When you connect an on-premises database to Data Transmission Service (DTS) over a leased line or VPN Gateway, DTS requires network access to your database. Without a VPC data channel, you must whitelist a broad range of DTS server IP addresses — a list that can change and is difficult to maintain. The VPC data channel solves this by creating an Elastic Network Interface (ENI) directly inside your virtual private cloud (VPC), giving DTS a fixed, private access point. This reduces your security whitelist to a single vSwitch CIDR block and simplifies network troubleshooting.
How it works
The VPC data channel is built on Alibaba Cloud PrivateLink. When you configure a DTS task, the following happens automatically:
-
PrivateLink is enabled. DTS checks whether PrivateLink is active on your account. If not, DTS enables it for you.
-
Two ENIs are created. You select a vSwitch in a primary zone and a vSwitch in a secondary zone within your VPC. DTS creates one ENI on each vSwitch. These two ENIs become the network access points DTS uses to reach your database.
-
Existing vSwitches are reused. DTS never creates new vSwitches. Each VPC data channel uses at least two IP addresses — one per ENI. If subsequent DTS tasks in the same VPC select the same primary and secondary vSwitches, DTS reuses the existing channel without consuming additional IP addresses. DTS automatically pre-fills the vSwitch selections from your previous task.
-
Route tables are left unchanged. The feature only attaches ENIs to your specified vSwitches. It does not modify your VPC route table, so your existing network planning is unaffected.
Scope
Use a VPC data channel when your DTS task meets all three of the following criteria. If all three are met, using a VPC data channel is required — you must configure both a primary and a secondary vSwitch.
| Dimension | Supported values |
|---|---|
| Database type | MySQL, PostgreSQL, SQL Server, Tair/Redis, Oracle, MongoDB |
| Access method | Express Connect, VPN Gateway, or Smart Access Gateway |
| Console version | New DTS configuration page only |
Supported regions and zones
| Region | Region ID | Zones | Zone IDs |
|---|---|---|---|
| China (Hangzhou) | cn-hangzhou | Zone I, Zone J, Zone K | cn-hangzhou-i, cn-hangzhou-j, cn-hangzhou-k |
| China (Shanghai) | cn-shanghai | Zone B, Zone G, Zone M, Zone N | cn-shanghai-b, cn-shanghai-g, cn-shanghai-m, cn-shanghai-n |
| China (Shenzhen) | cn-shenzhen | Zone D, Zone E, Zone F | cn-shenzhen-d, cn-shenzhen-e, cn-shenzhen-f |
| China (Beijing) | cn-beijing | Zone H, Zone G, Zone L, Zone I, Zone F, Zone K | cn-beijing-h, cn-beijing-g, cn-beijing-l, cn-beijing-i, cn-beijing-f, cn-beijing-k |
| China (Qingdao) | cn-qingdao | Zone B, Zone C | cn-qingdao-b, cn-qingdao-c |
| China (Zhangjiakou) | cn-zhangjiakou | Zone A, Zone B, Zone C | cn-zhangjiakou-a, cn-zhangjiakou-b, cn-zhangjiakou-c |
| China (Ulanqab) | cn-wulanchabu | Zone A, Zone B | cn-wulanchabu-a, cn-wulanchabu-b |
| China (Chengdu) | cn-chengdu | Zone A, Zone B | cn-chengdu-a, cn-chengdu-b |
| China (Hong Kong) | cn-hongkong | Zone B, Zone C, Zone D | cn-hongkong-b, cn-hongkong-c, cn-hongkong-d |
| Singapore | ap-southeast-1 | Zone A, Zone B | ap-southeast-1a, ap-southeast-1b |
| Indonesia (Jakarta) | ap-southeast-5 | Zone A, Zone B | ap-southeast-5a, ap-southeast-5b |
| Germany (Frankfurt) | eu-central-1 | Zone A, Zone B | eu-central-1a, eu-central-1b |
| US East (Virginia) | us-east-1 | Zone A, Zone B | us-east-1a, us-east-1b |
| US West (Silicon Valley) | us-west-1 | Zone A, Zone B | us-west-1a, us-west-1b |
| Japan (Tokyo) | ap-northeast-1 | Zone A, Zone B | ap-northeast-1a, ap-northeast-1b |
Benefits
Smaller security whitelist
Add only the CIDR block of the ENI's vSwitch to your database security settings — firewalls, whitelists, or security groups. You no longer need to maintain the broad range of DTS server IP addresses.
Simpler network architecture
Plan your network in advance by adding the ENI vSwitch's CIDR block to your VPC route table and database whitelist. DTS then handles the channel setup automatically.
Faster network troubleshooting
If a connectivity check fails during DTS task configuration, launch an ECS instance on the same vSwitch as the ENI and test the connection to your database directly. This isolates network issues without involving DTS-specific tooling.
Billing
The VPC data channel feature is free of charge.
Usage notes
-
Select primary and secondary vSwitches in different zones to ensure high availability.
-
DTS creates a security group named
DTS_VPCNATin your VPC and associates it with the ENIs.-
The inbound rule allows access from all IP addresses (
0.0.0.0/0) by default. This enables DTS to establish a bidirectional connection with your database. -
Do not modify or delete this security group or its rules. Doing so may cause DTS tasks to fail.
-
Do not associate
DTS_VPCNATwith other resources such as ECS instances. It is reserved for DTS internal use only and associating it with other resources introduces security risks.
-
FAQ
For network connectivity issues encountered during configuration, see Configure a VPC data channel task and FAQ.