pingcap · shiyuhang0 · Dec 16, 2025 · Dec 16, 2025 · Dec 16, 2025 · Dec 16, 2025
diff --git a/TOC-tidb-cloud-essential.md b/TOC-tidb-cloud-essential.md
@@ -275,7 +275,11 @@
     - [TLS Connections to TiDB Cloud](/tidb-cloud/secure-connections-to-serverless-clusters.md)
   - Private Link Connection
     - [Private Link Connection Overview](/tidb-cloud/serverless-private-link-connection.md)
+    - [Connect to Amazon RDS](/tidb-cloud/serverless-private-link-connection-to-aws-rds.md)
+    - [Connect to Alibaba Cloud RDS](/tidb-cloud/serverless-private-link-connection-to-alicloud-rds.md)
     - [Connect to Confluent Cloud on AWS](/tidb-cloud/serverless-private-link-connection-to-aws-confluent.md)
+    - [Connect to Self-Hosted Kafka on Alibaba Cloud](/tidb-cloud/serverless-private-link-connection-to-self-hosted-kafka-in-alicloud.md)
+    - [Connect to Self-Hosted Kafka on AWS](/tidb-cloud/serverless-private-link-connection-to-self-hosted-kafka-in-aws.md)
   - Audit Management
     - [Console Audit Logging](/tidb-cloud/tidb-cloud-console-auditing.md)
     - [Database Audit Logging](/tidb-cloud/essential-database-audit-logging.md)

diff --git a/tidb-cloud/serverless-private-link-connection-to-alicloud-rds.md b/tidb-cloud/serverless-private-link-connection-to-alicloud-rds.md
@@ -0,0 +1,95 @@
+---
+title: Connect to Alibaba Cloud ApsaraDB RDS for MySQL via a Private Link Connection
+summary: Learn how to connect to an Alibaba Cloud ApsaraDB RDS for MySQL instance using an Alibaba Cloud Endpoint Service private link connection.
+---
+
+# Connect to Alibaba Cloud ApsaraDB RDS for MySQL via a Private Link Connection 
+
+This document describes how to connect a {{{ .essential }}} cluster to an [Alibaba Cloud ApsaraDB RDS for MySQL](https://www.alibabacloud.com/en/product/apsaradb-for-rds-mysql) instance using an Alibaba Cloud Endpoint Service private link connection.
+
+## Prerequisites
+
+- You have an existing ApsaraDB RDS for MySQL instance or the permissions required to create one.
+
+- Verify that your account has the following permissions to manage networking components:
+
+    - Manage load balancer
+    - Manage endpoint services
+
+- Your {{{ .essential }}} cluster is on Alibaba Cloud, and it is active. Retrieve and save the following details for later use:
+
+    - Account ID
+    - Availability Zones (AZ)
+
+To view the the Alibaba Cloud account ID and availability zones, do the following:
+
+1. In the [TiDB Cloud console](https://tidbcloud.com), navigate to the cluster overview page of the TiDB cluster, and then click **Settings** > **Networking** in the left navigation pane.
+2. In the **Private Link Connection For Dataflow** area, click **Create Private Link Connection**.
+3. In the displayed dialog, you can find the Alibaba Cloud account ID and availability zones.
+
+## Step 1. Set up an ApsaraDB RDS for MySQL instance
+
+Identify an Alibaba Cloud ApsaraDB RDS for MySQL that you want to use, or [create a new RDS](https://www.alibabacloud.com/help/en/rds/apsaradb-rds-for-mysql/step-1-create-an-apsaradb-rds-for-mysql-instance-and-configure-databases).
+
+Your ApsaraDB RDS for MySQL instance must meet the following requirements:
+
+- Region match: the instance must reside in the same Alibaba Cloud region as your {{{ .essential }}} cluster.
+- AZ (Availability Zone) availability: the availability zones must overlap with those of your {{{ .essential }}} cluster.
+- Network accessibility: the instance must be configured with proper IP whitelist and be accessible within the VPC.
+
+> **Note**
+>
+> Cross-region connections for ApsaraDB RDS for MySQL are not supported.
+
+## Step 2. Expose the ApsaraDB RDS for MySQL instance as an endpoint service
+
+You need to set up the load balancer and the endpoint service in the Alibaba Cloud console.
