
Configure TiDB Cloud Starter or Essential Firewall Rules for Public Endpoints



This document describes the public connectivity option for TiDB Cloud Starter and TiDB Cloud Essential instances. You will learn key concepts for securely managing a TiDB Cloud Starter or Essential instance accessible via the internet.

Public endpoints

Configuring public access on your TiDB Cloud Starter or Essential instance exposes the instance through a public endpoint, that is, the instance becomes reachable over the internet. The public endpoint is a publicly resolvable DNS address. An "authorized network" is a range of IP addresses that you explicitly permit to reach your TiDB Cloud Starter or Essential instance. These permissions are enforced through firewall rules: the public endpoint is still reachable from anywhere at the network level, but connections from addresses outside the authorized networks are rejected.

Characteristics of public access

  • Only specified IP addresses can access your TiDB Cloud Starter or Essential instance.
    • By default, all IP addresses (0.0.0.0 - 255.255.255.255) are allowed. A newly created instance with a public endpoint therefore accepts connection attempts from anywhere on the internet until you narrow the rules, so do that before loading data.
    • You can update the allowed IP addresses at any time after the TiDB Cloud Starter or Essential instance is created.
  • Your TiDB Cloud Starter or Essential instance has a publicly resolvable DNS name.
  • Network traffic to and from your TiDB Cloud Starter or Essential instance is routed over the public internet rather than a private network.

Firewall rules

Access for an IP address or address range is granted through firewall rules. A connection attempt that originates from an address not covered by any rule is refused and the client receives an error, before any credentials are checked.

You can create a maximum of 200 IP firewall rules.

Allow AWS access

If your TiDB Cloud Starter instance is hosted on AWS, you can enable access from all AWS IP addresses by referring to the official AWS IP address list.

TiDB Cloud regularly updates this list and uses the reserved IP address 169.254.65.87 to represent all AWS IP addresses. Note that the AWS ranges are shared by every AWS customer, so this rule admits any host running in AWS, not only your own. Treat it as a convenience for workloads whose egress addresses change, and still rely on strong, per-application credentials; where your AWS resources have stable public or NAT gateway addresses, a rule limited to those addresses is tighter.

Create and manage a firewall rule

This section describes how to manage firewall rules for a TiDB Cloud Starter or TiDB Cloud Essential instance. With a public endpoint, the connections to your instance are restricted to the IP addresses specified in the firewall rules.

To add firewall rules to a TiDB Cloud Starter or TiDB Cloud Essential instance, take the following steps:

  1. Navigate to the My TiDB page, and then click the name of your target TiDB Cloud Starter or Essential instance to go to its overview page.

  2. In the left navigation pane, click Settings > Networking.

  3. On the Networking page, enable Public Endpoint if it is disabled. In Authorized Networks, click + Add Current IP. This automatically creates a firewall rule with the public IP address of your computer, as seen by TiDB Cloud. If you connect through NAT, a VPN, or a corporate proxy, that address is the shared egress address, and the rule admits every other host that leaves through it.

  4. Click Add rule to add more address ranges. In the displayed window, you can specify a single IP address or a range of IP addresses by filling in the Start IP Address and End IP Address fields. To limit the rule to a single IP address, type the same address in both fields. Click Submit to add the firewall rule. Keep in mind that a firewall rule only decides which addresses may reach the endpoint: any administrator, user, or application connecting from an allowed address can then access every database on your TiDB Cloud Starter or Essential instance for which it holds valid credentials, so keep the ranges as narrow as your clients permit.
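The rules above are entered through the console as start and end addresses, which makes it easy to mistype a range or to leave the default allow-all in place. The following Python script is an added example, not TiDB Cloud's code or API: it models a rule set locally, converts CIDR notation into the Start IP Address / End IP Address pair the console expects, checks whether a given client address would be admitted, and flags rules a reviewer would question (the 0.0.0.0 - 255.255.255.255 default, ranges wider than an assumed threshold, more than the 200-rule limit, and the 169.254.65.87 AWS sentinel, which admits every AWS-owned address). The rule names and addresses are constructed sample data, and the 256-host threshold is an assumption you should tune to your environment.

```python
"""Model and audit TiDB Cloud Starter/Essential firewall rules locally.

Added example: not TiDB Cloud code. It does not call any TiDB Cloud API;
the rules below are constructed sample data.
"""
import ipaddress
from dataclasses import dataclass

MAX_RULES = 200  # documented limit on IP firewall rules per instance
# Documented sentinel: a rule for exactly this address stands for all AWS ranges.
AWS_ALL_SENTINEL = ipaddress.IPv4Address("169.254.65.87")


@dataclass(frozen=True)
class FirewallRule:
    """One authorized network, as the console stores it: a closed range."""
    name: str
    start: ipaddress.IPv4Address
    end: ipaddress.IPv4Address

    def __post_init__(self) -> None:
        if self.start > self.end:
            raise ValueError(f"{self.name}: start {self.start} is after end {self.end}")

    @property
    def size(self) -> int:
        """Number of addresses the rule admits."""
        return int(self.end) - int(self.start) + 1

    def contains(self, ip: ipaddress.IPv4Address) -> bool:
        return self.start <= ip <= self.end


def rule_from_cidr(name: str, cidr: str) -> FirewallRule:
    """Translate CIDR (what most network teams hand you) into start/end fields.

    strict=False accepts a host address such as 203.0.113.42/24 and masks it.
    """
    net = ipaddress.IPv4Network(cidr, strict=False)
    return FirewallRule(name, net.network_address, net.broadcast_address)


def rule_from_range(name: str, start: str, end: str) -> FirewallRule:
    """Build a rule from the two console fields; a single host uses start == end."""
    return FirewallRule(name, ipaddress.IPv4Address(start), ipaddress.IPv4Address(end))


def is_allowed(rules: list[FirewallRule], client_ip: str) -> bool:
    """Would a connection from client_ip pass the rule set?"""
    ip = ipaddress.IPv4Address(client_ip)
    return any(r.contains(ip) for r in rules)


def audit(rules: list[FirewallRule], max_hosts: int = 256) -> list[str]:
    """Return human-readable findings for rules a reviewer should question.

    max_hosts is an assumed threshold for "too broad"; adjust it per environment.
    """
    findings = []
    if len(rules) > MAX_RULES:
        findings.append(f"{len(rules)} rules exceeds the limit of {MAX_RULES}")
    for r in rules:
        if r.start == r.end == AWS_ALL_SENTINEL:
            findings.append(f"{r.name}: AWS sentinel admits every AWS-owned address, "
                            "including other AWS customers' hosts")
        elif r.size == 2 ** 32:
            findings.append(f"{r.name}: allows the entire IPv4 space (the default rule)")
        elif r.size > max_hosts:
            findings.append(f"{r.name}: {r.start}-{r.end} covers {r.size} addresses")
    return findings


# Constructed sample rule set, using documentation address ranges (RFC 5737).
SAMPLE_RULES = [
    rule_from_range("default", "0.0.0.0", "255.255.255.255"),   # what a new instance starts with
    rule_from_cidr("office-egress", "203.0.113.0/24"),
    rule_from_cidr("laptop", "198.51.100.7/32"),
    rule_from_range("all-aws", "169.254.65.87", "169.254.65.87"),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_RULES):
        print("FINDING:", finding)
    # After removing the default rule, only the explicit ranges remain.
    tightened = [r for r in SAMPLE_RULES if r.name != "default"]
    for ip in ("203.0.113.42", "198.51.100.7", "192.0.2.1"):
        print(ip, "allowed" if is_allowed(tightened, ip) else "blocked")
```

Run the script before and after editing rules in the console: the audit should report nothing once the default range is gone, and the allow/block lines tell you whether the client addresses you actually use would still get through.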
