Connect to TiDB Serverless via Private Endpoint
This document describes how to connect to your TiDB Serverless cluster via private endpoint.
TiDB Cloud supports highly secure and one-way access to the TiDB Cloud service hosted in an AWS VPC via the AWS PrivateLink, as if the service were in your own VPC. A private endpoint is exposed in your VPC and you can create a connection to the TiDB Cloud service via the endpoint with permission.
Powered by AWS PrivateLink, the endpoint connection is secure and private, and does not expose your data to the public internet. In addition, the endpoint connection supports CIDR overlap and is easier for network management.
The architecture of the private endpoint is as follows:
For more detailed definitions of the private endpoint and endpoint service, see the following AWS documents:
Restrictions
- Currently, TiDB Cloud supports private endpoint connection to TiDB Serverless only when the endpoint service is hosted in AWS. If the service is hosted in Google Cloud, the private endpoint is not applicable.
- Private endpoint connection across regions is not supported.
Set up a private endpoint with AWS
To connect to your TiDB Serverless cluster via a private endpoint, follow these steps:
Step 1. Choose a TiDB cluster
On the Clusters page, click the name of your target TiDB Serverless cluster to go to its overview page.
Click Connect in the upper-right corner. A connection dialog is displayed.
In the Endpoint Type drop-down list, select Private.
Take a note of Service Name, Availability Zone ID, and Region ID.
Step 2. Create an AWS interface endpoint
- Use AWS Console
- Use AWS CLI
To use the AWS Management Console to create a VPC interface endpoint, perform the following steps:
Sign in to the AWS Management Console and open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
Click Endpoints in the navigation pane, and then click Create Endpoint in the upper-right corner.
The Create endpoint page is displayed.
Select Other endpoint services.
Enter the service name that you found in step 1.
Click Verify service.
Select your VPC in the drop-down list. Expand Additional settings and select the Enable DNS name checkbox.
In the Subnets area, select the availability zone where your TiDB cluster is located, and select the Subnet ID.
Select your security group properly in the Security groups area.
Click Create endpoint.
To use the AWS CLI to create a VPC interface endpoint, perform the following steps:
- To get the VPC ID and Subnet ID, navigate to your AWS Management Console, and locate them in the relevant sections. Make sure that you fill in the Availability Zone ID that you found in step 1.
- Copy the command provided below, replace the relevant arguments with the information you obtained, and then execute it in your terminal.
aws ec2 create-vpc-endpoint --vpc-id ${your_vpc_id} --region ${region_id} --service-name ${service_name} --vpc-endpoint-type Interface --subnet-ids ${your_subnet_id}
Then you can connect to the endpoint service with the private DNS name.
Step 3: Connect to your TiDB cluster
After you have created the interface endpoint, go back to the TiDB Cloud console and take the following steps:
- On the Clusters page, click the name of your target cluster to go to its overview page.
- Click Connect in the upper-right corner. A connection dialog is displayed.
- In the Endpoint Type drop-down list, select Private.
- In the Connect With drop-down list, select your preferred connection method. The corresponding connection string is displayed at the bottom of the dialog.
- Connect to your cluster with the connection string.
Troubleshooting
I cannot connect to a TiDB cluster via a private endpoint after enabling private DNS. Why?
You might need to properly set the security group for your VPC endpoint in the AWS Management Console. Go to VPC > Endpoints. Right-click your VPC endpoint and select the proper Manage security groups. A proper security group within your VPC that allows inbound access from your EC2 instances on Port 4000 or a customer-defined port.
I cannot enable private DNS. An error is reported indicating that the enableDnsSupport
and enableDnsHostnames
VPC attributes are not enabled
Make sure that DNS hostname and DNS resolution are both enabled in your VPC setting. They are disabled by default when you create a VPC in the AWS Management Console.