ApsaraDB RDS provides multiple network isolation methods to ensure the network security of an ApsaraDB RDS instance. By default, an RDS instance residing in a VPC can only be accessed from within that VPC. You can also apply for a public endpoint to receive access requests from the Internet.
Network controls at a glance
ApsaraDB RDS combines two complementary controls:
| Control | What it does | Required |
|---|---|---|
| VPC | Isolates network traffic at the network layer using underlying network protocols | Recommended for advanced access control |
| IP address whitelist | Restricts which IP addresses can connect to the RDS instance | Required — effective for all connections |
| Public endpoint | Opens the instance to Internet access | Only when clients outside the VPC need direct access |
Use VPCs and IP address whitelists together for the strongest security posture.
Access scenarios
Clients inside a VPC
By default, only Elastic Compute Service (ECS) instances in the same VPC can connect to an RDS instance. This is the recommended and most secure setup.
Clients in your data center
Connect your data center to Alibaba Cloud over a leased line or VPN. To avoid IP address conflicts between your on-premises network and the VPC, use the customized CIDR block of the RDS instance. This lets you access the instance simultaneously from both data center servers and ECS instances.
Clients on the Internet
Exposing an RDS instance via a public endpoint increases its attack surface. This method is not recommended. If you must use it, configure IP address whitelists before applying for a public endpoint to limit which addresses are allowed to connect.
Applying for a public endpoint opens the instance to Internet access from sources including:
ECS elastic IP addresses (EIPs)
The Internet egress of your data center
For instructions, see Apply for or release a public endpoint for an ApsaraDB RDS for MySQL instance.
What's next
What is a VPC? — Learn how VPCs isolate network traffic and how to configure them for your environment.