Add capability to connect VPC endpoint (PrivateLink) for AWS Athena #51149
Description
Is your feature request related to a problem? Please describe.
When connecting to an Athena database from a Metabase hosted in a VPC private subnet, it tries to connect to the public endpoint "//athena.{region}:443".
Cf. endpoint construction in code
Thus, the network request will be forwarded to the NAT instance, which implies:
- We have to open outbound port 444 on the NAT instance to the public internet
- Connection (and maybe result set streaming?) passes through public networks (even if flux is encrypted)
- Maybe some bad performance, even if I think that AWS has done some optimization when outbound requests target some of their internal services
Describe the solution you'd like
In the configuration screen of the database, it could be helpful to indicate a VPC_ENDPOINT_ID, making it possible to target Athena from a private subnet without the need for NAT and port opening to the public network.
According to step 4 of this helper, the final endpoint will look like VPC_Endpoint_ID.athena.Region.vpce.amazonaws.com
Describe alternatives you've considered
The alternative is the current behavior: connecting to Athena through the public endpoint.
How important is this feature to you?
It is a security and performance feature, but it is not blocking, so medium priority.
Additional context
No additional context.
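
An added example, not part of the original issue and not Metabase's code: one way to turn a configured VPC_ENDPOINT_ID into the host form quoted above while rejecting values that could redirect the connection, plus a check that the addresses the host resolves to stay inside the VPC. The function names, the two validation patterns and the sample ID, region, CIDR and addresses are assumptions constructed for illustration.

```python
import ipaddress
import re

# Assumed shapes for the two configured values; the issue does not define them.
VPCE_ID = re.compile(r"vpce-[0-9a-z-]+")
REGION = re.compile(r"[a-z]{2}(-[a-z]+)+-[0-9]+")


def athena_private_host(vpc_endpoint_id: str, region: str) -> str:
    """Build the host in the form quoted in the issue:
    VPC_Endpoint_ID.athena.Region.vpce.amazonaws.com

    Both inputs are matched in full, so a value containing '.', '/', ':' or
    '@' cannot change which domain the driver ends up connecting to.
    """
    if not VPCE_ID.fullmatch(vpc_endpoint_id):
        raise ValueError(f"unexpected VPC endpoint id: {vpc_endpoint_id!r}")
    if not REGION.fullmatch(region):
        raise ValueError(f"unexpected region: {region!r}")
    return f"{vpc_endpoint_id}.athena.{region}.vpce.amazonaws.com"


def stays_in_vpc(resolved_addresses, vpc_cidr: str) -> bool:
    """True only if the host resolved to at least one address and every
    address lies inside the VPC CIDR, i.e. no traffic would leave via NAT."""
    net = ipaddress.ip_network(vpc_cidr)
    addrs = [ipaddress.ip_address(a) for a in resolved_addresses]
    return bool(addrs) and all(a in net for a in addrs)


if __name__ == "__main__":
    # Constructed sample values, not taken from the issue.
    host = athena_private_host("vpce-0123456789abcdef0", "eu-west-1")
    print(host)
    # Addresses as a resolver inside the VPC might return them (constructed).
    print(stays_in_vpc(["10.0.12.34", "10.0.45.7"], "10.0.0.0/16"))
    print(stays_in_vpc(["10.0.12.34", "203.0.113.10"], "10.0.0.0/16"))
```

Feeding `stays_in_vpc` the output of a DNS lookup made from the Metabase host shows whether the configured endpoint actually keeps Athena traffic off the NAT path.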