
Deploy Web App Backend with Database

A developer provisions an ECS instance with proper security group rules to allow database connectivity, creates an RDS instance for the application backend, and sets up database accounts with appropriate permissions so the application can securely connect to the database.

Products involved

Scenario

When deploying a web application backend that requires persistent relational storage, developers must provision an ECS compute instance alongside an ApsaraDB RDS instance, then securely bridge them via VPC networking and least-privilege database accounts. This workflow ensures the application can authenticate and query the database without exposing credentials or ports to the public internet.

Integration steps

  1. Configure ECS Security Group: Allow inbound MySQL traffic from your private subnet.
   aliyun ecs AuthorizeSecurityGroup --SecurityGroupId sg-xxx --IpProtocol tcp --PortRange 3306/3306 --SourceCidrIp 10.0.0.0/24
  2. Provision RDS Instance: Create the database in the same VPC/VSwitch as the ECS target.
   aliyun rds CreateDBInstance --Engine MySQL --EngineVersion 8.0 --DBInstanceClass rds.mysql.s2.large --VPCId vpc-xxx --VSwitchId vsw-xxx --SecurityIPList 10.0.0.0/24
  3. Create Application Account: Initialize a dedicated user (routes to rds-manage-accounts).
   aliyun rds CreateAccount --DBInstanceId rm-xxx --AccountName app_user --AccountPassword 'SecurePass123!' --AccountType Normal
  4. Grant Privileges: Assign read/write access to the target schema.
   aliyun rds GrantAccountPrivilege --DBInstanceId rm-xxx --AccountName app_user --DBName app_db --AccountPrivilege ReadWrite
  5. Launch ECS Instance: Attach to the preconfigured security group and VSwitch.
   aliyun ecs RunInstances --InstanceType ecs.t6-c1m2.large --ImageId aliyun_3_x64_20G_alibase_20230920.vhd --VSwitchId vsw-xxx --SecurityGroupId sg-xxx --InstanceName web-backend
  6. Inject Credentials: Export environment variables in your deployment script or CI/CD pipeline.
   export DB_HOST=rm-xxx.mysql.rds.aliyuncs.com
   export DB_PORT=3306
   export DB_USER=app_user
   export DB_PASS='SecurePass123!'
  7. Validate Connectivity: Run a quick TCP and auth test from the ECS instance.
   nc -zv "$DB_HOST" "$DB_PORT" && mysql -h "$DB_HOST" -P "$DB_PORT" -u "$DB_USER" -p"$DB_PASS" -e "SELECT 1;"
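
The guard below is an added example, not part of the original page or of Alibaba Cloud's tooling: it checks that the value destined for --SourceCidrIp (step 1) or --SecurityIPList (step 2) lies entirely inside RFC 1918 private space before the aliyun command runs. The function names and the CIDR variable in the usage comment are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original page: pre-flight guard for the value
# passed as --SourceCidrIp (step 1) or --SecurityIPList (step 2).

# ip_to_int A.B.C.D: print the address as an integer; fail on malformed input.
ip_to_int() {
  case $1 in ''|*[!0-9.]*|*.) return 1 ;; esac
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    # Reject empty octets, leading zeros (octal in arithmetic) and values > 255.
    case $o in ''|0?*|????*) return 1 ;; esac
    [ "$o" -le 255 ] || return 1
  done
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# cidr_is_private ENTRY: succeed only if the whole range sits inside 10/8,
# 172.16/12 or 192.168/16. A bare address is treated as /32.
cidr_is_private() {
  case $1 in */*) addr=${1%/*}; len=${1#*/} ;; *) addr=$1; len=32 ;; esac
  case $len in ''|*[!0-9]*|???*) return 1 ;; esac
  [ "$len" -le 32 ] || return 1
  ip=$(ip_to_int "$addr") || return 1
  # Block bases as integers: 10.0.0.0, 172.16.0.0, 192.168.0.0.
  for blk in 167772160/8 2886729728/12 3232235520/16; do
    base=${blk%/*}; blen=${blk#*/}
    mask=$(( (4294967295 << (32 - blen)) & 4294967295 ))
    # The prefix must be at least as long as the block's, or it spills outside.
    if [ "$len" -ge "$blen" ] && [ $(( ip & mask )) -eq "$base" ]; then return 0; fi
  done
  return 1
}

# list_is_private "a,b,...": succeed only if every comma-separated entry passes.
list_is_private() {
  case $1 in ''|*[!0-9./,]*) return 1 ;; esac
  old_ifs=$IFS; IFS=,; set -- $1; IFS=$old_ifs
  for entry in "$@"; do
    cidr_is_private "$entry" || { echo "rejected: $entry" >&2; return 1; }
  done
}

# Usage (CIDR is a hypothetical variable holding the value for steps 1 and 2):
#   list_is_private "$CIDR" || exit 1   # then run the aliyun commands as written
```

The check does not require the address to be the network base, so 10.0.0.5/24 passes; it only rejects entries that are public, malformed, or broader than the private block they start in.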

Architecture

The ECS instance runs the application runtime and acts as the database client. All traffic flows over the private VPC network to the RDS endpoint, which handles query execution, connection pooling, and automated backups. Security groups enforce network-layer isolation, while RDS account privileges enforce application-layer data access control.

Prerequisites

Common pitfalls

Typical questions

FAQ

Q: How do I provision and deploy a web application backend with a database?
A: You must provision an ECS compute instance and an ApsaraDB RDS instance within the same VPC and securely connect them via private networking and least-privilege accounts. The integration workflow involves configuring security groups for MySQL traffic, initializing a dedicated RDS user with explicit schema privileges, launching the compute instance, injecting credentials as environment variables, and validating connectivity.