
ApsaraDB for Redis: Step 2: Configure whitelists

Last Updated: Mar 06, 2024

By default, ApsaraDB for Redis blocks access from all IP addresses to ensure the security and stability of databases. Before you use an ApsaraDB for Redis instance, you must add IP addresses or CIDR blocks that are used to access the ApsaraDB for Redis instance to the whitelists of the instance. Whitelists can be used to improve the access security of ApsaraDB for Redis instances. We recommend that you maintain whitelists on a regular basis.

Methods for configuring a whitelist

Method: Add IP addresses or CIDR blocks to a whitelist

Description: Manually add the IP address of a client to a whitelist of a Redis instance to allow the client to access the Redis instance.

Method: Add a security group

Description: A security group is a virtual firewall that is used to control the inbound and outbound traffic of Elastic Compute Service (ECS) instances in the security group. For more information, see Overview.

To authorize multiple ECS instances to access a Redis instance, you can associate the security groups to which the ECS instances belong with the Tair instance. You do not need to manually add the IP addresses of the ECS instances to the whitelists of the Redis instance.

Note
  • The major version of the Tair instance must be 4.0 or later. For more information, see Upgrade the major version.

  • You cannot add ECS security groups as whitelists for Tair instances deployed in the following region: China (Heyuan).

  • You cannot add ECS security groups as whitelists for cloud disk-based cluster instances or cloud disk-based read/write splitting instances.

Scenario: Access an ApsaraDB for Redis instance from multiple ECS instances in the same region

Note

You can configure IP address whitelists and specify ECS security groups as whitelists for a Redis instance. Both IP addresses in the IP address whitelists and ECS instances in the security groups are allowed to access the instance.

Add public IP addresses to a whitelist

If you want to access a Redis instance from an on-premises device or if your ECS instance is not in the same virtual private cloud (VPC) as the Redis instance, perform the following steps to create a whitelist:

  1. Log on to the ApsaraDB for Redis console and go to the Instances page. In the top navigation bar, select the region in which the instance that you want to manage resides. Then, find the instance and click the instance ID.

  2. In the left-side navigation pane, click Whitelist Settings.

  3. Find the default whitelist and click Modify in the Actions column.

    Note

    You can also click Add Whitelist to create a whitelist. The name of a whitelist must be 2 to 32 characters in length and can contain lowercase letters, digits, and underscores (_). It must start with a lowercase letter and end with a lowercase letter or digit.

  4. Set Add way to Add Manually.

  5. In the Whitelist field, enter IP addresses or CIDR blocks.

    Methods for querying the public IP addresses of on-premises devices and ECS instances

    • ECS instance: See How do I query the IP addresses of ECS instances?

    • On-premises device: The method for querying the public IP address of an on-premises device may vary depending on your network environment or operation. The following list provides reference methods for obtaining the public IP address of an on-premises device by using commands in different operating systems:

        • Linux: Open the CLI, enter the curl ifconfig.me command, and then press Enter.

        • Windows: Open Command Prompt, enter the curl ip.me command, and then press Enter.

        • macOS: Start Terminal, enter the curl ifconfig.me command, and then press Enter.

    Separate multiple IP addresses with commas (,). A maximum of 1,000 unique IP addresses can be added. You can enter IP addresses and CIDR blocks in the following formats:

    • Specific IP addresses such as 10.23.12.24.

    • CIDR blocks such as 10.23.12.0/24. /24 indicates the length of the IP address prefix. An IP address prefix can be 1 to 32 bits in length. 10.23.12.0/24 indicates an IP address range from 10.23.12.0 to 10.23.12.255. For more information about CIDR blocks, see FAQ about CIDR blocks.

    Warning

    If you add 0.0.0.0/0 to a whitelist of a Tair instance, all IP addresses can connect to the instance. This operation poses security risks. Proceed with caution.

  6. Click OK.

  7. (Optional) To remove all IP addresses from a whitelist and delete the whitelist, click Delete in the Actions column corresponding to the whitelist.

    Whitelists that are generated by the system, such as default and hdm_security_ips, cannot be deleted.

Add private IP addresses of ECS instances to a whitelist

If your ECS instance belongs to the same VPC as a Redis instance, we recommend that you connect the ECS instance to the Tair instance over the VPC.

