DaaS / Products / Deploy Web App Backend with Database

Deploy Web App Backend with Database

A developer provisions an ECS instance with proper security group rules to allow database connectivity, creates an RDS instance for the application backend, and sets up database accounts with appropriate permissions so the application can securely connect to the database.

Products involved

Scenario

When deploying a web application backend that requires persistent relational storage, developers must provision an ECS compute instance alongside an ApsaraDB RDS instance, then securely bridge them via VPC networking and least-privilege database accounts. This workflow ensures the application can authenticate and query the database without exposing credentials or ports to the public internet.

Integration steps

Configure ECS Security Group: Allow inbound MySQL traffic from your private subnet.

``bash aliyun ecs AuthorizeSecurityGroup --SecurityGroupId sg-xxx --IpProtocol tcp --PortRange 3306/3306 --SourceCidrIp 10.0.0.0/24 ``

Provision RDS Instance: Create the database in the same VPC/VSwitch as the ECS target.

``bash aliyun rds CreateDBInstance --Engine MySQL --EngineVersion 8.0 --DBInstanceClass rds.mysql.s2.large --VPCId vpc-xxx --VSwitchId vsw-xxx --SecurityIPList 10.0.0.0/24 ``

Create Application Account: Initialize a dedicated user (routes to rds-manage-accounts).

``bash aliyun rds CreateAccount --DBInstanceId rm-xxx --AccountName app_user --AccountPassword 'SecurePass123!' --AccountType Normal ``

Grant Privileges: Assign read/write access to the target schema.

``bash aliyun rds GrantAccountPrivilege --DBInstanceId rm-xxx --AccountName app_user --DBName app_db --AccountPrivilege ReadWrite ``

Launch ECS Instance: Attach to the preconfigured security group and VSwitch.

``bash aliyun ecs RunInstances --InstanceType ecs.t6-c1m2.large --ImageId aliyun_3_x64_20G_alibase_20230920.vhd --VSwitchId vsw-xxx --SecurityGroupId sg-xxx --InstanceName web-backend ``

Inject Credentials: Export environment variables in your deployment script or CI/CD pipeline.

``bash export DB_HOST=rm-xxx.mysql.rds.aliyuncs.com export DB_PORT=3306 export DB_USER=app_user export DB_PASS='SecurePass123!' ``

Validate Connectivity: Run a quick TCP and auth test from the ECS instance.

``bash nc -zv $DB_HOST $DB_PORT && mysql -h $DB_HOST -P $DB_PORT -u $DB_USER -p$DB_PASS -e "SELECT 1;" ``

Architecture

The ECS instance runs the application runtime and acts as the database client. All traffic flows over the private VPC network to the RDS endpoint, which handles query execution, connection pooling, and automated backups. Security groups enforce network-layer isolation, while RDS account privileges enforce application-layer data access control.

Prerequisites

Alibaba Cloud CLI (aliyun) installed and authenticated with an AccessKey pair
Existing VPC and VSwitch in the target region
Sufficient ECS and RDS quotas for the selected instance classes
Application code configured to read database credentials from environment variables

Common pitfalls

Mismatched VPC/VSwitch: RDS and ECS must reside in the exact same VPC; cross-VPC routing requires CEN or peering, breaking default private connectivity.
Overly permissive SecurityIPList: Setting 0.0.0.0/0 on RDS exposes the database to the internet. Always restrict to the ECS security group CIDR.
Missing GrantAccountPrivilege: Creating an account without explicitly granting schema access results in Access denied errors at runtime.
Outbound Port Blocking: Forgetting to allow outbound TCP 3306 from the ECS security group silently drops connection attempts.

Typical questions

deploy backend application
set up web app with database
provision application infrastructure
搭建应用环境
部署后端应用
create app database
configure app networking and DB
full-stack deployment