RDS MySQL provides comprehensive protection to guarantee data security in financial usage scenarios. There are multiple methods such as disaster recovery and backup, network isolation, and permission control that can guarantee the security of databases.

Disaster recovery and backup

Enterprise Edition instances

To further meet the high reliability and data security requirements in business scenarios, ApsaraDB for RDS provides the Enterprise Edition. In this edition, each instance servers as a master instance and has two slave instances. Multi-copy replication guarantees strong data consistency and provides financial-level reliability.

You can select the Enterprise Edition when you create an RDS instance. For more information, see Create an RDS MySQL instance.

Multiple zones

Each region where an ApsaraDB for RDS instance resides contains multiple zones. The zones in the same region have an extremely low network latency (less than 3 ms), and a fault in one zone does not impact the services in other zones. Multi-zone instances are deployed on physical servers in different zones. When a zone fails, traffic can be quickly switched to another zone. The entire switchover process is transparent, and does not require any changes to be made to the application code.

You can set the zone to Multi-zone when you create an instance. For more information, see Create an RDS MySQL instance.

Permission control

RAM user authorization

Resource Access Management (RAM) allows you to create and manage RAM user accounts and control their operation permissions on resources of your Alibaba Cloud account. When multiple users in your enterprise need to manage resources at the same time, you can use RAM to assign the least privileges to users and avoid sharing your account key with other users. This reduces information security risks of your enterprise.

For more information, see RAM authorization.

Database account authorization

ApsaraDB for RDS can authorize database accounts to manage databases based on the business needs of the production environment.

You can use the console to create an account and authorize the account database management permissions. For more information, see Create accounts and databases for an RDS for MySQL instance.

Network isolation


ApsaraDB for RDS supports multiple network types. We recommend that you use VPC.

VPC is an isolated network environment with higher security and performance than classic networks. You must create a VPC in advance. For more information, see Create a default VPC and VSwitch.

If an RDS instance is deployed in a classic network, you can switch the network type of the instance to VPC. For more information, see Switch the network type. If your RDS instance is deployed in a VPC, no configuration is required.

IP address whitelist

After an RDS instance is created, the default IP address whitelist is, which indicates that no device can access the RDS instance. You must manually add an IP address before you can connect to the RDS instance.

For more information, see Configure a whitelist for an RDS for MySQL instance.

Log audit

SQL explorer

ApsaraDB for RDS provides the SQL explorer feature, so that you can perform security audit and performance diagnostics on your database.

For more information, see SQL Explorer.

Data encryption

SSL encryption

When you connect to a database through the public network, you can enable Secure Sockets Layer (SSL) encryption and install SSL CA certificates on the necessary applications and services. SSL is used on the transport layer to encrypt network connections. It increases the security and integrity of communication data, but it also increases the response time for network connection.

For more information, see Configure SSL encryption.

Transparent Data Encryption

Transparent Data Encryption (TDE) implements real-time I/O encryption and decryption for data files. It encrypts data before data is written to a disk and decrypts data before data is read from the disk. TDE does not increase the size of data files. You can use TDE without making changes to applications.

For more information, see Set TDE.