diff --git a/TOC-tidb-cloud.md b/TOC-tidb-cloud.md index 1f107234b49c9..de581f6beb56e 100644 --- a/TOC-tidb-cloud.md +++ b/TOC-tidb-cloud.md @@ -157,7 +157,8 @@ - [Connection Method Overview](/tidb-cloud/connect-to-tidb-cluster.md) - [Connect via Public Connection](/tidb-cloud/connect-via-standard-connection.md) - [Connect via Private Endpoint with AWS](/tidb-cloud/set-up-private-endpoint-connections.md) - - [Connect via Private Endpoint (Private Service Connect) with Google Cloud](/tidb-cloud/set-up-private-endpoint-connections-on-google-cloud.md) + - [Connect via Private Endpoint with Azure](/tidb-cloud/set-up-private-endpoint-connections-on-azure.md) + - [Connect via Private Endpoint with Google Cloud](/tidb-cloud/set-up-private-endpoint-connections-on-google-cloud.md) - [Connect via VPC Peering](/tidb-cloud/set-up-vpc-peering-connections.md) - [Connect via SQL Shell](/tidb-cloud/connect-via-sql-shell.md) - [Scale a TiDB Cloud Dedicated Cluster](/tidb-cloud/scale-tidb-cluster.md) @@ -351,7 +352,8 @@ - TiDB Cloud Dedicated - [Configure an IP Access List](/tidb-cloud/configure-ip-access-list.md) - [Connect via Private Endpoint with AWS](/tidb-cloud/set-up-private-endpoint-connections.md) - - [Connect via Private Endpoint (Private Service Connect) with Google Cloud](/tidb-cloud/set-up-private-endpoint-connections-on-google-cloud.md) + - [Connect via Private Endpoint with Azure](/tidb-cloud/set-up-private-endpoint-connections-on-azure.md) + - [Connect via Private Endpoint with Google Cloud](/tidb-cloud/set-up-private-endpoint-connections-on-google-cloud.md) - [Connect via VPC Peering](/tidb-cloud/set-up-vpc-peering-connections.md) - [TLS Connections to TiDB Cloud Dedicated](/tidb-cloud/tidb-cloud-tls-connect-to-dedicated.md) - Data Access Control 
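Review bot: both TOC hunks label the new entry "Connect via Private Endpoint with Azure" and rename the Google Cloud entry to "Connect via Private Endpoint with Google Cloud", while the pages they link to are retitled in this same patch to "... via Azure Private Link", "... via AWS PrivateLink" and "... via Google Cloud Private Service Connect". Either naming is fine, but pick one: a reader scanning the TOC for "Private Link" or "PrivateLink" will not find these entries. If the TOC is meant to stay provider-neutral, consider keeping the product name in parentheses, as the old Google Cloud entry "(Private Service Connect)" did.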
diff --git a/media/tidb-cloud/azure-create-private-endpoint-service-resource-id.png b/media/tidb-cloud/azure-create-private-endpoint-service-resource-id.png new file mode 100644 index 0000000000000..cd3597d061ae7 Binary files /dev/null and b/media/tidb-cloud/azure-create-private-endpoint-service-resource-id.png differ diff --git a/media/tidb-cloud/azure-private-endpoint-arch.png b/media/tidb-cloud/azure-private-endpoint-arch.png new file mode 100644 index 0000000000000..f838930a9b2d3 Binary files /dev/null and b/media/tidb-cloud/azure-private-endpoint-arch.png differ diff --git a/media/tidb-cloud/azure-private-endpoint-dns-ip.png b/media/tidb-cloud/azure-private-endpoint-dns-ip.png new file mode 100644 index 0000000000000..788663e6c4f47 Binary files /dev/null and b/media/tidb-cloud/azure-private-endpoint-dns-ip.png differ diff --git a/media/tidb-cloud/azure-private-endpoint-resource-id.png b/media/tidb-cloud/azure-private-endpoint-resource-id.png new file mode 100644 index 0000000000000..57684200ff380 Binary files /dev/null and b/media/tidb-cloud/azure-private-endpoint-resource-id.png differ diff --git a/tidb-cloud/connect-to-tidb-cluster.md b/tidb-cloud/connect-to-tidb-cluster.md index 7fb8a90c76df9..10cd319dfbe3d 100644 --- a/tidb-cloud/connect-to-tidb-cluster.md +++ b/tidb-cloud/connect-to-tidb-cluster.md 
@@ -27,7 +27,8 @@ After your TiDB Cloud Dedicated cluster is created on TiDB Cloud, you can connec Private endpoint connection provides a private endpoint to allow SQL clients in your VPC to securely access TiDB Cloud Dedicated clusters. This uses the private link service provided by different cloud providers, which provides highly secure and one-way access to database services with simplified network management. - - For TiDB Cloud Dedicated clusters hosted on AWS, the private endpoint connection uses AWS PrivateLink. For more information, see [Connect to a TiDB Cloud Dedicated Cluster via Private Endpoint with AWS](/tidb-cloud/set-up-private-endpoint-connections.md). + - For TiDB Cloud Dedicated clusters hosted on AWS, the private endpoint connection uses AWS PrivateLink. For more information, see [Connect to a TiDB Cloud Dedicated Cluster via AWS PrivateLink](/tidb-cloud/set-up-private-endpoint-connections.md). + - For TiDB Cloud Dedicated clusters hosted on Azure, the private endpoint connection uses Azure Private Link. For more information, see [Connect to a TiDB Cloud Dedicated Cluster via Azure Private Link](/tidb-cloud/set-up-private-endpoint-connections-on-azure.md). - For TiDB Cloud Dedicated clusters hosted on Google Cloud, the private endpoint connection uses Google Cloud Private Service Connect. For more information, see [Connect to a TiDB Cloud Dedicated Cluster via Google Cloud Private Service Connect](/tidb-cloud/set-up-private-endpoint-connections-on-google-cloud.md). - [VPC peering](/tidb-cloud/set-up-vpc-peering-connections.md) diff --git a/tidb-cloud/set-up-private-endpoint-connections-on-azure.md b/tidb-cloud/set-up-private-endpoint-connections-on-azure.md new file mode 100644 index 0000000000000..4f3241d00d7ac --- /dev/null +++ b/tidb-cloud/set-up-private-endpoint-connections-on-azure.md 
@@ -0,0 +1,123 @@ +--- +title: Connect to a TiDB Cloud Dedicated Cluster via Azure Private Link +summary: Learn how to connect to TiDB Cloud Dedicated Cluster via Azure Private Link. +--- + +# Connect to a TiDB Cloud Dedicated Cluster via Azure Private Link + +This document describes how to connect to your TiDB Cloud Dedicated cluster via [Azure Private Link](https://learn.microsoft.com/en-us/azure/private-link/private-link-overview). + +> **Tip:** +> +> - To learn how to connect to a TiDB Cloud Dedicated cluster via private endpoint with AWS, see [Connect to a TiDB Cloud Dedicated Cluster via AWS PrivateLink](/tidb-cloud/set-up-private-endpoint-connections.md). +> - To learn how to connect to a TiDB Cloud Dedicated cluster via private endpoint with Google Cloud, see [Connect to a TiDB Cloud Dedicated Cluster via Google Cloud Private Service Connect](/tidb-cloud/set-up-private-endpoint-connections-on-google-cloud.md) +> - To learn how to connect to a TiDB Cloud Serverless cluster via private endpoint, see [Connect to TiDB Cloud Serverless via Private Endpoint](/tidb-cloud/set-up-private-endpoint-connections-serverless.md). + +TiDB Cloud supports highly secure and one-way access to the TiDB Cloud service hosted in an Azure virtual network via [Azure Private Link](https://learn.microsoft.com/en-us/azure/private-link/private-link-overview), as if the service were in your own virtual network. You can create a private endpoint in your virtual network, and then connect to the TiDB Cloud service via the endpoint with permission. + +Powered by Azure Private Link, the endpoint connection is secure and private, and does not expose your data to the public internet. In addition, the endpoint connection supports CIDR overlap and is easier for network management. 
+ +The architecture of Azure Private Link is as follows: [^1] + +![Azure Private Link architecture](/media/tidb-cloud/azure-private-endpoint-arch.png) + +For more detailed definitions of the private endpoint and endpoint service, see the following Azure documents: + +- [What is Azure Private Link](https://learn.microsoft.com/en-us/azure/private-link/private-link-overview) +- [What is a private endpoint](https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-overview) +- [Create a private endpoint](https://learn.microsoft.com/en-us/azure/private-link/create-private-endpoint-portal?tabs=dynamic-ip) + +## Restrictions + +- Only the `Organization Owner` and `Project Owner` roles can create private endpoints. +- The private endpoint and the TiDB cluster to be connected must be located in the same region. + +## Set up a private endpoint with Azure Private Link + +To connect to your TiDB Cloud Dedicated cluster via a private endpoint, complete the following steps: + +1. [Select a TiDB cluster](#step-1-select-a-tidb-cluster) +2. [Create an Azure private endpoint](#step-2-create-an-azure-private-endpoint) +3. [Accept the endpoint](#step-3-accept-the-endpoint) +4. [Connect to your TiDB cluster](#step-4-connect-to-your-tidb-cluster) + +If you have multiple clusters, you need to repeat these steps for each cluster that you want to connect to using Azure Private Link. + +### Step 1. Select a TiDB cluster + +1. On the [**Clusters**](https://tidbcloud.com/console/clusters) page, click the name of your target TiDB cluster to go to its overview page. +2. Click **Connect** in the upper-right corner. A connection dialog is displayed. +3. In the **Connection Type** drop-down list, select **Private Endpoint**, and then click **Create Private Endpoint Connection** to open the **Create Azure Private Endpoint Connection** dialog. + +> **Note:** +> +> If you have already created a private endpoint connection, the active endpoint will appear in the connection dialog. 
To create additional private endpoint connections, navigate to the **Networking** page in the left navigation pane. + +### Step 2. Create an Azure private endpoint + +1. In the **Create Azure Private Endpoint Connection** dialog, copy the TiDB Cloud resource ID of the private link service and leave the dialog open for later use. + + > **Note:** + > + > For each TiDB Cloud Dedicated cluster, the corresponding endpoint service is automatically created 3 to 4 minutes after the cluster creation. + +2. Log in to the [Azure portal](https://portal.azure.com/), and then create a private endpoint for your cluster using the copied TiDB Cloud resource ID as follows: + + 1. In the Azure portal, search for **Private endpoints**, and then select **Private endpoints** in the result. + 2. On the **Private endpoint** page, click **+ Create**. + 3. In the **Basics** tab, fill in the project and instance information, and then click **Next: Resource**. + 4. In the **Resource** tab, choose **Connect to an Azure resource by resource ID or alias** as the **connection method**, and paste the TiDB Cloud resource ID to the **Resource ID or alias** field. + 5. Continue clicking **Next** to go through the remaining configuration tabs and complete the required settings. Then, click **Create** to create and deploy the private endpoint. It might take a few seconds for Azure to complete the deployment. For more information, see [Create a private endpoint](https://learn.microsoft.com/en-us/azure/private-link/create-private-endpoint-portal?tabs=dynamic-ip#create-a-private-endpoint) in Azure documentation. + +3. After the private endpoint is created and deployed, click **Go to resource**, and then do the following: + + - Click **Settings** > **Properties** in the left navigation pane, and copy its **Resource ID** for later use. 
+ + ![Azure private endpoint resource ID](/media/tidb-cloud/azure-private-endpoint-resource-id.png) + + - Click **Settings** > **DNS configuration** in the left navigation pane, and then copy its **IP address** for later use. + + ![Azure private endpoint DNS IP](/media/tidb-cloud/azure-private-endpoint-dns-ip.png) + +### Step 3. Accept the endpoint + +1. Return to the **Create Azure Private Endpoint Connection** dialog in the TiDB Cloud console, and then paste the copied **Resource ID** and **IP address** into the corresponding fields. +2. Click **Verify Endpoint** to validate the private endpoint access. If you encounter any error, follow the error message for troubleshooting, and then try again. +3. Once verification is successful, click **Accept Endpoint** to approve the connection from your private endpoint. + +### Step 4. Connect to your TiDB cluster + +After you have accepted the endpoint connection, you are redirected back to the connection dialog. + +1. Wait for the private endpoint connection status to become **Active** (approximately 5 minutes). You can go to the **Networking** page of the cluster to check its status. +2. In the **Connect With** drop-down list, select your preferred connection method. The corresponding connection string is displayed at the bottom of the dialog. +3. Connect to your cluster with the connection string. + +### Private endpoint status reference + +You can view the statuses of private endpoints or private endpoint services on the **Networking** page of your cluster. + +The possible statuses of a private endpoint are explained as follows: + +- **Discovered**: TiDB Cloud can automatically detect your private endpoint associated with the endpoint service before accepting the request to prevent the need for creating another one. +- **Pending**: waiting for processing. +- **Active**: your private endpoint is ready to use. You cannot edit the private endpoint of this status. +- **Deleting**: the private endpoint is being deleted. 
+- **Failed**: the private endpoint creation fails. You can click **Edit** of that row to retry the creation. + +The possible statuses of a private endpoint service are explained as follows: + +- **Creating**: the endpoint service is being created, which takes 3 to 5 minutes. +- **Active**: the endpoint service is created, no matter whether the private endpoint is created or not. + +## Troubleshooting + +### TiDB Cloud fails to create an endpoint service. What should I do? + +The endpoint service is created automatically after you open the **Create Azure Private Endpoint** page and choose the TiDB cluster. If it shows as failed or remains in the **Creating** state for a long time, submit a [support ticket](/tidb-cloud/tidb-cloud-support.md) for assistance. + +### If I cancel the action during setup, what should I do before accepting the private endpoint? + +The Azure private endpoint connection feature can automatically detect your private endpoints. This means that after [creating an Azure private endpoint](#step-2-create-an-azure-private-endpoint) in the Azure portal, if you click **Cancel** in the **Create Azure Private Endpoint Connection** dialog in the TiDB Cloud console, you can still view the created endpoint on the **Networking** page. If the cancellation is unintentional, you can continue to configure the endpoint to complete the setup. If the cancellation is intentional, you can delete the endpoint directly in the TiDB Cloud console. + +[^1]: The diagram of the Azure Private Link architecture is from the [What is Azure Private Link service](https://learn.microsoft.com/en-us/azure/private-link/private-link-service-overview) document ([source file on GitHub](https://github.com/MicrosoftDocs/azure-docs/blob/main/articles/private-link/private-link-service-overview.md)) in Azure documentation, licensed under the Creative Commons Attribution 4.0 International. \ No newline at end of file 
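Review bot: the new page gives three different accounts of when the endpoint service comes into existence: the note under Step 2 says it is "automatically created 3 to 4 minutes after the cluster creation", the status reference says creation "takes 3 to 5 minutes", and the Troubleshooting entry says it is "created automatically after you open the **Create Azure Private Endpoint** page and choose the TiDB cluster". Settle on one trigger and one duration, and use the dialog's actual name (**Create Azure Private Endpoint Connection**) in Troubleshooting, since that is what Step 1 and Step 3 call it. Two smaller points in the same hunk: Step 2 has the reader copy the private endpoint's IP address from **DNS configuration** without saying what TiDB Cloud does with it, so a sentence on its purpose (and on whether the endpoint must be re-verified if it is recreated with a different address, given that the page links to the dynamic-IP variant of the Azure tutorial) would help; and Step 3 could tell the reader to confirm in the Azure portal that the private endpoint connection is no longer pending after **Accept Endpoint**, so a connection still awaiting approval on the Azure side is caught before the roughly five-minute wait for **Active** in Step 4. Nit: the second Tip bullet is missing its trailing period.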
diff --git a/tidb-cloud/set-up-private-endpoint-connections-on-google-cloud.md b/tidb-cloud/set-up-private-endpoint-connections-on-google-cloud.md index 2ae40e9d64ff9..a3dc562195e23 100644 --- a/tidb-cloud/set-up-private-endpoint-connections-on-google-cloud.md +++ b/tidb-cloud/set-up-private-endpoint-connections-on-google-cloud.md 
@@ -5,14 +5,15 @@ summary: Learn how to connect to your TiDB Cloud cluster via Google Cloud Privat # Connect to a TiDB Cloud Dedicated Cluster via Google Cloud Private Service Connect -This document describes how to connect to your TiDB Cloud Dedicated cluster via Google Cloud Private Service Connect. Google Cloud Private Service Connect is a private endpoint service provided by Google Cloud. +This document describes how to connect to your TiDB Cloud Dedicated cluster via [Private Service Connect](https://cloud.google.com/vpc/docs/private-service-connect). Google Cloud Private Service Connect is a private endpoint service provided by Google Cloud. > **Tip:** > -> - To learn how to connect to a TiDB Cloud Dedicated cluster via private endpoint with AWS, see [Connect to TiDB Cloud Dedicated via Private Endpoint with AWS](/tidb-cloud/set-up-private-endpoint-connections.md). +> - To learn how to connect to a TiDB Cloud Dedicated cluster via private endpoint with AWS, see [Connect to a TiDB Cloud Dedicated Cluster via AWS PrivateLink](/tidb-cloud/set-up-private-endpoint-connections.md). +> - To learn how to connect to a TiDB Cloud Dedicated cluster via private endpoint with Azure, see [Connect to a TiDB Cloud Dedicated Cluster via Azure Private Link](/tidb-cloud/set-up-private-endpoint-connections-on-azure.md). > - To learn how to connect to a TiDB Cloud Serverless cluster via private endpoint, see [Connect to TiDB Cloud Serverless via Private Endpoint](/tidb-cloud/set-up-private-endpoint-connections-serverless.md). -TiDB Cloud supports highly secure and one-way access to the TiDB Cloud service hosted in a Google Cloud VPC via the [Private Service Connect](https://cloud.google.com/vpc/docs/private-service-connect). You can create an endpoint and use it to connect to the TiDB Cloud service . 
+TiDB Cloud supports highly secure and one-way access to the TiDB Cloud service hosted in a Google Cloud VPC via [Private Service Connect](https://cloud.google.com/vpc/docs/private-service-connect). You can create an endpoint and use it to connect to the TiDB Cloud service . Powered by Google Cloud Private Service Connect, the endpoint connection is secure and private, and does not expose your data to the public internet. In addition, the endpoint connection supports CIDR overlap and is easier for network management. diff --git a/tidb-cloud/set-up-private-endpoint-connections-serverless.md b/tidb-cloud/set-up-private-endpoint-connections-serverless.md index b921157258f37..82415559e2d77 100644 --- a/tidb-cloud/set-up-private-endpoint-connections-serverless.md +++ b/tidb-cloud/set-up-private-endpoint-connections-serverless.md 
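Review bot: the rewritten intro line still carries the stray space before the full stop in "connect to the TiDB Cloud service .", which this hunk was already touching; drop the space while the line is being edited. Also, the first changed line now reads "via [Private Service Connect](...). Google Cloud Private Service Connect is a private endpoint service provided by Google Cloud.", so the link text and the following sentence repeat each other; consider linking the full product name once, as the Azure and AWS pages in this patch do.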
@@ -9,8 +9,9 @@ This document describes how to connect to your TiDB Cloud Serverless cluster via > **Tip:** > -> To learn how to connect to a TiDB Cloud Dedicated cluster via private endpoint with AWS, see [Connect to TiDB Cloud Dedicated via Private Endpoint with AWS](/tidb-cloud/set-up-private-endpoint-connections.md). -> To learn how to connect to a TiDB Cloud Dedicated cluster via private endpoint with Google Cloud, see [Connect to TiDB Cloud Dedicated via Private Service Connect with Google Cloud](/tidb-cloud/set-up-private-endpoint-connections-on-google-cloud.md). +> - To learn how to connect to a TiDB Cloud Dedicated cluster via private endpoint with AWS, see [Connect to a TiDB Cloud Dedicated Cluster via AWS PrivateLink](/tidb-cloud/set-up-private-endpoint-connections.md). +> - To learn how to connect to a TiDB Cloud Dedicated cluster via private endpoint with Azure, see [Connect to a TiDB Cloud Dedicated Cluster via Azure Private Link](/tidb-cloud/set-up-private-endpoint-connections-on-azure.md). +> - To learn how to connect to a TiDB Cloud Dedicated cluster via private endpoint with Google Cloud, see [Connect to a TiDB Cloud Dedicated Cluster via Google Cloud Private Service Connect](/tidb-cloud/set-up-private-endpoint-connections-on-google-cloud.md). TiDB Cloud supports highly secure and one-way access to the TiDB Cloud service hosted in an AWS VPC via the [AWS PrivateLink](https://aws.amazon.com/privatelink/?privatelink-blogs.sort-by=item.additionalFields.createdDate&privatelink-blogs.sort-order=desc), as if the service were in your own VPC. A private endpoint is exposed in your VPC and you can create a connection to the TiDB Cloud service via the endpoint with permission. diff --git a/tidb-cloud/set-up-private-endpoint-connections.md b/tidb-cloud/set-up-private-endpoint-connections.md index 6dd3ab38fa3de..5412b877ecdf2 100644 --- a/tidb-cloud/set-up-private-endpoint-connections.md +++ b/tidb-cloud/set-up-private-endpoint-connections.md 
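Review bot: the unchanged context line in this hunk still links AWS PrivateLink through the long blog-listing URL (aws.amazon.com/privatelink/?privatelink-blogs.sort-by=...), which the AWS page hunk later in this patch replaces with https://aws.amazon.com/privatelink. Since this file is being edited anyway, update that URL too so both pages point at the same canonical landing page.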
@@ -1,18 +1,19 @@ --- -title: Connect to a TiDB Cloud Dedicated Cluster via Private Endpoint with AWS +title: Connect to a TiDB Cloud Dedicated Cluster via AWS PrivateLink summary: Learn how to connect to your TiDB Cloud cluster via private endpoint with AWS. --- -# Connect to a TiDB Cloud Dedicated Cluster via Private Endpoint with AWS +# Connect to a TiDB Cloud Dedicated Cluster via AWS PrivateLink -This document describes how to connect to your TiDB Cloud Dedicated cluster via private endpoint with AWS. +This document describes how to connect to your TiDB Cloud Dedicated cluster via [AWS PrivateLink](https://aws.amazon.com/privatelink). > **Tip:** > -> To learn how to connect to a TiDB Cloud Serverless cluster via private endpoint, see [Connect to TiDB Cloud Serverless via Private Endpoint](/tidb-cloud/set-up-private-endpoint-connections-serverless.md). -> To learn how to connect to a TiDB Cloud Dedicated cluster via private endpoint with Google Cloud, see [Connect to TiDB Cloud Dedicated via Private Service Connect with Google Cloud](/tidb-cloud/set-up-private-endpoint-connections-on-google-cloud.md). +> - To learn how to connect to a TiDB Cloud Serverless cluster via private endpoint, see [Connect to TiDB Cloud Serverless via Private Endpoint](/tidb-cloud/set-up-private-endpoint-connections-serverless.md). +> - To learn how to connect to a TiDB Cloud Dedicated cluster via private endpoint with Azure, see [Connect to a TiDB Cloud Dedicated Cluster via Azure Private Link](/tidb-cloud/set-up-private-endpoint-connections-on-azure.md). +> - To learn how to connect to a TiDB Cloud Dedicated cluster via private endpoint with Google Cloud, see [Connect to a TiDB Cloud Dedicated Cluster via Google Cloud Private Service Connect](/tidb-cloud/set-up-private-endpoint-connections-on-google-cloud.md). 
-TiDB Cloud supports highly secure and one-way access to the TiDB Cloud service hosted in an AWS VPC via the [AWS PrivateLink](https://aws.amazon.com/privatelink/?privatelink-blogs.sort-by=item.additionalFields.createdDate&privatelink-blogs.sort-order=desc), as if the service were in your own VPC. A private endpoint is exposed in your VPC and you can create a connection to the TiDB Cloud service via the endpoint with permission. +TiDB Cloud supports highly secure and one-way access to the TiDB Cloud service hosted in an AWS VPC via [AWS PrivateLink](https://aws.amazon.com/privatelink), as if the service were in your own VPC. A private endpoint is exposed in your VPC and you can create a connection to the TiDB Cloud service via the endpoint with permission. Powered by AWS PrivateLink, the endpoint connection is secure and private, and does not expose your data to the public internet. In addition, the endpoint connection supports CIDR overlap and is easier for network management. diff --git a/tidb-cloud/tidb-node-group-management.md b/tidb-cloud/tidb-node-group-management.md index b175c5fe95786..c934f076fe66a 100644 --- a/tidb-cloud/tidb-node-group-management.md +++ b/tidb-cloud/tidb-node-group-management.md 
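Review bot: the title and H1 are renamed to "Connect to a TiDB Cloud Dedicated Cluster via AWS PrivateLink", but the `summary:` front-matter line is left as "Learn how to connect to your TiDB Cloud cluster via private endpoint with AWS." The new Azure page keeps its summary in step with its title; do the same here, and say "TiDB Cloud Dedicated cluster" so the summary matches the title's scope.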
@@ -86,7 +86,7 @@ For more information, see [Connect to TiDB Cloud Dedicated via Public Connection 2. In the upper-right corner, click **Connect**. A connection dialog is displayed. 3. Select your TiDB node group from the **TiDB Node Group** list and **Private Endpoint** from the **Connection Type** list. 4. In the left navigation pane, click **Networking**, and then select your TiDB node group from the **TiDB Node Group** list in the upper-right corner. -5. Click **Create Private Endpoint Connection** to create a new connection for this node group. For clusters deployed on AWS, refer to [Connect to a TiDB Cloud Dedicated Cluster via Private Endpoint with AWS](/tidb-cloud/set-up-private-endpoint-connections.md). For clusters deployed on Google Cloud, refer to [Connect to a TiDB Cloud Dedicated Cluster via Google Cloud Private Service Connect](/tidb-cloud/set-up-private-endpoint-connections-on-google-cloud.md). +5. Click **Create Private Endpoint Connection** to create a new connection for this node group. For clusters deployed on AWS, refer to [Connect to a TiDB Cloud Dedicated Cluster via AWS PrivateLink](/tidb-cloud/set-up-private-endpoint-connections.md). For clusters deployed on Google Cloud, refer to [Connect to a TiDB Cloud Dedicated Cluster via Google Cloud Private Service Connect](/tidb-cloud/set-up-private-endpoint-connections-on-google-cloud.md). > **Note**: >
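Review bot: step 5 is updated for the AWS retitle but still only covers clusters deployed on AWS and Google Cloud, while this patch adds an Azure private endpoint page and lists Azure under Dedicated in the TOC. If TiDB node groups are available on Azure-hosted clusters, add the corresponding link to set-up-private-endpoint-connections-on-azure.md here; if they are not, say so, so readers coming from the Azure page are not left guessing.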