ApsaraDB for RDS provides multiple network isolation mechanisms to ensure network security.


In addition to the IP address whitelist, ApsaraDB for RDS allows you to use virtual private cloud to obtain advanced network access control.

VPC is a private network environment, it strictly isolates packets through network protocols and implements control access at layer 2. You can connect the servers you build in IDCs to Alibaba Cloud through VPN or physical connections. You can also use the RDS IP address segment defined in VPC to handle IP address conflicts, allows both your own server and Alibaba Cloud ECS to access RDS.

The combination of VPCs and IP address whitelists is an ideal option for you to secure apsaradb for RDS instances.

For more information about VPC, see What is a VPC?.


By default, RDS instances deployed in a VPC network are only accessible from the ECS instances in the same VPC network. You can also apply for a public IP address to receive access requests from the public network (not recommended). The requests include but are not limited to:

  • Access requests from ECS EIPs.
  • Access requests from the user-created IDC to the egress.

IP address whitelists apply to all connections to ApsaraDB for RDS instances. We recommend that you configure the whitelist before applying for a public IP address.

For more information, see Apply for a public endpoint for an RDS MySQL instance.