
Private Link Connections for Dataflow



Dataflow services in TiDB Cloud, such as Changefeed and Data Migration (DM), require reliable connectivity to external resources such as RDS instances and Kafka clusters. While public endpoints are supported, private link connections provide a superior alternative by offering higher efficiency, lower latency, and enhanced security.

Private link connections enable direct connectivity between TiDB Cloud Essential and your target resources. This ensures that data traveling from TiDB Cloud to your databases on other cloud platforms remains entirely within private network boundaries, significantly reducing the network attack surface and ensuring consistent throughput for critical dataflow workloads.

Private link connections for dataflow are available in different types, depending on the cloud provider and the service you want to access. Each type enables secure and private network access between your TiDB Cloud cluster and external resources (for example, RDS or Kafka) in the same cloud environment.

AWS Endpoint Service

This type of private link connection enables TiDB Cloud clusters on AWS to connect to your AWS endpoint service powered by AWS PrivateLink.

The private link connection can access various AWS services, such as RDS instances and Kafka services, by associating them with the endpoint service.

Alibaba Cloud Endpoint Service

This type of private link connection enables TiDB Cloud clusters on Alibaba Cloud to connect to your Alibaba Cloud endpoint service powered by Alibaba Cloud PrivateLink.

The private link connection can access various Alibaba Cloud services, such as RDS instances and Kafka services, by associating them with the endpoint service.

You can create an AWS Endpoint Service private link connection using the TiDB Cloud console or the TiDB Cloud CLI.

Ensure that the AWS endpoint service:

  • Resides in the same region as your TiDB Cloud cluster.
  • Has the TiDB Cloud account ID added to its Allow principals list.
  • Has availability zones that overlap with your TiDB Cloud cluster.

You can get the account ID and availability zones information at the bottom of the Create Private Link Connection dialog, or by running the following command:

ticloud serverless private-link-connection zones --cluster-id <cluster-id>

    To create a private link connection using the TiDB Cloud console:

    1. Log in to the TiDB Cloud console and navigate to the Clusters page of your project.

    2. Click the name of your target cluster to go to its overview page, and then click Settings > Networking in the left navigation pane.

    3. In the Private Link Connection For Dataflow area, click Create Private Link Connection.

    4. In the Create Private Link Connection dialog, enter the required information:

      • Private Link Connection Name: enter a name for the private link connection.
      • Connection Type: select AWS Endpoint Service. If this option is not displayed, ensure that your cluster is created on AWS.
      • Endpoint Service Name: enter your AWS endpoint service name, for example, com.amazonaws.vpce.<region>.vpce-svc-xxxxxxxxxxxxxxxxx.
    5. Click Create.

    6. Go to the detail page of your endpoint service on the AWS console. In the Endpoint Connections tab, accept the endpoint connection request from TiDB Cloud.

    To create a private link connection using the TiDB Cloud CLI:

    1. Run the following command:

      ticloud serverless private-link-connection create -c <cluster-id> --display-name <display-name> --type AWS_ENDPOINT_SERVICE --aws.endpoint-service-name <endpoint-service-name>
    2. Go to the detail page of your endpoint service on the AWS console. In the Endpoint Connections tab, accept the endpoint connection request from TiDB Cloud.
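The three prerequisites above, together with the acceptance step, written as a pre-flight check over values read from the AWS console and from the zones command. This is an added example, not TiDB Cloud's own code: the function names, sample account ID, and zone IDs are constructed, and it assumes both zone lists use the same identifier form.

```python
import re

# Name shape taken from the page's example: com.amazonaws.vpce.<region>.vpce-svc-<id>
SERVICE_NAME = re.compile(r"^com\.amazonaws\.vpce\.([a-z0-9-]+)\.vpce-svc-[0-9a-z]+$")


def principal_account(principal):
    """Account ID from an IAM principal ARN, or None for '*' and non-ARN values."""
    parts = principal.split(":")
    return parts[4] if len(parts) >= 6 and parts[0] == "arn" else None


def preflight(service_name, allowed_principals, service_zones, acceptance_required,
              cluster_region, tidb_account_id, tidb_zones):
    """Return findings for the page's prerequisites; an empty list means all hold."""
    findings = []
    match = SERVICE_NAME.match(service_name)
    if match is None:
        findings.append("service name does not match com.amazonaws.vpce.<region>.vpce-svc-<id>")
    elif match.group(1) != cluster_region:
        findings.append(f"region mismatch: service in {match.group(1)}, cluster in {cluster_region}")
    if "*" in allowed_principals:
        # A wildcard admits TiDB Cloud, but also every other AWS account.
        findings.append("Allow principals contains '*': any AWS account may request a connection")
    elif tidb_account_id not in {principal_account(p) for p in allowed_principals}:
        findings.append("TiDB Cloud account is not in Allow principals")
    if not set(service_zones) & set(tidb_zones):
        findings.append("no availability zone shared with the TiDB Cloud cluster")
    if not acceptance_required:
        # Without acceptance, there is no request to review in the Endpoint Connections tab.
        findings.append("acceptance is not required: requests are connected without manual review")
    return findings


# Constructed sample values (placeholders, not real accounts or services).
GOOD = dict(
    service_name="com.amazonaws.vpce.us-east-1.vpce-svc-0123456789abcdef0",
    allowed_principals=["arn:aws:iam::111122223333:root"],
    service_zones=["use1-az1", "use1-az2"],
    acceptance_required=True,
    cluster_region="us-east-1",
    tidb_account_id="111122223333",
    tidb_zones=["use1-az1", "use1-az4"],
)
BAD = dict(GOOD, service_name="com.amazonaws.vpce.us-west-2.vpce-svc-0123456789abcdef0",
           allowed_principals=["*"], service_zones=["usw2-az3"], acceptance_required=False)

if __name__ == "__main__":
    for label, cfg in (("good", GOOD), ("bad", BAD)):
        print(label, preflight(**cfg) or "all prerequisites hold")
```
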

    You can create an Alibaba Cloud Endpoint Service private link connection using the TiDB Cloud console or the TiDB Cloud CLI.

    Ensure that the Alibaba Cloud endpoint service:

    • Resides in the same region as your TiDB Cloud cluster.
    • Has the TiDB Cloud account ID added to its Service Whitelist.
    • Has availability zones that overlap with your TiDB Cloud cluster.

    You can get the account ID and availability zones information at the bottom of the Create Private Link Connection dialog, or by running the following command:

    ticloud serverless private-link-connection zones --cluster-id <cluster-id>

      To create a private link connection using the TiDB Cloud console:

      1. Log in to the TiDB Cloud console and navigate to the Clusters page of your project.

      2. Click the name of your target cluster to go to its overview page, and then click Settings > Networking in the left navigation pane.

      3. In the Private Link Connection For Dataflow area, click Create Private Link Connection.

      4. In the Create Private Link Connection dialog, enter the required information:

        • Private Link Connection Name: enter a name for the private link connection.
        • Connection Type: select Alibaba Cloud Endpoint Service. If this option is not displayed, ensure that your cluster is created on Alibaba Cloud.
        • Endpoint Service Name: enter the Alibaba Cloud endpoint service name, for example, com.aliyuncs.privatelink.<region>.epsrv-xxxxxxxxxxxxxxxxx.
      5. Click Create.

      6. Go to the detail page of your endpoint service on the Alibaba Cloud console. In the Endpoint Connections tab, allow the endpoint connection request from TiDB Cloud.

      To create a private link connection using the TiDB Cloud CLI:

      1. Run the following command:

        ticloud serverless private-link-connection create -c <cluster-id> --display-name <display-name> --type ALICLOUD_ENDPOINT_SERVICE --alicloud.endpoint-service-name <endpoint-service-name>
      2. Go to the detail page of your endpoint service on the Alibaba Cloud console. In the Endpoint Connections tab, allow the endpoint connection request from TiDB Cloud.

      You can attach domains to a private link connection. When a domain is attached to the private link connection, all traffic from TiDB Cloud dataflow services to this domain will be routed to this private link connection. It is useful when your service provides custom domains to clients at runtime, such as Kafka advertised listeners.

      Different private link connection types support attaching different domain types. The following table shows supported domain types for each private link connection type.

      | Private link connection type | Supported domain type |
      | --- | --- |
      | AWS Endpoint Service | TiDB Cloud managed (aws.tidbcloud.com); Confluent Dedicated (aws.confluent.cloud) |
      | Alibaba Cloud Endpoint Service | TiDB Cloud managed (alicloud.tidbcloud.com) |

      If your domain is not included in this table, contact TiDB Cloud Support to request support.

      You can attach domains to a private link connection using the TiDB Cloud console or the TiDB Cloud CLI.

        To attach domains to a private link connection using the TiDB Cloud console, do the following:

        1. Log in to the TiDB Cloud console and navigate to the Clusters page of your project.

        2. Click the name of your target cluster to go to its overview page, and then click Settings > Networking in the left navigation pane.

        3. In the Private Link Connection For Dataflow area, choose the target private link connection, and then click ....

        4. Click Attach Domains.

        5. In the Attach Domains dialog, choose the domain type:

          • TiDB Cloud Managed: the domains are generated automatically by TiDB Cloud. Each generated domain contains the unique name for the domain. For example, if a generated domain is *.use1-az1.dvs6nl5jgveztmla3pxkxgh76i.aws.plc.tidbcloud.com, then the unique name is dvs6nl5jgveztmla3pxkxgh76i. Click Attach Domains to confirm.
          • Confluent Cloud: enter the unique name provided by the Confluent Cloud Dedicated cluster to generate the domains, and then click Attach Domains to confirm. Refer to Connect to Confluent Cloud via a Private Link Connection for more information about how to get the unique name.

        To attach a TiDB Cloud managed domain using the TiDB Cloud CLI, do the following:

        1. Use dry run to preview the domains to be attached. It outputs a unique name for the next step.

          ticloud serverless private-link-connection attach-domains -c <cluster-id> --private-link-connection-id <private-link-connection-id> --type TIDBCLOUD_MANAGED --dry-run
        2. Attach the domains with the unique name from the previous step.

          ticloud serverless private-link-connection attach-domains -c <cluster-id> --private-link-connection-id <private-link-connection-id> --type TIDBCLOUD_MANAGED --unique-name <unique-name>

        To attach a Confluent Cloud domain, run the following command:

        ticloud serverless private-link-connection attach-domains -c <cluster-id> --private-link-connection-id <private-link-connection-id> --type CONFLUENT --unique-name <unique-name>

        You can detach domains from a private link connection using the TiDB Cloud console or the TiDB Cloud CLI.

          To detach domains from a private link connection using the TiDB Cloud console, do the following:

          1. Log in to the TiDB Cloud console and navigate to the Clusters page of your project.

          2. Click the name of your target cluster to go to its overview page, and then click Settings > Networking in the left navigation pane.

          3. In the Private Link Connection For Dataflow area, choose the target private link connection, and then click ....

          4. Click Detach Domains, and then confirm the detachment.

          To detach domains from a private link connection using the TiDB Cloud CLI, do the following:

          1. Get the private link connection details to find the attach-domain-id:

            ticloud serverless private-link-connection get -c <cluster-id> --private-link-connection-id <private-link-connection-id>
          2. Detach the domain by the attach-domain-id:

            ticloud serverless private-link-connection detach-domains -c <cluster-id> --private-link-connection-id <private-link-connection-id> --attach-domain-id <attach-domain-id>

          You can delete a private link connection using the TiDB Cloud console or the TiDB Cloud CLI.

            To delete a private link connection using the TiDB Cloud console, do the following:

            1. Log in to the TiDB Cloud console and navigate to the Clusters page of your project.

            2. Click the name of your target cluster to go to its overview page, and then click Settings > Networking in the left navigation pane.

            3. In the Private Link Connection For Dataflow area, choose the target private link connection, and then click ....

            4. Click Delete, and then confirm the deletion.

            To delete a private link connection, run the following command:

            ticloud serverless private-link-connection delete -c <cluster-id> --private-link-connection-id <private-link-connection-id>
