ECS and RDS instances under different Alibaba Cloud accounts cannot communicate through the internal network by default. Three methods are available to establish cross-account connectivity, each suited to different scenarios.
Supported engines
ApsaraDB RDS for MySQL
ApsaraDB RDS for SQL Server
ApsaraDB RDS for PostgreSQL
Choose a method
| Method | Best for | Network | Latency | Complexity |
|---|---|---|---|---|
| Migrate the RDS instance | Consolidating resources under one account | Internal | Low | Low |
| Cloud Enterprise Network (CEN) or VPN Gateway | Keeping instances under separate accounts with private connectivity | Internal (cross-VPC) | Low | Medium |
| Public endpoint | Quick testing or temporary access | Internet | Higher | Low |
Migrate the RDS instance if you can consolidate resources under one Alibaba Cloud account. Both instances then share the same VPC and internal network.
If the instances must stay under separate accounts, use CEN or VPN Gateway to create a private connection between the two VPCs. This preserves internal-network performance without exposing the database to the internet.
Use the public endpoint only for short-term scenarios such as testing. Internet-based connections have higher latency and require additional security measures.
Method 1: Migrate the RDS instance to the ECS account
Move the database to the same Alibaba Cloud account as the ECS instance so they can communicate through the internal network directly.
Procedure
Log on to the RDS purchase page with the Alibaba Cloud account that owns the ECS instance. Purchase a new RDS instance with the same engine and specifications as the original.
Use Data Transmission Service (DTS) to migrate data from the original RDS instance to the new one. For more information, see Migrate data between ApsaraDB RDS instances.
After the migration is complete, verify data integrity on the new instance. Then release the original RDS instance.
Verify the connection
After migration, connect from the ECS instance to the new RDS instance using its internal endpoint:
mysql -h <internal-endpoint> -u <username> -p
Replace <internal-endpoint> with the internal endpoint of the new RDS instance, and <username> with your database account.
Method 2: Connect through CEN or VPN Gateway
Keep the ECS and RDS instances under separate Alibaba Cloud accounts and establish private network connectivity between their VPCs.
Prerequisites
Before you begin, make sure that:
Both the ECS instance and the RDS instance use the VPC network type
If the ECS instance uses the classic network, migrate it to VPC first
If the RDS instance uses the classic network, switch it to VPC first
The CIDR blocks of the two VPCs do not overlap. Overlapping CIDR blocks prevent CEN or VPN Gateway from establishing a connection
Both account owners are available to complete their respective configuration steps
Procedure
This method requires coordination between two Alibaba Cloud account owners (Account A for the ECS instance, Account B for the RDS instance).
Step 1: Establish cross-VPC connectivity
Set up Cloud Enterprise Network (CEN) or VPN Gateway to connect the two VPCs across accounts.
CEN (recommended for ongoing cross-account access): One account owner creates a CEN instance and attaches both VPCs. The other account owner must authorize the attachment.
VPN Gateway: Set up an IPsec VPN connection between the two VPCs. Each account owner configures a VPN Gateway in their own VPC.
Step 2: Add the ECS CIDR block to the RDS whitelist
After the VPCs are connected, the RDS instance still blocks traffic unless you explicitly allow it. On Account B, add the CIDR block or IP address of the ECS instance to the RDS whitelist. For more information, see Configure an IP address whitelist.
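The two checks that most often break this method are the non-overlapping CIDR prerequisite and a whitelist that does not actually contain the ECS address. The following pre-flight check is an added example, not part of the Alibaba Cloud documentation; the VPC CIDR blocks, ECS private IP and whitelist entries are constructed sample values, and the check treats a bare IP whitelist entry as a /32 and flags 0.0.0.0/0 as overly broad.

```python
import ipaddress


def vpcs_overlap(cidr_a: str, cidr_b: str) -> bool:
    """True if the two VPC CIDR blocks share any address.

    CEN and VPN Gateway require the connected VPCs not to overlap.
    """
    a = ipaddress.ip_network(cidr_a, strict=False)
    b = ipaddress.ip_network(cidr_b, strict=False)
    return a.overlaps(b)


def whitelist_covers(whitelist: list[str], ecs_ip: str) -> bool:
    """True if any RDS whitelist entry (single IP or CIDR) contains ecs_ip."""
    ip = ipaddress.ip_address(ecs_ip)
    # A bare address such as 10.0.1.25 parses as a /32 network.
    return any(ip in ipaddress.ip_network(e, strict=False) for e in whitelist)


def preflight(ecs_vpc_cidr: str, rds_vpc_cidr: str,
              ecs_ip: str, rds_whitelist: list[str]) -> list[str]:
    """Return a list of problems; an empty list means the setup looks consistent."""
    problems = []
    if vpcs_overlap(ecs_vpc_cidr, rds_vpc_cidr):
        problems.append(f"VPC CIDR blocks overlap: {ecs_vpc_cidr} and {rds_vpc_cidr}")
    if ipaddress.ip_address(ecs_ip) not in ipaddress.ip_network(ecs_vpc_cidr, strict=False):
        problems.append(f"ECS IP {ecs_ip} is not inside the ECS VPC {ecs_vpc_cidr}")
    if not whitelist_covers(rds_whitelist, ecs_ip):
        problems.append(f"RDS whitelist {rds_whitelist} does not cover ECS IP {ecs_ip}")
    for entry in rds_whitelist:
        if ipaddress.ip_network(entry, strict=False).prefixlen == 0:
            problems.append(f"whitelist entry {entry} allows every address; restrict it")
    return problems


if __name__ == "__main__":
    # Constructed sample values for Account A (ECS) and Account B (RDS).
    for problem in preflight("10.0.0.0/16", "192.168.0.0/16", "10.0.1.25", ["127.0.0.1"]):
        print("problem:", problem)
```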
Verify the connection
From the ECS instance, test connectivity to the RDS internal endpoint:
# Test network reachability
telnet <rds-internal-endpoint> <port>
# Test database connection
mysql -h <rds-internal-endpoint> -u <username> -p
Replace <rds-internal-endpoint> and <port> with the internal endpoint and port of the RDS instance.
Method 3: Connect through the public endpoint
Access the RDS instance over the internet instead of the internal network.
Procedure
Allocate a public endpoint for the RDS instance and configure the RDS IP address whitelist to allow the public IP address of the ECS instance.
Connect from the ECS instance using the RDS public endpoint.
For more information, see Connect to an ApsaraDB RDS instance.
Public endpoint connections traverse the internet. Use SSL encryption and restrict the IP address whitelist to minimize security exposure.
Verify the connection
mysql -h <public-endpoint> -u <username> -p
Replace <public-endpoint> with the public endpoint of the RDS instance.