Configure distributed transactions for ApsaraDB RDS for SQL Server-ApsaraDB RDS(RDS)-阿里云帮助中心

ApsaraDB RDS for SQL Server provides a distributed transaction whitelist to ensure transaction consistency and isolation. First, configure the whitelist on your RDS instance to authorize specific ECS instances for transaction processing. Then, adjust the security group rules on those ECS instances to match the RDS whitelist. This creates a secure, stable distributed transaction environment and simplifies troubleshooting.

Prerequisites

Your ApsaraDB RDS for SQL Server instance must meet the following requirements:

Database version: 2022 Enterprise Cluster Edition, 2019 Enterprise Cluster Edition, 2017 Enterprise Cluster Edition, 2016 Enterprise Edition, 2014 Enterprise Edition, 2012 Enterprise Edition, 2022 Standard Edition, 2019 Standard Edition, 2017 Standard Edition, 2016 Standard Edition, 2014 Standard Edition, 2012 Standard Edition, or 2008 R2 with cloud disks
Instance family: General-purpose or Dedicated. shared instances are not supported.
Billing method: subscription or pay-as-you-go. serverless instances are not supported.

Note

You can view this information on the Basic Information page of your instance.

Usage notes

If you perform a major version upgrade, minor version upgrade, or migration across zones on your ApsaraDB RDS for SQL Server instance, the hostname and IP address of the underlying ECS instance may change. You must then reconfigure the distributed transaction whitelist to match the new IP address.

You can view the current hostname and IP address on the Data Security > Whitelist for Distributed Transaction page of your instance details.

RDS configuration

Step 1: Configure an IP whitelist group

Configure an IP whitelist on the RDS instance to grant access to specific ECS instances.

Log on to the ApsaraDB RDS console and go to the Instances page. In the top navigation bar, select the region in which the RDS instance resides. Then, find the RDS instance and click the instance ID.
In the left-side navigation pane, click Whitelist and SecGroup. To the right of the default whitelist group, clickModify, and then enter the IP address of the ECS instance.
Note
- If the ECS instance and the RDS instance are in the same virtual private cloud (VPC), enter the private IP of the ECS instance.
- If the ECS and RDS instances are in different VPCs, enter the public IP of the ECS instance. You must also apply for a public endpoint for the RDS instance.
- You can view the private or public IP on the Instance Details page of the ECS instance.
In the Basic Information section, check the Elastic IP Address field to find the public IP. In the Network Information section, check the Primary Private IP field to find the private IP.
Click OK.

Step 2: Configure the distributed transaction whitelist

Configure the distributed transaction whitelist on the RDS instance to authorize ECS instances by their computer name for distributed transactions.

On the instance details page, click Data Security in the left-side navigation pane, and then click the Distributed Transaction Whitelist tab.

Click Create Whitelist. Configure the following parameters and then click OK.

Parameter

Description

Whitelist Name:

The name must be 2 to 32 characters in length and can contain only lowercase letters, digits, and underscores (_). It must start with a lowercase letter and end with a letter or digit.

IP Addresses

Enter the IP address and Windows hostname of the ECS instance in the format ECS_instance_IP_address,hostname, separated by a comma (,). For example: 192.168.1.100,k3ecstest. To add multiple ECS instances, enter each on a new line.

How to find the hostname: On the Windows operating system of your ECS instance, navigate to Control Panel > System and Security > System to view the hostname.

ECS configuration

Adjust the security group rules for the ECS instance and open the required ports to match the RDS whitelist settings. This alignment creates a secure environment for distributed transactions.

Log on to the ECS console.
In the left-side navigation pane, choose Instances & Images > Instance.
In the upper-left corner of the page, select the region where the instance is located.
Find the target instance and click its ID.
Click the Security Group tab.
Find the target security group and click Manage Rules in the operation column.
Click the Inbound tab, and then click Add Rule.

Configure the following parameters and click OK.

Parameter	Description
Authorization Policy	Select Allow.
Priority	Keep the default value: 1.
Protocol	Select Custom TCP.
Access Source	Go to the Data Security > Whitelist for Distributed Transaction page for your RDS instance. In the RDS Instance Information section, find the two IP addresses associated with your RDS instance (the IP addresses of the underlying ECS instance). Enter these two IP addresses (such as `172.xxx.x.x`) in the Authorization Object field. The changes typically take about 5 minutes to take effect. Each RDS instance supports a maximum of five distributed transaction whitelist groups. Note You can also call the DescribeDBInstanceIpHostname API operation to query the IP addresses.
Port range	Select Port and enter 135. Note Port 135 is the fixed port for the RPC service.
Description	The description must be 2 to 256 characters in length and cannot start with `http://` or `https://`.

Configure another security group rule. Set the Port range Port to 1024-65535. The other parameters are the same as in Step 8.

References

For best practices related to distributed transactions, see Connect Kingdee K/3 WISE to an ApsaraDB RDS for SQL Server instance.
For more scenarios and operations related to whitelists, see Configure an IP address whitelist.
For details about security group concepts, limits, and best practices, see Security group overview.

Troubleshooting

What I do if an application fails to communicate with the distributed transaction manager and I receive the error `Communication with the underlying transaction manager has failed.`?

Possible cause	Solution
The IP address and hostname of the RDS instance have changed.	If you perform a major version upgrade, minor version upgrade, or migration across zones on your ApsaraDB RDS for SQL Server instance, the hostname and IP address of the underlying ECS instance may change. You must then reconfigure the distributed transaction whitelist to match the new IP address. You can view the current hostname and IP address on the Data Security > Whitelist for Distributed Transaction page of your instance details.
The transaction manager service is in an abnormal state.	Even if the IP address is correct, communication can fail if the transaction manager is not running properly due to misconfiguration, permission issues, or insufficient server resources. An unstable or interrupted network connection can also cause this failure.