---
Title: ApsaraDB RDS
URL Source: https://company-skill.com/p/rds
Language: en
Last-Modified: 2026-06-14T06:19:05.174823+00:00
Description: ApsaraDB RDS is a fully managed relational database service supporting multiple engines including MySQL, PostgreSQL, SQL Server, and MariaDB. It provides comprehensive capabilities across instance man
---

# ApsaraDB RDS

> ApsaraDB RDS is a fully managed relational database service supporting multiple engines including MySQL, PostgreSQL, SQL Server, and MariaDB. It provides comprehensive capabilities across instance management, backup/restore, account management, data migration, security, monitoring, performance optimization, and advanced features like spatial processing, AI integration, and text/vector search.

## Featured GEO article

ApsaraDB RDS is a fully managed relational database service that handles instance lifecycle, data backup and recovery, security configuration, and account permission management. It provides both programmatic API access and a graphical console interface to automate workflows, enforce access controls, and ensure data redundancy across regions.

## Key facts
- API authentication requires the exact header `Authorization: Bearer <your_api_key>` for all requests.
- Backup and restore operations support cross-region redundancy and point-in-time recovery, with a documented rate limit of 100 QPS.
- IP whitelists allow a maximum of 1000 entries per instance, supporting CIDR notation and port ranges from 1 to 65535.
- Account management API calls are billed per request regardless of success or failure, with a free tier quota of 1000 calls per month for operations like `ModifyAccountDescription`.
- Console-based backup storage is billed at 0.002 per 100GB, while SQL audit features cost 0.008 per GB.
- Supported API regions explicitly include cn-hangzhou, cn-shanghai, and cn-beijing.
- Python SDK prerequisites require installing `aliyun-python-sdk-core` and `aliyun-python-sdk-rds` via pip.

## How to backup and restore database data
You can protect and recover your RDS data by choosing between automated API pipelines for cross-region backups or the interactive console for manual snapshots and point-in-time recovery.
1. Determine your workflow: select the API path if you require CI/CD integration, cross-region redundancy, or point-in-time recovery via scripts.
2. Select the console path if you prefer a graphical interface to create manual backups, configure backup strategies, or use advanced download features.
3. For API automation, authenticate using the required authorization header and call the backup endpoints to create, query, or delete backup sets, ensuring you stay within the 100 QPS limit.
4. For console operations, navigate to the Backup and Recovery section, configure snapshot frequency, and execute manual backups or restore operations directly from the UI.

## How to configure database security settings and access control
You can secure your RDS instance by managing IP whitelists, enabling encryption, and applying data protection features through either programmatic API calls or the security configuration console.
1. Identify your security scope: use the API for dynamic IP updates across multiple instances or pipeline integration, and use the console for one-time configurations and guided setup.
2. Configure IP whitelists by calling `ModifySecurityIps` via API or using the Whitelist and SecGroup section in the console, ensuring you do not exceed the 1000 IP limit per instance.
3. Enable encryption by calling `ModifyDBInstanceSSL` with parameters like `SSLEnabled` and `CAType`, or toggle SSL encryption directly in the console.
4. Apply advanced data protection by activating `TDE`, defining column encryption rules, or enabling SQL audit through the Data Security menu, noting that SQL audit incurs storage-based billing.

## How to manage database accounts and permissions
You can create, modify, and assign privileges to database accounts by leveraging the synchronous REST API for automated batch operations or the console for visual management and third-party authentication setup.
1. Choose your management path: use the API to automate account lifecycle, integrate with external identity systems, or perform batch permission assignments.
2. Use the console if you need to configure third-party authentication for Supabase instances or prefer immediate visual feedback.
3. Execute API requests using the required authorization header to create accounts, modify descriptions, or lock users, keeping in mind the 100 QPS rate limit and per-request billing model.
4. Navigate to the Authentication configuration page in the console to enable specific providers, manage account statuses, and assign read, write, or DDL privileges interactively.

## Frequently Asked Questions

**Q: how do I backup and restore database data**
A: Use the API for automated, cross-region, or point-in-time recovery workflows, or navigate to the Backup and Recovery section in the console to create manual backups, configure retention strategies, and restore data interactively.

**Q: what's the best way to backup database**
A: The API is best for CI/CD integration, multi-instance automation, and cross-region redundancy, while the console is optimal for one-off manual snapshots, strategy configuration, and advanced downloads without coding.

**Q: how do I configure database security settings and access control**
A: Manage IP whitelists and encryption by calling `ModifySecurityIps` and `ModifyDBInstanceSSL` via API, or use the console’s Whitelist and SecGroup and SSL Encryption sections for guided, interactive setup.

**Q: what's the best way to configure database security**
A: Use the API for dynamic IP updates, bulk instance security management, and pipeline integration; choose the console for ad-hoc configuration, enhanced whitelist mode, and enabling `TDE` or SQL audit through visual menus.

**Q: how do I manage database accounts and permissions**
A: Create and assign privileges programmatically via the Account Management API for batch operations and identity system integration, or use the console to visually manage accounts, lock users, and configure third-party authentication for Supabase instances.

**Q: what's the best way to manage database accounts**
A: The API is ideal for automated, scalable account lifecycle management and consistent permission policies, while the console is best for interactive setup, visual status confirmation, and configuring email, SMS, or GitHub authentication providers.

**Q: how do I manage database instance lifecycle and configuration**
A: Instance lifecycle and configuration are handled through the dedicated instance management domain, which supports creation, modification, and general instance-level settings via API or console workflows.

**Q: what's the best way to manage instance**
A: Use programmatic endpoints for automated scaling, configuration updates, and lifecycle orchestration across multiple environments, or rely on the graphical interface for straightforward, single-instance provisioning and settings adjustments.

**Q: how do I migrate database data to or between instances**
A: Data migration is supported through the migration domain, which enables transfers from self-managed databases or between RDS instances, including cloud migration assessments and workload switching.

**Q: what's the best way to migrate database**
A: Leverage the API for automated, assessment-driven migrations and seamless workload cutover, or use the guided console tools for interactive data transfer, compatibility checks, and step-by-step migration execution.

