Connect to Amazon RDS via a Private Link Connection
This document describes how to connect a TiDB Cloud Essential cluster to an Amazon RDS instance using an AWS Endpoint Service private link connection.

Prerequisites

  • You have an existing Amazon RDS instance or the permissions required to create one.

  • Your account has the following permissions to manage networking components:

    • Manage security groups
    • Manage load balancers
    • Manage endpoint services
  • Your TiDB Cloud Essential cluster is hosted on AWS and is active. Retrieve and save the following details for later use:

    • AWS Account ID
    • Availability Zones (AZ)

To view the AWS account ID and availability zones, do the following:

  1. In the TiDB Cloud console, navigate to the cluster overview page of the TiDB cluster, and then click Settings > Networking in the left navigation pane.
  2. In the Private Link Connection For Dataflow area, click Create Private Link Connection.
  3. In the displayed dialog, you can find the AWS account ID and availability zones.

Step 1. Set up the Amazon RDS instance

Identify an Amazon RDS instance to use, or create a new one.

The Amazon RDS instance must meet the following requirements:

  • Region match: the instance must reside in the same AWS region as your TiDB Cloud Essential cluster.

  • The subnet group of your Amazon RDS instance must have availability zones that overlap with those of your TiDB Cloud Essential cluster.

  • Attach a suitable security group to your Amazon RDS instance and ensure that the instance is reachable from within the VPC. For example, you can create a security group with the following rules:

    • An inbound rule that allows MySQL/Aurora:
      • Type: MySQL/Aurora
      • Source: Anywhere-IPv4
    • An outbound rule that allows MySQL/Aurora:
      • Type: MySQL/Aurora
      • Destination: Anywhere-IPv4

Step 2. Expose the Amazon RDS instance as an endpoint service

You need to set up the load balancer and the AWS Endpoint Service in the AWS console.

Step 2.1. Set up the load balancer

To set up the load balancer in the same region as your RDS, take the following steps:

  1. Go to Target groups to create a target group. Provide the following information:

    • Target type: select IP addresses.
    • Protocol and Port: set the protocol to TCP and the port to your database port, for example 3306 for MySQL.
    • IP address type: select IPv4.
    • VPC: select the VPC where your RDS is located.
    • Register targets: register the IP addresses of your Amazon RDS instance. You can ping the RDS endpoint's DNS name to find its IP address.

    For more information, see Create a target group for your Network Load Balancer.

  2. Go to Load balancers to create a network load balancer. Provide the following information:

    • Scheme: select Internal

    • Load balancer IP address type: select IPv4

    • VPC: select the VPC where your RDS is located

    • Availability Zones: select the availability zones that overlap with your TiDB Cloud Essential cluster

    • Security groups: create a new security group with the following rules:

      • An inbound rule that allows MySQL/Aurora:

        • Type: MySQL/Aurora
        • Source: Anywhere-IPv4
      • An outbound rule that allows MySQL/Aurora:

        • Type: MySQL/Aurora
        • Destination: Anywhere-IPv4
    • Listeners and routing:

      • Protocol and Port: set the protocol to TCP and the port to your database port, for example 3306 for MySQL
      • Target group: select the target group that you created in the previous step

    For more information, see Create a Network Load Balancer.

Step 2.2. Set up the AWS Endpoint Service

To set up the endpoint service in the same region as your RDS, take the following steps:

  1. Go to Endpoint services to create an endpoint service. Provide the following information:

    • Load balancer type: select Network
    • Available load balancers: select the load balancer you created in the previous step
    • Supported Regions: leave it empty if you do not have cross-region requirements
    • Require acceptance for endpoint: select Acceptance required (recommended)
    • Supported IP address types: select IPv4
  2. Go to the details page of the endpoint service, and then copy the endpoint service name, which has the format com.amazonaws.vpce.<region>.vpce-svc-xxxxxxxxxxxxxxxxx. You need to provide this name to TiDB Cloud.

  3. On the details page of the endpoint service, click the Allow principals tab, and then add the AWS account ID that you obtained in Prerequisites to the allowlist, for example, arn:aws:iam::<account_id>:root.
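As an added check, not part of the original page or of TiDB Cloud's own tooling: a Python audit of the two settings above that decide who can reach the database, the RDS security group from Step 1 and the endpoint service from Step 2.2. The functions consume the dictionaries that boto3's EC2 client returns from describe_security_groups, describe_vpc_endpoint_service_configurations and describe_vpc_endpoint_service_permissions. The sample responses, subnet CIDRs, account ID and service name inside the block are constructed placeholders, not real resources.

```python
"""Audit the RDS security group (Step 1) and the endpoint service (Step 2.2).

Each function takes the response dictionary that the boto3 EC2 client returns,
so it can be run on live output. The dictionaries at the bottom are constructed
samples so that the module runs offline.
"""
import ipaddress
import re

# Format given in Step 2.2: com.amazonaws.vpce.<region>.vpce-svc-<17 hex chars>
SERVICE_NAME_RE = re.compile(r"^com\.amazonaws\.vpce\.[a-z0-9-]+\.vpce-svc-[0-9a-f]{17}$")
ACCOUNT_ID_RE = re.compile(r"^\d{12}$")


def _rule_covers_port(perm, port):
    """True if one IpPermissions entry matches TCP `port` (or all traffic)."""
    proto = perm.get("IpProtocol")
    if proto == "-1":  # "All traffic"
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def audit_rds_security_group(sg, db_port=3306, nlb_subnet_cidrs=()):
    """Flag inbound rules on the database port wider than the NLB subnets.
    Behind an NLB with IP targets, the load balancer nodes are the only clients
    the RDS instance should see, so 0.0.0.0/0 can be narrowed to their subnets."""
    allowed = [ipaddress.ip_network(c) for c in nlb_subnet_cidrs]
    findings = []
    for perm in sg.get("IpPermissions", []):
        if not _rule_covers_port(perm, db_port):
            continue
        for rng in perm.get("IpRanges", []):
            net = ipaddress.ip_network(rng["CidrIp"])
            if net.prefixlen == 0:
                findings.append(f"{sg['GroupId']}: port {db_port} open to {net} (Anywhere)")
            elif allowed and not any(a.version == net.version and net.subnet_of(a) for a in allowed):
                findings.append(f"{sg['GroupId']}: port {db_port} open to {net}, outside the NLB subnets")
    return findings


def audit_endpoint_service(config, permissions, tidb_cloud_account_id):
    """Check name format, acceptance, IPv4 support and that the allowlist holds
    exactly the TiDB Cloud account root principal from the Prerequisites."""
    findings = []
    name = config.get("ServiceName", "")
    if not SERVICE_NAME_RE.match(name):
        findings.append(f"service name {name!r} is not com.amazonaws.vpce.<region>.vpce-svc-<id>")
    if not config.get("AcceptanceRequired", False):
        findings.append("AcceptanceRequired is false: allowlisted principals connect without review")
    if "ipv4" not in config.get("SupportedIpAddressTypes", []):
        findings.append("ipv4 is not among SupportedIpAddressTypes")
    if not ACCOUNT_ID_RE.match(tidb_cloud_account_id):
        findings.append(f"{tidb_cloud_account_id!r} is not a 12-digit AWS account ID")
    expected = f"arn:aws:iam::{tidb_cloud_account_id}:root"
    principals = [p["Principal"] for p in permissions.get("AllowedPrincipals", [])]
    if expected not in principals:
        findings.append(f"{expected} is missing from the allowlist")
    for principal in principals:
        if principal == "*":
            findings.append("allowlist contains '*': any AWS account can request an endpoint")
        elif principal != expected:
            findings.append(f"unexpected principal on the allowlist: {principal}")
    return findings


# --- constructed samples (placeholder IDs and CIDRs, not real resources) ---
OPEN_SG = {"GroupId": "sg-0example0000000001",  # the page's Anywhere-IPv4 rule
           "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
                              "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}
NLB_SUBNETS = ("10.0.1.0/24", "10.0.2.0/24")  # hypothetical NLB subnet CIDRs
TIGHT_SG = {"GroupId": "sg-0example0000000002",  # same rule, limited to NLB subnets
            "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
                               "IpRanges": [{"CidrIp": c} for c in NLB_SUBNETS]}]}
TIDB_ACCOUNT = "123456789012"  # placeholder for the ID shown in the TiDB Cloud dialog
GOOD_SERVICE = {"ServiceName": "com.amazonaws.vpce.us-west-2.vpce-svc-0123456789abcdef0",
                "AcceptanceRequired": True, "SupportedIpAddressTypes": ["ipv4"]}
LOOSE_SERVICE = {**GOOD_SERVICE, "AcceptanceRequired": False}
EXACT_PERMS = {"AllowedPrincipals": [{"PrincipalType": "Account",
                                      "Principal": f"arn:aws:iam::{TIDB_ACCOUNT}:root"}]}
WILDCARD_PERMS = {"AllowedPrincipals": [{"PrincipalType": "All", "Principal": "*"}]}

if __name__ == "__main__":
    checks = [("open RDS SG", audit_rds_security_group(OPEN_SG, 3306, NLB_SUBNETS)),
              ("tight RDS SG", audit_rds_security_group(TIGHT_SG, 3306, NLB_SUBNETS)),
              ("good service", audit_endpoint_service(GOOD_SERVICE, EXACT_PERMS, TIDB_ACCOUNT)),
              ("loose service", audit_endpoint_service(LOOSE_SERVICE, WILDCARD_PERMS, TIDB_ACCOUNT))]
    for label, findings in checks:
        print(f"{label}: {'OK' if not findings else ''}")
        for line in findings:
            print("  -", line)
```

To run against live resources, pass `ec2.describe_security_groups(GroupIds=[...])["SecurityGroups"][0]`, one entry of `describe_vpc_endpoint_service_configurations()["ServiceConfigurations"]`, and the matching `describe_vpc_endpoint_service_permissions(ServiceId=...)` response. One related caveat for Step 2.1: the target group registers IP addresses rather than the RDS DNS name, so if the instance's address changes (for example after a failover or host replacement) the registered target must be updated, and the security-group check above should be rerun after any such change.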

You can create a private link connection using the TiDB Cloud console or the TiDB Cloud CLI.

For more information, see Create an AWS Endpoint Service private link connection.