will terminate inbound SSL connections (using the cert discussed above), then redirect traffic to the Private Broker’s http port (configured during setup, typically 80 or 8080).

Often, customers will want to route traffic from external SQL tools (such as dbt Cloud, Hex, Tableau Cloud, etc) to Snowflake via Sundeck’s Private Broker. This will require configuration of external routes (typically restricted by source IP address to only those used by the desired external cloud platforms) to the load balancer address.

For ease of use, setup of a DNS name (such as sundeck-broker.organization.internal or for external services) can be quite helpful.

Generate a Private Broker Token

The private broker requires a token to authenticate with the Sundeck control plane. You can generate a token in the Sundeck UI, under the “Tokens” section of the “Settings” page. Note that this token can only be viewed once, so be sure to copy it to a secure location. You will provide this token during Private Broker configuration.