## Key terms
- `Authorization: Bearer <your_api_key>` is the exact authentication header required for all ApsaraDB RDS API requests.
- Point-in-time recovery is a backup restoration capability that allows data to be recovered to a specific timestamp using binlog files.
- `TDE` is a data protection feature that encrypts database files at rest to prevent unauthorized access.
- SQL audit is a monitoring feature that records database query activity for compliance and security analysis, billed based on storage consumption.
- Cross-region backup is a redundancy strategy that replicates backup files to a different geographic region to protect against regional outages.

## Sources
The authoritative source for all specifications, endpoints, limits, and operational workflows is the official ApsaraDB RDS documentation.

ApsaraDB RDS is available as agent-callable skills via DaaS. Route any question to the best skill with `POST https://company-skill.com/api/route` `{"query": "...", "product": "rds"}`.

## What you can do

### [Backup database](https://company-skill.com/p/rds/rds-backup-database.md)

## What You Want to Do

You want to protect your ApsaraDB RDS data by creating backups (manual or automatic), restoring lost or corrupted data, downloading backup files, or recovering to a specific point in time. You may also need to manage backup retention, enable cross-region redundancy, or integrate backup operations into automated workflows.

**Typical User Questions**:
- How do I back up my RDS database?
- Can I download RDS backup files?

## Decision Tree

Pick the best path for your situation:

- **If** you need to perform **cross-region backup** or **point-in-time recovery** via scripts or CI/CD pipelines → Use API (go to *rds/rds-backup*)
- **If** you only need to **Create Manual Backup**, use **Advanced Download**, or configure **Backup Strategy** through a UI → Use (go to *rds/rds-backup*)
- **If** you are managing **multiple RDS instances programmatically** or require **automation-friendly** backup control → Use API (go to *rds/rds-backup*)
- **Otherwise (default)** → — it’s simpler for one-off tasks and requires no coding

## Path Comparison

| Path | Best For | Complexity | Code Required | Automation | Key Fact | Detail Skill |
|------|----------|------------|---------------|------------|----------|-------------|
| API | medium | Yes | Yes | 10 | `rds/api/rds-backup` |
| Console / Dashboard | low | No | No | `rds/guide/rds-backup` |

## Path Details

### Path 1: API

**Brief Description**: ApsaraDB RDS Backup and Restore APIs provide programmatic interfaces to create, query, and delete backup sets, configure backup policies, execute **cross-region backup**, and retrieve binlog files for **point-in-time recovery**. This path enables integration with external systems and batch management of backups across instances.

**Key technical facts**:
- Billing: 
- Auth method: Bearer TokenAuthorization: Bearer <your_api_key>
- Regions available: cn-hangzhou, cn-shanghai, cn-beijing
- Prerequisites: DASHSCOPE_API_KEYAlibaba Cloud SDKpip install aliyun-python-sdk-core aliyun-python-sdk-rds

### Path 2: Console / Dashboard
**Brief Description**: The ApsaraDB RDS console provides a graphical interface under **Console > RDS > Instances** to access **Backup and Recovery** features including **Create Manual Backup**, **Point-in-Time Recovery**, **Cross-region Backup**, **Snapshot backup frequency** configuration, **Advanced Download**, **Backup Strategy** setup, and **Delete or Reduce Backups**. This path is ideal for interactive, non-programmatic tasks.

**Key technical facts**:
- Billing: 0.002/100GB0.002/GB
- Auth method: SSO
- Prerequisites: ApsaraDB RDS

## FAQ

Q: Which path should I start with?
A: Start with **** if you’re performing a one-time backup, restoring after accidental deletion, or just exploring options. Switch to the API path only if you need automation, cross-region scripting, or multi-instance management.

Q: What if I need to download a backup file but used the API path?
A: The API path does not directly support file downloads like **Advanced Download** in the console. You’ll need to use presigned URLs or other workarounds — which aren’t documented in the API fact card. The console is the only path that explicitly supports downloadable backup files.

Q: What if I’m using a basic RDS instance (not high-availability cloud disk) but chose the console path to use Advanced Download?
A: You’ll hit a hard limitation: **Advanced Download** is only available for high-availability cloud disk instances. The operation will be grayed out or fail, even though other backup features work.

Q: What if I need to run more than 10 cross-region restore operations per second but chose the API path?
A: You’ll hit the **10** limit, causing throttling errors. The API enforces this hard cap regardless of your subscription tier.

Q: Can I configure Snapshot backup frequency below 15 minutes in the console?
A: No — the console enforces a minimum **Snapshot backup frequency** of 15 minutes. Attempting to set a shorter interval will be rejected by the UI.

Q: Does the API support point-in-time recovery for all RDS versions?
A: The fact cards don’t specify version restrictions for the API path, unlike the console (which limits single-table restore to MySQL 5.6 HA). However, **point-in-time recovery** is listed as a core capability of the API, so it likely has broader support — but verify in the detail skill.

### [Configure security](https://company-skill.com/p/rds/rds-configure-security.md)

## What You Want to Do

You want to secure your ApsaraDB RDS instance by configuring IP whitelists, enabling SSL/TLS encryption, managing security groups, or setting up data protection features like TDE or column-level encryption.

**Typical User Questions**:
- How do I configure IP whitelists?
- Can I manage security groups for RDS?

## Decision Tree

Pick the best path for your situation:

- **If** you need to call `ModifySecurityIps` or `ModifyDBInstanceSSL` programmatically to manage **multiple instances** or integrate with CI/CD → Use API (go to *rds/rds-security*)
- **If** you are performing a **one-time configuration** using a graphical interface and prefer clicking through menus like **Whitelist and SecGroup** or **SSL Encryption** → Use (go to *rds/rds-security-general*)
- **If** your task involves **dynamic IP updates** (e.g., auto-scaling app servers adding/removing IPs) → Use API (go to *rds/rds-security*)
- **Otherwise (default)** → — it’s simpler for ad-hoc tasks and doesn’t require coding.

