Configure TiDB Cloud Starter or Essential Firewall Rules for Public Endpoints
This document describes the public connectivity option for TiDB Cloud Starter and TiDB Cloud Essential instances. You will learn key concepts for securely managing a TiDB Cloud Starter or Essential instance accessible via the internet.
Public endpoints
Configuring public access on your TiDB Cloud Starter or Essential instance makes the instance reachable through a public endpoint. That is, the TiDB Cloud Starter or Essential instance is accessible through the internet. The public endpoint is a publicly resolvable DNS address. The term "authorized network" refers to a range of IP addresses you choose to permit access to your TiDB Cloud Starter or Essential instance. These permissions are enforced through firewall rules.
Characteristics of public access
- Only specified IP addresses can access your TiDB Cloud Starter or Essential instance.
- By default, all IP addresses (0.0.0.0 - 255.255.255.255) are allowed.
- You can update allowed IP addresses after TiDB Cloud Starter or Essential instance creation.
- Your TiDB Cloud Starter or Essential instance has a publicly resolvable DNS name.
- Network traffic to and from your TiDB Cloud Starter or Essential instance is routed over the public internet rather than a private network.
Firewall rules
Granting access to an IP address is done via firewall rules. If a connection attempt originates from an unapproved IP address, the client will receive an error.
You can create a maximum of 200 IP firewall rules.
Allow AWS access
If your TiDB Cloud Starter instance is hosted on AWS, you can enable access from all AWS IP addresses by referring to the official AWS IP address list.
TiDB Cloud regularly updates this list and uses the reserved IP address 169.254.65.87 to represent all AWS IP addresses.
Create and manage a firewall rule
This section describes how to manage firewall rules for a TiDB Cloud Starter or TiDB Cloud Essential instance. With a public endpoint, the connections to your instance are restricted to the IP addresses specified in the firewall rules.
To add firewall rules to a TiDB Cloud Starter or TiDB Cloud Essential instance, take the following steps:
Navigate to the My TiDB page, and then click the name of your target TiDB Cloud Starter or Essential instance to go to its overview page.
In the left navigation pane, click Settings > Networking.
On the Networking page, enable Public Endpoint if it is disabled.
(Optional) For a newly created TiDB Cloud Starter or TiDB Cloud Essential instance, TiDB Cloud enables Allow_all_public_connections by default. To restrict access to specific IP addresses or ranges, click ... in the row of Allow_all_public_connections, and then click Delete.
In the Authorized Networks section, click Add rule, and then add the IP address or IP address range that you want to allow.
To add the current IP address of your computer, click Add Current IP. This automatically creates a firewall rule with the public IP address of your computer, as perceived by TiDB Cloud.
To enable access from all AWS IP addresses if your TiDB Cloud Starter or Essential instance is hosted on AWS, click Add AWS Access. This automatically creates a firewall rule that includes all AWS IP ranges. TiDB Cloud uses the reserved IP address 169.254.65.87 to represent AWS IP ranges and updates the list regularly based on the official AWS IP address list.
To add more address ranges, specify a single IP address or a range of IP addresses. To limit the rule to a single IP address, enter the same IP address in the Start IP Address and End IP Address fields.
Click Save.
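The rules you enter above are inclusive start/end IPv4 ranges. As an added example (not TiDB Cloud's own code), the following Python script models such a rule set, checks whether a client address would be admitted, and reports the findings a reviewer wants before enabling the endpoint: a default allow-all rule still present, more than 200 rules, or the AWS sentinel address. The rule names and client IPs are constructed for the example, and the assumption that the AWS sentinel appears as a single-address rule is mine.

```python
"""Audit TiDB Cloud-style authorized-network rules (added example, not TiDB Cloud's code)."""
import ipaddress

MAX_RULES = 200                                   # documented limit on IP firewall rules
ALLOW_ALL = ("0.0.0.0", "255.255.255.255")        # range of the default Allow_all_public_connections rule
AWS_SENTINEL = "169.254.65.87"                    # reserved address that stands for all AWS IP ranges


def _as_int(ip):
    """Convert a dotted-quad string to an integer so ranges compare numerically."""
    return int(ipaddress.IPv4Address(ip))


def ip_allowed(client_ip, rules):
    """Return True if client_ip lies inside any (name, start, end) rule, bounds inclusive."""
    ip = _as_int(client_ip)
    for _name, start, end in rules:
        lo, hi = _as_int(start), _as_int(end)
        if lo > hi:
            raise ValueError(f"rule has Start IP {start} after End IP {end}")
        if lo <= ip <= hi:
            return True
    return False


def audit_rules(rules):
    """Return human-readable findings about an over-permissive or invalid rule set."""
    findings = []
    if len(rules) > MAX_RULES:
        findings.append(f"{len(rules)} rules exceeds the limit of {MAX_RULES}")
    for name, start, end in rules:
        if (start, end) == ALLOW_ALL:
            findings.append(f"rule '{name}' admits every IPv4 address; delete it to restrict access")
        elif (start, end) == (AWS_SENTINEL, AWS_SENTINEL):   # assumed representation of Add AWS Access
            findings.append(f"rule '{name}' is the AWS sentinel: every AWS IP range is admitted")
    return findings


# Constructed sample: the default allow-all rule beside a tightened rule set.
DEFAULT_RULES = [("Allow_all_public_connections", *ALLOW_ALL)]
RESTRICTED_RULES = [
    ("office-egress", "203.0.113.10", "203.0.113.10"),     # single host: Start IP == End IP
    ("ci-runners", "198.51.100.0", "198.51.100.255"),
]

if __name__ == "__main__":
    for label, rules in (("default", DEFAULT_RULES), ("restricted", RESTRICTED_RULES)):
        print(label, audit_rules(rules), "client 192.0.2.7 allowed:", ip_allowed("192.0.2.7", rules))
```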