ApsaraDB RDS provides multiple network isolation mechanisms to control who can access your database instance and from where.
Choose a network access method
| Method | How it works | When to use |
|---|---|---|
| VPC (recommended) | Restricts access to resources within the same virtual private cloud (VPC), with no public exposure | Production workloads, sensitive data, applications running on ECS in the same VPC |
| VPC + public endpoint | Combines VPC isolation with an optional public endpoint for Internet access | Scenarios where external access is required; not recommended |
VPC
A VPC is a private network that isolates your traffic at the network layer using underlying network protocols. Placing an RDS instance in a VPC ensures it can only be reached by resources within that VPC by default.
Combined with IP address whitelists, VPC isolation gives you an additional layer of access control to increase security.
Connecting from outside the VPC
To reach an RDS instance in a VPC from your on-premises data center, connect through one of the following:
- A leased line (dedicated physical connection)
- A VPN
You can also use the customized CIDR block of an RDS instance in a VPC to resolve IP address resource conflicts. This lets you access the instance simultaneously from an Elastic Compute Service (ECS) instance and a server in your data center.
For more information, see What is a VPC?
Public endpoint
By default, an RDS instance in a VPC can only be accessed from an ECS instance that resides in the same VPC. To allow Internet access, apply for a public endpoint. This method is not recommended.
Configure an IP address whitelist before you apply for a public endpoint. Internet access requests may originate from ECS elastic IP addresses (EIPs) or the Internet egress of your data center.
IP address whitelists apply to all connections to the RDS instance.
For instructions, see Apply for or release a public endpoint for an ApsaraDB RDS for MySQL instance.
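The whitelist guidance above can be checked before a public endpoint goes live. The following is an added example, not Alibaba Cloud code: the inventory format, field names, instance IDs and addresses are constructed, and it assumes IPv4 whitelists and a VPC that uses RFC 1918 address ranges.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample data. Field names are hypothetical, not an ApsaraDB RDS API schema.
EXPECTED_SOURCES = ["203.0.113.10/32",  # ECS elastic IP address (constructed)
                    "198.51.100.0/28"]  # data center Internet egress (constructed)
INSTANCES = [
    {"id": "rds-example-a", "public_endpoint": False, "whitelist": ["10.0.0.0/16"]},
    {"id": "rds-example-b", "public_endpoint": True, "whitelist": ["10.0.0.0/16", "203.0.113.10"]},
    {"id": "rds-example-c", "public_endpoint": True, "whitelist": ["0.0.0.0/0"]},
    {"id": "rds-example-d", "public_endpoint": True, "whitelist": ["10.0.0.0/16"]},
    {"id": "rds-example-e", "public_endpoint": True, "whitelist": ["198.51.100.0/24"]},
]

def _within(net, ranges):
    """True if net lies entirely inside one of the given networks."""
    return any(net.version == r.version and net.subnet_of(r) for r in ranges)

def audit_instance(inst, expected_sources):
    """Return findings for one instance; an empty list means nothing to report."""
    if not inst["public_endpoint"]:
        return []  # reachable only from inside the VPC
    expected = [ipaddress.ip_network(s, strict=False) for s in expected_sources]
    findings, internet_entries = [], 0
    for entry in inst["whitelist"]:
        net = ipaddress.ip_network(entry, strict=False)
        if _within(net, RFC1918):
            continue  # VPC-internal range, not reachable through the public endpoint
        internet_entries += 1
        if not _within(net, expected):
            findings.append(f"{entry}: wider than or outside the expected Internet sources")
    if internet_entries == 0:
        findings.append("no Internet source whitelisted: public endpoint is a candidate for release")
    return findings

def audit_all(instances, expected_sources):
    """Map each instance ID to its list of findings."""
    return {i["id"]: audit_instance(i, expected_sources) for i in instances}

if __name__ == "__main__":
    for inst_id, findings in audit_all(INSTANCES, EXPECTED_SOURCES).items():
        for finding in findings:
            print(f"{inst_id}: {finding}")
```

The explicit RFC 1918 list is used instead of `ipaddress`'s `is_private` property, which also reports `0.0.0.0/0` and documentation ranges as private.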