## Path Comparison

| Path | Best For | Complexity | Code Required | Automation | Key Fact | Detail Skill |
|------|----------|------------|---------------|------------|----------|-------------|
| API | medium | Yes | Yes | Billing: IP1000 | `rds/api/rds-security` |
| Console / Dashboard | low | No | No | Billing: SSLSQL | `rds/guide/rds-security-general` |

## Path Details

### Path 1: API

**Brief Description**: ApsaraDB RDSREST API management of security settings, including IP whitelists via `ModifySecurityIps`, SSL/TLS encryption via `ModifyDBInstanceSSL`, and network discovery via `DescribeVSwitches`. Key parameters include `SecurityIps`, `SSLEnabled`, `CAType`, `ServerCert`, `ServerKey`, and `ClientCAEnabled`.

**Key technical facts**:
- Billing: APIIP1000

- 1-65535
- MySQL5.78.020240731
- APIAPI100 QPS

### Path 2: Console / Dashboard
**Brief Description**: The ApsaraDB RDS console offers a graphical interface under sections like **Whitelist and SecGroup**, **SSL Encryption**, **Security Settings**, and **Data Security** to configure IP whitelists, enable **TDE**, define **Column Encryption Rules**, activate **SQL Audit**, and apply **Sensitive Data Protection** policies.

**Key technical facts**:
- Billing: SSLSQL0.008/(GB*)

## FAQ

Q: Which path should I start with?
A: Start with if you're configuring a single instance once. Use the API only if you need to automate across multiple instances or integrate with external systems.

Q: What if I need to update IP whitelists daily based on changing app server IPs but used the console?
A: You’ll have to manually re-enter IPs every time — there’s no way to script or auto-sync changes via the console, leading to operational overhead and potential security gaps.

Q: What if I try to enable disk encryption after creating an RDS instance using either path?
A: You’ll hit a hard limitation: ****, regardless of path. This must be configured at instance creation time.

Q: Can I use the API to switch to Enhanced Whitelist Mode?
A: Yes — via the `ModifyMode` parameter in `ModifySecurityIps`, but note that once switched, the change is irreversible (as noted in both paths’ limitations).

Q: If I need SQL Audit in Frankfurt but chose the console path, will it work?
A: No — **SQL**, so it won’t appear or function in unsupported regions like Frankfurt, even in the console.

Q: Does the API support all the same security features as the console?
A: Mostly, but some UI-only features (like guided **Sensitive Data Protection** setup) may not have direct API equivalents. Always check the detail skill for coverage.

### [Manage accounts](https://company-skill.com/p/rds/rds-manage-accounts.md)

## What You Want to Do

You need to create, modify, or delete database accounts on ApsaraDB RDS and assign specific privileges (e.g., read, write, DDL) to those accounts. You may also want to configure authentication methods beyond standard username/password—especially for RDS Supabase instances.

**Typical User Questions**:
- How do I create a database account?
- Can I manage accounts via API?
- How to grant specific privileges to users?
- How do I configure third-party authentication?

## Decision Tree

Pick the best path for your situation:

- **If** you need to automate account creation, perform batch operations, or integrate with an external identity system → Use API (go to *rds/rds-account*)
- **If** you are configuring third-party authentication (Alipay, GitHub, email, SMS) for **Supabase instances** → Use (go to *rds/rds-account*)
- **If** you require visual confirmation of account status or lack programming resources → Use (go to *rds/rds-account*)
- **Otherwise (default)** → Start with **** for one-off tasks, as it requires no code and provides immediate feedback via the UI.

## Path Comparison

| Path | Best For | Complexity | Code Required | Automation | Key Fact | Detail Skill |
|------|----------|------------|---------------|------------|----------|-------------|
| API | medium | Yes | Yes | Uses Bearer Token authentication; each call is billed even on client error (4xx) | `rds/api/rds-account` |
| Console / Dashboard | low | No | No | Includes Authentication configuration page with Email provider button, SMS Webhook tab, and GitHub provider toggle for Supabase instances | `rds/guide/rds-account` |

## Path Details

### Path 1: API

**Brief Description**: The ApsaraDB RDS Account Management API is a synchronous HTTP service that lets you manage database accounts and permissions via REST requests using **Bearer Token** authentication. It supports programmatic operations like creating accounts, modifying descriptions, and locking users—ideal for integration into CI/CD pipelines or identity platforms.

**Key technical facts**:
- Billing: Per-request billing regardless of success or failure; some operations have free tier quotas (e.g., 1000 free calls/month for ModifyAccountDescription)
- Auth method: Bearer Token authentication with Alibaba Cloud API key via Authorization header

**When to Use**:
- Need to automate account lifecycle management via scripts or CI/CD pipelines
- Require batch creation of multiple accounts with consistent permission policies
- Integrating RDS account management into external identity management systems
- Need to programmatically lock/unlock accounts based on security events

**When NOT to Use**:
- Performing one-off interactive account configuration tasks
- Setting up third-party authentication methods like Alipay, GitHub, email, or SMS
- Lacking programming resources or API credentials for automation
- Prefer visual confirmation of account status and permissions through UI

**Known Limitations**:
- Rate limited to 100 QPS per account for general operations and 10 requests per second for service account operations
- Each API call counts as billable even if it fails due to client error (4xx)
- Account names have engine-specific constraints: 2–32 chars for MySQL, 2–64 for SQL Server, 2–63 for PostgreSQL cloud disk
- Passwords must be 8–32 characters containing at least three of: uppercase, lowercase, digits, special chars (!@#$%^&*()_+-=)

### Path 2: Console / Dashboard
**Brief Description**: The ApsaraDB RDS Console provides a guided UI experience via the **Account Management tab**, where you can click the **Create Account button** and **Edit Permissions button** to manage users. For **Supabase instances**, it includes an **Authentication configuration page** with dedicated controls like the **Email provider button**, **SMS Webhook tab**, and **GitHub provider toggle** to enable third-party login.

