To ensure the security and stability of Redis databases, the system blocks all IP addresses that attempt to access ApsaraDB for Redis instances by default. Before you use an ApsaraDB for Redis instance, you must add IP addresses or CIDR blocks that are used to access the ApsaraDB for Redis instance to an IP address whitelist of the instance. We recommend that you periodically manage your IP address whitelists to improve the access security and secure data in the ApsaraDB for Redis instances.

Prerequisites

  • The ApsaraDB for Redis instance is upgraded to the latest minor version. For more information about how to upgrade the minor version, see Upgrade the minor version.
  • To add security groups of Elastic Compute Service (ECS) instances to IP address whitelists, the engine version of the ApsaraDB for Redis instance must be Redis 4.0 or later.

Methods to set an IP address whitelist

  • Method 1: Set an IP address whitelist. Manually add the IP address of a client to the IP address whitelist of the ApsaraDB for Redis instance to allow the client to access the instance.
  • Method 2: Add ECS security groups to an IP address whitelist. A security group is a virtual firewall that is used to control the inbound and outbound traffic of ECS instances in the security group. To authorize multiple ECS instances to access an ApsaraDB for Redis instance, you can associate the ApsaraDB for Redis instance with the security group of the ECS instances. This method is more convenient than manually adding the IP addresses of the ECS instances to the IP address whitelist.
Note You can also use both methods to set an IP address whitelist for an ApsaraDB for Redis instance. After you add client IP addresses and security groups to an IP address whitelist, both the client IP addresses and ECS instances in the security groups can access the ApsaraDB for Redis instance.

Method 1: Set an IP address whitelist

  1. Log on to the ApsaraDB for Redis console.
  2. On the top of the page, select the region where the instance is deployed.
  3. On the Instance List page, click the Instance ID of the instance.
  4. In the left-side navigation pane, click Whitelist Settings.
  5. Find the IP address whitelist that you want to manage and click Modify.
    Note You can also click Add Whitelist to create an IP address whitelist. The name of the IP address whitelist must be 2 to 32 characters in length and can contain lowercase letters, digits, and underscores (_). It must start with a lowercase letter and end with a lowercase letter or digit.
  6. In the dialog box that appears, perform one of the following operations:
    • Manually modify the IP address whitelist

      Enter IP addresses or CIDR blocks.

      Figure 1. Manually modify the IP address whitelist
      Note
      • Separate multiple IP addresses with commas (,). A maximum of 1,000 unique IP addresses can be added. Supported formats are specific IP addresses such as 10.23.12.24 and CIDR blocks such as 10.23.12.24/24. /24 indicates the length of the IP address prefix. An IP address prefix can be 1 to 32 bits in length.
      • If you set the prefix length to 0, for example, 0.0.0.0/0 or 127.0.0.1/0, all IP addresses are allowed to access the instance. This poses a high security risk. Proceed with caution.
    • Add private IP addresses of ECS instances to an IP address whitelist
      1. Click Load ECS Internal Network IP.
      2. Select IP addresses based on your business requirements.
        Figure 2. Add private IP addresses of ECS instances
        Note To find the ECS instance that is assigned a specific IP address, you can move the pointer over the IP address. Then, the system displays the ID and name of the ECS instance to which the IP address is assigned.
    • Remove IP addresses from the IP address whitelist

      To remove all IP addresses from the IP address whitelist but retain the IP address whitelist, click Delete.

  7. Click OK.

Method 2: Add ECS security groups to an IP address whitelist

You can add security groups to a whitelist of the ApsaraDB for Redis instance. Then, the ECS instances in the security groups can access the ApsaraDB for Redis instance over an internal network or the Internet. The ApsaraDB for Redis instance must have a public endpoint if you want to access the ApsaraDB for Redis instance over the Internet. For more information, see Use a public endpoint to connect to an ApsaraDB for Redis instance.

Note Before you add a security group to an IP address whitelist, make sure that the network types of the ApsaraDB for Redis instance and the ECS instances in the security group are the same. If the network types of the ApsaraDB for Redis instance and ECS instances are VPC, make sure that they are deployed in the same VPC.
  1. Log on to the ApsaraDB for Redis console.
  2. On the top of the page, select the region where the instance is deployed.
  3. On the Instance List page, click the Instance ID of the instance.
  4. In the left-side navigation pane, click Whitelist Settings.
  5. Click Add Security Group.
  6. In the dialog box that appears, select the security group that you want to add.
    Figure 3. Add security groups
    Note
    • You can identify a security group by moving the pointer over the ID of the security group. Then, the name and description of the security group are displayed. If you move the pointer over the VPC icon, you can view the ID of the VPC.
    • You can add up to 10 security groups to each ApsaraDB for Redis instance.
  7. Click OK.
  8. Optional: To remove all security groups, click Delete.

Related API operations

  • DescribeSecurityIps: Queries the IP address whitelists of an ApsaraDB for Redis instance.
  • ModifySecurityIps: Configures the IP address whitelists of an ApsaraDB for Redis instance.
  • DescribeSecurityGroupConfiguration: Queries the security groups that are added to the IP address whitelists of an ApsaraDB for Redis instance.
  • ModifySecurityGroupConfiguration: Modifies the security groups that are added to the IP address whitelists of an ApsaraDB for Redis instance.

FAQ

  • Q: Why are IP address whitelists automatically created for ApsaraDB for Redis instances? Can I delete these IP address whitelists?

    A: When you create an ApsaraDB for Redis instance, a default IP address whitelist is automatically created. After you perform specific operations on the instance, more IP address whitelists are automatically created. For more information, see the following table.

    • default: The default IP address whitelist, which cannot be deleted.
    • ali_dms_group: This IP address whitelist is automatically created by Data Management (DMS) when you log on to an ApsaraDB for Redis instance through DMS. For more information, see Use DMS. Do not delete or modify the IP address whitelist. Otherwise, you may fail to log on to the ApsaraDB for Redis instance through DMS.
    • hdm_security_ips: This IP address whitelist is automatically created by Database Autonomy Service (DAS) when you use CloudDBA-related features, such as Cache analysis. Do not delete or modify the IP address whitelist. Otherwise, the CloudDBA feature may become unavailable.
  • Q: In addition to client IP addresses, the IP address whitelist also contains IP address 127.0.0.1. In this case, can the client IP addresses connect to the ApsaraDB for Redis instance?

    A: The client can connect to the ApsaraDB for Redis instance. If only 127.0.0.1 is left in all IP address whitelists, all IP addresses are blocked from connecting to the ApsaraDB for Redis instance.

  • Q: Why does the (error) ERR illegal address message appear after I use redis-cli to connect to an ApsaraDB for Redis instance?

    A: The IP address of the client where you run redis-cli is not added to an IP address whitelist of the ApsaraDB for Redis instance. You must check the IP address whitelists of the ApsaraDB for Redis instance.

  • Q: If the IP address of my client is not added to an IP address whitelist, can I check port connectivity by running the telnet command?
    A: Yes. The following message is returned after you run the telnet command:
    Escape character is '^]'.
    Connection closed by foreign host.
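
The whitelist rules from the "Manually modify the IP address whitelist" note (comma-separated entries, at most 1,000 unique entries, prefix length 1 to 32, /0 meaning allow-all) and the 127.0.0.1 and "ERR illegal address" cases from the FAQ, as an added Python pre-check that is not part of this documentation or of the ApsaraDB for Redis service. It only validates the string you are about to paste into the console; the sample whitelist values are constructed, and the finding prefixes (ERROR, HIGH RISK, WARNING) are this example's own convention.

```python
import ipaddress

MAX_ENTRIES = 1000  # limit stated in the console note
LOOPBACK = ipaddress.IPv4Network("127.0.0.1/32")


def parse_entry(entry):
    """Parse one whitelist entry (an IP address or a CIDR block) into an IPv4Network.

    Prefix length 0 is accepted here so that check_whitelist can flag it as a risk
    instead of rejecting it; anything outside 0..32 is a format error.
    """
    entry = entry.strip()
    addr, sep, prefix = entry.partition("/")
    if sep:
        if not prefix.isdigit() or not 0 <= int(prefix) <= 32:
            raise ValueError(f"prefix length in {entry!r} must be 0 to 32")
        prefix_len = int(prefix)
    else:
        prefix_len = 32  # a bare address means exactly that host
    # strict=False: 10.23.12.24/24 is accepted, as in the console note, and means 10.23.12.0/24
    return ipaddress.IPv4Network((addr, prefix_len), strict=False)


def check_whitelist(text):
    """Validate a comma-separated whitelist string. Returns a list of findings; [] means clean."""
    findings = []
    raw = [e.strip() for e in text.split(",") if e.strip()]
    if not raw:
        return ["ERROR: whitelist is empty"]
    networks = []
    for e in raw:
        try:
            networks.append(parse_entry(e))
        except ValueError as exc:  # AddressValueError is a ValueError subclass
            findings.append(f"ERROR: {exc}")
    if len(set(networks)) > MAX_ENTRIES:
        findings.append(f"ERROR: more than {MAX_ENTRIES} unique entries")
    if any(net.prefixlen == 0 for net in networks):
        findings.append("HIGH RISK: a /0 entry allows every IP address to access the instance")
    if networks and all(net == LOOPBACK for net in networks):
        findings.append("WARNING: only 127.0.0.1 remains, so every client is blocked")
    return findings


def client_allowed(client_ip, text):
    """True if client_ip matches some entry; False is what redis-cli reports as ERR illegal address."""
    ip = ipaddress.IPv4Address(client_ip)
    return any(ip in parse_entry(e) for e in text.split(",") if e.strip())
```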