ApsaraDB RDS provides multiple layers of built-in data protection. Alibaba Cloud secures the underlying infrastructure, while you are responsible for configuring access controls for your instances.
How it works
RDS security operates across three layers, from the network perimeter inward:
| Layer | Mechanism | What it does |
|---|---|---|
| Network perimeter | DDoS attack detection and mitigation | Blocks malicious traffic before it reaches your instances |
| Access control | IP address whitelists and account isolation | Restricts who can connect and what they can access |
| System isolation | Firewalls, restricted host access, and inbound-only connections | Limits the attack surface of each instance |
DDoS attack prevention
RDS instances exposed to the Internet are vulnerable to distributed denial-of-service (DDoS) attacks. When an attack is detected, the security system responds in two stages:
1. Traffic scrubbing — Filters malicious inbound traffic while allowing legitimate requests through.
2. Blackhole filtering — If traffic scrubbing is ineffective or the attack volume exceeds the blackhole filtering threshold, blackhole filtering is triggered to protect instance availability.
We recommend that you access RDS instances over the internal network to prevent DDoS attacks. For details, see Protection against attacks.
Access control
RDS supports two mechanisms to control who can access your databases:
| Mechanism | Description |
|---|---|
| IP address whitelist | Only requests from IP addresses on the whitelist are allowed to connect to the RDS instance |
| Account isolation | Resources across Alibaba Cloud accounts are logically isolated — each account can view and manage only its own databases |
For details, see Access control.
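
The following sketch audits an IP address whitelist for entries that widen exposure beyond the internal network. It is an added example, not Alibaba Cloud code; the function name, the 256-address threshold, and the treatment of RFC 1918 and unique-local ranges as "internal" are assumptions, and the sample entries are constructed.

```python
import ipaddress

# Assumption: "internal network" means RFC 1918 (IPv4) or unique-local (IPv6) space.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]
# Assumption: a public block larger than this is too broad for a database whitelist.
MAX_PUBLIC_ADDRESSES = 256


def audit_whitelist(entries):
    """Return (entry, severity, reason) for each entry that needs attention."""
    findings = []
    for raw in entries:
        entry = raw.strip()
        try:
            # strict=False accepts a host address written with a prefix length
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            findings.append((entry, "error", "not a valid IP address or CIDR block"))
            continue
        if net.prefixlen == 0:
            findings.append((entry, "critical", "matches every source address"))
        elif any(net.version == r.version and net.subnet_of(r) for r in INTERNAL):
            continue  # internal range: consistent with access over the internal network
        elif net.num_addresses > MAX_PUBLIC_ADDRESSES:
            findings.append((entry, "high", f"public block of {net.num_addresses} addresses"))
        else:
            findings.append((entry, "review", "public source; confirm it is still needed"))
    return findings


# Constructed sample whitelist (private and documentation ranges, one malformed entry).
SAMPLE = ["10.0.0.0/8", "192.168.1.15", "0.0.0.0/0", "203.0.113.7",
          "198.51.100.0/22", "10.0.0.300"]

if __name__ == "__main__":
    for entry, severity, reason in audit_whitelist(SAMPLE):
        print(f"{severity:8} {entry:18} {reason}")
```
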
System security
Each RDS instance is protected by the following system-level controls:
| Control | Description |
|---|---|
| Multi-layer firewalls | Block a wide range of network-based attacks before they reach the instance |
| No direct host access | Physical hosts running RDS instances are not directly accessible — instances are reachable only through their assigned endpoints and ports |
| Inbound-only connections | RDS instances cannot initiate outbound connections — they only accept incoming access requests |
For details, see Network isolation.
Professional security team
Alibaba Cloud security experts provide technical support to ensure the security of ApsaraDB RDS instances.