This topic describes how to configure the hybrid access solution for an ApsaraDB RDS for PostgreSQL instance. This solution allows you to retain both the classic network endpoint and virtual private cloud (VPC) endpoint of your RDS instance. This way, you can migrate your RDS instance from the classic network to a VPC without network interruptions.

Background information

When you migrate your RDS instance from the classic network to a VPC, the internal classic network endpoint of the instance changes to the internal VPC endpoint. In this case, the endpoint remains unchanged, but the IP address that is bound to the endpoint changes. This change causes a transient connection error of about 30 seconds or less, and classic network-hosted Elastic Compute Service (ECS) instances can no longer connect to your RDS instance over an internal network. To facilitate a smooth migration, ApsaraDB RDS provides the hybrid access solution.

The hybrid access solution allows you to connect your RDS instance from both classic network-hosted ECS instances and VPC-hosted ECS instances. During the validity period of the hybrid access solution, ApsaraDB RDS retains the internal classic network endpoint and generates an internal VPC endpoint. This prevents transient connection errors when you migrate your RDS instance from the classic network to a VPC.

For security and performance purposes, we recommend that you use only the internal VPC endpoint. You must specify a validity period for the hybrid access solution. After the validity period elapses, ApsaraDB RDS releases the internal classic network endpoint. Then, your applications can no longer connect to your RDS instance by using this endpoint. Therefore, you must add the internal VPC endpoint to your applications before the validity period elapses. This allows you to ensure a smooth migration and prevent interruptions to your workloads.

For example, a company uses the hybrid access solution to migrate their RDS instance from the classic network to a VPC. During the validity period of the hybrid access solution, some applications connect to the RDS instance by using the internal VPC endpoint, whereas the others still connect to the RDS instance by using the internal classic network endpoint. When all applications of the company can connect to the RDS instance by using the internal VPC endpoint, the internal classic network endpoint can be released.

Limits

During the validity period of the hybrid access solution, your RDS instance does not support the following operations:

  • Change to the classic network type
  • Migration to another zone

Prerequisites

  • Your RDS instance resides in the classic network.
  • The zone where your RDS instance resides provides available VPCs and vSwitches. For more information about how to create VPCs and vSwitches, see Create a VPC.

Migrate your RDS instance from the classic network to a VPC

  1. Visit the RDS instance list, select a region above, and click the target instance ID.
  2. In the left-side navigation pane, click Database Connection.
  3. Click Switch to other VPC.
  4. In the dialog box that appears, select a VPC and a vSwitch and specify whether to retain the classic network endpoint.
    • Select a VPC. We recommend that you select the VPC where the required ECS instance resides. If the ECS and RDS instances reside in different VPCs, these instances cannot communicate over an internal network. In this case, if you want these instances to communicate over an internal network, you must create a Cloud Enterprise Network (CEN) instance or an IPsec-VPN connection between the VPCs of these instances.For more information, see Overview and Establish IPsec-VPN connections between two VPCs.
    • Select a vSwitch. If no vSwitches are available in the selected VPC, create a vSwitch in the same zone as your RDS instance. For more information, see Create a vSwitch.
    • Clear or select the Reserve original classic endpoint option. For more information, see the following table.
      Action Description
      Clear the Reserve original classic endpoint option

      The classic network endpoint is not retained and changes to the VPC endpoint.

      When you change the network type from classic network to VPC, a transient connection error of about 30 seconds occurs. In this case, the connection between each classic network-hosted ECS instance and your RDS instance is closed.
      Select the Reserve original classic endpoint option

      The classic network endpoint is retained, and a new VPC endpoint is generated. In this case, your RDS instance runs in hybrid access mode. Both classic network-hosted ECS instances and VPC-hosted ECS instances can connect to your RDS instance over an internal network.

      When you change the network type from classic network to VPC, no transient connection errors occur. The connection between each classic network-hosted ECS instance and your RDS instance remains available until the classic network endpoint expires.

      Before the classic network endpoint expires, you must add the VPC endpoint to each required VPC-hosted ECS instance. This allows ApsaraDB RDS to migrate your workloads to the selected VPC without network interruptions.

  5. Add the private IP address of each required VPC-hosted ECS instance to an IP address whitelist of the VPC network type. This allows the ECS instance to connect to your RDS instance over an internal network. If no IP address whitelists of the VPC network type are available, create one.
    • If you have selected the Reserve original classic endpoint option, add the VPC endpoint of your RDS instance to each required VPC-hosted ECS instance before the classic network endpoint expires.
    • If you have cleared the Reserve original classic endpoint option, the connection between each classic network-hosted ECS instance and your RDS instance over an internal network is immediately closed after the network type change is complete. You must add the VPC endpoint of your RDS instance to each required VPC-hosted ECS instance.
    Note If you want to connect a classic network-hosted ECS instance to your VPC-hosted RDS instance over an internal network, you can use ClassicLink to establish a connection. Otherwise, you can migrate the ECS instance to the same VPC as your RDS instance. For more information, see Overview.

Change the expiration date of the internal classic network endpoint

During the validity period of the hybrid access solution, you can change the expiration date of the classic network endpoint based on your business requirements. The expiration date is immediately recalculated starting from the day when you make the change. For example, the classic network endpoint is configured to expire on August 18, 2017. On August 15, 2017, you increase the validity period of the classic network endpoint by 14 days. In this case, ApsaraDB RDS releases the classic network endpoint on August 29, 2017.

Perform the following steps:

  1. Visit the RDS instance list, select a region above, and click the target instance ID.
  2. In the left-side navigation pane, click Database Connection.
  3. In the Original Classic Network Endpoint section of the Database Connection page, click Change Expiration Time.
  4. In the Change Expiration Time dialog box, select an expiration date and click OK.