+
+### Step 2.1. Set up the load balancer
+
+Set up the load balancer in the same region of your ApsaraDB RDS for MySQL as follows:
+
+1. Go to [Server Groups](https://slb.console.alibabacloud.com/nlb/ap-southeast-1/server-groups) to create a server group. Provide the following information:
+
+    - **Server Group Type**: select `IP`
+    - **VPC**: enter the VPC where your ApsaraDB RDS for MySQL is located
+    - **Backend Server Protocol**: select `TCP`
+
+2. Click the created server group to add backend servers, and then add the IP address of your ApsaraDB RDS for MySQL instance. 
+
+    You can ping the RDS endpoint to get the IP address.
+
+3. Go to [NLB](https://slb.console.alibabacloud.com/nlb) to create a network load balancer. Provide the following information:
+
+    - **Network Type**: select `Internal-facing`
+    - **VPC**: select the VPC where your ApsaraDB RDS for MySQL is located
+    - **Zone**: it must overlap with your {{{ .essential }}} cluster
+    - **IP Version**: select `IPv4`
+
+4. Find the load balancer you created, and then click **Create Listener**. Provide the following information:
+
+    - **Listener Protocol**: select `TCP`
+    - **Listener Port**: enter the database port, for example, `3306` for MySQL
+    - **Server Group**: choose the server group you created in the previous step
+
+### Step 2.2. Set up an endpoint service
+
+To set up the endpoint service in the same region of your ApsaraDB RDS for MySQL, take the following steps:
+
+1. Go to [Endpoint Service](https://vpc.console.alibabacloud.com/endpointservice) to create an endpoint service. Provide the following information:
+
+    - **Service Resource Type**: select `NLB`
+    - **Select Service Resource**: select all zones that NLB is in, and choose the NLB that you created in the previous step
+    - **Automatically Accept Endpoint Connections**: it is recommended to choose `No`
+
+2. Go to the details page of the endpoint service, and copy the **Endpoint Service Name**, for example, `com.aliyuncs.privatelink.<region>.xxxxx`. You need to use it for TiDB Cloud later. 
+
+3. On the detail page of the endpoint service, click the **Service Whitelist** tab, click **Add to Whitelist**, and then enter the TiDB Cloud account ID. 
+
+    For more information about how to get the account ID, see [Prerequisites](#prerequisites).
+
+## Step 3. Create a private link connection in TiDB Cloud
+
+You can create a private link connection using the TiDB Cloud console or the TiDB Cloud CLI.
+
+For more information, see [Create an Alibaba Cloud Endpoint Service private link connection](/tidb-cloud/serverless-private-link-connection.md#create-an-alibaba-cloud-endpoint-service-private-link-connection).
diff --git a/tidb-cloud/serverless-private-link-connection-to-aws-rds.md b/tidb-cloud/serverless-private-link-connection-to-aws-rds.md
@@ -0,0 +1,114 @@
+---
+title: Connect to Amazon RDS via a Private Link Connection
+summary: Learn how to connect to an Amazon RDS instance using an AWS Endpoint Service private link connection.
+---
+
+# Connect to Amazon RDS via a Private Link Connection
+
+This document describes how to connect a {{{ .essential }}} cluster to an [Amazon RDS](https://aws.amazon.com/rds/) instance using an AWS Endpoint Service private link connection.
+
+## Prerequisites
+
+- You have an existing Amazon RDS instance or the permissions required to create one.
+
+- Your account has the following permissions to manage networking components:
+
+    - Manage security groups
+    - Manage load balancer
+    - Manage endpoint services
+
+- Your {{{ .essential }}} is hosted on AWS, and it is active. Retrieve and save the following details for later use:
+
+    - AWS Account ID
+    - Availability Zones (AZ)
+
+To view the the AWS account ID and availability zones, do the following:
+
+1. In the [TiDB Cloud console](https://tidbcloud.com), navigate to the cluster overview page of the TiDB cluster, and then click **Settings** > **Networking** in the left navigation pane.
+2. In the **Private Link Connection For Dataflow** area, click **Create Private Link Connection**.
+3. In the displayed dialog, you can find the AWS account ID and availability zones.
+
+## Step 1. Set up the Amazon RDS instance
+
+Identify an Amazon RDS instance to use, or [create a new one](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_CreateDBInstance.html).
+
+The Amazon RDS instance must meet the following requirements:
+
+- Region match: the instance must reside in the same AWS region as your {{{ .essential }}} cluster.
