ApsaraDB RDS:Change the network type

Classic network vs. VPC

Use VPC for all new and existing RDS instances.

Choose a migration path

Before you start, decide which migration path fits your situation:

After the classic network endpoint expires in hybrid access mode, only the VPC endpoint can connect to the RDS instance. Update your application connection strings before the classic endpoint expires.

Prerequisites

Before you begin, ensure that you have:

• (For read-only instances) Changed the primary RDS instance to VPC first. The primary instance must be on VPC before you can change the network type of any read-only instance.

  • If the read-only instance uses Premium Local SSDs, you can select any VPC — it does not need to be the same VPC as the primary instance.

  • If the read-only instance uses cloud disks, you must select the same VPC as the primary instance.

• (For RDS High-availability Edition instances running MySQL 5.6 or 5.7 on Premium Local SSDs) Changed the IP address whitelist mode to enhanced whitelist mode. See Change to the enhanced whitelist mode.

• A VPC in the same region as the RDS instance. If none exists, create a VPC first.

• A vSwitch in the zone where the RDS instance resides. If none exists, create a vSwitch in that zone.

You can use the VPC or classic network type and change the network type of your RDS instance free of charge.

View the network type

1. Log on to the ApsaraDB RDS console. In the top navigation bar, select the region where the RDS instance resides. Find the instance and click its ID.

2. In the left-side navigation pane, click Database Connection.

Change the network type from classic network to VPC

1. Log on to the ApsaraDB RDS console. In the top navigation bar, select the region where the RDS instance resides. Find the instance and click its ID.

2. In the left-side navigation pane, click Database Connection.

3. Click Switch to VPC.

   If Switch to VPC is not visible, confirm that the instance is on the classic network.

4. In the dialog box, configure the following settings: Select a VPC.Cloud Enterprise Network (CEN) Select the VPC where the Elastic Compute Service (ECS) instances that need to connect to the RDS instance reside. If the ECS instance and the RDS instance are in different VPCs, they cannot communicate over an internal network unless you use Cloud Enterprise Network (CEN) or VPN Gateway to connect the VPCs. See Overview of Alibaba Cloud CEN or Establish IPsec-VPN connections between two VPCs. Select a vSwitch. Select the vSwitch in the zone where the RDS instance resides. Reserve original classic endpoint. Choose based on your migration path:

   • Clear (direct change): The classic network endpoint is released and the existing endpoint changes to a VPC endpoint. Classic-network ECS instances lose internal connectivity to the RDS instance immediately.

   • Select (hybrid access mode): The classic network endpoint is retained and a new VPC endpoint is generated. Both endpoints are active during the transition. After you update your application to use the VPC endpoint, delete the classic network endpoint. See Configure the hybrid access mode.

   Important

   After completing the migration — whether direct or hybrid — delete the classic network endpoint. Leaving the classic network endpoint active blocks future renewals and specification changes. To delete it, go to Database Connection and remove the classic network endpoint.

5. Add the private IP address of each VPC-type ECS instance to the IP address whitelist of the VPC type for the RDS instance. This lets the ECS instance connect over an internal network. See Configure an IP address whitelist.

   Find the private IP address of an ECS instance on the Instance Details tab in the ECS console.

6. Update your application's connection configuration to use the VPC endpoint of the RDS instance. See View and manage instance endpoints and ports.

   • For ECS instances to connect to the RDS instance over an internal network, both instances must be in the same region and the same VPC. Verify this using the VPC ID.

   • To connect a classic-network ECS instance to the VPC-type RDS instance over an internal network, use ClassicLink or migrate the ECS instance to the same VPC as the RDS instance. See Overview and Migrate ECS instances from the classic network to a VPC.

Update whitelists after the network type change

If the enhanced whitelist mode is enabled for your RDS instance, update the whitelists after the network type is changed:

• Add the private IP addresses of VPC-type cloud service instances to the IP address whitelist of the VPC type.

• To allow internet access, add the public IP addresses of the connecting devices to the IP address whitelist of the classic network type.

See Change to the enhanced whitelist mode.

Impact on database proxies

If a database proxy is enabled for the RDS instance, a network type change has the following impact. Check the proxy type on the Database Proxy page in the ApsaraDB RDS console. See What are database proxies?

FAQ

Does changing from classic network to VPC affect my public endpoint or internet access?

No. The public endpoint and internet access are not affected. Changing from classic network to VPC only changes the internal endpoint — the endpoint type changes from classic to VPC. The public endpoint remains the same throughout.

Can I still renew or change specifications after switching to VPC?

Only if the classic network endpoint has been deleted. If you retained the classic network endpoint during the switch (hybrid access mode), delete it before renewing or changing instance specifications. Go to Database Connection and delete the classic network endpoint. If your instance has already expired without switching to VPC, submit a ticket to apply for a validity period extension, then switch to VPC and delete the classic network endpoint before renewing.

API reference