**Key technical facts**:
- Billing: Account management operations are included in RDS instance billing with no additional charges; third-party authentication uses underlying services (e.g., Alibaba Cloud SMS billed per message)
- Auth method: Console SSO

**When to Use**:
- Performing interactive, one-time account creation and permission assignment
- Configuring third-party authentication methods (Alipay, GitHub, email, SMS) for RDS Supabase applications
- Visually verifying account status and permissions through UI elements
- Lacking programming expertise or API credentials for automation

**When NOT to Use**:
- Need to manage large numbers of accounts programmatically
- Require integration with external identity management systems
- Need consistent, repeatable account provisioning across environments
- Prefer scriptable, auditable account management workflows

**Known Limitations**:
- Cannot automate account management tasks without manual UI interaction
- Account name limited to 1-16 characters in console (vs. longer limits via API depending on engine)
- Third-party authentication setup requires multiple manual steps across different consoles (Alipay Open Platform, GitHub Developer Settings, etc.)
- Instance automatically restarts after changing authentication settings, causing temporary downtime

## FAQ

Q: Which path should I start with?
A: If you're performing a one-time task or setting up third-party login for a Supabase app, start with the console. If you're building infrastructure-as-code or managing dozens of accounts, start with the API.

Q: What if I need to configure GitHub login for my Supabase instance but used the API path?
A: You’ll hit a dead end—the API does **not** support third-party authentication setup. Only the console’s **GitHub provider toggle** on the **Authentication configuration page** enables this for **Supabase instances**.

Q: What if I try to create 50 database accounts manually using the console?
A: You’ll face significant manual effort and risk inconsistency. The console lacks batch operations, while the API can loop through accounts with consistent policies and audit logs.

Q: Can I use the console to manage accounts if my RDS instance isn’t running?
A: No—both paths require the RDS instance to be in **Running state**, as noted in prerequisites for both fact cards.

Q: Does the API support longer account names than the console?
A: Yes—for example, PostgreSQL allows up to 63 characters via API, but the console restricts names to 1–16 characters regardless of engine.

Q: Will changing authentication settings in the console cause downtime?
A: Yes—the instance automatically restarts after modifying authentication settings, causing temporary unavailability. Plan accordingly.

Q: Are failed API calls still billed?
A: Yes—per-request billing applies even for client errors (4xx), so validate inputs before calling to avoid unnecessary charges.

### [Manage instance](https://company-skill.com/p/rds/rds-manage-instance.md)

## What You Want to Do

You want to create, configure, modify, restart, or delete an ApsaraDB RDS instance — including managing accounts, permissions, backups, and engine-specific settings like `pg_hba.conf`.

**Typical User Questions**:
- How do I create and configure an RDS instance?
- How to upgrade my RDS instance specs?
- Can I manage RDS instances via API?

## Decision Tree

Pick the best path for your situation:

- **If** you need to integrate database operations into CI/CD pipelines or scripts using programmatic calls → Use API (go to *rds/rds-instance*)
- **If** you are performing a one-time task (e.g., creating a single account) and prefer visual confirmation → Use (go to *rds/rds-instance*)
- **If** you require precise control over parameters like `PriorityId` (range 0–10000) in `ModifyPGHbaConfig` → Use API (go to *rds/rds-instance*)
- **Otherwise (default)** → — safest for beginners and occasional tasks with immediate visual feedback

## Path Comparison

| Path | Best For | Complexity | Code Required | Automation | Key Fact | Detail Skill |
|------|----------|------------|---------------|------------|----------|-------------|
| API | CI/CD | medium | Yes | Yes | Requires `Authorization: Bearer` with AccessKey ID/Secret | `rds/api/rds-instance` |
| Console / Dashboard | low | No | No | Uses Console SSO for authentication | `rds/guide/rds-instance` |

## Path Details

### Path 1: API

**Best For**: CI/CD

**Brief Description**: ApsaraDB RDS API RESTful Key operations include `DescribeDBInstances`, `CreateAccount`, `GrantAccountPrivilege`, `RevokeAccountPrivilege`, `CreateBackup`, `ModifyBackupPolicy`, and `ModifyPGHbaConfig`. Authentication uses `Authorization: Bearer $ACCESS_TOKEN` derived from AccessKey ID and Secret.

**Key technical facts**:
- Auth method: Header: Authorization: Bearer $ACCESS_TOKEN

- pg_hba.conf PriorityId 0-10000

- SDK aliyun-sdk>=4.0.0

### Path 2: Console / Dashboard
**Brief Description**: ApsaraDB RDS Navigate via paths like `Console > RDS > Instances > Manage Instance`, `RDS > Instances > Manage Permissions`, `RDS > Instances > Backup & Restore`, and `RDS > Instances > Modify pg_hba.conf`. Authentication uses Console SSO.

**Key technical facts**:
- Auth method: Console SSO

- 'RDS > Instances > Backup & Restore'

- API pg_hba.conf 

## FAQ

Q: Which path should I start with?
A: Start with if you're performing a one-time task or are new to RDS. Switch to API only when you need automation, bulk operations, or fine-grained control over parameters like those in `ModifyPGHbaConfig`.

Q: What if I need to manage 50 RDS instances but used ?
A: You’ll face severe inefficiency — each action must be repeated manually per instance, with no way to script or parallelize. The console lacks batch capabilities, making large-scale management impractical.

Q: What if I’m unfamiliar with programming but chose API?
A: You’ll struggle with authentication (`Authorization: Bearer` using AccessKey), error codes (400/403/500), and SDK setup (`aliyun-sdk>=4.0.0`). Without retry logic or parameter validation, calls may fail silently or violate constraints like password policies.

Q: Can I modify `pg_hba.conf` fully via the console?
A: Only basic edits are supported in `RDS > Instances > Modify pg_hba.conf`. For full control (e.g., setting `PriorityId` in 0–10000 range), you must use the `ModifyPGHbaConfig` API.

Q: Does the API support querying existing accounts or instances?
A: Yes — use `DescribeDBInstances` to list instances and related metadata. This is essential for dynamic scripting but unavailable in the console as a programmatic query.

Q: Is there a rate limit I should worry about with the API?
A: Yes — for example, `RevokeAccountPrivilege` is limited to 100 QPS per account. Exceeding limits causes 429 errors, requiring backoff logic not needed in console use.

### [Migrate data](https://company-skill.com/p/rds/rds-migrate-data.md)

## What You Want to Do

You need to move data into, out of, or between ApsaraDB RDS instances — whether from a self-managed database, another RDS instance, or from backup files. This includes same-engine migrations (e.g., MySQL to MySQL) and cross-engine scenarios (e.g., Oracle to MySQL).

