ApsaraDB RDS provides multiple network isolation methods to ensure the network security of an ApsaraDB RDS instance.


In addition to IP address whitelists, ApsaraDB RDS allows you to use virtual private clouds (VPCs) for advanced access control.

A VPC is a private network that strictly isolates your network packets based on underlying network protocols to implement access control at the network layer. You can connect a server in your data center to Alibaba Cloud by using a leased line or a VPN. You can also use the customized CIDR block of an RDS instance in a VPC to resolve IP address resource conflicts. This way, you can access the RDS instance from the server in your data center and an Alibaba Cloud Elastic Compute Service (ECS) instance at the same time.

You can use VPCs and IP address whitelists together to increase security for an RDS instance.

For more information about VPCs, see What is a VPC?


If an RDS instance resides in a VPC, the RDS instance can be accessed only from an ECS instance that resides in the same VPC. You can also apply for a public endpoint to receive access requests from the Internet. This method is not recommended. The requests include but are not limited to:

  • Access requests from ECS elastic IP addresses (EIPs).
  • Access requests from the Internet egress of your data center.

The IP address whitelists of an RDS instance are effective for all connections to the RDS instance. We recommend that you configure IP address whitelists before you apply for a public endpoint.

For more information about how to apply for a public endpoint, see Apply for or release a public endpoint for an ApsaraDB RDS for MySQL instance.