
ApsaraDB RDS: Configure the hybrid access mode

Last Updated: Mar 10, 2025

If you want to change the network type of an ApsaraDB RDS for MySQL instance from classic network to Virtual Private Cloud (VPC) without service interruptions, you can enable the hybrid access mode to retain both the classic network endpoint and the VPC endpoint. During hybrid access, you can switch your applications from the classic network endpoint to the VPC endpoint in phases. After all applications are switched, you can release the classic network endpoint to complete a smooth network type change.

Important
  • RDS instances of the classic network type can no longer be renewed, upgraded, downgraded, or cloned from 00:00 on October 30, 2024. For more information, see [Product changes/Feature changes] Alibaba Cloud plans to phase out ApsaraDB RDS instances of the classic network type.

  • You may fail to renew your RDS instance or change the specifications of the RDS instance due to the following reasons:

    • The network type is changed to VPC but the classic network endpoint is not deleted. In this case, you must go to the Instances page and click the ID of the required RDS instance. On the page that appears, click Database Connection to delete the classic network endpoint.

    • The network type is not changed to VPC before the expiration. In this case, you must submit a ticket to apply for validity period extension. After the validity period is extended, change the network type to VPC, delete the classic network endpoint, and then renew the RDS instance.

Background information

When you migrate your RDS instance from the classic network to a VPC, the type of the internal endpoint changes from classic network to VPC. In this case, the endpoint string remains unchanged, but the IP address that is bound to the endpoint changes. This change causes an instance switchover, and classic network-type Elastic Compute Service (ECS) instances can no longer connect to the RDS instance over an internal network. To facilitate smooth migration, ApsaraDB RDS provides the hybrid access mode. For more information about the impacts of an instance switchover, see Impacts of an instance switchover.

Hybrid access indicates that your RDS instance can be connected by both classic network-type and VPC-type ECS instances. In hybrid access mode, the system retains the original internal endpoint of the classic network type and generates an internal endpoint of the VPC type for your RDS instance, and the public endpoint remains unchanged. This prevents instance switchovers when you change the network type.

For security and performance purposes, we recommend that you use only the VPC type. You must specify a validity period for the hybrid access mode. When the hybrid access mode expires, the system releases the original internal endpoint of the classic network type and you cannot use the endpoint to connect your applications to your RDS instance. Before the hybrid access mode expires, you must add the internal endpoint of the VPC type to your applications. This ensures a smooth migration and prevents interruptions to your workloads.

For example, a company uses the hybrid access mode to change the network type of an RDS instance from classic network to VPC. During the validity period of the hybrid access mode, some applications use the internal endpoint of the VPC type to connect to the RDS instance, and other applications continue to use the internal endpoint of the classic network type to connect to the RDS instance. When all applications of the company can use the internal endpoint of the VPC type to connect to the RDS instance, you can release the internal endpoint of the classic network type.

Prerequisites

If you want to use the hybrid access mode, the RDS instance must meet the following requirements:

  • The RDS instance resides in the classic network.

  • A VPC and a vSwitch are created in the zone in which the RDS instance resides. For more information about how to create VPCs and vSwitches, see Create and manage a VPC.

Usage notes

  • Hybrid access mode enabled: You cannot change the network type to classic network or change the zone of the RDS instance. You cannot change between RDS High-availability Edition and RDS Enterprise Edition.

  • Impacts on instance endpoints:

    • Internal endpoint: The system retains the internal endpoint of the classic network type and automatically generates an internal endpoint of the VPC type.

    • Public endpoint: The public endpoint remains unchanged.

  • Impacts on instance access:

    • Internal network access: When a different cloud service instance, such as an ECS instance, connects to the RDS instance over an internal network, the network type of the cloud service instance can be classic network or VPC. If the network type is classic network, the cloud service instance connects to the RDS instance by using the internal endpoint of the classic network type. If the network type is VPC, the cloud service instance connects to the RDS instance by using the internal endpoint of the VPC type. After the classic network endpoint expires, you can use only the VPC endpoint to connect to the RDS instance.

    • Internet access: Internet-based connections to the RDS instance are not affected.

  • Whitelist: If your RDS instance runs MySQL 5.6 or MySQL 5.7 on RDS High-availability Edition and uses local disks, you must change the IP address whitelist mode to the enhanced whitelist mode when you enable the hybrid access mode for the RDS instance. The IP addresses in the original whitelist are automatically replicated to a new enhanced whitelist for the classic network. For more information, see Change to the enhanced whitelist mode.

  • Read-only RDS instances: You must change the network type of the primary RDS instance from classic network to VPC in hybrid access mode, and then complete the hybrid access transformation of the read-only RDS instances.

    • If the primary RDS instance uses local disks, the read-only RDS instances and the primary RDS instance can reside in the same VPC or different VPCs.

    • If the primary RDS instance uses cloud disks, the read-only RDS instances and the primary RDS instance must reside in the same VPC.

Change the network type from classic network to VPC

  1. Log on to the ApsaraDB RDS console and go to the Instances page. In the top navigation bar, select the region in which your RDS instance resides. Then, find the RDS instance and click the instance ID.

  2. In the left-side navigation pane of the page that appears, click Database Connection.

  3. Click Switch to VPC.

    Note

    If Switch to VPC is not displayed, you must check whether your RDS instance meets the requirements described in Prerequisites.

  4. In the dialog box that appears, select a VPC and a vSwitch and specify whether to retain the classic network endpoint.

    • Select a VPC. We recommend that you select the VPC in which the ECS instance that you want to connect resides. If the ECS instance and the RDS instance reside in different VPCs, these instances cannot communicate over an internal network unless you use Cloud Enterprise Network (CEN) or VPN Gateway to enable network communication between the VPCs of these instances. For more information, see Overview of Alibaba Cloud CEN or Establish IPsec-VPN connections between two VPCs.

    • Select a vSwitch. If no vSwitches are available in the selected VPC, create a vSwitch in the zone in which the RDS instance resides. For more information, see Create and manage a vSwitch.

    • Select Reserve original classic endpoint. In this case, your RDS instance runs in hybrid access mode. Both classic network-type and VPC-type ECS instances can access your RDS instance over an internal network.

      Affected item: Instance connection

        • Classic network endpoint not retained (direct change): When you change the network type of an instance from classic network to VPC, the connection to the instance is momentarily disconnected and the classic network-type ECS instances that are connected to your RDS instance over an internal network are immediately disconnected.

        • Classic network endpoint retained (hybrid access mode enabled for smooth change): When you change the network type of an instance from classic network to VPC, the connection to the instance is not affected. The connection between each classic network-type ECS instance and the RDS instance remains available until the classic network endpoint expires.

      Affected item: Internal endpoint

        • Classic network endpoint not retained (direct change): Only one internal endpoint. After the change, the internal endpoint remains unchanged but the type of the internal endpoint is changed from classic network to VPC.

        • Classic network endpoint retained (hybrid access mode enabled for smooth change): Two internal endpoints. The internal endpoint of the classic network type is retained and an internal endpoint of the VPC type is generated.

      Affected item: Internal network access

        • Classic network endpoint not retained (direct change): If a different cloud service instance, such as an ECS instance, wants to access an RDS instance, the network type of the cloud service instance must be VPC.

        • Classic network endpoint retained (hybrid access mode enabled for smooth change): If a different cloud service instance, such as an ECS instance, wants to access an RDS instance, the network type of the cloud service instance can be classic network or VPC.

          • If the network type is classic network, the cloud service instance connects to the RDS instance by using the internal endpoint of the classic network type.

          • If the network type is VPC, the cloud service instance connects to the RDS instance by using the internal endpoint of the VPC type.

          After the classic network endpoint expires, you can use only the VPC endpoint to connect to the RDS instance.

      Affected items: Public endpoint and Internet access

        • Both options: Internet access is not affected because the public endpoint remains unchanged regardless of the method used to change the network type. Only the internal endpoint and internal network access are affected.

      Note
      • If you change the network type from classic network to VPC, no instance switchovers occur. The connection between each classic network-type ECS instance and the RDS instance remains available until the classic network endpoint expires.

      • Before the classic network endpoint expires, you must add the VPC endpoint to your application that runs on a VPC-type ECS instance. This allows the system to migrate your workloads to the selected VPC with no downtime.

  5. Add the private IP address of the required VPC-type ECS instance to an IP address whitelist of the VPC type on the RDS instance. This way, the ECS instance can access the RDS instance over an internal network. If no IP address whitelists of the VPC network type are available, create one.

  6. Add the VPC endpoint of your RDS instance to each required VPC-type ECS instance before the classic network endpoint expires.

    Note
    • If you want to connect a VPC-type ECS instance to the VPC-type RDS instance over an internal network, make sure that the instances reside in the same region and the same VPC. You can check whether the instances reside in the same VPC based on the VPC ID.

    • If you want to connect a classic network-type ECS instance to the VPC-type RDS instance over an internal network, you can use ClassicLink to establish a connection. Alternatively, you can migrate the ECS instance to the same VPC as the RDS instance. For more information, see Overview and Migrate ECS instances from the classic network to a VPC.

Change the expiration date of the internal endpoint of the classic network type

During the validity period of the hybrid access mode, you can change the expiration date of the classic network endpoint based on your business requirements. The expiration date is immediately recalculated starting from the day when you make the change. For example, the classic network endpoint is configured to expire on August 18, 2017. On August 15, 2017, you extend the validity period of the classic network endpoint by 14 days. In this case, the classic network endpoint is released on August 29, 2017.

To change the expiration date, perform the following operations:

  1. Log on to the ApsaraDB RDS console and go to the Instances page. In the top navigation bar, select the region in which your RDS instance resides. Then, find the RDS instance and click the instance ID.

  2. In the left-side navigation pane, click Database Connection.

  3. On the Instance Connection tab, click Change Expiration Time.

  4. In the Change Expiration Time dialog box, select an expiration date and click OK.
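
The following pre-release check is an added example, not part of the original page and not Alibaba Cloud code. It covers steps 5 and 6 of the network type change and the expiration rule described above: it flags applications that still connect through the classic network endpoint and VPC-type hosts whose private IP address is not covered by a VPC-type whitelist, and it computes the recalculated expiration date. The endpoint names, whitelist entry, and application inventory are constructed placeholders.

```python
import ipaddress
from datetime import date, timedelta
from urllib.parse import urlsplit

# Constructed placeholders: use the two internal endpoints of your instance.
CLASSIC_ENDPOINT = "rm-example-classic.mysql.rds.example.com"
VPC_ENDPOINT = "rm-example-vpc.mysql.rds.example.com"
VPC_WHITELIST = ["192.168.10.0/24"]  # constructed VPC-type whitelist entries
APPS = [  # constructed inventory: one row per application host
    {"name": "billing", "network": "vpc", "private_ip": "192.168.10.21",
     "dsn": "jdbc:mysql://rm-example-vpc.mysql.rds.example.com:3306/billing"},
    {"name": "reports", "network": "classic", "private_ip": "10.31.4.7",
     "dsn": "mysql://rm-example-classic.mysql.rds.example.com:3306/reports"},
    {"name": "batch", "network": "vpc", "private_ip": "192.168.20.5",
     "dsn": "mysql://rm-example-vpc.mysql.rds.example.com:3306/batch"},
]

def recalculated_expiry(change_day: date, extend_days: int) -> date:
    """The new expiry counts from the day of the change, not the old expiry."""
    return change_day + timedelta(days=extend_days)

def dsn_host(dsn: str) -> str:
    """Extract the host from a URL-style DSN, with or without a jdbc: prefix."""
    return urlsplit(dsn.removeprefix("jdbc:")).hostname or ""

def in_whitelist(private_ip: str, entries: list[str]) -> bool:
    """True if the IP matches a whitelist entry (single address or CIDR block)."""
    addr = ipaddress.ip_address(private_ip)
    return any(addr in ipaddress.ip_network(e, strict=False) for e in entries)

def cutover_report(apps, whitelist, expiry: date, today: date):
    """Return (days_left, findings) that block release of the classic endpoint."""
    findings = []
    for app in apps:
        host = dsn_host(app["dsn"])
        if host == CLASSIC_ENDPOINT:
            findings.append((app["name"], "still uses the classic network endpoint"))
        elif host != VPC_ENDPOINT:
            findings.append((app["name"], f"unknown database host {host!r}"))
        if app["network"] == "vpc" and not in_whitelist(app["private_ip"], whitelist):
            findings.append((app["name"], "private IP not in a VPC-type whitelist"))
    return (expiry - today).days, findings

if __name__ == "__main__":
    expiry = recalculated_expiry(date(2017, 8, 15), 14)  # the page's example
    days_left, findings = cutover_report(APPS, VPC_WHITELIST, expiry, date(2017, 8, 15))
    print(f"classic endpoint released on {expiry}, {days_left} days left")
    for name, issue in findings:
        print(f"  {name}: {issue}")
```

An empty findings list means every inventoried application already uses the VPC endpoint, so the classic network endpoint can be released without extending its expiration date.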

FAQ

Are the public endpoint and Internet access affected after the network type of an RDS instance is changed from classic network to VPC?

No, the public endpoint and Internet access are not affected. The network type change from classic network to VPC indicates that the classic network endpoint is changed to the VPC endpoint. The VPC endpoint is a type of internal endpoint and does not affect the public endpoint and Internet access.