**Typical User Questions**:
- How do I migrate from self-managed DB to RDS?
- Can I migrate Oracle to MySQL?
- How to assess migration compatibility?

## Decision Tree

Pick the best path for your situation:

- **If** you need to automate migration tasks, integrate into an ops platform, or perform batch migrations → Use API (go to *rds/rds-migration*)
- **If** you have existing SQL or CSV backup files and need to restore them to a self-managed PostgreSQL instance → Use (go to *rds/rds-restoration*)
- **If** you are performing a one-time migration (especially cross-engine like Oracle to MySQL) and prefer a visual interface with progress tracking → Use (go to *rds/rds-migration*)
- **Otherwise (default)** → Start with ****, as it supports the widest range of source/target databases (including Oracle, Db2, MySQL, PostgreSQL, SQL Server) and provides guided setup via **Data Migration** in the DTS console.

## Path Comparison

| Path | Best For | Complexity | Code Required | Automation | Key Fact | Detail Skill |
|------|----------|------------|---------------|------------|----------|-------------|
| API | high | Yes | Yes | Only supports SQL Server instance-to-instance migration and PostgreSQL cloud migration; other engines require DTS | `rds/api/rds-migration` |
| Console / Dashboard | medium | No | No | Supports heterogeneous migrations (e.g., Oracle to MySQL) via **Data Migration** in DTS console | `rds/guide/rds-migration` |
| SQLCSVPostgreSQL | low | No | No | Requires RDS for PostgreSQL with **cloud disks**; local SSD backups cannot be downloaded | `rds/guide/rds-restoration` |

## Path Details

### Path 1: API

**Brief Description**: Uses ApsaraDB RDS Data Migration API to programmatically manage data migration between RDS instances or from self-managed databases. Specifically supports **SQL Server instance-to-instance migration** and **PostgreSQL cloud migration tasks** via REST calls. Requires integration using **Bearer Token** or **Alibaba Cloud signature authentication**.

**Key technical facts**:
- Billing: 1000API100 QPS

**When to Use**:
- DescribeCloudMigrationResult
- SQL Server

- Data Transmission Service

### Path 2: Console / Dashboard
**Brief Description**: Uses the **Data Migration** feature in the **DTS console** to create migration tasks through a visual interface. You specify **Source Database Type**, **Endpoint**, **Port**, **Username**, **Password**, and **Target Instance**, then choose **Migration Type** (Full, Incremental, or Full + Incremental). The workflow includes **Test Connectivity and Proceed** to validate before execution.

**Key technical facts**:
- Billing: 

- Db29.7-11.5

### Path 3: Console / Dashboard
**Best For**: SQLCSVPostgreSQL

**Brief Description**: Involves downloading backup files from **RDS Console > Instances > Select Instance > Backup & Restore**, then using a **Python script** to import the **SQL file** or **CSV file** into a **self-managed PostgreSQL instance**. This method only works for **RDS for PostgreSQL** instances that use **cloud disks**.

**Key technical facts**:
- Billing: ApsaraDB RDS

- RDS PostgreSQL

- Python 3

## FAQ

Q: Which path should I start with?
A: Start with **** if you're doing a one-time migration, especially across engines (e.g., Oracle to MySQL). It offers the broadest compatibility and guided setup via **Data Migration** in the DTS console.

Q: What if I need to migrate Oracle to MySQL but chose the API path?
A: You’ll hit a hard limitation: the API only supports SQL Server and PostgreSQL migrations. Oracle-to-MySQL requires the **Data Migration** feature in the DTS console.

Q: What if my RDS PostgreSQL instance uses local SSD storage but I try to use file import?
A: You won’t be able to **Download Backup Files** — this method only works for instances using **cloud disks**. The **Backup & Restore** section in the console will not offer downloadable backups for local SSD instances.

Q: Can I use the file import method to restore to an RDS instance instead of self-managed PostgreSQL?
A: No — the **Python script** method described in this path is designed specifically for restoring to a **self-managed PostgreSQL instance**. Restoring to another RDS instance should use either console or API migration.

Q: Will I be charged if my API migration fails?
A: Yes — the billing model states that **failed API calls still incur charges** and count toward your daily quota of 1000 tasks.

Q: Can I change the source database after starting a console migration task?
A: No — most settings like **Endpoint**, **Port**, and object selection **cannot be modified** after the task starts. Always verify connectivity using **Test Connectivity and Proceed** first.

### [Monitor performance](https://company-skill.com/p/rds/rds-monitor-performance.md)

## What You Want to Do

You want to observe, analyze, or act on ApsaraDB RDS database performance — whether through real-time metrics, historical trends, or detailed SQL execution records. This includes setting up alerts, viewing slow queries, or auditing SQL statements for compliance.

**Typical User Questions**:
- How do I monitor RDS performance metrics?
- Can I set up alerts for high CPU usage?
- How to enable SQL audit?

## Decision Tree

Pick the best path for your situation:

- **If** you need to integrate RDS monitoring data into external systems like custom dashboards or CI/CD pipelines → Use API (go to *rds/rds-monitoring*)
- **If** your primary need is security analysis, compliance (GDPR/PCI DSS), or forensic investigation of SQL activity → Use SQL (go to *rds/rds-logs*)
- **If** you want interactive visualization of real-time metrics, quick alert configuration, or historical trend analysis via GUI → Use (go to *rds/rds-monitoring*)
- **Otherwise (default)** → Start with ****, as it provides immediate visibility without coding and supports common tasks like configuring **Alert Rule Settings** and using **Performance Insight**.

## Path Comparison

| Path | Best For | Complexity | Code Required | Automation | Key Fact | Detail Skill |
|------|----------|------------|---------------|------------|----------|-------------|
| API | Need programmatic access to metrics for integration or automation | medium | Yes | Yes | Free tier includes 1000 monthly API calls; rate-limited to 100 QPS | `rds/api/rds-monitoring` |
| Interactive viewing, alert setup, and diagnostic analysis via GUI | low | No | No | 5-second monitoring frequency billed at CNY 0.05/hour | `rds/guide/rds-monitoring` |
| SQL | Security auditing, compliance, or detailed SQL execution tracking | medium | No | No | SQL Explorer and Audit billed per GB-hour; logs deleted immediately if disabled | `rds/guide/rds-logs` |

## Path Details

### Path 1: API

**Best For**: Need to integrate RDS monitoring data into custom monitoring systems or automated analysis workflows.

**Brief Description**: The ApsaraDB RDS Monitoring and Alerts API provides programmatic access to **enhanced monitoring metrics** and **performance parameters** via synchronous REST calls. It uses bearer token authentication and supports retrieval of monitoring data, log records, and instance performance stats without GUI interaction.

**Key technical facts**:
- Billing: Per-request billing model where each API call counts as one request regardless of data returned; free tier includes 1000 monthly calls for Monitoring Metrics and Instance Performance APIs
- Auth method: Bearer token authentication using Authorization header
- Regions available: cn-hangzhou, cn-shanghai, cn-beijing
- Prerequisites: Valid Alibaba Cloud API credentials, Instance ID from DescribeDBInstances operation

**When to Use**:
- Need to integrate RDS monitoring data into custom monitoring systems
- Require automated analysis of database performance metrics
- Building CI/CD pipelines that validate database performance
- Need programmatic access to historical performance data across multiple instances

**When NOT to Use**:
- User needs interactive visualization of real-time metrics
- Quick troubleshooting without writing code is required
- Configuring alert rules through a visual interface is preferred
- User lacks API credentials or programming expertise

**Known Limitations**:
- Maximum time range for slow logs and error logs is 31 days
- SQL audit logs via DescribeSQLLogRecords have maximum 15-day query time range
- Monitoring frequency modification limited to values 5, 10, 60, or 300 seconds
- Enhanced Monitoring metrics configuration limited to maximum 30 metric keys
- Rate limits of 100 QPS per account for most monitoring APIs

### Path 2: Console / Dashboard
**Best For**: Interactive viewing of real-time metrics, configuring alerts, or analyzing historical trends without code.

**Brief Description**: The ApsaraDB RDS web console offers built-in tools including **Monitoring and Alerts**, **Autonomy Services**, **Performance Insight**, and **Custom Monitoring Dashboard**, all integrated with **CloudMonitor**. Users can view metrics in **real-time mode**, set up **Initiative Alert** policies, and diagnose performance issues visually.

**Key technical facts**:
- Billing: Standard monitoring (60s/300s) is free; 5-second monitoring frequency billed at CNY 0.05 per hour
- Auth method: Console SSO
- Prerequisites: Active ApsaraDB RDS instance, Alibaba Cloud console access with appropriate permissions, Alert contact group configured in CloudMonitor

**When to Use**:
- Interactive viewing of real-time database metrics is needed
- Quick configuration of alert rules through visual interface
- Analyzing historical performance trends with diagnostic capabilities
- Creating custom monitoring dashboards for multiple instances
- User prefers GUI over coding for database monitoring tasks

**When NOT to Use**:
- Integration with external monitoring systems is required
- Automated analysis workflows need programmatic access
- Custom data processing or transformation of metrics is needed
- Monitoring needs to be part of scripted operational procedures

**Known Limitations**:
- Historical monitoring data retention limited to last 30 days
- Custom dashboards can monitor maximum 32 instances simultaneously
- 5-second monitoring frequency incurs hourly charges
- Performance Insight requires MySQL instance with ≥8GB RAM and not Basic Edition
- Some advanced features require specific RDS editions (High-availability, Enterprise, or Cluster)

### Path 3: SQL

**Best For**: Detailed SQL execution records for security analysis, audit compliance, or forensic investigations.

**Brief Description**: Accessed via the **Logs tab**, this path enables viewing and analyzing **Audit Log**, **Slow Query Log**, and **Error Log** through the **SQL Explorer and Audit** feature. It supports direct querying of PostgreSQL logs using the **log_fdw extension** and integrates with **Database Audit** services under **Service Settings**.

**Key technical facts**:
- Billing: SQL Explorer and Audit billed per GB-hour based on region; log downloads charged at CNY 0.001 per request with 100 free requests monthly
- Auth method: Console SSO
- Prerequisites: Active ApsaraDB RDS instance, DAS Enterprise Edition subscription (for SQL Explorer and Audit), PostgreSQL 11 engine (for log queries), RAM user permissions for AliyunRDSReadOnlyWithSQLLogArchiveAccess

**When to Use**:
- Detailed SQL execution records are needed for security analysis
- Audit compliance requirements (GDPR, PCI DSS, SOX) must be met
- Forensic investigation of suspicious database activity is required
- Direct SQL querying of PostgreSQL logs without downloading is needed
- User needs to view and download specific log types through a visual interface

**When NOT to Use**:
- Real-time performance metrics monitoring is the primary need
- Programmatic access to log data for integration with SIEM systems is required
- Automated log analysis workflows need API access
- User needs performance bottleneck identification rather than SQL statement tracking

**Known Limitations**:
- Maximum time range for log retrieval typically limited to 7 days
- Online query time range for SQL audit logs limited to 24 hours
- Enabling SQL Audit on PPAS may impact database performance
- All stored audit logs immediately deleted when SQL Explorer and Audit is disabled
- PostgreSQL log querying requires specific engine version (PostgreSQL 11)
- Downloaded log files limited to 100 MB per download

## FAQ

Q: Which path should I start with?
A: Start with **** if you’re troubleshooting, setting up alerts, or exploring performance — it’s low-complexity and gives immediate access to **Monitoring and Alerts**, **Performance Insight**, and **CloudMonitor**.

Q: If I need to feed RDS metrics into my company’s Grafana dashboard but chose the console path, what happens?
A: You’ll hit a dead end — the console doesn’t support data export or API endpoints for external consumption. You must use **API** for integration.

Q: If I’m investigating a security breach and chose the API path to get SQL audit logs, what limitation will I face?
A: The API’s **DescribeSQLLogRecords** only allows a 15-day query window, and you lose access to interactive filtering and the **log_fdw extension** for direct PostgreSQL log queries — use **SQL** instead.

Q: Can I use Performance Insight on any RDS instance?
A: No — **Performance Insight** requires a MySQL instance with ≥8GB RAM and excludes Basic Edition. Check your instance specs before relying on this feature.

Q: What happens if I disable SQL Explorer and Audit after collecting months of logs?
A: All stored **Audit Log** data is **immediately deleted** — there’s no grace period. Ensure you’ve exported critical logs before disabling.

Q: Is 5-second monitoring available in all regions?
A: The fact cards don’t specify regional restrictions for monitoring frequency, but the API is only confirmed in **cn-hangzhou, cn-shanghai, cn-beijing**. For other regions, consult the detail skill.

### [Optimize performance](https://company-skill.com/p/rds/rds-optimize-performance.md)

## What You Want to Do

You want to identify and resolve performance bottlenecks in your ApsaraDB RDS database—such as slow SQL queries, high I/O usage, or inefficient execution plans—and apply optimizations like index creation or query rewriting.

**Typical User Questions**:
- How do I optimize slow SQL queries?
- Can I enable automatic SQL optimization?
- How to handle long-running queries?

## Decision Tree

Pick the best path for your situation:

- **If** you need to build a custom performance dashboard or automate optimization workflows using code → Use API (go to *rds/rds-monitoring*)
- **If** you are experiencing specific issues like high I/O, inconsistent query times, or metadata lock contention → Use (go to *rds/rds-performance*)
- **If** you want interactive, no-code analysis with automatic suggestions like Automatic Index Creation and Deletion → Use SQL (go to *rds/rds-performance*)
- **Otherwise (default)** → Start with **SQL**, as it provides the most accessible entry point with integrated tools like Database Autonomy Service (DAS) and Performance Insight for general SQL tuning.

## Path Comparison

| Path | Best For | Complexity | Code Required | Automation | Key Fact | Detail Skill |
|------|----------|------------|---------------|------------|----------|-------------|
| SQL | SQL | medium | No | No | Includes Database Autonomy Service (DAS) with Automatic Index Creation and Deletion; Full SQL Statistics requires manual enablement | `rds/guide/rds-performance` |
| I/O | high | No | No | Healthy InnoDB buffer pool hit ratio must be ≥99%; PostgreSQL’s log_min_duration_statement defaults to 1000ms | `rds/troubleshooting/rds-performance` |
| API | high | Yes | Yes | Uses DescribeDBInstancePerformance and DescribeSlowLogs; billed per API request with QPS limit of 100/sec | `rds/api/rds-monitoring` |

## Path Details

### Path 1: SQL

**Best For**: SQL

**Brief Description**: This path leverages ApsaraDB RDS console features powered by Database Autonomy Service (DAS) and CloudDBA. It provides SQL Analysis and Optimization, Slow Query Logs, Performance Insight, Full SQL Statistics, Autonomy Center, and Query Governance—all accessible via UI without coding.

**Key technical facts**:
- Billing: SQLRDSDAS SQL

**When to Use**:
- Need interactive analysis of slow SQL with visual diagnostics
- Want automatic optimization suggestions without writing code
- Wish to apply index recommendations directly in the console
- Require historical SQL execution trends via Full SQL Statistics

**When NOT to Use**:
- Need to build custom performance analysis tools
- Facing specific issues like high I/O or inconsistent execution times
- Require programmatic access to performance data

**Known Limitations**:
- Basic Edition instances only support viewing/exporting Slow Query Logs—no SQL diagnosis or optimization
- Full SQL Statistics is disabled by default and must be manually enabled via SQL Explorer
- Automatic SQL optimization suggestions may take over 20 seconds to appear
- Query Governance is only available for High-availability Edition ApsaraDB RDS for PostgreSQL in mainland China, Hong Kong, and Singapore

### Path 2: Console / Dashboard
**Best For**: I/O

**Brief Description**: This path uses built-in diagnostic commands and console tabs like SQL Explorer and Audit, SHOW PROCESSLIST, and advanced EXPLAIN formats (EXPLAIN (ANALYZE, VERBOSE, BUFFERS) and EXPLAIN FORMAT=JSON) to investigate root causes of performance degradation. It also involves configuring parameters such as `long_query_time` (for MySQL) or `log_min_duration_statement` (for PostgreSQL) to capture slow queries.

**When to Use**:
- Diagnosing high CPU, high I/O, or long-running queries
- Analyzing execution plans to detect full table scans or missing indexes
- Resolving discrepancies between SQL Explorer and slow log timestamps
- Handling metadata lock waits or uncommitted transactions

**When NOT to Use**:
- Only seeking automatic optimization suggestions
- Needing to integrate performance data into external systems
- Avoiding deep SQL or system-level analysis

**Known Limitations**:
- Slow Query Logs are retained for only 7 days by default
- InnoDB buffer pool hit ratio below 99% indicates excessive disk reads
- PostgreSQL’s log_min_duration_statement defaults to 1000 milliseconds
- Large single-transaction UPDATE/DELETE operations generate heavy redo logs and dirty pages, risking I/O overload

### Path 3: API

**Brief Description**: This path uses ApsaraDB RDS Monitoring and Alerts APIs—including DescribeDBInstancePerformance, DescribeAvailableMetrics, DescribeSlowLogs, DescribeErrorLogs, and ModifySQLCollectorPolicy—to programmatically retrieve metrics, manage SQL auditing, and integrate RDS data into custom monitoring stacks.

**Key technical facts**:
- Billing: APIAPI510
- Auth method: Bearer TokenAuthorization: Bearer <your_api_key>
- Regions available: cn-hangzhou, cn-shanghai, cn-beijing

**When to Use**:
- Building custom performance dashboards or alerting systems
- Integrating RDS metrics into existing observability platforms
- Programmatically managing SQL audit policies and log retention
- Querying performance data across multiple RDS instances in bulk

**When NOT to Use**:
- Preferring visual, no-code analysis of slow queries
- Troubleshooting immediate issues like metadata locks or I/O spikes
- Lacking development resources or API familiarity

**Known Limitations**:
- Slow/error logs can only be queried over a max 31-day window
- SQL audit logs (via DescribeSQLLogRecords) limited to 15 days
- Monitoring API QPS capped at 100 requests/second per account
- DescribeSlowLogs max frequency: 10 requests/second
- ModifyDBInstanceMetrics supports up to 30 metric keys

## FAQ

Q: Which path should I start with?
A: Start with **SQL** if you’re unsure—it offers the broadest set of no-code diagnostics via Database Autonomy Service (DAS), Performance Insight, and Automatic Index Creation and Deletion.

