All Products
Search
Document Center

ApsaraDB RDS:(Optional) Configure an ECS security group

Last Updated:Jun 20, 2026

You can use the one-click cloud migration feature to migrate a self-managed PostgreSQL database from an ECS instance to ApsaraDB RDS for PostgreSQL. To do this, configure the security group of the ECS instance to allow the ApsaraDB RDS for PostgreSQL instance to access the port of your self-managed database.

Prerequisites

Your ECS instance must meet the following conditions:

  • The ECS instance and the ApsaraDB RDS for PostgreSQL instance must be in the same VPC.

  • A PostgreSQL database must be deployed on the ECS instance.

Procedure

  1. Log on to the ECS console.

  2. In the left-side navigation pane, choose Instances & Images > Instance.

  3. In the upper-left corner of the top menu bar, select a region.

  4. Find the target ECS instance and click its instance ID.

  5. On the Security Group tab, click the security group ID.

  6. On the Security Group Details page, in the Rules section, click the Add Rule button on the Inbound tab to add the following rules.

    The following table describes the required parameters.

    Protocol

    Destination

    Access Source

    All ICMP

    Leave this parameter at its default value: All(-1/-1).

    Set this to the VPC CIDR Block of the ApsaraDB RDS for PostgreSQL instance.

    How to find the VPC CIDR block

    1. Log on to the ApsaraDB RDS console and go to the Instances page. In the top navigation bar, select the region in which the RDS instance resides. Then, find the RDS instance and click the instance ID.

    2. In the left navigation bar, click Database Connection, and view the VPC CIDR block under Network Type. On the Database Connection page for the instance, you can view the Network Type (Virtual Private Cloud (VPC)), the VPC CIDR block (such as 172.1x.xxx.xx/12), the internal endpoint (such as pgm-bp**.rds.aliyuncs.com), and the status of the public endpoint. Note the VPC CIDR block information because you may need it for future network configurations.

    Custom TCP

    Set this to the port of the self-managed PostgreSQL database on the ECS instance. You can run the netstat -a | grep PGSQL command to find the port.

Next steps

Configure the postgresql.conf file