[Important Notice] Alibaba Cloud – Please Change the Network Type of Your RDS Instances From Classic Network to VPC at The Earliest Opportunity
Jul 25, 2022
To improve the security of your database systems, we recommend that you change the network type of your ApsaraDB for RDS instances from Classic Network to Virtual Private Cloud (VPC) at the earliest opportunity. The network type change is provided completely free of charge.
Background Information
● If your RDS instance resides in the Classic Network, network isolation cannot be implemented for the RDS instance. Allowlists are required to deny unauthorized access to the RDS instance. If no allowlists are configured or the policies are not properly configured for your RDS instance, the RDS instance is more likely to be exposed to security risks.
● If your RDS instance resides in a VPC, networks are isolated by using VPCs. A VPC is an isolated network environment. A VPC is a resource that is created and managed by a user, which means it belongs only to the user, and the user has full ownership of it. If no allowlists are configured for your RDS instance, the RDS instance can be accessed only by resources that reside in the same VPC owned by the user. This provides an additional layer of security.
Taking the points above into consideration, we highly recommend switching from Classic Network to VPC to prevent potential risks that are caused by the lack of network isolation, and consequently improve the security of your RDS instances.
Recommended Solution
By default, VPCs are isolated from each other and cannot communicate with each other without the help of Cloud Enterprise Network (CEN). Therefore, we recommend that you switch the network type of your RDS instances to the same VPC as the Elastic Compute Service (ECS) instance where your application is deployed; otherwise your application will not be able to access the RDS instances over the intranet, causing service impacts.
For more information about how to change the network type, see RDS documentation (https://www.alibabacloud.com/help/apsaradb-for-rds/latest/change-the-network-type-of-an-apsaradb-rds-for-mysql-instance).
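Before changing the network type, it helps to inventory which RDS instances still sit in the Classic Network, which ones rely on an overly broad allowlist, and which VPC instances are not in the same VPC as the application ECS instance (and would therefore lose intranet connectivity without CEN). The script below is an added example and not Alibaba Cloud's code: it audits the JSON that the RDS `DescribeDBInstances`, `DescribeDBInstanceIPArrayList` and ECS `DescribeInstances` API calls return (for instance via `aliyun rds DescribeDBInstances`). The response field names used here (`InstanceNetworkType`, `VpcId`, `SecurityIPList`, `VpcAttributes`) are assumptions based on those API responses and should be checked against the current API reference; all instance IDs, VPC IDs and allowlist entries in the sample data are constructed.

```python
"""Audit ApsaraDB for RDS instances for the network-isolation issues in the notice.

Added example, not Alibaba Cloud's own code. The response field names are assumed
from the DescribeDBInstances / DescribeDBInstanceIPArrayList / DescribeInstances
API documentation; the JSON payloads below are constructed sample data.
"""
import ipaddress
import json

# Constructed sample: trimmed `DescribeDBInstances` response with three instances.
RDS_INSTANCES_JSON = """
{"Items": {"DBInstance": [
  {"DBInstanceId": "rm-classic-demo",   "InstanceNetworkType": "Classic", "VpcId": ""},
  {"DBInstanceId": "rm-vpc-app-demo",   "InstanceNetworkType": "VPC",     "VpcId": "vpc-app-demo"},
  {"DBInstanceId": "rm-vpc-other-demo", "InstanceNetworkType": "VPC",     "VpcId": "vpc-other-demo"}
]}}
"""

# Constructed sample: one `DescribeDBInstanceIPArrayList` response per instance.
ALLOWLISTS = {
    "rm-classic-demo": {"Items": {"DBInstanceIPArray": [
        {"DBInstanceIPArrayName": "default", "SecurityIPList": "0.0.0.0/0"}]}},
    "rm-vpc-app-demo": {"Items": {"DBInstanceIPArray": [
        {"DBInstanceIPArrayName": "default", "SecurityIPList": "10.0.0.0/8,10.1.2.3"}]}},
    "rm-vpc-other-demo": {"Items": {"DBInstanceIPArray": [
        {"DBInstanceIPArrayName": "default", "SecurityIPList": "127.0.0.1"}]}},
}

# Constructed sample: trimmed ECS `DescribeInstances` response for the application host.
ECS_INSTANCE_JSON = """
{"Instances": {"Instance": [
  {"InstanceId": "i-app-demo", "VpcAttributes": {"VpcId": "vpc-app-demo"}}
]}}
"""


def app_vpc_id(ecs_payload: str) -> str:
    """Return the VPC of the (single) ECS instance that hosts the application."""
    instances = json.loads(ecs_payload)["Instances"]["Instance"]
    return instances[0]["VpcAttributes"]["VpcId"]


def allowlist_findings(ip_array_payload: dict) -> list:
    """Flag allowlist groups that are empty, unparseable, or permit any source."""
    findings = []
    for group in ip_array_payload["Items"]["DBInstanceIPArray"]:
        name = group.get("DBInstanceIPArrayName", "?")
        entries = [e.strip() for e in group.get("SecurityIPList", "").split(",") if e.strip()]
        if not entries:
            findings.append(f"allowlist '{name}' is empty")
            continue
        for entry in entries:
            try:
                net = ipaddress.ip_network(entry, strict=False)
            except ValueError:
                findings.append(f"allowlist '{name}' has unparseable entry {entry!r}")
                continue
            if net.prefixlen == 0:  # 0.0.0.0/0 or ::/0: every address is allowed
                findings.append(f"allowlist '{name}' permits any source ({entry})")
    return findings


def audit(rds_payload: str, allowlists: dict, target_vpc: str) -> dict:
    """Map each RDS instance ID to its list of findings (empty list = nothing to fix)."""
    report = {}
    for inst in json.loads(rds_payload)["Items"]["DBInstance"]:
        iid = inst["DBInstanceId"]
        findings = []
        if inst.get("InstanceNetworkType") == "Classic":
            findings.append("Classic network: no network isolation, access control "
                            "relies on the allowlist alone; change to VPC")
        elif inst.get("VpcId") != target_vpc:
            findings.append(f"VPC {inst.get('VpcId')} differs from application VPC "
                            f"{target_vpc}: intranet access needs CEN or a move into {target_vpc}")
        empty = {"Items": {"DBInstanceIPArray": []}}
        findings.extend(allowlist_findings(allowlists.get(iid, empty)))
        report[iid] = findings
    return report


if __name__ == "__main__":
    for instance_id, issues in audit(RDS_INSTANCES_JSON, ALLOWLISTS,
                                     app_vpc_id(ECS_INSTANCE_JSON)).items():
        print(instance_id, "OK" if not issues else "")
        for issue in issues:
            print("  -", issue)
```

In this sample the Classic instance is reported twice (no isolation plus an any-source allowlist), the instance in a different VPC is flagged for the connectivity problem the notice warns about, and the instance already in the application's VPC with a scoped allowlist produces no findings. In a real run, replace the embedded JSON with the output of the corresponding API calls for each region.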