| title | Connect to {{{ .starter }}} or Essential via AWS PrivateLink |
|---|---|
| summary | Learn how to connect to your {{{ .starter }}} or Essential instance via private endpoint. |
This document describes how to connect to your {{{ .starter }}} or {{{ .essential }}} instance via AWS PrivateLink.
Tip:
- To learn how to connect to a TiDB Cloud Dedicated cluster via private endpoint with AWS, see Connect to a TiDB Cloud Dedicated Cluster via AWS PrivateLink.
- To learn how to connect to a TiDB Cloud Dedicated cluster via private endpoint with Azure, see Connect to a TiDB Cloud Dedicated Cluster via Azure Private Link.
- To learn how to connect to a TiDB Cloud Dedicated cluster via private endpoint with Google Cloud, see Connect to a TiDB Cloud Dedicated Cluster via Google Cloud Private Service Connect.
TiDB Cloud supports highly secure and one-way access to the TiDB Cloud service hosted in an AWS VPC via the AWS PrivateLink, as if the service were in your own VPC. A private endpoint is exposed in your VPC and you can create a connection to the TiDB Cloud service via the endpoint with permission.
Powered by AWS PrivateLink, the endpoint connection is secure and private, and does not expose your data to the public internet. In addition, the endpoint connection supports CIDR overlap and is easier for network management.
The architecture of the private endpoint is as follows:
For more detailed definitions of the private endpoint and endpoint service, see the following AWS documents:
- Currently, TiDB Cloud supports AWS PrivateLink connections only when the endpoint service is hosted in AWS. If the service is hosted in other cloud providers, the AWS PrivateLink connection is not applicable.
- Cross-region private endpoint connections is not supported.
Make sure that DNS hostnames and DNS resolution are both enabled in your AWS VPC settings. They are disabled by default when you create a VPC in the AWS Management Console.
To connect to your {{{ .starter }}} or {{{ .essential }}} instance via a private endpoint, follow these steps:
- Choose a {{{ .starter }}} or Essential instance
- Create an AWS interface endpoint
- Authorize your private endpoint in TiDB Cloud (optional)
- Connect to your {{{ .starter }}} or Essential instance
-
On the My TiDB page, click the name of your target {{{ .starter }}} or {{{ .essential }}} instance to go to its overview page.
-
Click Connect in the upper-right corner. A connection dialog is displayed.
-
In the Connection Type drop-down list, select Private Endpoint.
-
Take a note of Service Name, Availability Zone ID, and Region ID.
Note:
You only need to create one private endpoint per AWS region, which can be shared by all {{{ .starter }}} or {{{ .essential }}} instances located in the same region.
To use the AWS Management Console to create a VPC interface endpoint, perform the following steps:
-
Sign in to the AWS Management Console and open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
-
Click Endpoints in the navigation pane, and then click Create Endpoint in the upper-right corner.
The Create endpoint page is displayed.
-
Select Endpoint services that use NLBs and GWLBs.
-
Enter the service name that you found in step 1.
-
Click Verify service.
-
Select your VPC in the drop-down list. Expand Additional settings and select the Enable DNS name checkbox.
-
In the Subnets area, select the availability zone where your {{{ .starter }}} or Essential instance is located, and select the Subnet ID.
-
Select your security group properly in the Security groups area.
Note:
Make sure the selected security group allows inbound access from your EC2 instances on port 4000.
-
Click Create endpoint.
To use the AWS CLI to create a VPC interface endpoint, perform the following steps:
- To get the VPC ID and Subnet ID, navigate to your AWS Management Console, and locate them in the relevant sections. Make sure that you fill in the Availability Zone ID that you found in step 1.
- Copy the command provided below, replace the relevant arguments with the information you obtained, and then execute it in your terminal.
aws ec2 create-vpc-endpoint --vpc-id ${your_vpc_id} --region ${region_id} --service-name ${service_name} --vpc-endpoint-type Interface --subnet-ids ${your_subnet_id}Tip:
Before running the command, you need to have AWS CLI installed and configured. See AWS CLI configuration basics for details.
Then you can connect to the endpoint service with the private DNS name.
Note:
This step is optional. You only need to configure Authorized Networks when you want to restrict access to specific private endpoint connections. If no rules are configured, all private endpoint connections are allowed by default.
After creating the AWS interface endpoint, you can authorize it for your target {{{ .starter }}} or {{{ .essential }}} instance to restrict access.
-
On the My TiDB page, click the name of your target {{{ .starter }}} or {{{ .essential }}} instance to go to its overview page.
-
Click Settings > Networking in the left navigation pane.
-
Scroll down to the Private Endpoint section and then locate the Authorized Networks table.
-
Click Add Rule to add a firewall rule.
- Endpoint Service Name: paste the service name you got from Step 1.
- Firewall Rule Name: enter a name to identify this connection.
- Your VPC Endpoint ID: paste your 22-character VPC Endpoint ID from the AWS Management Console (starts with
vpce-).
Tip:
- If you leave the Authorized Networks table empty, all private endpoint connections are allowed by default.
- To allow all private endpoint connections from your cloud region (for testing or open access), enter a single asterisk (
*) in the Your VPC Endpoint ID field.
-
Click Submit.
After you have created the interface endpoint, go back to the TiDB Cloud console and take the following steps:
- On the My TiDB page, click the name of your target {{{ .starter }}} or Essential instance to go to its overview page.
- Click Connect in the upper-right corner. A connection dialog is displayed.
- In the Connection Type drop-down list, select Private Endpoint.
- In the Connect With drop-down list, select your preferred connection method. The corresponding connection string is displayed at the bottom of the dialog.
- Connect to your {{{ .starter }}} or Essential instance with the connection string.
Tip:
If you cannot connect to the {{{ .starter }}} or Essential instance, the reason might be that the security group of your VPC endpoint in AWS is not properly set. See this FAQ for solutions.
When creating a VPC endpoint, if you encounter an error
private-dns-enabled cannot be set because there is already a conflicting DNS domain for gatewayXX-privatelink.XX.prod.aws.tidbcloud.com in the VPC vpc-XXXXX, it is due to that a private endpoint has already been created, and creating a new one is unnecessary.
I cannot connect to a {{{ .starter }}} or Essential instance via a private endpoint after enabling private DNS. Why?
You might need to properly set the security group for your VPC endpoint in the AWS Management Console. Go to VPC > Endpoints. Right-click your VPC endpoint and select the proper Manage security groups. A proper security group within your VPC that allows inbound access from your EC2 instances on Port 4000 or a customer-defined port.
