Private Link can help you securely and stably access services deployed in other VPCs through a private network in VPC environments, greatly simplifying network architecture and avoiding security risks associated with accessing services through the public network.
The SelectDB Cloud warehouse is created and run in the SelectDB VPC, and application systems or clients within the user's VPC can access the SelectDB Cloud warehouse across VPCs via Private Link. Private Link includes two parts: endpoint service and endpoint.
When the user needs to access SelectDB in their own private network, SelectDB Cloud will create and manage the endpoint service, and the user creates and manages the endpoint.
When the user needs to use SelectDB to access their own private network, they need to create an endpoint service and register it in SelectDB Cloud. Subsequently, SelectDB Cloud will create an endpoint to connect to the user's endpoint service.
Access SelectDB from Your VPC
Create a connection so that the data applications within your private network, such as reporting, profiling, and log analysis, can access the SelectDB Cloud warehouse.
Note There is no additional fee on the SelectDB Cloud service side, but users need to pay the cloud provider for endpoint instances and traffic fees.
Take AWS Private Link as an example:
- Switch to the target warehouse, click Connections on the navigation bar, and on the Private Link tab click New Connection to Access SelectDB from Your VPC to create an endpoint. First, you need to allow a principal to access the endpoint service of the SelectDB Cloud warehouse.
Note If you allow the ARN of an IAM user or IAM role as the principal, only that IAM user or IAM role has permission to access the endpoint service; the permission is not inherited by the AWS account as a whole.
- After allowing a principal to access the endpoint service, the page displays the Endpoint Service information required for creating an endpoint. You can click Go to Create to go to the cloud provider's Private Link product console and create an endpoint.
- On the cloud provider's Private Link product console, confirm that the current region is the same as the region of the warehouse's endpoint service (a restriction of the cloud provider's Private Link product), and click Create endpoint.
Note You need to sign in to AWS with the principal that has been allowed to access the endpoint service of SelectDB Cloud; otherwise the service name verification fails when you create the endpoint.
- Follow the wizard prompts to fill in the form as follows:
| Field | Description |
| --- | --- |
| Name tag | Optional. Creates a tag with the key 'Name' and a value that you specify. |
| Service category | Required. The endpoint service of the SelectDB Cloud warehouse belongs to Other endpoint services; select that category. |
| Service name | Required. Copy the Service Name of the SelectDB Cloud warehouse's endpoint service (the page that displays the Endpoint Service information offers a one-click copy), paste it into the input box, and click Verify service. |
| VPC | Required. Select the VPC in which to create your endpoint. |
| Subnets | Required. Select the same Availability Zone as the one where the endpoint service of the SelectDB Cloud warehouse is located (a restriction of the cloud provider's Private Link product), and then select an appropriate subnet ID in it. |
| Security groups | Required. Select an existing security group. Its inbound rules must allow the protocol and port used by the SelectDB Cloud warehouse from the source IP addresses of the applications/clients that connect to the warehouse. |
| Tags | Optional. You can add tags associated with the resource. |
- After the endpoint is created, its status changes from "Pending" to "Available", indicating that the endpoint has successfully connected to the warehouse's endpoint service.
- After refreshing the Connections page of the SelectDB Cloud warehouse, the endpoint list will display the connection information of the endpoint.
Note You need to click Find DNS Name to open the Endpoint Details page of AWS Private Link product console, find the DNS Name of the endpoint and use it to access the SelectDB Cloud warehouse.
- The application/client can access the SelectDB Cloud warehouse through the DNS name of the endpoint over the MySQL protocol or the HTTP protocol. For the specific connection method, refer to the Connection Examples pop-up bubble.
- SelectDB Cloud includes two independent account systems: One is used to connect to the warehouse, as described in this topic. The other one is used to log into the console, which is described in the Registration and Login topic.
- For first-time connection, please use the admin username and its password which can be changed on the Settings page.
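The three checks a practitioner usually wants around the procedure above are: that the service name's region matches the region you are creating the endpoint in (the wizard rejects a mismatch only after you have filled in the form), that the endpoint has reached the available state and which DNS name it was given, and that the chosen security group does not admit every source. This is an added example, not SelectDB's or AWS's own code: the region, service name and security-group values are placeholders, and the two documents are constructed samples shaped like the `describe-vpc-endpoints` and security-group `IpPermissions` responses of the AWS API.

```python
"""Pre-flight and post-creation checks for the interface endpoint that connects
a VPC to the SelectDB Cloud warehouse's endpoint service (added example)."""
import re

# Placeholder values copied from the SelectDB Cloud Endpoint Service panel.
WAREHOUSE_REGION = "us-east-1"
SERVICE_NAME = "com.amazonaws.vpce.us-east-1.vpce-svc-0123456789abcdef0"

# AWS endpoint-service names embed the region between "vpce." and the service id.
_SERVICE_NAME_RE = re.compile(
    r"^com\.amazonaws\.vpce\.(?P<region>[a-z0-9-]+)\.(?P<id>vpce-svc-[0-9a-f]+)$"
)


def service_name_region(service_name):
    """Return the region embedded in an endpoint-service name, or None if malformed."""
    m = _SERVICE_NAME_RE.match(service_name)
    return m.group("region") if m else None


def region_matches(service_name, current_region):
    """Private Link only connects an endpoint to a service in the same region."""
    return service_name_region(service_name) == current_region


def endpoint_status(describe_output, service_name):
    """From a describe-vpc-endpoints document, return (state, [dns names]) for the
    endpoint attached to service_name, or (None, []) when no such endpoint exists."""
    for ep in describe_output.get("VpcEndpoints", []):
        if ep.get("ServiceName") == service_name:
            dns = [d["DnsName"] for d in ep.get("DnsEntries", [])]
            return ep.get("State"), dns
    return None, []


def open_ingress_rules(ip_permissions):
    """Return the inbound rules that admit any source (0.0.0.0/0 or ::/0) or any
    protocol (-1). Such rules defeat the purpose of a private connection."""
    findings = []
    for rule in ip_permissions:
        all_protocols = rule.get("IpProtocol") == "-1"
        any_v4 = any(r.get("CidrIp") == "0.0.0.0/0" for r in rule.get("IpRanges", []))
        any_v6 = any(r.get("CidrIpv6") == "::/0" for r in rule.get("Ipv6Ranges", []))
        if all_protocols or any_v4 or any_v6:
            findings.append(rule)
    return findings


# Constructed sample of `aws ec2 describe-vpc-endpoints` output for one endpoint.
SAMPLE_DESCRIBE = {
    "VpcEndpoints": [{
        "VpcEndpointId": "vpce-0a1b2c3d4e5f67890",
        "VpcEndpointType": "Interface",
        "ServiceName": SERVICE_NAME,
        "State": "available",
        "DnsEntries": [{
            "DnsName": "vpce-0a1b2c3d4e5f67890-abcdefgh.vpce-svc-0123456789abcdef0."
                       "us-east-1.vpce.amazonaws.com",
            "HostedZoneId": "Z1EXAMPLE",
        }],
    }]
}

# Constructed sample of a security group's inbound rules. The port is a placeholder;
# use the one shown in the warehouse's Connection Examples.
SAMPLE_SG_INGRESS = [
    {"IpProtocol": "tcp", "FromPort": 9030, "ToPort": 9030,
     "IpRanges": [{"CidrIp": "10.20.0.0/24", "Description": "BI hosts"}]},
    {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},  # left over from testing
]


def main():
    print("region ok:", region_matches(SERVICE_NAME, WAREHOUSE_REGION))
    state, dns = endpoint_status(SAMPLE_DESCRIBE, SERVICE_NAME)
    print("endpoint state:", state, "dns:", dns)
    for rule in open_ingress_rules(SAMPLE_SG_INGRESS):
        print("overly open inbound rule:", rule)


if __name__ == "__main__":
    main()
```

Feed the real documents from `aws ec2 describe-vpc-endpoints --filters Name=service-name,Values=<service name>` and `aws ec2 describe-security-groups --group-ids <id>` (the `IpPermissions` list of the group) to the same functions; the sample above only stands in for them.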
SelectDB Accesses Your VPC
Note The endpoint instance and traffic fees generated by SelectDB's access to the private network are currently not charged to users.
- Switch to the target warehouse, click Connections on the navigation bar, and click New Connection for SelectDB Accesses Your VPC on the Private Link tab to create an endpoint service.
After clicking + Endpoint Service, the page displays the warehouse's Current Region and the AWS principal ARN of SelectDB Cloud. You can click Go to Create to go to the cloud provider's Private Link product console and create an endpoint service.
Sign in to the AWS Console, select Endpoint services under VPC, and switch to the same region as the current warehouse.
Click Create endpoint service.
- On the Endpoint Service configuration page, configure the relevant parameters and click Create.
- After creating the endpoint service, add the AWS principal ARN of SelectDB Cloud on the Allow principals tab of the endpoint service.
- Copy the Service ID and Service Name from the Endpoint Service Details page, and fill them in the Endpoint Service registration page of SelectDB Cloud.
- After the registration is complete, go to the next step, specify the Endpoint Name of SelectDB Cloud warehouse, and click Create Now.
- Refresh the page and wait for the status of the endpoint of SelectDB Cloud warehouse to change from "pendingAcceptance" to "connected", which means the connection is successful.
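Because the endpoint service above is what lets another account reach your private network, the two things worth verifying on your side are that its allow-list contains exactly the SelectDB Cloud principal (no wildcard, no stray accounts) and that every connection request comes from the account in that ARN. This is an added example, not SelectDB's or AWS's own code: the principal ARN and service ID are placeholders, and the two documents are constructed samples shaped like the `describe-vpc-endpoint-service-permissions` and `describe-vpc-endpoint-connections` responses of the AWS API (the state strings in the sample are AWS API values, not the labels the SelectDB console shows).

```python
"""Allow-list and connection-request checks for an endpoint service published
for SelectDB Cloud (added example)."""
import re

# Placeholder for the "ARN for AWS principal of SelectDB Cloud" shown in the console.
SELECTDB_PRINCIPAL_ARN = "arn:aws:iam::111122223333:root"
SERVICE_ID = "vpce-svc-0123456789abcdef0"  # placeholder Service ID of your endpoint service

_ARN_ACCOUNT_RE = re.compile(r"^arn:aws[a-z-]*:iam::(?P<account>\d{12}):")


def account_of(arn):
    """Return the 12-digit account ID embedded in an IAM ARN, or None if malformed."""
    m = _ARN_ACCOUNT_RE.match(arn)
    return m.group("account") if m else None


def audit_allowed_principals(permissions, expected_arn):
    """Compare the service's allow-list with the single principal it should hold.
    Returns (missing, extra): missing is True when expected_arn is absent, and
    extra lists every other allowed principal, including a wildcard '*'."""
    allowed = [p.get("Principal") for p in permissions.get("AllowedPrincipals", [])]
    missing = expected_arn not in allowed
    extra = [p for p in allowed if p != expected_arn]
    return missing, extra


def classify_connections(connections, service_id, expected_account):
    """Split the connection requests for service_id into those from the expected
    requester account (grouped by state) and those from any other account, which
    should be rejected rather than accepted."""
    expected, foreign = {}, []
    for c in connections.get("VpcEndpointConnections", []):
        if c.get("ServiceId") != service_id:
            continue
        if c.get("VpcEndpointOwner") == expected_account:
            expected.setdefault(c.get("VpcEndpointState"), []).append(c["VpcEndpointId"])
        else:
            foreign.append(c["VpcEndpointId"])
    return expected, foreign


# Constructed sample: the allow-list still carries a wildcard left over from testing.
SAMPLE_PERMISSIONS = {
    "AllowedPrincipals": [
        {"PrincipalType": "Account", "Principal": SELECTDB_PRINCIPAL_ARN},
        {"PrincipalType": "All", "Principal": "*"},
    ]
}

# Constructed sample: one request from SelectDB's account, one from an unknown account,
# and one for a different service that must be ignored.
SAMPLE_CONNECTIONS = {
    "VpcEndpointConnections": [
        {"ServiceId": SERVICE_ID, "VpcEndpointId": "vpce-0aaaaaaaaaaaaaaaa",
         "VpcEndpointOwner": "111122223333", "VpcEndpointState": "pendingAcceptance"},
        {"ServiceId": SERVICE_ID, "VpcEndpointId": "vpce-0bbbbbbbbbbbbbbbb",
         "VpcEndpointOwner": "999999999999", "VpcEndpointState": "pendingAcceptance"},
        {"ServiceId": "vpce-svc-ffffffffffffffff", "VpcEndpointId": "vpce-0ccccccccccccccccc",
         "VpcEndpointOwner": "111122223333", "VpcEndpointState": "available"},
    ]
}


def main():
    missing, extra = audit_allowed_principals(SAMPLE_PERMISSIONS, SELECTDB_PRINCIPAL_ARN)
    print("SelectDB principal missing:", missing, "unexpected principals:", extra)
    expected, foreign = classify_connections(
        SAMPLE_CONNECTIONS, SERVICE_ID, account_of(SELECTDB_PRINCIPAL_ARN))
    print("requests from SelectDB by state:", expected)
    print("requests from other accounts (reject):", foreign)


if __name__ == "__main__":
    main()
```

Run the two functions against `aws ec2 describe-vpc-endpoint-service-permissions --service-id <id>` and `aws ec2 describe-vpc-endpoint-connections` output after registration; anything reported in `extra` or `foreign` should be removed or rejected before the connection is relied on.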
On the Connections page, switch to the Public Link tab to manage the public network connection.
Add IP Whitelist
In order to access the SelectDB Cloud warehouse via the public network, you need to add the source public network IP address to the whitelist.
Click IP Whitelist Management on the right of the Connect Warehouse card to add the source IP addresses or segments.
In the IP whitelist, you can add or delete IP addresses to enable or disable their access to the warehouse.
Note By default, the IP segment 0.0.0.0/0 is set, which means the warehouse is completely open to the public network. It is recommended to remove it promptly once it is no longer needed, to reduce security risks.
After adding the source public network IP address to the whitelist, you can click WebUI Login to access the SelectDB Cloud warehouse through the public network. For the specific connection method, please refer to the Other Methods.
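To make the whitelist clean-up above routine rather than a manual check, the following helpers flag the default 0.0.0.0/0 entry and any other overly broad range, and produce a tightened list that drops the catch-all while keeping every client you actually need. This is an added example, not SelectDB's own code; the whitelist entries and client addresses are constructed from documentation ranges (RFC 5737) rather than real hosts, and the size threshold is an assumption you should set to your own policy.

```python
"""Audit helpers for the public-network IP whitelist (added example)."""
import ipaddress

OPEN_TO_ALL = ("0.0.0.0/0", "::/0")


def parse_entries(entries):
    """Normalise 'a.b.c.d' or CIDR strings to ip_network objects; a bare address
    becomes a host route (/32 or /128)."""
    return [ipaddress.ip_network(e.strip(), strict=False) for e in entries]


def audit_whitelist(entries, max_hosts=256):
    """Return [(entry, reason)] for entries that grant more than intended: the
    default 0.0.0.0/0 (or ::/0), and any range covering more than max_hosts
    addresses (assumed policy threshold)."""
    findings = []
    for raw, net in zip(entries, parse_entries(entries)):
        if net.prefixlen == 0:
            findings.append((raw, "open to the entire internet; remove after use"))
        elif net.num_addresses > max_hosts:
            findings.append((raw, f"broad range of {net.num_addresses} addresses"))
    return findings


def is_allowed(client_ip, entries):
    """True when some whitelist entry of the same IP version covers client_ip."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in parse_entries(entries) if net.version == ip.version)


def tighten(entries, required_clients):
    """Drop the catch-all entries and add a host route for each required client
    that no remaining entry already covers. Original order is preserved."""
    kept = [e for e in entries if e.strip() not in OPEN_TO_ALL]
    for client in required_clients:
        if not is_allowed(client, kept):
            ip = ipaddress.ip_address(client)
            kept.append(f"{ip}/{ip.max_prefixlen}")
    return kept


# Constructed sample: the default catch-all plus two real-looking entries.
SAMPLE_WHITELIST = ["0.0.0.0/0", "203.0.113.0/24", "198.51.100.9"]
# Constructed sample: the clients that still need access after clean-up.
REQUIRED_CLIENTS = ["203.0.113.7", "192.0.2.40"]


def main():
    for entry, reason in audit_whitelist(SAMPLE_WHITELIST):
        print(f"{entry}: {reason}")
    tightened = tighten(SAMPLE_WHITELIST, REQUIRED_CLIENTS)
    print("tightened whitelist:", tightened)
    for client in REQUIRED_CLIENTS:
        print(client, "still allowed:", is_allowed(client, tightened))


if __name__ == "__main__":
    main()
```

The tightened list only ever adds host routes, so a client that was previously admitted by the catch-all keeps access through a single /32 instead of the whole internet.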