Analytics Toolbox Gateway
The Analytics Toolbox Gateway (AT Gateway) is the component that enables Analytics Toolbox functions to communicate with the CARTO platform. Modules such as Location Data Services (LDS) — which provide geocoding, routing, and isoline generation — require making external calls from your data warehouse to CARTO's APIs. The AT Gateway acts as a bridge that routes these calls between your data warehouse and the CARTO platform.
How the AT Gateway is deployed depends on whether you are using CARTO SaaS or CARTO Self-hosted, and whether the CARTO platform is publicly accessible or restricted to a private network.
SaaS (CARTO-hosted AT Gateway)
In a standard CARTO SaaS deployment, CARTO provides and manages the AT Gateway endpoints. No additional infrastructure is required on your side.
You configure a connection and API credentials in your data warehouse, and the AT functions route requests through CARTO's public endpoints to access Location Data Services. This is the default setup covered in the standard installation guides for each data warehouse.
When to use: You are using CARTO SaaS, or your CARTO platform has a publicly accessible API endpoint.
Self-hosted (Customer-managed AT Gateway)
When CARTO is deployed as Self-hosted inside a private VPC or VNet — with no public endpoint — the CARTO-managed AT Gateway cannot be reached from your data warehouse. In this scenario, you deploy your own AT Gateway inside your cloud environment.
The self-hosted AT Gateway serves as a network bridge with two distinct legs:
Inbound (Data Warehouse to Gateway): The data warehouse calls the AT Gateway over a public or VPC-native endpoint. This is necessary because most data warehouses route external function calls through their own managed infrastructure, not through the customer's private network.
Outbound (Gateway to CARTO): The AT Gateway forwards requests to the CARTO Self-hosted platform over private networking — using the same VPC, VNet peering, or a VPC Connector — ensuring that CARTO never needs a public endpoint.
This architecture keeps the CARTO platform fully private while still allowing data warehouse functions to access Location Data Services.
When to use: You are running CARTO Self-hosted in a private VPC/VNet and the CARTO platform has no public endpoint.
Available guides
Since some data warehouses — such as Databricks and Snowflake — run on multiple cloud providers, the self-hosted AT Gateway implementation is specific to each cloud and data warehouse combination. The AT Gateway can be deployed in any cloud environment, but the compute service and networking setup vary depending on the cloud provider and data warehouse. The following guides are currently available:
Redshift
AWS
Lambda
Lambda deployed in VPC subnet (same VPC as CARTO)
Databricks *
Azure
Azure Container Apps
VNet integration + VNet Peering to AKS VNet
Snowflake
Multi-cloud
—
Coming soon
—
PostgreSQL
Multi-cloud
—
Coming soon
—
* Databricks is a multi-cloud platform available on AWS, GCP, and Azure. The AT Gateway can be deployed on any of these clouds, but this guide covers Azure deployments specifically. Contact [email protected] for guidance on other cloud providers.
The AT Gateway container image is the same across all cloud providers (gcr.io/carto-onprem-artifacts/at-gateway/cloud-run). What differs is the compute service used to run it and the networking mechanism used to reach the CARTO platform privately.
Don't see your cloud and data warehouse combination listed above? Contact [email protected] to discuss your deployment options.
Choosing the right deployment type
Use the following decision criteria to determine which AT Gateway deployment model applies to your environment:
CARTO deployment
CARTO SaaS (cloud-hosted by CARTO)
CARTO Self-hosted (on your own infrastructure)
CARTO API accessibility
Publicly accessible
Private only (no public endpoint)
AT Gateway infrastructure
Managed by CARTO — nothing to deploy
Deployed and managed by you in your cloud
Network requirements
Data warehouse must have outbound internet access
AT Gateway must have private connectivity to CARTO and a public endpoint for the data warehouse
Operational overhead
None — CARTO handles updates and scaling
You manage the gateway lifecycle, scaling, and networking
Use case
Standard cloud analytics with CARTO SaaS
Enterprise deployments with strict network isolation requirements
Decision flow
Is your CARTO platform publicly accessible?
Yes — Use the SaaS model. Follow the standard installation guide for your data warehouse. No AT Gateway deployment is needed.
No — Continue to step 2.
Is your CARTO Self-hosted platform running inside a private VPC/VNet with no public endpoint?
Yes — Use the Self-hosted model. You need to deploy an AT Gateway in your cloud environment with private connectivity to CARTO.
No — If your Self-hosted platform has a public endpoint, you can use the SaaS model with your platform's public API base URL.
Which cloud and data warehouse are you using?
Check the available guides above for your cloud and data warehouse combination. Follow the linked VPC/VNet installation guide for step-by-step instructions.
If your combination is not listed, contact [email protected] to discuss your deployment options.
For detailed installation steps, refer to the Getting access section of each data warehouse's documentation.
Last updated
Was this helpful?