Skip to content

connect-to-premium-via-aws-private-endpoint.md

Latest commit

 

History

History
201 lines (131 loc) · 10.7 KB

connect-to-premium-via-aws-private-endpoint.md

File metadata and controls

201 lines (131 loc) · 10.7 KB
title Connect to {{{ .premium }}} via AWS PrivateLink
summary Learn how to connect to your {{{ .premium }}} instance via private endpoint with AWS.

Connect to {{{ .premium }}} via AWS PrivateLink

This document describes how to connect to your {{{ .premium }}} instance via AWS PrivateLink.

Tip:

To learn how to connect to a {{{ .starter }}} or {{{ .essential }}} cluster via AWS PrivateLink, see Connect to {{{ .starter }}} or Essential via AWS PrivateLink.

TiDB Cloud supports highly secure and one-way access to the TiDB Cloud service hosted in an AWS VPC via AWS PrivateLink, as if the service were in your own VPC. A private endpoint is exposed in your VPC and you can create a connection to the TiDB Cloud service via the endpoint with permission.

Powered by AWS PrivateLink, the endpoint connection is secure and private, and does not expose your data to the public internet. In addition, the endpoint connection supports CIDR overlap and is easier for network management.

The architecture of the private endpoint is as follows:

Private endpoint architecture

For more detailed definitions of the private endpoint and endpoint service, see the following AWS documents:

Restrictions

  • Only users with the Organization Owner role can create private endpoint connections.
  • The private endpoint and the TiDB instance you want to connect to must be located in the same region.

Prerequisites

Make sure that DNS hostnames and DNS resolution are both enabled in your AWS VPC settings. They are disabled by default when you create a VPC in the AWS Management Console.

Set up a private endpoint connection and connect to your instance

To connect to your {{{ .premium }}} instance via a private endpoint, follow these steps:

  1. Select a TiDB instance
  2. Create an AWS interface endpoint
  3. Create a private endpoint connection
  4. Enable private DNS
  5. Connect to your TiDB instance

If you have multiple instances, you need to repeat these steps for each instance that you want to connect to using AWS PrivateLink.

Step 1. Select a TiDB instance

  1. On the TiDB Instances page of your TiDB Cloud web console, click the name of your target TiDB instance to go to its overview page.
  2. Click Connect in the upper-right corner. A connection dialog is displayed.
  3. In the Connection Type drop-down list, select Private Endpoint, and then click Create Private Endpoint Connection.

Note:

If you have already created a private endpoint connection, the active endpoint will appear in the connection dialog. To create additional private endpoint connections, navigate to the Networking page by clicking Settings > Networking in the left navigation pane.

Step 2. Create an AWS interface endpoint

Note:

For each {{{ .premium }}} instance, the corresponding endpoint service is automatically created 3 to 4 minutes after the instance creation.

If you see the TiDB Private Link Service is ready message, the corresponding endpoint service is ready. You can provide the following information to create the endpoint.

  1. Fill in the Your VPC ID and Your Subnet IDs fields. You can find these IDs from your AWS Management Console. For multiple subnets, enter the IDs separated by spaces.

  2. Click Generate Command to get the following endpoint creation command.

    aws ec2 create-vpc-endpoint --vpc-id ${your_vpc_id} --region ${your_region} --service-name ${your_endpoint_service_name} --vpc-endpoint-type Interface --subnet-ids ${your_application_subnet_ids}

Then, you can create an AWS interface endpoint either using the AWS CLI or using the AWS Management Console.

To use the AWS CLI to create a VPC interface endpoint, perform the following steps:

  1. Copy the generated command and run it in your terminal.
  2. Record the VPC endpoint ID you just created.

Tip:

  • Before running the command, you need to have AWS CLI installed and configured. See AWS CLI configuration basics for details.

  • If your service is spanning across more than three availability zones (AZs), you will get an error message indicating that the VPC endpoint service does not support the AZ of the subnet. This issue occurs when there is an extra AZ in your selected region in addition to the AZs where your TiDB instance is located. In this case, you can contact PingCAP Technical Support.

