Connect to TiDB Serverless via Private Endpoint

This document describes how to connect to your TiDB Serverless cluster via private endpoint.

Tip

To learn how to connect to a TiDB Dedicated cluster via private endpoint with AWS, see Connect to TiDB Dedicated via Private Endpoint with AWS. To learn how to connect to a TiDB Dedicated cluster via private endpoint with Google Cloud, see Connect to TiDB Dedicated via Private Service Connect with Google Cloud.

TiDB Cloud supports highly secure and one-way access to the TiDB Cloud service hosted in an AWS VPC via the AWS PrivateLink, as if the service were in your own VPC. A private endpoint is exposed in your VPC and you can create a connection to the TiDB Cloud service via the endpoint with permission.

Powered by AWS PrivateLink, the endpoint connection is secure and private, and does not expose your data to the public internet. In addition, the endpoint connection supports CIDR overlap and is easier for network management.

The architecture of the private endpoint is as follows:

Private endpoint architecture

For more detailed definitions of the private endpoint and endpoint service, see the following AWS documents:

Restrictions

Currently, TiDB Cloud supports private endpoint connection to TiDB Serverless only when the endpoint service is hosted in AWS. If the service is hosted in Google Cloud, the private endpoint is not applicable.
Private endpoint connection across regions is not supported.

Set up a private endpoint with AWS

To connect to your TiDB Serverless cluster via a private endpoint, follow these steps:

Choose a TiDB cluster
Create an AWS interface endpoint
Connect to your TiDB cluster

Step 1. Choose a TiDB cluster

On the Clusters page, click the name of your target TiDB Serverless cluster to go to its overview page.
Click Connect in the upper-right corner. A connection dialog is displayed.
In the Endpoint Type drop-down list, select Private.
Take a note of Service Name, Availability Zone ID, and Region ID.
Note
You only need to create one private endpoint per AWS region, which can be shared by all TiDB Serverless clusters located in the same region.

Step 2. Create an AWS interface endpoint

Use AWS Console
Use AWS CLI

To use the AWS Management Console to create a VPC interface endpoint, perform the following steps:

Sign in to the AWS Management Console and open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
Click Endpoints in the navigation pane, and then click Create Endpoint in the upper-right corner.
The Create endpoint page is displayed.
Select Other endpoint services.
Enter the service name that you found in step 1.
Click Verify service.
Select your VPC in the drop-down list. Expand Additional settings and select the Enable DNS name checkbox.
In the Subnets area, select the availability zone where your TiDB cluster is located, and select the Subnet ID.
Select your security group properly in the Security groups area.
Note
Make sure the selected security group allows inbound access from your EC2 instances on port 4000.
Click Create endpoint.

To use the AWS CLI to create a VPC interface endpoint, perform the following steps:

To get the VPC ID and Subnet ID, navigate to your AWS Management Console, and locate them in the relevant sections. Make sure that you fill in the Availability Zone ID that you found in step 1.
Copy the command provided below, replace the relevant arguments with the information you obtained, and then execute it in your terminal.

aws ec2 create-vpc-endpoint --vpc-id ${your_vpc_id} --region ${region_id} --service-name ${service_name} --vpc-endpoint-type Interface --subnet-ids ${your_subnet_id}

Tip

Before running the command, you need to have AWS CLI installed and configured. See AWS CLI configuration basics for details.

Then you can connect to the endpoint service with the private DNS name.

Step 3: Connect to your TiDB cluster

After you have created the interface endpoint, go back to the TiDB Cloud console and take the following steps:

On the Clusters page, click the name of your target cluster to go to its overview page.
Click Connect in the upper-right corner. A connection dialog is displayed.
In the Endpoint Type drop-down list, select Private.
In the Connect With drop-down list, select your preferred connection method. The corresponding connection string is displayed at the bottom of the dialog.
Connect to your cluster with the connection string.

Tip

If you cannot connect to the cluster, the reason might be that the security group of your VPC endpoint in AWS is not properly set. See this FAQ for solutions.

When creating a VPC endpoint, if you encounter an error private-dns-enabled cannot be set because there is already a conflicting DNS domain for gatewayXX-privatelink.XX.prod.aws.tidbcloud.com in the VPC vpc-XXXXX, it is due to that a private endpoint has already been created, and creating a new one is unnecessary.

Troubleshooting

I cannot connect to a TiDB cluster via a private endpoint after enabling private DNS. Why?

You might need to properly set the security group for your VPC endpoint in the AWS Management Console. Go to VPC > Endpoints. Right-click your VPC endpoint and select the proper Manage security groups. A proper security group within your VPC that allows inbound access from your EC2 instances on Port 4000 or a customer-defined port.

Manage security groups

I cannot enable private DNS. An error is reported indicating that the `enableDnsSupport` and `enableDnsHostnames` VPC attributes are not enabled

Make sure that DNS hostname and DNS resolution are both enabled in your VPC setting. They are disabled by default when you create a VPC in the AWS Management Console.