Connect to Confluent Cloud on AWS via a Private Link Connection
April 21, 2026
This document describes how to connect a {{{ .essential }}} instance to a Confluent Cloud Dedicated cluster on AWS using an AWS Endpoint Service private link connection.
Note
Among all Confluent Cloud cluster types on AWS, only Confluent Cloud Dedicated clusters support private link connections.
Prerequisites
- You have a Confluent Cloud account.
- Your {{{ .essential }}} is hosted on AWS, and it is active. Retrieve and save the following details for later use:
  - AWS Account ID
  - Availability Zones (AZ)
To view the AWS account ID and availability zones, do the following:
- In the TiDB Cloud console, navigate to the overview page of your {{{ .essential }}} instance, and then click Settings > Networking in the left navigation pane.
- In the Private Link Connection For Dataflow area, click Create Private Link Connection.
- In the displayed dialog, you can find the AWS account ID and availability zones.
Step 1. Set up a Confluent Cloud network
Identify a Confluent Cloud network that you want to use, or create a new Confluent Cloud network on AWS.
The Confluent Cloud network must meet the following requirements:
- Type: the network must be a PrivateLink network.
- Region match: the network must reside in the same AWS region as your {{{ .essential }}} instance.
- AZ (Availability Zone) availability: the availability zones of the network must overlap with those of your {{{ .essential }}} instance.
To get the unique name of the Confluent Cloud network, take the following steps:
- In the Confluent Cloud Console, navigate to the Environments page, and then click the environment where your Confluent Cloud network is located.
- Click Network management and choose For dedicated clusters to find the network you created.
- Go to the Network overview page to obtain the DNS subdomain of the Confluent Cloud network.
- Extract the unique name of your Confluent Cloud network from the DNS subdomain. For example, if the DNS subdomain is use1-az1.domnprzqrog.us-east-1.aws.confluent.cloud, then the unique name is domnprzqrog.us-east-1.
- Save the unique name for later use.
Step 2. Add a PrivateLink Access to the network
Add a PrivateLink Access to the network you identified or set up in Step 1. For more information, see Add a PrivateLink Access in Confluent Cloud.
During the process, you need to:
- Provide the TiDB Cloud AWS account ID that you obtained in Prerequisites.
- Save the VPC Service Endpoint provided by Confluent Cloud for later use, usually in the com.amazonaws.vpce.<region>.vpce-svc-xxxxxxxxxxxxxxxxx format.
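A pre-flight check for the values gathered in Steps 1 and 2, given here as an added example that is not part of the original document or of any TiDB Cloud or Confluent tooling. The function names, the sample endpoint ID, and the AZ lists are constructed for illustration; the check that the endpoint's region equals the network's region is an assumption based on the region-match requirement above.

```python
import re

CONFLUENT_SUFFIX = ".aws.confluent.cloud"
# Format stated on the page: com.amazonaws.vpce.<region>.vpce-svc-xxxxxxxxxxxxxxxxx
ENDPOINT_RE = re.compile(r"^com\.amazonaws\.vpce\.([a-z0-9-]+)\.(vpce-svc-[0-9a-z]+)$")


def parse_dns_subdomain(subdomain):
    """Return (unique_name, region) from a Confluent Cloud network DNS subdomain."""
    s = subdomain.strip().rstrip(".").lower()
    if not s.endswith(CONFLUENT_SUFFIX):
        raise ValueError(f"not an AWS Confluent Cloud subdomain: {subdomain!r}")
    labels = s[: -len(CONFLUENT_SUFFIX)].split(".")
    # Assumption: the last two labels are <network-id>.<region>; an optional
    # leading zone label (use1-az1 in the page's example) is dropped.
    if len(labels) not in (2, 3) or not all(labels):
        raise ValueError(f"unexpected label layout: {subdomain!r}")
    return f"{labels[-2]}.{labels[-1]}", labels[-1]


def parse_service_endpoint(name):
    """Return (region, service_id) from a VPC Service Endpoint name."""
    m = ENDPOINT_RE.match(name.strip())
    if not m:
        raise ValueError(f"malformed VPC Service Endpoint: {name!r}")
    return m.group(1), m.group(2)


def preflight(subdomain, endpoint, tidb_region, tidb_azs, network_azs):
    """Collect every violated requirement instead of stopping at the first."""
    problems = []
    unique_name, net_region = parse_dns_subdomain(subdomain)
    ep_region, _ = parse_service_endpoint(endpoint)
    if net_region != tidb_region:
        problems.append(f"network region {net_region} != TiDB Cloud region {tidb_region}")
    # Assumption: the endpoint service lives in the network's region.
    if ep_region != net_region:
        problems.append(f"endpoint region {ep_region} != network region {net_region}")
    if not set(tidb_azs) & set(network_azs):
        problems.append("no overlapping availability zones")
    return unique_name, problems


if __name__ == "__main__":
    # Constructed sample values; only the subdomain is the page's own example.
    name, issues = preflight("use1-az1.domnprzqrog.us-east-1.aws.confluent.cloud",
                             "com.amazonaws.vpce.us-east-1.vpce-svc-0123456789abcdef0",
                             "us-east-1", ["use1-az1", "use1-az4"], ["use1-az1", "use1-az2"])
    print(name, issues or "OK")
```

Running the check before Step 4 catches a mistyped or wrong-region endpoint name before it is entered into TiDB Cloud.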
Step 3. Create a Confluent Cloud Dedicated cluster under the network
Create a Confluent Cloud Dedicated cluster under the existing network you set up in Step 1. For more information, see Create a dedicated cluster in Confluent Cloud.
Step 4. Create a private link connection in TiDB Cloud
To create a private link connection in TiDB Cloud, do the following:
- Create a private link connection in TiDB Cloud using the VPC Service Endpoint from Confluent Cloud. For more information, see Create an AWS Endpoint Service private link connection.
Note:
For Confluent Cloud Dedicated clusters on AWS, you do not need to go to the detail page of your endpoint service on the AWS console to manually accept the endpoint connection request from TiDB Cloud. Confluent Cloud processes it automatically.
- Attach the Confluent Cloud service domains to the private link connection so that dataflow services in TiDB Cloud can access the Confluent cluster. For more information, see Attach domains to a private link connection.