ApsaraDB RDS: Network isolation

Last Updated: Mar 28, 2026

ApsaraDB RDS supports multiple network isolation methods to control which clients can reach your database instance. The right approach depends on where your application runs relative to the RDS instance.

Access options at a glance

| Access scenario | Recommended method | Security level |
| --- | --- | --- |
| Application and RDS instance in the same VPC | VPC private access (default) | Highest |
| Application in an on-premises data center | VPC + leased line or VPN | High |
| Application accessing RDS from the Internet | Public endpoint | Not recommended |

VPC

A virtual private cloud (VPC) is a logically isolated private network. Traffic within a VPC is isolated at the network layer through underlying network protocols, so only resources inside the VPC can reach your RDS instance by default.

To connect an on-premises data center to the same VPC, use one of the following options:

  • Leased line: A dedicated physical connection for high throughput and low latency

  • VPN: A cost-effective option for connecting over the Internet with encryption

Both options let your data center servers and ECS instances access the RDS instance simultaneously. If your data center uses overlapping IP address ranges, use the customized CIDR block of the RDS instance in the VPC to resolve IP address resource conflicts.

For stronger access control, combine VPC isolation with IP address whitelists. The IP address whitelist applies to all connections — both private and public — and lets you restrict access to specific IP addresses or CIDR blocks.

For more information, see What is a VPC?

Public endpoint

By default, a VPC-hosted RDS instance has no public IP address and cannot be reached from the Internet. Apply for a public endpoint only when your client must connect from outside the VPC, such as from:

  • ECS elastic IP addresses (EIPs)

  • The Internet egress of your data center

Important

A public endpoint exposes your RDS instance to the Internet. Configure an IP address whitelist before enabling a public endpoint to make sure only known IP addresses can connect.

Exposing a database on the Internet significantly increases its attack surface. If your use case allows it, connect through a VPC with a leased line or VPN instead.
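As an added example (not part of the original documentation or of any ApsaraDB RDS tooling), the following Python script reviews a whitelist the way you would before enabling a public endpoint: it flags entries that admit the whole Internet or very wide ranges, checks whether a given client address is actually covered, and tests whether an on-premises range collides with the VPC range as described above. The 16-bit width threshold and all sample addresses are assumptions constructed for this example.

```python
import ipaddress
from typing import Iterable

# Widest prefix accepted without a finding. This threshold is an assumption
# for this example, not a limit imposed by ApsaraDB RDS.
MAX_PREFIX_WIDTH = 16


def parse_entry(entry: str):
    """Parse a whitelist entry written as a bare IP address or a CIDR block."""
    return ipaddress.ip_network(entry.strip(), strict=False)


def audit_whitelist(entries: Iterable[str]) -> list:
    """Return one finding per entry that defeats the purpose of the whitelist."""
    findings = []
    for entry in entries:
        net = parse_entry(entry)
        if net.prefixlen == 0:
            findings.append(f"{entry}: allows every address on the Internet")
        elif net.prefixlen < MAX_PREFIX_WIDTH:
            findings.append(f"{entry}: covers {net.num_addresses} addresses; narrow it")
    return findings


def is_allowed(client_ip: str, entries: Iterable[str]) -> bool:
    """True if client_ip falls inside at least one whitelist entry."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in parse_entry(e) for e in entries)


def ranges_overlap(data_center_cidr: str, vpc_cidr: str) -> bool:
    """True when the on-premises range collides with the VPC range."""
    return parse_entry(data_center_cidr).overlaps(parse_entry(vpc_cidr))


if __name__ == "__main__":
    # Constructed sample whitelist: two narrow entries and one catch-all.
    whitelist = ["203.0.113.10", "198.51.100.0/24", "0.0.0.0/0"]
    for finding in audit_whitelist(whitelist):
        print("FINDING:", finding)
    print("client 198.51.100.7 allowed:", is_allowed("198.51.100.7", whitelist))
    # Constructed data center and VPC ranges that overlap.
    print("ranges overlap:", ranges_overlap("10.0.0.0/8", "10.1.0.0/16"))
```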

For steps to enable a public endpoint, see Apply for or release a public endpoint for an ApsaraDB RDS for MySQL instance.