Classic network instances cannot be isolated at the network layer, making them less secure and harder to integrate with on-premises infrastructure. This topic describes how to switch an ApsaraDB RDS for SQL Server instance from the classic network to a virtual private cloud (VPC).
From April 10, 2023, Alibaba Cloud no longer creates RDS for SQL Server instances on the classic network. Existing classic network instances can still be switched to VPC.
Network types
| Network type | Description |
|---|---|
| Classic network | Instances cannot be isolated at the network level. Access control relies on IP address whitelists or security groups only. Being phased out. |
| VPC | Each VPC is an isolated virtual network with its own route tables, CIDR blocks, and gateways. You can connect a VPC to your data center using Express Connect circuits or VPNs. Recommended. |
Switching between classic network and VPC is free of charge.
The switch from classic network to VPC is irreversible. You cannot revert a VPC instance to the classic network.
Limitations
Check whether any of the following conditions apply before you proceed:
| Condition | Impact | Options |
|---|---|---|
| Instance runs SQL Server 2008 R2 | Cannot switch directly to VPC | See SQL Server 2008 R2 workarounds below |
| Instance is a temporary instance | Cannot switch to VPC | Temporary instances support only the classic network |
SQL Server 2008 R2 workarounds
If your instance runs SQL Server 2008 R2, use one of the following alternatives:
Option 1 — Upgrade the major version: Upgrade to a later version and select VPC during the upgrade.
Option 2 — Migrate to a new instance: Create a new RDS instance with a VPC selected at purchase, then migrate your data to the new instance.
Option 3 — Release the classic network endpoint: On the Database Connection page, manually release the classic network endpoint. After the release, the instance is accessible only via its public endpoint. See Apply for or release a public endpoint.
A released classic network endpoint cannot be recovered. Confirm you no longer need it before releasing.
Test connectivity via the public endpoint before releasing the classic network endpoint.
View the current network type
Go to the Instances page. In the top navigation bar, select the region where your instance resides, then click the instance ID.
In the left-side navigation pane, click Database Connection. The network type is shown on the page.
Switch to VPC
If you do not retain the classic network endpoint, the switch causes a transient connection interruption of approximately 30 seconds. Plan the switch during a low-traffic window.
Prerequisites
Before you begin, ensure that you have:
An RDS for SQL Server instance on the classic network (not running SQL Server 2008 R2, and not a temporary instance)
A VPC in the same region as the instance
A vSwitch in the same zone as the instance
Steps
Go to the Instances page. In the top navigation bar, select the region where your instance resides, then click the instance ID.
In the left-side navigation pane, click Database Connection. On the Instance Connection tab, click Switch to VPC.
ImportantIf Switch to VPC is not visible, the instance is either already on a VPC or running SQL Server 2008 R2. See Limitations.
In the Switch to VPC dialog box, configure the following: VPC — Select the VPC where your Elastic Compute Service (ECS) instances reside. If the ECS and RDS instances are in different VPCs, they can communicate only over the public network unless you connect the VPCs using Cloud Enterprise Network (CEN) or VPN Gateway. See Overview of Alibaba Cloud CEN or Establish IPsec-VPN connections between two VPCs. vSwitch — Select a vSwitch in the target VPC. If no vSwitches are available, create one in the same zone as the instance. See Create a vSwitch. Reserve original classic endpoint — Choose how to handle the existing classic network endpoint: In hybrid access mode, ApsaraDB RDS sends an SMS to the mobile number bound to your Alibaba Cloud account once per day during the seven days before the classic network endpoint expires. Add the VPC endpoint to your application before expiry to complete the migration with no downtime. See Configure the hybrid access solution for an ApsaraDB RDS for SQL Server instance.
Setting Behavior Downtime Cleared (not retained) The classic network endpoint is removed immediately and replaced with a VPC endpoint. Classic network ECS instances are disconnected from the RDS instance immediately. Approximately 30 seconds Selected (retained) The classic network endpoint remains alongside the new VPC endpoint. The instance enters hybrid access mode, allowing both classic network and VPC ECS instances to connect over the internal network. The classic network endpoint remains active until it expires. None Add the internal IP address of each VPC-type ECS instance to an IP address whitelist on the RDS instance so those instances can connect over the internal network. If no VPC-type IP address whitelist exists, create one.
Find the internal IP address of an ECS instance on its Instance Details page in the ECS console.
Update connection strings in your applications to use the VPC endpoint:
If you retained the classic network endpoint: Add the VPC endpoint to each VPC-type ECS instance before the classic network endpoint expires.
If you did not retain the classic network endpoint: Update all applications on VPC-type ECS instances immediately, as classic network connectivity is already severed.
NoteTo allow an ECS instance in a classic network to connect to an RDS instance in a VPC over the internal network, you can use ClassicLink or switch the network type of the ECS instance to VPC.
If a classic network ECS instance needs to connect to the RDS instance after the switch, use ClassicLink to establish the connection, or migrate the ECS instance to the same VPC as the RDS instance. See Use ClassicLink to connect a classic network and a VPC.
API reference
Use the ModifyDBInstanceNetworkType API operation to switch the network type programmatically.