+- The [subnet group](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_VPC.WorkingWithRDSInstanceinaVPC.html#USER_VPC.Subnets) of your Amazon RDS instance must have overlapping availability zones as your {{{ .essential }}} cluster.
+- Set your Amazon RDS instance with a proper security group, and it is accessible within the VPC. For example, you can create a security group with the following rules:
+
+    - An inbound rule that allows MySQL/Aurora: 
+        - Type: `MySQL/Aurora`
+        - Source: `Anywhere-IPv4`
+
+    - An outbound rule that allows MySQL/Aurora: 
+        - Type: `MySQL/Aurora`
+        - Destination: `Anywhere-IPv4`
+
+> **Note**
+>
+> To connect to a cross-region RDS instance, contact [TiDB Cloud Support](/tidb-cloud/tidb-cloud-support.md).
+
+## Step 2. Expose the Amazon RDS instance as an endpoint service
+
+You need to set up the load balancer and the AWS Endpoint Service in the AWS console.
+
+### Step 2.1. Set up the load balancer
+
+To set up the load balancer in the same region of your RDS, take the following steps:
+
+1. Go to [Target groups](https://console.aws.amazon.com/ec2/home#CreateTargetGroup) to create a target group. Provide the following information:
+
+    - **Target type**: select `IP addresses`
+    - **Protocol and Port**: set the protocol to `TCP` and the port to your database port, for example `3306` for MySQL.
+    - **IP address type**: select `IPv4`
+    - **VPC**: select the VPC where your RDS is located
+    - **Register targets**: register the IP addresses of your Amazon RDS instance. You can ping the RDS endpoint to get the IP address.
+
+  For more information, see [Create a target group for your Network Load Balancer](https://docs.aws.amazon.com/elasticloadbalancing/latest/network/create-target-group.html).
+
+2. Go to [Load balancers](https://console.aws.amazon.com/ec2/home#LoadBalancers) to create a network load balancer. Provide the following information:
+
+    - **Schema**: select `Internal`
+    - **Load balancer IP address type**: select `IPv4`
+    - **VPC**: select the VPC where your RDS is located
+    - **Availability Zones**: it must overlap with your {{{ .essential }}} cluster
+    - **Security groups**: create a new security group with the following rules:
+        - An inbound rule that allows MySQL/Aurora: 
+            - Type: `MySQL/Aurora`
+            - Source: `Anywhere-IPv4`
+
+        - An outbound rule that allows MySQL/Aurora:        
+            - Type: `MySQL/Aurora`
+            - Destination: `Anywhere-IPv4`
+
+    - **Listeners and routing**:  
+        - **Protocol and Port**: set the protocol to `TCP` and the port to your database port, for example `3306` for MySQL
+        - **Target group**: select the target group that you create in the previous step
+
+  For more information, see [Create a Network Load Balancer](https://docs.aws.amazon.com/elasticloadbalancing/latest/network/create-network-load-balancer.html).
+
+### Step 2.2. Set up the AWS Endpoint Service
+
+To set up the endpoint service in the same region of your RDS, take the following steps:
+
+1. Go to [Endpoint services](https://console.aws.amazon.com/vpcconsole/home#EndpointServices) to create an endpoint service. Provide the following information:
+
+    - **Load balancer type**: select `Network`
+    - **Available load balancers**: enter the load balancer you create in the previous step
+    - **Supported Regions**: leave it empty if you do not have cross-region requirements
+    - **Require acceptance for endpoint**: it is recommended to select `Acceptance required`
+    - **Supported IP address types**: select `IPv4`
+
+2. Go to the details page of the endpoint service, and then copy the endpoint service name, in the format of `com.amazonaws.vpce.<region>.vpce-svc-xxxxxxxxxxxxxxxxx`. You need to provide it to TiDB Cloud.
+
+3. On the details page of the endpoint service, click the **Allow principals** tab, and then add the TiDB Cloud account ID to the allowlist, for example, `arn:aws:iam::<account_id>:root`. 
+
+    You can get the AWS account ID in [Prerequisites](#prerequisites).
+
+## Step 3. Create an AWS Endpoint Service private link connection in TiDB Cloud
+
+You can create a private link connection using the TiDB Cloud console or the TiDB Cloud CLI.
+
+For more information, see [Create an AWS Endpoint Service private link connection](/tidb-cloud/serverless-private-link-connection.md#create-an-aws-endpoint-service-private-link-connection).