ApsaraDB RDS supports two connection paths: over the Internet using a public endpoint, or over an internal network using an internal endpoint. Use the internal network path whenever possible — it's faster and more secure.
RDS instances no longer support the classic network type. Connect to an RDS instance over a virtual private cloud (VPC). If you change the network type of an RDS instance from classic network to VPC, or enable hybrid access mode, only the internal endpoint changes — access through the public endpoint is not affected. You can check the network type of the RDS instance and choose a connection method based on the network type — see Use a client or the CLI to connect to an ApsaraDB RDS for MySQL instance. For details on the phase-out timeline, see [Product changes] Alibaba Cloud plans to phase out ApsaraDB RDS instances of the classic network type.
Connect over the Internet
To connect over the Internet, use the public endpoint of the RDS instance. By default, RDS instances don't have a public endpoint — you must apply for one first. See Apply for or release a public endpoint.
Using a public endpoint exposes your instance to the Internet. For better security and throughput, deploy your application on an Elastic Compute Service (ECS) instance in the same region and VPC as your RDS instance, then connect via the internal endpoint.
Traffic costs when connecting over the Internet:
| Traffic direction | Cost |
|---|---|
| RDS instance → ECS instance | Free |
| ECS instance → RDS instance | Charged |
After you obtain a public endpoint, connect using the method for your database engine. See What's next.
Connect over an internal network
To connect over an internal network, use the internal endpoint of the RDS instance. To view the internal endpoint, see View and manage instance endpoints and ports.
Internal network connections are supported from Data Management (DMS) and from ECS instances. For on-premises data centers, use Cloud Enterprise Network (CEN) to establish connectivity — see Use CEN to enable intra-region network communication.
Choose your scenario
Select the scenario that matches your setup:
Scenario 1: ECS instance in the same VPC as the RDS instance
This is the most common setup. Before connecting, confirm:
- The ECS instance and the RDS instance use the same network type.
- The ECS instance and the RDS instance are in the same VPC, the same region, and the same Alibaba Cloud account.
- The private IP address of the ECS instance is added to the IP address whitelist of the RDS instance. See Configure a whitelist.
When all conditions are met, connect using the internal endpoint of the RDS instance.
Scenario 2: ECS instance in a different VPC or a different region
If the ECS and RDS instances are in different VPCs or different regions, use one of the following options:
| Option | Best for | Cost |
|---|---|---|
| VPC peering connections | Two VPCs that need to communicate, regardless of account or region | Free within the same region |
| CEN — same region, different regions, or different accounts | Complex topologies spanning multiple regions or accounts | Varies |
Scenario 3: On-premises data center
Use CEN to enable internal network communication between your data center and the RDS instance. See Use CEN to enable intra-region network communication.
FAQ
How do I block Internet access to my RDS instance?
Make sure the IP address whitelists on your RDS instance contain only private IP addresses. Alternatively, release the public endpoint entirely. See Apply for or release a public endpoint.
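The whitelist conditions from Scenario 1 and from this answer can be checked offline against an exported whitelist. The following is an added example, not Alibaba Cloud code: the function names, the comma-separated input format, the sample entries, and the choice to treat only RFC 1918 ranges as private are assumptions.

```python
import ipaddress

# Assumption: "private" means the RFC 1918 ranges; loopback is listed separately.
RFC1918 = [ipaddress.IPv4Network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LOOPBACK = ipaddress.IPv4Network("127.0.0.0/8")

# Constructed sample whitelist, not taken from a real instance.
SAMPLE = ("10.0.1.0/24, 192.168.0.15, 0.0.0.0/0, 203.0.113.7, "
          "127.0.0.1, 172.32.0.0/16, not-an-ip")


def classify(entry):
    """Return 'private', 'loopback', 'public' or 'invalid' for one entry."""
    try:
        # strict=False tolerates host bits in a CIDR entry such as 10.0.1.5/24.
        net = ipaddress.IPv4Network(entry.strip(), strict=False)
    except ValueError:
        return "invalid"  # not IPv4 (or malformed): review by hand
    if any(net.subnet_of(r) for r in RFC1918):
        return "private"
    if net.subnet_of(LOOPBACK):
        return "loopback"
    # Anything not fully inside a private range can admit Internet sources,
    # including 0.0.0.0/0 and near misses such as 172.32.0.0/16.
    return "public"


def audit_whitelist(whitelist, client_ip):
    """Group entries by class and check that client_ip is covered by one."""
    report = {"private": [], "loopback": [], "public": [], "invalid": []}
    for entry in (e.strip() for e in whitelist.split(",")):
        if entry:
            report[classify(entry)].append(entry)
    client = ipaddress.IPv4Address(client_ip)
    valid = report["private"] + report["loopback"] + report["public"]
    report["client_allowed"] = any(
        client in ipaddress.IPv4Network(e, strict=False) for e in valid)
    report["has_public_entries"] = bool(report["public"])
    return report


if __name__ == "__main__":
    for key, value in audit_whitelist(SAMPLE, "10.0.1.23").items():
        print(f"{key}: {value}")
```

Any entry reported under `public` or `invalid` is a candidate for removal before relying on the internal endpoint alone.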
Why can't I change the network type from VPC back to classic network?
Some RDS instances support only VPC and cannot be switched back to the classic network type. To find out which instances support the switch, see Change the network type.
My RDS instance disconnects even though the public IP address is whitelisted. What's wrong?
The public IP address of your client likely changed. Add the new public IP address to the IP address whitelist of your RDS instance.
How do I view the public IP address of my RDS instance?
Get the public endpoint of the RDS instance and ping it from a Windows or Linux machine. The ping output shows the resolved IP address.
Can I predict the public IP address ranges of my RDS instance?
No. The public IP address ranges of an RDS instance change dynamically and cannot be predicted.
Does enabling a public endpoint affect the internal endpoint?
No. Enabling or disabling a public endpoint has no effect on the internal endpoint.
Why can't I find my database after logging in to my RDS instance through DMS?
The database metadata may not be synchronized. In DMS, move the pointer over the instance name and click the refresh button on the right side of the instance name to reload the database list.
Am I charged for traffic between an ECS instance and an RDS instance in the same VPC?
No. Traffic within the same VPC is free of charge.
Can I connect to the host running my RDS instance via SSH or RDP?
No. Direct host access via Secure Shell (SSH) or Remote Desktop Protocol (RDP) is not supported. Connect to the RDS instance using its endpoint.
What's next
Connect to your RDS instance using the method for your database engine: