Building Secure Private Connectivity with AWS PrivateLink for TiDB Cloud
By Ayan Ray, Sr. Partner Solutions Architect, Data & Analytics – AWS
By Savi Venkatachalapathy, Global Business Development and GTM Specialist – AWS
By Arun Vijayraghavan, Principal Product Manager, Developer Ecosystem – PingCAP
By Yunqing Zhou, Tech Lead, TiDB Cloud – PingCAP
TiDB is an advanced, open source, distributed SQL database with elastic scaling, efficient query processing for mixed workloads, and always-on performance. As its managed service, TiDB Cloud supports two means of connectivity for customers: a public endpoint protected by IP allowlisting and virtual private cloud (VPC) peering.
For enterprise deployments, customers require private connectivity where traffic between the customer and TiDB Cloud doesn’t traverse the public internet. In the VPC peering setup, the customer VPC and the TiDB Cloud VPC are peered together, forming a single network plane.
This setup works well but has some major challenges, such as:
- IP address ranges cannot overlap across peer VPCs, which means customers have to reserve a dedicated range in their corporate network for TiDB Cloud. This causes extra complexity and maintenance overhead.
- VPC peering isn’t transitive. While peering enables connectivity between two VPCs, it’s not possible for a third VPC to join the peered connection. For example, if you have a hub-and-spoke architecture where one central VPC serves as a hub for multiple spoke VPCs, a transitive peering model would allow VPCs to communicate with each other without requiring a direct peering connection between each pair of VPCs, thus reducing the VPC peering management complexity. Similarly, when it comes to TiDB Cloud, we cannot assume all workloads from a particular customer connect to TiDB Cloud from a single VPC.
- VPC peering needs extra security measures, such as security groups and network access control lists (NACLs), to avoid inadvertently exposing the entire VPC to the peered VPC.
Customers want private connectivity without the above challenges, and AWS PrivateLink allows just that. With PrivateLink, customers can connect their VPC to TiDB Cloud services on Amazon Web Services (AWS) as if they were in their own VPC, without requiring the extra security measures associated with VPC peering.
PingCAP, the company behind TiDB, is an AWS Partner and AWS Marketplace Seller with the PrivateLink Ready specialization. In this post, we’ll walk through how to use AWS PrivateLink to build trusted and secure private connectivity between your data and TiDB Cloud.
Benefits of AWS PrivateLink
AWS PrivateLink is a powerful service that allows you to privately connect your VPC to AWS services and software as a service (SaaS) applications. You can communicate with services as if they were within your VPC, without the need for an internet gateway, public IP address, or virtual private network (VPN) peering.
One of the benefits of using AWS PrivateLink is it helps you reduce your data transfer costs. This is because traffic flows between AWS services and your own VPC over the AWS backbone network, which is typically less expensive than data transfer over the public internet.
Another advantage of using AWS PrivateLink is it can improve your network performance. By providing a low-latency, private connection between your VPC and the service, PrivateLink can reduce the latency between your applications.
AWS PrivateLink provides enhanced security for connecting to other AWS services over a secure network. Customers can initiate the connection to the desired service using a VPC endpoint, which can be further configured with security groups to create trust boundaries and control access to the endpoint.
By allowing traffic only from specific IP addresses using security groups, customers can ensure their traffic is not exposed to the public internet and that only authorized traffic is allowed to flow to and from the endpoint. This gives customers greater control over their network traffic and enables them to enforce fine-grained security access controls as needed.
Finally, AWS PrivateLink can simplify your overall architecture by eliminating the need to allowlist public IPs and to run complex networking components such as internet gateways and firewall proxies. This can reduce your operational overhead and simplify your network management.
The following reference architecture diagram shows the solution architecture of AWS PrivateLink. On the service provider side, the TiDB Cloud cluster hosted on AWS is exposed as an endpoint service, and consumer VPCs access the endpoint service through VPC interface endpoints.
On the consumer side, there are two Amazon Elastic Compute Cloud (Amazon EC2) instances running in two separate AWS Availability Zones (AZs). Each has a VPC interface endpoint configured to access the TiDB cluster’s endpoint service using AWS PrivateLink.
Figure 1 – AWS PrivateLink solution architecture.
This integrated solution of TiDB Cloud and AWS PrivateLink provides a secure and private connection to TiDB Cloud endpoint services through a VPC interface endpoint that’s configured in your VPC. PrivateLink ensures your traffic remains within the AWS backbone network and is not exposed to the public internet, providing an additional layer of security for your data.
PrivateLink supports Classless Inter-Domain Routing (CIDR) overlap, which can simplify network management by allowing you to use overlapping IP addresses in different VPCs. Further, VPC interface endpoints can use security groups to control access to the TiDB Cloud service, ensuring only authorized traffic is allowed to access the service.
To establish a PrivateLink connection to TiDB Cloud, you’ll need to create a VPC interface endpoint in your VPC that connects to the TiDB Cloud’s endpoint service. This private endpoint can be created using the AWS Management Console, AWS Command Line Interface (CLI), or AWS Software Development Kits (SDKs). Once the endpoint is created, you can use it to securely access TiDB Cloud services from within your VPC.
In this section, we’ll create a VPC interface endpoint in the consumer VPC using the AWS console.
The VPC interface endpoint connects privately to the TiDB Cloud cluster exposed by the endpoint service. Currently, TiDB Cloud supports private endpoints for dedicated tier clusters and for a single region only. Keep in mind there may be additional limitations or requirements depending on the service you are connecting to, so it’s important to review the documentation carefully before you start.
To follow along, you’ll need to create a dedicated tier cluster in TiDB Cloud.
Step 1: Set Up a Private Endpoint
To add a private endpoint, log in to the TiDB Cloud console. In the left navigation pane of the Clusters page, click Admin > Network Access. Under the Private Endpoint tab, click the Add button.
Figure 2 – Set up an AWS private endpoint.
Step 2: Choose a TiDB Cluster
Choose an available TiDB cluster you want to interface with and click Next.
Step 3: Review Service Endpoint Region
The service endpoint region will be automatically selected based on the region where your selected TiDB cluster is hosted. Click Next to proceed.
Step 4: Create a VPC Interface Endpoint
TiDB Cloud automatically begins creating an endpoint service, which generally takes 3-4 minutes. Once the endpoint service is created, note the endpoint service name from the command in the lower area of the console.
As shown below, the endpoint service name follows the --service-name flag in that command and usually starts with com.amazonaws.
Figure 3 – Create an endpoint service in the TiDB Cloud console.
Next, we’ll create a VPC interface endpoint.
Sign in to the AWS console and select the region where your TiDB cluster is hosted. Navigate to VPC > Endpoints, and click Create Endpoint.
For the Service Category, select Other endpoint services. In Service settings, enter the endpoint service name you obtained in the previous step, and click Verify service.
Figure 4 – Create a VPC endpoint in the AWS console.
After verifying the service name, select the VPC where you want your workloads to be located. This is the VPC that will be used to create the VPC interface endpoint.
Choose the corresponding AZ and subnets, select the default Security Group, and click Create endpoint. The VPC interface endpoint will be created with a Pending status.
Make a note of the VPC endpoint ID, which should start with vpce-.
Step 5: Accept Endpoint Connection
On the Create Private Endpoint page of the TiDB Cloud console, provide the VPC endpoint ID you obtained in the previous step for the Your VPC endpoint ID field, and then click Next.
Step 6: Enable Private DNS
In the AWS console, wait for the VPC endpoint status to go from Pending to Available.
Select the VPC endpoint. From the Actions drop-down list, select Modify private DNS name. Then, select the Enable for this endpoint checkbox and click Save changes to enable private domain name system (DNS) names.
Figure 5 – Enable private DNS in the AWS console.
To finish creating the endpoint, click Create in the TiDB Cloud console.
Step 7: Verify the Private Endpoint Connection
Now that you have created the private endpoint, it’s time to verify if it’s working correctly. In the TiDB Cloud cluster page, click the name of your target cluster to go to its overview page.
Next, in the upper-right corner, click Connect and a connection dialog box will appear. From the Private Endpoint tab, copy the MySQL connection information from the Connect your connection section.
Figure 6 – Connect via the private link.
On the AWS console, connect to an Amazon EC2 instance that’s running in the VPC and the subnet configured for the interface endpoint. Then, execute the MySQL connection command you just obtained.
From the output, we can see that we’re able to connect to the TiDB instance over AWS PrivateLink and retrieve data.
Figure 7 – Validate connection to TiDB.
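The AWS-side work in Steps 4 to 6 can also be scripted. The following is an added example, not code from the post or from PingCAP, that uses the AWS CLI and attaches a dedicated security group to the endpoint in place of the VPC default, so only the application subnet can reach the endpoint and only on the database port. It assumes AWS CLI v2 with consumer-account credentials, a single subnet, and that the cluster listens on TCP 4000 (an assumption, not stated in the post); VPC_ID, SUBNET_ID, APP_CIDR and TIDB_SERVICE_NAME are hypothetical environment variables you set before running it.

```shell
#!/bin/sh
# Added example (not from the post): Steps 4 to 6 above as AWS CLI calls.
# Assumes AWS CLI v2 with consumer-account credentials, one subnet, and a
# TiDB listener on TCP 4000 (assumption). VPC_ID, SUBNET_ID, APP_CIDR and
# TIDB_SERVICE_NAME are hypothetical environment variables you set.
set -eu

# Sanity-check values copied from the two consoles before calling AWS.
validate_service_name() {          # the post: names usually start with com.amazonaws
  case "$1" in com.amazonaws.*) return 0 ;; *) return 1 ;; esac
}
validate_endpoint_id() {           # the post: endpoint IDs start with vpce-
  printf '%s' "$1" | grep -Eq '^vpce-[0-9a-f]{8,17}$'
}

# Dedicated security group instead of the VPC default: only the application
# subnet may reach the endpoint, and only on the database port.
create_endpoint_sg() {             # $1=vpc-id  $2=application CIDR
  sg=$(aws ec2 create-security-group --vpc-id "$1" --group-name tidb-privatelink \
         --description "TiDB Cloud PrivateLink endpoint" --query GroupId --output text)
  aws ec2 authorize-security-group-ingress --group-id "$sg" \
         --protocol tcp --port 4000 --cidr "$2" >/dev/null
  echo "$sg"
}

# Step 4: create the interface endpoint; it starts in the Pending state.
create_tidb_endpoint() {           # $1=vpc-id $2=service-name $3=subnet-id $4=sg-id
  validate_service_name "$2"
  aws ec2 create-vpc-endpoint --vpc-id "$1" --vpc-endpoint-type Interface \
         --service-name "$2" --subnet-ids "$3" --security-group-ids "$4" \
         --query VpcEndpoint.VpcEndpointId --output text
}

# Step 6: after TiDB Cloud accepts the connection (Step 5, done in its console),
# wait for Available and then switch on private DNS for the endpoint.
enable_private_dns() {             # $1=vpce-id
  validate_endpoint_id "$1"
  until [ "$(aws ec2 describe-vpc-endpoints --vpc-endpoint-ids "$1" \
               --query 'VpcEndpoints[0].State' --output text)" = "available" ]; do
    sleep 15
  done
  aws ec2 modify-vpc-endpoint --vpc-endpoint-id "$1" --private-dns-enabled
}

if [ -n "${TIDB_SERVICE_NAME:-}" ]; then   # run the flow only when inputs are set
  SG=$(create_endpoint_sg "$VPC_ID" "$APP_CIDR")
  VPCE=$(create_tidb_endpoint "$VPC_ID" "$TIDB_SERVICE_NAME" "$SUBNET_ID" "$SG")
  printf 'Paste %s into TiDB Cloud (Step 5), then press Enter: ' "$VPCE"; read -r _
  enable_private_dns "$VPCE"
fi
```

The script pauses after printing the vpce- ID so that Step 5 can be completed in the TiDB Cloud console; it follows the post's order and enables private DNS only once the endpoint reports Available.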
AWS PrivateLink greatly simplifies network planning and makes it easier for customers to connect to AWS services and SaaS applications. It also offers additional benefits including better security and more flexible network configuration for TiDB Cloud.
Spin up a TiDB Cloud cluster for free and build private connectivity with your applications through AWS PrivateLink. To learn more about this solution, visit the TiDB Cloud website or check out AWS Marketplace.
PingCAP – AWS Partner Spotlight
PingCAP is an AWS Partner and the parent company behind TiDB, an open source, distributed SQL database with MySQL compatibility. Trusted by industry leaders in technology, financial services, and gaming, TiDB helps customers maintain data consistency at scale while delivering performance and resiliency.