ApsaraDB for RDS provides basic protection for data of critical concern. You can create and configure RDS instances by referring to the following content to further improve the data security level.

Instance disaster recovery

  • Enterprise Edition (formerly known as Finance Edition) instances

    To further meet the high reliability and data security requirements in business scenarios, ApsaraDB for RDS provides an Enterprise Edition instance that has two secondary instances. Primary/secondary replication ensures strong data consistency and provides financial-grade reliability.

    You can select Enterprise Edition when you create an ApsaraDB for RDS instance. For more information, see Create an ApsaraDB RDS for MySQL instance.

  • Multiple zones

    Each region where an ApsaraDB for RDS instance resides contains multiple zones. Zones in the same region have low network latency (less than 3 ms), and a fault in one zone does not impact the services in other zones. Multi-zone instances are deployed on physical servers within different zones. When one zone fails, services can be quickly switched over to another zone. The entire switchover process is transparent and does not require changes to application code.

    You can select Multi-zone Deployment when you create an ApsaraDB for RDS instance. For more information, see Create an ApsaraDB RDS for MySQL instance.

    You can migrate a single-zone instance to multiple zones. In this case, the instance must reside in a region that contains multiple zones. For more information, see Migrate an ApsaraDB RDS for MySQL instance across zones.

  • Cross-region disaster recovery instances

    ApsaraDB for RDS uses Data Transmission Service (DTS) to synchronize data in real time between a primary instance and a cross-region disaster recovery instance. Both the primary and disaster recovery instances are deployed based on the primary/secondary high-availability architecture. If a connection cannot be established to either the primary or secondary instance due to natural disasters, update the endpoints for your application to switch over services to the disaster recovery instance. This minimizes the downtime of your database system.

    For more information, see Disaster recovery instances.

  • Cross-region backup

    ApsaraDB for RDS provides cross-region backup to copy local backup files to an OSS bucket in another region. Cross-region data backup can be used for monitoring and disaster recovery. Cross-region backup is independent of instances. After an instance is released, backup files can still be retained based on the retention time that you set.

    For more information, see Back up an ApsaraDB RDS for MySQL instance across regions.

Access control

  • RAM user authorization

    Resource Access Management (RAM) allows you to create and manage RAM users and control their permissions on the resources of your Alibaba Cloud account. When multiple users in your enterprise need to manage resources at the same time, you can use RAM to grant the least permissions to users and avoid sharing your AccessKey pair with other users. This reduces information security risks of your enterprise.

    For more information, see RAM authorization.

  • Database account authorization

    ApsaraDB for RDS can authorize database accounts based on business requirements in the production environment.

    You can use the ApsaraDB for RDS console to create an account and grant database management permissions to the account. For more information, see Create databases and accounts for an ApsaraDB RDS for MySQL instance.

    If you only need an account to manage a table in a database, you can execute an SQL statement for authorization. For more information, see Authorize accounts to manage tables, views, and fields.

Network isolation

  • VPC

    ApsaraDB for RDS supports multiple network types. We recommend that you use VPC.

    VPC is an isolated network environment with higher security and performance than the classic network. You must first create a VPC. For more information, see Create a default VPC and VSwitch.

    If your ApsaraDB for RDS instance is deployed in the classic network, you can switch the network type of the instance to VPC. For more information, see Change the network type of an ApsaraDB RDS MySQL instance. If your ApsaraDB for RDS instance is deployed in a VPC, no more configuration is required.

  • Whitelist

    Only IP addresses in a whitelist are allowed to access the ApsaraDB for RDS instance.

    For more information, see Configure a whitelist for an ApsaraDB RDS for MySQL instance.

Log audit

  • SQL Explorer

    ApsaraDB for RDS provides the SQL Explorer feature, so that you can perform security audit and performance diagnostics on your databases.

    For more information, see SQL Explorer.

  • Log management

    ApsaraDB for RDS provides the log management feature, so that you can view the error logs, slow query logs, slow query log summary, and primary/secondary switching logs of your RDS instance. These logs help locate faults.

    For more information, see Manage logs.

  • Event history

    ApsaraDB for RDS provides the event history feature, so that you can view the operations and maintenance (O&M) events that are performed by users and Alibaba Cloud on your RDS instance. These events include instance creation and parameter reconfiguration.

    For more information, see View the event history of an ApsaraDB RDS for MySQL instance.

Data encryption

  • SSL encryption

    When you connect to a database over the Internet, you can enable Secure Sockets Layer (SSL) encryption and install SSL CA certificates on the required applications and services. SSL is used at the transport layer to encrypt network connections. It increases the security and integrity of communication data. It also increases the response time for network connection.

    For more information, see Configure SSL encryption for an ApsaraDB RDS for MySQL instance.

  • TDE

    Transparent Data Encryption (TDE) encrypts and decrypts data in real time when files are written or read. It encrypts data when files are written to disks and decrypts data when files are loaded into memory from disks. TDE does not increase the sizes of data files. You can use TDE without the need to change applications.

    For more information, see Configure TDE for an ApsaraDB RDS for MySQL instance.