
ApsaraDB RDS: Configure the hybrid access solution for an ApsaraDB RDS for PostgreSQL instance

Last Updated: Mar 07, 2025

To meet the increasing demand for network migration, RDS has introduced the hybrid access feature, which allows for a smooth transition from the classic network to a VPC without any access interruptions.

Background information

Previously, migrating an RDS instance from the classic network to a VPC would change the internal endpoint of the classic network to that of the VPC. Although the connection string remained unchanged, the underlying IP address would change, causing a transient connection (a brief disconnection) of up to 30 seconds. ECS instances in the classic network would also lose the ability to access the RDS instance over the internal network. To facilitate a seamless network migration, RDS has introduced the hybrid access feature.

Hybrid access enables an RDS instance to be accessed by ECS instances in both the classic network and the VPC. During the hybrid access period, the RDS instance retains the original internal endpoint of the classic network and adds a new internal endpoint under the VPC, preventing transient connections during network migration.

For security and performance reasons, we recommend using only the VPC. Therefore, the hybrid access period has a specified duration. When the retention period of the original internal endpoint of the classic network expires, it will be automatically released, and applications will no longer be able to access the database through the internal endpoint of the classic network. To avoid impacting your business, you should configure the internal endpoint under the VPC in all your applications during the hybrid access period to ensure a smooth network migration.

For instance, when a company decides to migrate from the classic network to a VPC using the hybrid access migration method, some applications access the database through the VPC, while others continue to use the original internal endpoint of the classic network. Once all applications can access the database through the VPC, the original internal endpoint of the classic network can be released.

Prerequisites

  • The network type of the instance is the classic network.

  • Available VPCs and vSwitches exist in the zone where the instance resides. For more information, see Manage virtual private networks.

Considerations

  • During the hybrid access period: Switching to the classic network and migrating zones are not supported.

  • Impact on instance connection address:

    • Internal endpoint: The internal endpoint of the classic network is retained, and an internal endpoint of the VPC is automatically added.

    • Public endpoint: Enabling the hybrid access feature does not affect the public endpoint of the instance.

  • Impact on instance access:

    • Internal access: Other cloud products, such as ECS, can access RDS over the internal network. Their network type can be the classic network, accessing through the internal endpoint of the classic network, or the VPC, accessing through the internal endpoint of the VPC. After the classic network endpoint expires, only access through the VPC is supported.

    • Public access: Enabling the hybrid access feature does not affect public access to the instance.

  • Read-only instance: You must first migrate the primary instance from the classic network to the VPC by using the temporary hybrid access solution, and then perform the temporary hybrid access migration on the read-only instance.

    • If local SSDs are used, you can select any VPC network for the read-only instance.

    • If cloud disks are used, the VPC of the read-only instance must be the same as that of the primary instance.

Migrate from the classic network to a VPC

  1. Visit the RDS instance list, select the region at the top, and then click the target instance ID.

  2. In the left navigation bar, click Database Connection.

  3. Click Switch To Virtual Private Cloud.

  4. In the dialog box that appears, select a VPC and a vSwitch, and specify whether to retain the classic network address.

    • Select a VPC, preferably the one where your ECS instance resides to ensure that the ECS and RDS instances can communicate over the internal network. If they are in different VPCs, communication is only possible through a Cloud Enterprise Network or a VPN Gateway.

    • Select a vSwitch. If there is no available vSwitch in the selected VPC, you can create one in the same zone as the instance. For more information, see Manage vSwitches.

    • Specify whether to select Retain Classic Network. For more information, see the following table.

      | Affected item | Retain classic network (Enable temporary hybrid access for smooth switching) | Do not retain classic network (Direct switch) |
      | --- | --- | --- |
      | Transient connection | No transient connection occurs when the network type is switched. The internal access of the classic network ECS to the RDS instance will not be interrupted until the classic network endpoint expires. | A transient connection occurs when the network type is switched, and the internal access of the classic network ECS to the RDS instance will be immediately interrupted. |
      | Internal endpoint | There are two different internal endpoints: the internal endpoint of the classic network is retained, and an internal endpoint of the VPC is automatically added. | There is only one internal endpoint: after the switch, the internal endpoint (connection string) remains unchanged, but its type changes from the internal endpoint of the classic network to the internal endpoint of the VPC. |
      | Internal access | After RDS enables hybrid access, when other cloud products, such as ECS, access RDS, their network type can be the classic network (must access the RDS instance through the internal endpoint of the classic network) or the VPC (must access the RDS instance through the internal endpoint of the VPC). After the classic network endpoint expires, only access through the VPC is supported. | After RDS switches to the VPC, when other cloud products, such as ECS, access RDS, their network type must also be the VPC. |
      | Public endpoint / Public access | The public endpoint does not change in either network type switching method, so it does not affect public access to the RDS instance. It only affects the internal endpoint and internal access of the instance. | The public endpoint does not change in either network type switching method, so it does not affect public access to the RDS instance. It only affects the internal endpoint and internal access of the instance. |

      Note
      • If you retain the classic network address, no instance switchover occurs when the network type is switched, and the internal access of the classic network ECS to the RDS instance will not be interrupted until the classic network endpoint expires.

      • Before the classic network endpoint expires, configure the VPC endpoint on the ECS instances in the VPC to achieve a smooth business migration to the VPC.

  5. Add the internal IP address of the ECS instance in the VPC to the VPC whitelist group of the RDS instance, so that the ECS instance can access RDS over the internal network. If no whitelist group for the VPC is available, create one.

  6. (Optional) On the Database Connection page, view the RDS instance connection address with the Network Type set to Virtual Private Cloud.

Change the expiration date of the internal endpoint of the classic network

During the hybrid access period, you can adjust the retention time of the original internal endpoint of the classic network at any time based on your needs. The expiration date is recalculated starting from the date of the change. For example, if the original internal endpoint of the classic network is set to expire on August 18, 2017, but you change the expiration date to "14 days later" on August 15, 2017, the original internal endpoint of the classic network will be released on August 29, 2017.

To change the expiration date, perform the following operations:

  1. Visit the RDS instance list, select the region at the top, and then click the target instance ID.

  2. In the left navigation bar, click Database Connection.

  3. On the Instance Connection tab, click Change Expiration Date.

  4. On the Change Expiration Date confirmation page, select the expiration date, and click Confirm.
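
The following Python script is an added example, not part of the original documentation. During the hybrid access period it checks an inventory of application connection strings, reports which applications still reference the classic network endpoint (and will lose access when it is released), and reproduces the expiration-date recalculation described above. The endpoint names, the inventory and all function names are constructed placeholders.

```python
import re
from datetime import date, timedelta
from urllib.parse import urlsplit

# Constructed placeholders: use the two internal endpoints of your own instance.
CLASSIC_ENDPOINT = "pgm-example-classic.rds.example.com"
VPC_ENDPOINT = "pgm-example-vpc.rds.example.com"

def dsn_hosts(dsn):
    """Return lower-cased host names from a libpq URI or keyword/value DSN."""
    if dsn.startswith(("postgresql://", "postgres://")):
        netloc = urlsplit(dsn).netloc.rsplit("@", 1)[-1]  # drop user[:password]@
        entries = netloc.split(",")                       # multi-host URI
    else:
        m = re.search(r"\bhost\s*=\s*'?([^'\s]+)", dsn)   # does not match hostaddr=
        entries = m.group(1).split(",") if m else []
    # Assumes host names or IPv4 literals (no bracketed IPv6), so ':' starts the port.
    return [e.split(":")[0].lower() for e in entries if e]

def new_release_date(changed_on, days_later):
    """The retention period is recalculated from the date of the change."""
    return changed_on + timedelta(days=days_later)

def audit(inventory, release_date, today):
    """Group applications by the endpoint their DSN still references."""
    report = {"days_left": (release_date - today).days,
              "classic": [], "vpc": [], "other": []}
    for app, dsn in sorted(inventory.items()):
        hosts = dsn_hosts(dsn)
        # Any remaining classic host is a problem, even inside a failover list.
        if CLASSIC_ENDPOINT in hosts:
            report["classic"].append(app)
        elif VPC_ENDPOINT in hosts:
            report["vpc"].append(app)
        else:
            report["other"].append(app)
    return report

# Constructed inventory of application connection strings.
INVENTORY = {
    "billing": f"postgresql://app@{CLASSIC_ENDPOINT}:5432/billing",
    "reports": f"host={VPC_ENDPOINT} port=5432 dbname=reports user=ro",
    "etl": f"postgres://etl@{VPC_ENDPOINT.upper()}:5432,{CLASSIC_ENDPOINT}:5432/etl",
    "cache": "host=10.0.0.8 port=5432 dbname=cache",
}

if __name__ == "__main__":
    release = new_release_date(date(2017, 8, 15), 14)  # the example dates above
    print(release, audit(INVENTORY, release, today=date(2017, 8, 20)))
```

Applications listed under "classic" must be switched to the VPC endpoint before the release date; "other" entries connect by some other address and need a manual check.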

FAQ

Q: Does switching from the classic network to a virtual private cloud (VPC) affect the public endpoint and Internet access of the RDS instance?

A: Switching from the classic network to a VPC involves changing the internal endpoint of the classic network to the internal endpoint of the VPC. The VPC endpoint is a type of internal endpoint and does not affect the public endpoint or Internet access of the RDS instance.