
Data Transmission Service: What is a VPC data channel

Last Updated: Dec 26, 2025

When you connect a database in your data center to Data Transmission Service (DTS) using a leased line or VPN Gateway, DTS provides the VPC data channel feature to simplify complex network configurations. This feature creates an Elastic Network Interface (ENI) in your virtual private cloud (VPC). The ENI allows DTS to securely access your database directly through a private endpoint. This simplifies the network architecture and reduces the scope of the required security whitelist.

Feature Overview

The VPC data channel is an efficient and secure network connection solution that is built on Alibaba Cloud PrivateLink. It works as follows:

  • Enable the service: When you use this feature, DTS checks if you have enabled PrivateLink. If not, DTS automatically enables it for you.

  • Create network access points: When you configure a DTS task, you must specify a vSwitch in a primary zone and a vSwitch in a secondary zone within your VPC. DTS then creates an ENI on each selected vSwitch. These two ENIs become the network access points for DTS in your VPC.

  • Reuse resources and save IP addresses: DTS uses only existing vSwitches in your VPC and does not create new ones. Each VPC data channel uses at least two IP addresses: one for the primary ENI and one for the secondary ENI. If you create multiple DTS tasks in the same VPC and select the same primary and secondary vSwitches, DTS reuses the existing VPC data channel without using additional IP addresses. To make reuse easier, DTS automatically populates the vSwitch information that you last used.

  • No interference with network planning: This feature only attaches ENIs to your specified vSwitches. It does not modify the route table of your VPC. This ensures no interference with your existing network planning.

Advantages

  • Simplified network architecture
    You can simplify the network architecture by planning your network in advance. You only need to add the CIDR block of the vSwitch where the ENI resides to the VPC route table and the database whitelist. DTS then automatically creates a VPC data channel to connect to the database.

  • Reduced scope for security configurations
    Only the CIDR block of the vSwitch where the ENI resides needs to be added to your database's security settings, such as firewalls, whitelists, or security groups. You no longer need to add the large range of DTS server IP addresses to the whitelist.

  • Simplified network troubleshooting
    For example, if a network connectivity issue occurs and a connectivity check fails during DTS instance configuration, you can create an ECS instance on the same vSwitch as the ENI and test the connectivity to the database directly from that instance to quickly identify the problem.
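
The allowlist reduction described above can be checked mechanically. The following is an added example, not part of the DTS documentation or tooling: it compares a database allowlist with the CIDR blocks of the primary and secondary vSwitches and reports blocks that are not fully allowed, entries broader than a vSwitch block, and entries the data channel does not use. The function name, the report keys and all addresses are constructed for illustration, and treating both vSwitch blocks as required is an assumption based on the two-ENI design.

```python
import ipaddress

# Constructed sample: a database allowlist and two vSwitch CIDR blocks.
SAMPLE_ALLOWLIST = ["10.20.1.0/24", "10.20.2.128/25", "198.51.100.0/24"]
PRIMARY_VSWITCH = "10.20.1.0/24"
SECONDARY_VSWITCH = "10.20.2.0/24"


def _covers(entry, net):
    """True when the allowlist entry contains every address in net."""
    return entry.version == net.version and net.subnet_of(entry)


def audit_allowlist(allowlist, primary_cidr, secondary_cidr):
    """Classify allowlist entries against the two ENI vSwitch CIDR blocks."""
    vswitches = {
        "primary": ipaddress.ip_network(primary_cidr),
        "secondary": ipaddress.ip_network(secondary_cidr),
    }
    nets = list(vswitches.values())
    # strict=False accepts entries written with host bits set, e.g. 10.20.1.5/24
    entries = [ipaddress.ip_network(e, strict=False) for e in allowlist]
    report = {"uncovered": [], "broader": [], "partial": [], "review": []}

    # The page asks for the vSwitch CIDR block, so the whole block must be allowed.
    for role, net in vswitches.items():
        if not any(_covers(e, net) for e in entries):
            report["uncovered"].append(role)

    for e in entries:
        if e in nets:
            continue  # exact vSwitch CIDR: the entry the page asks for
        if any(_covers(e, n) for n in nets):
            report["broader"].append(str(e))   # supernet, e.g. the whole VPC
        elif any(e.overlaps(n) for n in nets):
            report["partial"].append(str(e))   # only part of a vSwitch block
        else:
            report["review"].append(str(e))    # not used by the data channel
    return report


if __name__ == "__main__":
    print(audit_allowlist(SAMPLE_ALLOWLIST, PRIMARY_VSWITCH, SECONDARY_VSWITCH))
```

Entries listed under `review` are only candidates for removal: other applications may still depend on them.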

Pricing

The VPC data channel feature is free of charge.

Scope

  • Database Type: Supports MySQL, PostgreSQL, SQL Server, Tair/Redis, Oracle, and MongoDB.

  • Access Method: Supports only Express Connect, VPN Gateway, or Smart Access Gateway.

  • Console version: This feature is available only on the new DTS configuration page.

  • Regions and zones:

    | Region name              | Region ID      | Zone names                                     | Zone IDs                                                                           |
    |--------------------------|----------------|------------------------------------------------|------------------------------------------------------------------------------------|
    | China (Hangzhou)         | cn-hangzhou    | Zone I, Zone J, Zone K                         | cn-hangzhou-i, cn-hangzhou-j, cn-hangzhou-k                                        |
    | China (Shanghai)         | cn-shanghai    | Zone B, Zone G, Zone M, Zone N                 | cn-shanghai-b, cn-shanghai-g, cn-shanghai-m, cn-shanghai-n                         |
    | China (Shenzhen)         | cn-shenzhen    | Zone D, Zone E, Zone F                         | cn-shenzhen-d, cn-shenzhen-e, cn-shenzhen-f                                        |
    | China (Beijing)          | cn-beijing     | Zone H, Zone G, Zone L, Zone I, Zone F, Zone K | cn-beijing-h, cn-beijing-g, cn-beijing-l, cn-beijing-i, cn-beijing-f, cn-beijing-k |
    | China (Qingdao)          | cn-qingdao     | Zone B, Zone C                                 | cn-qingdao-b, cn-qingdao-c                                                         |
    | China (Zhangjiakou)      | cn-zhangjiakou | Zone A, Zone B, Zone C                         | cn-zhangjiakou-a, cn-zhangjiakou-b, cn-zhangjiakou-c                               |
    | China (Ulanqab)          | cn-wulanchabu  | Zone A, Zone B                                 | cn-wulanchabu-a, cn-wulanchabu-b                                                   |
    | China (Chengdu)          | cn-chengdu     | Zone A, Zone B                                 | cn-chengdu-a, cn-chengdu-b                                                         |
    | China (Hong Kong)        | cn-hongkong    | Zone B, Zone C, Zone D                         | cn-hongkong-b, cn-hongkong-c, cn-hongkong-d                                        |
    | Singapore                | ap-southeast-1 | Zone A, Zone B                                 | ap-southeast-1a, ap-southeast-1b                                                   |
    | Indonesia (Jakarta)      | ap-southeast-5 | Zone A, Zone B                                 | ap-southeast-5a, ap-southeast-5b                                                   |
    | Germany (Frankfurt)      | eu-central-1   | Zone A, Zone B                                 | eu-central-1a, eu-central-1b                                                       |
    | US East (Virginia)       | us-east-1      | Zone A, Zone B                                 | us-east-1a, us-east-1b                                                             |
    | US West (Silicon Valley) | us-west-1      | Zone A, Zone B                                 | us-west-1a, us-west-1b                                                             |
    | Japan (Tokyo)            | ap-northeast-1 | Zone A, Zone B                                 | ap-northeast-1a, ap-northeast-1b                                                   |

Notes

  • If the DTS task that you are configuring meets the requirements for Database Type, Access Method, and Instance Region as described in the Scope section, you must use a VPC data channel. You must also configure primary and secondary vSwitches.

  • To ensure high availability, the primary and secondary vSwitches you select must be in different zones.

  • When you use the VPC data channel feature, DTS creates a security group named DTS_VPCNAT in your VPC and associates it with the created ENIs.

    • The inbound rule of this security group allows access from all IP addresses (0.0.0.0/0) by default. This ensures that DTS can establish a bidirectional connection with your database.

    • Do not modify or delete this security group or its rules. Otherwise, the DTS task may fail or experience issues.

    • This security group is for DTS use only. Do not associate it with other resources, such as your ECS instances, to avoid potential security risks.
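
Because the DTS_VPCNAT inbound rule allows 0.0.0.0/0, any other resource associated with the group inherits that open rule. The following added example, which is not DTS or Alibaba Cloud code, flags such associations in an inventory export. The inventory layout, all resource IDs and the assumption that the operator knows which ENI IDs belong to the data channel are constructed for illustration; only the group name comes from this page.

```python
DTS_GROUP_NAME = "DTS_VPCNAT"  # group name stated on this page

# Constructed inventory in a simplified layout (not a cloud API response format).
SAMPLE_GROUPS = [
    {"id": "sg-aaa", "name": "DTS_VPCNAT", "vpc": "vpc-prod"},
    {"id": "sg-bbb", "name": "web", "vpc": "vpc-prod"},
]
SAMPLE_RESOURCES = [
    {"id": "eni-dts-1", "type": "eni", "security_groups": ["sg-aaa"]},
    {"id": "eni-dts-2", "type": "eni", "security_groups": ["sg-aaa"]},
    {"id": "i-web-1", "type": "ecs", "security_groups": ["sg-bbb", "sg-aaa"]},
    {"id": "eni-other", "type": "eni", "security_groups": ["sg-aaa"]},
    {"id": "i-web-2", "type": "ecs", "security_groups": ["sg-bbb"]},
]
SAMPLE_DTS_ENIS = {"eni-dts-1", "eni-dts-2"}  # assumed known to the operator


def find_foreign_attachments(groups, resources, dts_eni_ids):
    """Return resources, other than the DTS ENIs, that use a DTS_VPCNAT group."""
    # A group with this name may exist in more than one VPC, so match by
    # name and keep every matching group id together with its VPC.
    dts_groups = {g["id"]: g["vpc"] for g in groups if g["name"] == DTS_GROUP_NAME}
    findings = []
    for res in resources:
        hits = [gid for gid in res["security_groups"] if gid in dts_groups]
        if not hits or res["id"] in dts_eni_ids:
            continue  # unrelated resource, or one of the data channel ENIs
        findings.append({
            "resource": res["id"],
            "type": res["type"],
            "group": hits[0],
            "vpc": dts_groups[hits[0]],
        })
    # List ECS instances first: the page names them as the resource to keep out.
    return sorted(findings, key=lambda f: (f["type"] != "ecs", f["resource"]))


if __name__ == "__main__":
    for finding in find_foreign_attachments(
        SAMPLE_GROUPS, SAMPLE_RESOURCES, SAMPLE_DTS_ENIS
    ):
        print(finding)
```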

FAQ

If you encounter network connectivity issues during configuration, see Configure a VPC data channel task and FAQ.