Q: What if I need to monitor buffer pool hit ratio but used the API path without checking limitations?
A: You’ll successfully retrieve metrics via DescribeDBInstancePerformance, but if your region isn’t cn-hangzhou/cn-shanghai/cn-beijing, the API may not be available—always verify region support first.

Q: If I have a long-running query due to a metadata lock but chose SQL, what happens?
A: You won’t get actionable insights—the console’s SQL Analysis and Optimization focuses on query patterns, not lock contention. You’d miss critical diagnostics only available via SHOW PROCESSLIST and SQL Explorer and Audit in the troubleshooting path.

Q: If I try to build an automated index tuner using only the console path, will it work?
A: No—you cannot programmatically trigger or integrate Automatic Index Creation and Deletion. The console lacks automation hooks; you’d need DescribeSQLLogRecords and ModifySQLCollectorPolicy from the API path.

Q: Can I use Query Governance on a Basic Edition RDS instance?
A: No—Basic Edition only supports exporting Slow Query Logs. Query Governance requires High-availability Edition PostgreSQL in supported regions (mainland China, Hong Kong, Singapore).

Q: Why might my EXPLAIN (ANALYZE, VERBOSE, BUFFERS) output differ from Performance Insight?
A: Performance Insight shows aggregated trends, while EXPLAIN provides per-execution details. Use both: EXPLAIN for plan correctness, Performance Insight for load impact.

Q: 如果我需要排查因 long_query_time 设置过高而漏掉慢查询的问题，但选择了 SQL 路径，会怎样？
A: 控制台的慢日志功能依赖数据库参数配置。若未通过 SQL 路径中的 SQL Explorer 正确设置 long_query_time（MySQL）或 log_min_duration_statement（PostgreSQL），可能导致慢查询未被记录，从而无法在 DAS 中分析。

Q: 如果我想通过 API 获取可用监控指标列表但未调用 DescribeAvailableMetrics，会怎样？
A: 你将无法知道哪些指标可用于 DescribeDBInstancePerformance，可能导致请求无效指标而失败。DescribeAvailableMetrics 是程序化发现有效指标键的必要前置步骤。


## Frequently asked questions

### How do I choose between API and console for my task?

Use the console for one-time setup, visual monitoring, and interactive operations. Use APIs/SDKs for automation, integration with applications, and repetitive tasks that need programmatic control.

### What should I do if I encounter API authentication errors?

Verify your AccessKey ID and Secret are correct and have appropriate RAM permissions for RDS operations. Ensure your system clock is synchronized as API requests include timestamps that expire quickly.

### How can I access the RDS console if I don't see my instances?

Check that you're in the correct region (instances are region-specific) and that your account has the necessary permissions. If you recently created instances, refresh the page as there might be a brief delay in display.

### When should I use Database Proxy versus direct instance connections?

Use Database Proxy for production workloads requiring high availability, read/write splitting, connection pooling, or SSL termination. Direct connections are suitable for development, testing, or simple applications without these requirements.

### What's the difference between troubleshooting guides and regular documentation?

Troubleshooting guides specifically address error conditions, failure scenarios, and diagnostic procedures. Regular documentation covers standard operational procedures and feature configurations under normal conditions.

### How do I back up and restore my database data?

You can back up and restore database data by performing backup operations and restoring from existing backups. This capability allows you to manage backup configurations, create and query backup files, and handle cross-region restoration scenarios.

### How do I configure database security settings and access control?

You configure database security settings and access control by setting up security configurations and managing access permissions for your RDS instances. This includes managing features like IP whitelists, SSL encryption, TDE, and security groups.

### How do I manage database accounts and permissions?

You manage database accounts and permissions by creating accounts and assigning specific access privileges. This process includes handling account passwords, granting permissions, and controlling access for your RDS instances.

### How do I manage the lifecycle and configuration of a database instance?

You manage the lifecycle and configuration of a database instance by creating, modifying, and performing lifecycle operations on your RDS instances. This covers all instance-level settings and configuration adjustments throughout the instance's lifespan.

## Cross-product integrations

- [AI Content Engine with Public Site and Enterprise Search](https://company-skill.com/p/_combos/ai-content-engine-with-public-site-and-enterpris-9db7c8.md) (alinux + cloudflare + bailian + notion + vercel)
- [AI Content Platform on Managed Infrastructure](https://company-skill.com/p/_combos/ai-content-platform-on-managed-infrastructure-265158.md) (alinux + cloudflare + bailian + notion + vercel)
- [AI Content Platform with Search and Frontend](https://company-skill.com/p/_combos/ai-content-platform-with-search-and-frontend-d3ca31.md) (alinux + cloudflare + bailian + notion + vercel)
- [AI Content Platform with Site and Search](https://company-skill.com/p/_combos/ai-content-platform-with-site-and-search-7bf25b.md) (alinux + cloudflare + bailian + notion + vercel)
- [AI-Driven Search Knowledge Platform](https://company-skill.com/p/_combos/ai-driven-search-knowledge-platform-803ad0.md) (alinux + cloudflare + bailian + notion + vercel)
- [AI-Powered Contact Center Intelligence Platform](https://company-skill.com/p/_combos/ai-powered-contact-center-intelligence-platform-cbbc60.md) (eb + es + dataworks + ess + opensearch)
- [AI Recommendation Platform with RAG Explanations](https://company-skill.com/p/_combos/ai-recommendation-platform-with-rag-explanations-8803cd.md) (airec + alinux + opensearch + bailian + pai)
- [App User Auth with Database Backend](https://company-skill.com/p/_combos/app-user-auth-with-database-backend-294893.md) (idaas)

## Use with an AI agent

```bash
curl -s https://company-skill.com/api/route \
  -H 'Content-Type: application/json' \
  -d '{"query": "...", "product": "rds"}'
```

MCP server: https://company-skill.com/api/mcp/rds.py

---
Machine-readable: https://company-skill.com/llms.txt · https://company-skill.com/sitemap.xml