Please Change the Network Type of Your RDS Instances From Classic Network to VPC ASAP
Aug 10, 2022
Dear Customer:
Thank you for choosing ApsaraDB for RDS and related database services.
You are receiving this message because we noticed that you are still using Classic Network for some of your database instances. To improve the security of your database system, we recommend that you change the network type of your RDS instances from Classic Network to Virtual Private Cloud (VPC) as soon as possible. Please note that the network type change is provided completely free of charge.
Background Information
● RDS instances that use Classic Network are, by default, reachable by instances that belong to other users using the same network type within the same availability zone. This means that the resources of different users are not isolated from each other. Access control relies only on the allowlist policy of the instance, which is inadequate and prone to security risks if the policy is not configured or is set up incorrectly.
● RDS instances that use VPC are isolated from each other by default because of the network isolation of VPC. A VPC is created and managed by the user, which means it belongs only to the user, and the user has full ownership of the VPC. By default, even if the allowlist is not configured, instances using VPC can only be accessed by resources within the same VPC owned by the user. This provides an additional layer of security through isolation.
Taking the points above into consideration, and given the differences between the two network types, we strongly recommend switching from Classic Network to VPC to avoid unnecessary risks caused by the lack of network isolation, and consequently improve database security.
Recommended Solution
We recommend that you switch to the same VPC as the ECS instance where your application is located. Otherwise, your application will not be able to access the RDS instance through the intranet, causing service impacts. By default, VPCs are isolated and cannot be accessed from each other without the help of CEN.
For more details about switching from Classic Network to VPC, please refer to the documentation on our website: https://www.alibabacloud.com/help/zh/apsaradb-for-rds/latest/change-the-network-type-of-an-apsaradb-rds-for-mysql-instance
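A pre-migration check for the recommendation above, as an added example that is not part of the original notice or Alibaba Cloud's tooling: for each RDS instance still on Classic Network it works out which VPC its application hosts live in and flags the cases the notice warns about. The inventory layout, field names, instance IDs and the client mapping are constructed assumptions; build them from your own asset export.

```python
import json

# Constructed inventory (not real API output). Field names are hypothetical.
INVENTORY = json.loads("""
{
  "rds": [
    {"id": "rm-example-a", "network": "Classic", "clients": ["i-app-1", "i-app-2"]},
    {"id": "rm-example-b", "network": "Classic", "clients": ["i-app-1", "i-app-3"]},
    {"id": "rm-example-c", "network": "Classic", "clients": ["i-legacy"]},
    {"id": "rm-example-d", "network": "VPC", "clients": ["i-app-1"]}
  ],
  "ecs": [
    {"id": "i-app-1", "network": "VPC", "vpc": "vpc-example-1"},
    {"id": "i-app-2", "network": "VPC", "vpc": "vpc-example-1"},
    {"id": "i-app-3", "network": "VPC", "vpc": "vpc-example-2"},
    {"id": "i-legacy", "network": "Classic", "vpc": null}
  ]
}
""")

def plan_migration(inventory):
    """Map each Classic Network RDS instance to (action, details)."""
    ecs = {host["id"]: host for host in inventory["ecs"]}
    plan = {}
    for db in inventory["rds"]:
        if db["network"] != "Classic":
            continue  # already isolated inside a VPC
        vpcs, blocked = set(), []
        for client_id in db["clients"]:
            host = ecs.get(client_id)
            if host is None or host["network"] != "VPC":
                blocked.append(client_id)  # unknown host or still on Classic
            else:
                vpcs.add(host["vpc"])
        if blocked:
            # Switching now would cut these hosts off from the intranet endpoint.
            plan[db["id"]] = ("move-clients-first", sorted(blocked))
        elif len(vpcs) == 1:
            plan[db["id"]] = ("switch", sorted(vpcs))
        elif len(vpcs) > 1:
            # Clients span VPCs, which are isolated from each other without CEN.
            plan[db["id"]] = ("needs-cross-vpc", sorted(vpcs))
        else:
            plan[db["id"]] = ("no-known-clients", [])
    return plan

if __name__ == "__main__":
    for db_id, (action, details) in plan_migration(INVENTORY).items():
        print(db_id, action, ", ".join(details))
```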