All Products
Search

This Product

    ApsaraDB RDS:Configure the hybrid access solution for an ApsaraDB RDS for PostgreSQL instance

    Document Center

    ApsaraDB RDS:Configure the hybrid access solution for an ApsaraDB RDS for PostgreSQL instance

    Last Updated:Apr 29, 2025

    This topic describes how to configure the hybrid access solution for an ApsaraDB RDS for PostgreSQL instance. This solution allows you to migrate your RDS instance from the classic network to a virtual private cloud (VPC) without network interruptions.

    Background information

    When you migrate an RDS instance from the classic network to a VPC, the internal classic network endpoint changes to an internal VPC endpoint (the connection string remains unchanged, but the IP address changes). This causes a transient connection that lasts less than 30 seconds. Additionally, ECS instances in the classic network can no longer connect to the RDS instance over the internal network. To ensure a smooth network migration, ApsaraDB RDS provides the hybrid access solution.

    Hybrid access means that your RDS instance can be connected by both ECS instances in the classic network and ECS instances in VPCs. With the hybrid access solution, ApsaraDB RDS retains the internal classic network endpoint and generates an internal VPC endpoint. This prevents transient connections when you migrate your RDS instance from the classic network to a VPC.

    For security and performance purposes, we recommend that you use only the VPC type. You must specify a validity period for the hybrid access mode. When the hybrid access mode expires, the system releases the original internal endpoint of the classic network type and you cannot use the endpoint to connect your applications to your RDS instance. To prevent impacts on your business, you must add the VPC endpoint to your applications before the hybrid access solution expires. This ensures a smooth migration and prevents interruptions to your workloads.

    For example, a company uses the hybrid access mode to change the network type of an RDS instance from classic network to VPC. During the validity period of the hybrid access mode, some applications use the internal endpoint of the VPC type to connect to the RDS instance, while other applications continue to use the internal endpoint of the classic network type. When all applications can use the internal endpoint of the VPC type to connect to the RDS instance, you can release the internal endpoint of the classic network type.

    Prerequisites

    • The RDS instance resides in the classic network.

    • Available VPCs and vSwitches exist in the zone in which the RDS instance resides. For more information about how to create a VPC and a vSwitch, see Manage a VPC.

    Consideration

    • During the hybrid access period: You cannot switch back to the classic network or migrate the instance across zones.

    • Impact on instance endpoints:

      • Internal endpoints: The internal classic network endpoint is retained, and an internal VPC endpoint is automatically generated.

      • Public endpoints: The hybrid access solution does not affect the public endpoint of the RDS instance.

    • Impact on instance access:

      • Internal access: After the hybrid access solution is enabled for the RDS instance, other cloud services such as ECS can connect to the RDS instance over the classic network by using the internal classic network endpoint or over a VPC by using the internal VPC endpoint. After the classic network endpoint expires, you can use only the VPC endpoint to connect to the RDS instance.

      • Internet access: The hybrid access solution does not affect Internet access to the RDS instance.

    • Read-only instances: You must first migrate the primary RDS instance from the classic network to a VPC by using the hybrid access solution. Then, you can configure the hybrid access solution for the read-only instances.

      • If local disks are used, you can select any VPC for the read-only instances.

      • If standard SSDs or ESSDs are used, you can select only the VPC of the primary RDS instance.

    Change the network type from classic network to VPC

    1. Visit the RDS Instances page, select a region at the top, and then click the ID of the target instance.

    2. In the left-side navigation pane, click Database Connection.

    3. Click Switch To VPC.

    4. In the dialog box that appears, select a VPC and a vSwitch and specify whether to retain the classic network endpoint.

      • Select a VPC. We recommend that you select the VPC where your ECS instance resides. Otherwise, the ECS instance cannot communicate with the RDS instance over the internal network unless you create a Cloud Enterprise Network or VPN Gateway between the two VPCs.

      • Select a vSwitch. If no vSwitch exists in the selected VPC, create a vSwitch in the same zone as the RDS instance. For more information, see Manage a vSwitch.

      • Specify whether to select Reserve Original Classic Network Endpoint. The following table describes the differences between the two options.

        Affected item

        Reserve Original Classic Network Endpoint

        (Enable hybrid access)

        Do Not Reserve Original Classic Network Endpoint

        (Direct switch)

        Transient connections

        If you change the network type from classic network to VPC, no instance switchovers occur. The connection between each classic network-type ECS instance and the RDS instance remains available until the classic network endpoint expires.

        If you change the network type from classic network to VPC, instance switchovers occur. The connection between each classic network-type ECS instance and the RDS instance is immediately closed.

        Internal endpoints

        Two internal endpoints are available: The internal classic network endpoint is retained, and an internal VPC endpoint is automatically generated.

        Only one internal endpoint is available: The internal endpoint (connection string) remains unchanged, but the network type changes from classic network to VPC.

        Internal access

        After the hybrid access solution is enabled for the RDS instance, other cloud services such as ECS can connect to the RDS instance over the following network types:

        • Classic network: Use the internal classic network endpoint to connect to the RDS instance.

        • VPC: Use the internal VPC endpoint to connect to the RDS instance.

        After the classic network endpoint expires, you can use only the VPC endpoint to connect to the RDS instance.

        After the network type of the RDS instance is changed to VPC, other cloud services such as ECS can connect to the RDS instance only over VPCs.

        Public endpoints

        The public endpoint remains unchanged regardless of whether you change the network type from classic network to VPC. Therefore, the change of network type does not affect Internet access to the RDS instance. The change affects only the internal endpoint and internal access to the RDS instance.

        Internet access

        Note

        • If you change the network type from classic network to VPC, no instance switchovers occur. The connection between each classic network-type ECS instance and the RDS instance remains available until the classic network endpoint expires.

        • Before the classic network endpoint expires, add the VPC endpoint to your application that runs on a VPC-hosted ECS instance. This allows ApsaraDB RDS to migrate your workloads to the selected VPC without downtime.

    5. Add the internal IP addresses of VPC-type ECS instances to an IP address whitelist of the VPC network type of the RDS instance. This allows the ECS instances to connect to the RDS instance over the internal network. If no IP address whitelists of the VPC network type are available, you can create one.

    6. (Optional) On the Database Connection page, view the endpoint of the RDS instance whose Network Type is VPC.

    Change the expiration date of the internal classic network endpoint

    During the validity period of the hybrid access mode, you can change the expiration date of the classic network endpoint based on your business requirements. The expiration date is immediately recalculated starting from the day when you make the change. For example, the classic network endpoint is configured to expire on August 18, 2017. On August 15, 2017, you extend the validity period of the classic network endpoint by 14 days. In this case, the classic network endpoint is released on August 29, 2017.

    To change the expiration date, perform the following operations:

    1. Visit the RDS Instances page, select a region at the top, and then click the ID of the target instance.

    2. In the left-side navigation pane, click Database Connection.

    3. On the Instance Connection tab, click Change Expiration Time.

    4. On the Change Expiration Time confirmation page, select an expiration time and click OK.

    FAQ

    Q: Are the public endpoint and Internet access affected after the network type of an RDS instance is changed from classic network to VPC?

    A: No, the public endpoint and Internet access are not affected. The network type change from classic network to VPC indicates that the classic network endpoint is changed to the VPC endpoint. The VPC endpoint is a type of internal endpoint and does not affect the public endpoint and Internet access.