This topic describes how to configure the hybrid access solution for an ApsaraDB RDS for MySQL instance. This solution allows you to migrate your RDS instance from the classic network to a virtual private cloud (VPC) without network interruptions.

Important: Network security cannot be guaranteed for the classic network. All new RDS instances that use standard SSDs or enhanced SSDs (ESSDs) do not support the classic network. If you select the local SSD storage type when you create an RDS instance, you cannot select the classic network. To ensure your network security, we recommend that you migrate your RDS instances from the classic network to VPCs. For more information, see Change the network type from classic network to VPC.

Background information

When you migrate your RDS instance from the classic network to a VPC, the internal classic network endpoint of the instance changes to the internal VPC endpoint. In this case, the endpoint remains unchanged, but the IP address that is bound to the endpoint changes. This change causes a transient connection that lasts 30 seconds or less, and Elastic Compute Service (ECS) instances located in the classic network can no longer connect to your RDS instance over an internal network. To facilitate a smooth migration, ApsaraDB RDS provides the hybrid access solution.

Hybrid access means that both ECS instances in the classic network and ECS instances in VPCs can connect to your RDS instance. If you use the hybrid access solution, ApsaraDB RDS retains the internal classic network endpoint and generates an internal VPC endpoint. This prevents transient connections when you migrate your RDS instance from the classic network to a VPC.

For security and performance purposes, we recommend that you use only the internal VPC endpoint. You must specify a validity period for the hybrid access solution. When the hybrid access solution expires, ApsaraDB RDS releases the internal classic network endpoint and applications are unable to use the endpoint to connect to your RDS instance. You must add the internal VPC endpoint to your applications before the hybrid access solution expires. This ensures a smooth migration and prevents interruptions to your workloads.

For example, a company uses the hybrid access solution to migrate its RDS instance from the classic network to a VPC. During the validity period of the hybrid access solution, some applications use the internal VPC endpoint to connect to the RDS instance, and the other applications continue to use the internal classic network endpoint to connect to the RDS instance. When all applications of the company can use the internal VPC endpoint to connect to the RDS instance, the internal classic network endpoint can be released.

Limits

During the validity period of the hybrid access solution, your RDS instance has the following limits:

  • The network type of the RDS instance cannot be changed to classic network.
  • The RDS instance cannot be migrated to another zone.
  • The RDS instance cannot be changed between RDS High-availability Edition and RDS Enterprise Edition.

Prerequisites

  • The RDS instance resides in the classic network.
  • Available VPCs and vSwitches exist in the zone in which the RDS instance resides. For more information about how to create VPCs and vSwitches, see Create a VPC.

Change the network type from classic network to VPC

  1. Access RDS Instances, select a region at the top, and then click the ID of the target RDS instance.
  2. In the left-side navigation pane, click Database Connection.
  3. Click Switch to other VPC.
  4. In the Switch to VPC dialog box, select a VPC and a vSwitch and specify whether to retain the classic network endpoint.
    • Select a VPC. We recommend that you select the VPC in which the required ECS instance resides. If the ECS instance and the RDS instance reside in different VPCs, these instances can communicate over an internal network only if you use Cloud Enterprise Network (CEN) or VPN Gateway to enable network communication between the VPCs of these instances. For more information, see Overview of CEN or Establish IPsec-VPN connections between two VPCs.
    • Select a vSwitch. If no vSwitches are available in the selected VPC, create a vSwitch in the zone in which the RDS instance resides. For more information, see Create a vSwitch.
    • Clear or select Reserve original classic endpoint.
      • Clear Reserve original classic endpoint: The classic network endpoint is not retained and changes to a VPC endpoint. When you change the network type from classic network to VPC, a transient connection that lasts approximately 30 seconds occurs and ECS instances that reside in the classic network are immediately disconnected from the RDS instance.
      • Select Reserve original classic endpoint: The classic network endpoint is retained, and a new VPC endpoint is generated. In this case, your RDS instance runs in hybrid access mode. Both classic network-type ECS instances and VPC-type ECS instances can access your RDS instance over an internal network. When you change the network type from classic network to VPC, no transient connections occur. The connection between each classic network-type ECS instance and the RDS instance remains available until the classic network endpoint expires. Before the classic network endpoint expires, you must add the VPC endpoint to your application that runs on a VPC-type ECS instance. This allows ApsaraDB RDS to migrate your workloads to the selected VPC with no downtime.

  5. Add the private IP address of the required VPC-type ECS instance to an IP address whitelist of the VPC network type on the RDS instance. This way, the ECS instance can access the RDS instance over an internal network. If no IP address whitelists of the VPC network type are available, create one.
    • If you select Reserve original classic endpoint, add the VPC endpoint of your RDS instance to each required VPC-type ECS instance before the classic network endpoint expires.
    • If you clear Reserve original classic endpoint, the connection between each classic network-type ECS instance and the RDS instance over an internal network is immediately closed after the network type is changed. You must add the VPC endpoint of the RDS instance to your application that runs on the required VPC-type ECS instance.
    Note: If the RDS instance resides in a VPC and you want to connect a classic network-type ECS instance to the RDS instance over an internal network, you can use ClassicLink to establish a connection. Alternatively, you can migrate the ECS instance to the same VPC as the RDS instance. For more information, see Overview.

Change the expiration date of the internal classic network endpoint

During the validity period of the hybrid access solution, you can change the expiration date of the classic network endpoint based on your business requirements. The expiration date is immediately recalculated starting from the day when you make the change. For example, the classic network endpoint is configured to expire on August 18, 2017. On August 15, 2017, you extend the validity period of the classic network endpoint by 14 days. In this case, ApsaraDB RDS releases the classic network endpoint on August 29, 2017.

To change the expiration date, perform the following operations:

  1. Access RDS Instances, select a region at the top, and then click the ID of the target RDS instance.
  2. In the left-side navigation pane, click Database Connection.
  3. On the Instance Connection tab, click Change Expiration Time.
  4. In the Change Expiration Time dialog box, select an expiration date and click OK.
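
Before the classic network endpoint is released, it helps to know which applications still point at it. The following is an added example, not part of the original documentation or any ApsaraDB tooling: it applies the expiration recalculation rule described above and audits an application inventory for configurations that have not moved to the VPC endpoint. The endpoint names, the inventory, and the function names are constructed placeholders.

```python
from datetime import date, timedelta
from urllib.parse import urlsplit

# Constructed placeholder endpoints (assumptions); copy the real ones from
# the Database Connection page of the RDS instance.
CLASSIC_ENDPOINT = "rm-example.classic.rds.invalid"
VPC_ENDPOINT = "rm-example.vpc.rds.invalid"

# Constructed sample inventory: application name -> database URL it is configured with.
APP_CONFIGS = {
    "orders":  "mysql://orders@rm-example.vpc.rds.invalid:3306/shop",
    "billing": "mysql://billing@RM-EXAMPLE.classic.rds.invalid:3306/shop",
    "reports": "mysql://reports@rm-example.classic.rds.invalid:3306/shop",
    "legacy":  "mysql://legacy@10.0.0.12:3306/shop",
}


def recalculated_expiry(change_day: date, validity_days: int) -> date:
    """Expiry is recalculated from the day of the change, not from the old expiry."""
    return change_day + timedelta(days=validity_days)


def audit(configs, expiry: date, today: date):
    """Return (app, finding) pairs for every app that is not on the VPC endpoint."""
    days_left = (expiry - today).days
    findings = []
    for app, url in sorted(configs.items()):
        host = (urlsplit(url).hostname or "").lower()  # hostnames are case-insensitive
        if host == VPC_ENDPOINT:
            continue  # already migrated
        if host == CLASSIC_ENDPOINT:
            findings.append((app, f"classic endpoint, released in {days_left} day(s)"))
        else:
            # Hard-coded IPs or unknown hosts stop working when the bound IP changes.
            findings.append((app, f"unrecognized host {host!r}, verify manually"))
    return findings


if __name__ == "__main__":
    expiry = recalculated_expiry(date(2017, 8, 15), 14)  # the example dates used above
    for app, finding in audit(APP_CONFIGS, expiry, today=date(2017, 8, 20)):
        print(f"{app}: {finding}")
```

An empty result from `audit` means every inventoried application already uses the VPC endpoint, so the classic network endpoint can be left to expire.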