Configure TiDB Cloud Starter or Essential Firewall Rules for Public Endpoints
This document describes the public connectivity option for TiDB Cloud Starter and TiDB Cloud Essential clusters. You will learn key concepts for securely managing a cluster accessible via the internet.
Public endpoints
Enabling public access on your cluster exposes it through a public endpoint; that is, the cluster is reachable from the internet. The public endpoint is a publicly resolvable DNS address. The term "authorized network" refers to a range of IP addresses you choose to permit access to your cluster. These permissions are enforced through firewall rules, which are checked at the network level before any database authentication takes place.
Characteristics of public access
- Only specified IP addresses can access your cluster.
  - By default, all IP addresses (0.0.0.0 - 255.255.255.255) are allowed. With this default in place, the cluster is reachable from any address on the internet and is protected only by database credentials, so replace it with the narrowest ranges your clients actually use.
  - You can update allowed IP addresses after cluster creation.
- Your cluster has a publicly resolvable DNS name.
- Network traffic to and from your cluster is routed over the public internet rather than a private network.
Firewall rules
Granting access to an IP address is done via firewall rules. If a connection attempt originates from an IP address that no rule covers, the connection is rejected and the client receives an error; a matching rule only lets the client reach the endpoint, and valid database credentials are still required.
You can create a maximum of 200 IP firewall rules.
Allow AWS access
If your TiDB Cloud Starter cluster is hosted on AWS, you can enable access from all AWS IP addresses by referring to the official AWS IP address list.
TiDB Cloud regularly updates this list and uses the reserved IP address 169.254.65.87 to represent all AWS IP addresses. This address is a sentinel rather than a real host: a rule containing it stands for the entire current AWS address list. Note that "all AWS IP addresses" includes every AWS customer's instances, not only your own, so this option is a convenience, not an identity control; if your clients have stable egress addresses, prefer rules that list those addresses instead.
Create and manage a firewall rule
This section describes how to manage firewall rules for a TiDB Cloud Starter or TiDB Cloud Essential cluster. With a public endpoint, the connections to your cluster are restricted to the IP addresses specified in the firewall rules.
To add firewall rules to a TiDB Cloud Starter or TiDB Cloud Essential cluster, take the following steps:
1. Navigate to the Clusters page, and then click the name of your target cluster to go to its overview page.
2. In the left navigation pane, click Settings > Networking.
3. On the Networking page, enable Public Endpoint if it is disabled. In Authorized Networks, click + Add Current IP. This automatically creates a firewall rule with the public IP address of your computer, as perceived by TiDB Cloud. If you are behind NAT or a corporate proxy, this is the shared egress address, so the rule also admits every other host that leaves the network through it.
4. Click Add rule to add more address ranges. In the displayed window, you can specify a single IP address or a range of IP addresses. If you want to limit the rule to a single IP address, type the same IP address in the Start IP Address and End IP Address fields. Click Submit to add the firewall rule.

Opening the firewall enables administrators, users, and applications to access any database on your cluster to which they have valid credentials.
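The following script is an added example, not TiDB Cloud code or a TiDB Cloud API: it models the authorized-network rules described in this document (inclusive Start/End ranges, the 0.0.0.0 - 255.255.255.255 default, the 200-rule limit, and the 169.254.65.87 AWS sentinel) so you can check a rule set before entering it in the console. It assumes a /24 as the threshold above which a range is flagged as broad, and the AWS prefixes it uses are a constructed sample standing in for the published AWS list.

```python
"""Model of TiDB Cloud authorized-network (firewall) rules.

Added example, not TiDB Cloud code. It reproduces the rule semantics the page
describes so a rule set can be audited offline: whether a client IP is admitted,
what CIDR blocks a Start/End range really covers, and which rules are too broad.
"""
import ipaddress
from dataclasses import dataclass

MAX_RULES = 200                                   # documented per-cluster limit
DEFAULT_RULE = ("0.0.0.0", "255.255.255.255")     # the default "allow all" rule
AWS_SENTINEL = ipaddress.IPv4Address("169.254.65.87")  # stands for all AWS IPs

# Constructed sample, NOT the real AWS ip-ranges.json (assumption for the demo).
SAMPLE_AWS_PREFIXES = [
    ipaddress.IPv4Network("3.5.140.0/22"),
    ipaddress.IPv4Network("52.94.76.0/22"),
]


@dataclass(frozen=True)
class Rule:
    start: ipaddress.IPv4Address
    end: ipaddress.IPv4Address

    @classmethod
    def parse(cls, start: str, end: str) -> "Rule":
        s, e = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
        if e < s:
            raise ValueError(f"end {e} precedes start {s}")
        return cls(s, e)

    def networks(self) -> list[ipaddress.IPv4Network]:
        """CIDR blocks equivalent to the inclusive Start/End range.

        A rule whose Start and End are both the AWS sentinel expands to the
        (sample) AWS prefix list instead of to the sentinel address itself.
        """
        if self.start == AWS_SENTINEL and self.end == AWS_SENTINEL:
            return list(SAMPLE_AWS_PREFIXES)
        return list(ipaddress.summarize_address_range(self.start, self.end))

    def size(self) -> int:
        """Number of addresses the rule admits."""
        return sum(n.num_addresses for n in self.networks())

    def allows(self, client: str) -> bool:
        ip = ipaddress.IPv4Address(client)
        return any(ip in n for n in self.networks())


def build_rules(pairs: list[tuple[str, str]]) -> list[Rule]:
    """Validate (start, end) pairs as typed into the console and apply the limit."""
    if len(pairs) > MAX_RULES:
        raise ValueError(f"{len(pairs)} rules exceeds the {MAX_RULES}-rule limit")
    return [Rule.parse(s, e) for s, e in pairs]


def is_allowed(rules: list[Rule], client: str) -> bool:
    """A connection reaches the endpoint if any rule admits the client's IP."""
    return any(r.allows(client) for r in rules)


def audit(rules: list[Rule], max_hosts: int = 256) -> list[str]:
    """Flag the allow-all default, the AWS sentinel, and ranges wider than
    max_hosts addresses (a /24 by default; the threshold is an assumption)."""
    findings = []
    for r in rules:
        if (str(r.start), str(r.end)) == DEFAULT_RULE:
            findings.append("allow-all default rule 0.0.0.0-255.255.255.255 is still present")
        elif r.start == AWS_SENTINEL and r.end == AWS_SENTINEL:
            findings.append("AWS sentinel admits every AWS customer, not only your account")
        elif r.size() > max_hosts:
            findings.append(f"{r.start}-{r.end} spans {r.size()} addresses")
    return findings


if __name__ == "__main__":
    # Constructed sample rule set: one host, one /24, and the AWS sentinel.
    sample = build_rules([
        ("203.0.113.10", "203.0.113.10"),
        ("198.51.100.0", "198.51.100.255"),
        ("169.254.65.87", "169.254.65.87"),
    ])
    for r in sample:
        print(f"{r.start}-{r.end} -> {[str(n) for n in r.networks()]}")
    print("client 203.0.113.11 allowed:", is_allowed(sample, "203.0.113.11"))
    for finding in audit(sample):
        print("audit:", finding)
```

The `networks()` conversion is the useful part when reviewing rules: a Start/End pair that looks narrow, such as 10.0.0.1 - 10.0.0.6, expands to several CIDR blocks, and the audit makes the cost of the default allow-all rule and the AWS sentinel explicit before you submit them.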