To use the AWS Management Console to create a VPC interface endpoint, perform the following steps:

  1. Sign in to the AWS Management Console and open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. Click Endpoints in the navigation pane, and then click Create Endpoint in the upper-right corner.

    The Create endpoint page is displayed.

    Verify endpoint service

  3. In the Endpoint settings area, fill in a name tag if needed, and then select the Endpoint services that use NLBs and GWLBs option.

  4. In the Service settings area, enter the service name ${your_endpoint_service_name} from the generated command (--service-name ${your_endpoint_service_name}).

  5. Click Verify service.

  6. In the Network settings area, select your VPC in the drop-down list.

  7. In the Subnets area, select the availability zones where your TiDB instance is located.

    Tip:

    If your service is spanning across more than three availability zones (AZs), you might not be able to select AZs in the Subnets area. This issue occurs when there is an extra AZ in your selected region in addition to the AZs where your TiDB instance is located. In this case, contact PingCAP Technical Support.

  8. In the Security groups area, select your security group properly.

    Note:

    Make sure the selected security group allows inbound access from your EC2 instances on port 4000 or a customer-defined port.

  9. Click Create endpoint.

Step 3. Create a private endpoint connection

  1. Go back to the TiDB Cloud console.
  2. On the Create AWS Private Endpoint Connection page, enter your VPC endpoint ID.
  3. Click Create Private Endpoint Connection.

Tip:

You can view and manage private endpoint connections on the Networking page of your target TiDB instance. To access this page, click Settings > Networking in the left navigation pane.

Step 4. Enable private DNS

Enable private DNS in AWS. You can either use the AWS CLI or the AWS Management Console.

To enable private DNS using your AWS CLI, copy the following aws ec2 modify-vpc-endpoint command from the Create Private Endpoint Connection page and run it in your AWS CLI.

aws ec2 modify-vpc-endpoint --vpc-endpoint-id ${your_vpc_endpoint_id} --private-dns-enabled

Alternatively, you can find the command on the Networking page of your instance. Locate the private endpoint and click ... > Enable DNS in the Action column.

To enable private DNS in your AWS Management Console:

  1. Go to VPC > Endpoints.

  2. Right-click your endpoint ID and select Modify private DNS name.

  3. Select the Enable for this endpoint check box.

  4. Click Save changes.

    Enable private DNS

Step 5. Connect to your TiDB instance

After you have accepted the private endpoint connection, you are redirected back to the connection dialog.

  1. Wait for the private endpoint connection status to change from System Checking to Active (approximately 5 minutes).
  2. In the Connect With drop-down list, select your preferred connection method. The corresponding connection string is displayed at the bottom of the dialog.
  3. Connect to your instance using the connection string.

Tip:

If you cannot connect to the instance, the reason might be that the security group of your VPC endpoint in AWS is not properly set. See this FAQ for solutions.

Private endpoint status reference

When you use private endpoint connections, the statuses of private endpoints and private endpoint services are displayed on the instance-level Networking page:

  1. Switch to your target instance using the combo box in the upper-left corner.
  2. Click Settings > Networking in the left navigation pane.

The possible statuses of a private endpoint are explained as follows:

  • Not Configured: The endpoint service is created but the private endpoint is not created yet.
  • Pending: Waiting for processing.
  • Active: Your private endpoint is ready to use. You cannot edit a private endpoint in this status.
  • Deleting: The private endpoint is being deleted.
  • Failed: The private endpoint creation fails. You can click Edit in that row to retry the creation.

The possible statuses of a private endpoint service are explained as follows:

  • Creating: The endpoint service is being created, which takes 3 to 5 minutes.
  • Active: The endpoint service is created, regardless of whether the private endpoint is created or not.
  • Deleting: The endpoint service or the instance is being deleted, which takes 3 to 5 minutes.

Troubleshooting

I cannot connect to a TiDB instance via a private endpoint after enabling private DNS. Why?

You might need to properly set the security group for your VPC endpoint in the AWS Management Console. To do so, go to VPC > Endpoints, right-click your VPC endpoint, and select Manage security groups. Ensure that the selected security group allows inbound access from your EC2 instances on port 4000 or a customer-defined port.

Manage security groups