Note

If your ECS instance and the Redis instance do not belong to the same VPC, you can change the VPC to which the ECS instance belongs. For more information, see Change the VPC of an ECS instance.

  1. Log on to the ApsaraDB for Redis console and go to the Instances page. In the top navigation bar, select the region in which the instance that you want to manage resides. Then, find the instance and click the instance ID.

  2. In the left-side navigation pane, click Whitelist Settings.

  3. Find the default whitelist and click Modify in the Actions column.

    Note

    You can also click Add Whitelist to create a whitelist. The name of a whitelist must be 2 to 32 characters in length and can contain lowercase letters, digits, and underscores (_). It must start with a lowercase letter and end with a lowercase letter or digit.

  4. Set Add way to Load ECS Internal Network IP. The panel displays the private IP addresses of ECS instances that are deployed in the same region as the Tair instance.

  5. Move the pointer over an IP address to view the ID and name of the ECS instance to which the IP address is assigned. Then, select the required IP addresses.

  6. Click OK.

  7. (Optional) To remove all IP addresses from a whitelist and delete the whitelist, click Delete in the Actions column corresponding to the whitelist.

    Whitelists that are generated by the system, such as default and hdm_security_ips, cannot be deleted.

Bulk add public and private IP addresses of ECS instances by using security groups

Note
  • The major version of the Tair instance must be 4.0 or later. For more information, see Upgrade the major version.

  • You cannot add ECS security groups as whitelists for Tair instances deployed in the following region: China (Heyuan).

  • You cannot add ECS security groups as whitelists for cloud disk-based cluster instances or cloud disk-based read/write splitting instances.

If you want to connect multiple ECS instances to a Redis instance, you can add a security group as a whitelist for the Redis instance. After you add an ECS security group as a whitelist for a Redis instance, all ECS instances in the security group can access the Redis instance over an internal network or the Internet. If you want to access the Redis instance over the Internet, you must apply for a public endpoint for the Redis instance in advance. For more information, see Use a public endpoint to connect to a Tair instance.

  1. Log on to the ApsaraDB for Redis console and go to the Instances page. In the top navigation bar, select the region in which the instance that you want to manage resides. Then, find the instance and click the instance ID.

  2. In the left-side navigation pane, click Whitelist Settings.

  3. Click the Security Groups tab.

  4. On the Security Groups tab, click Add Security Group.

  5. In the dialog box that appears, select the security groups that you want to add as whitelists.

    You can use a security group name or security group ID to perform fuzzy search.

    Figure 3. Add security groups

    Note

    You can add up to 10 security groups as whitelists for each Tair instance.

  6. Click OK.

  7. (Optional) To remove all security groups, click Delete.

References

Related API operations

| API operation | Description |
| --- | --- |
| DescribeSecurityIps | Queries the IP address whitelists of an ApsaraDB for Redis instance. |
| ModifySecurityIps | Modifies the IP address whitelists of an ApsaraDB for Redis instance. |
| DescribeSecurityGroupConfiguration | Queries the security groups that are added as whitelists for an ApsaraDB for Redis instance. |
| ModifySecurityGroupConfiguration | Modifies the security groups that are added as whitelists for an ApsaraDB for Redis instance. |

FAQ

Why is the (error) ERR illegal address message returned after I use the redis-cli tool to connect to a Tair instance?

The IP address of the client where you use the redis-cli tool is not added to a whitelist of the Tair instance. You must check the whitelists of the Tair instance.

Why am I unable to configure security groups for my Redis instance?

Limits are imposed on instances for which security groups can be added as whitelists.

  • The major version of the Tair instance must be 4.0 or later. For more information, see Upgrade the major version.

  • You cannot add ECS security groups as whitelists for cloud disk-based cluster instances or cloud disk-based read/write splitting instances.

I have configured access rules in a security group for a Redis instance, but they do not take effect on the instance. Why?

Symptom: Access rules are configured for a security group to allow access only from an IP address such as 118.31.XX.XX to a Redis instance. However, other IP addresses can still access the instance.

Cause: The inbound and outbound traffic rules that you configured for the security group do not apply to the Redis instance. If you add a security group as a whitelist for a Redis instance, the ECS instances in the security group can access the Redis instance over a VPC or the Internet.

Why is the Connection closed by foreign host error message returned when I check port connectivity by running the telnet command?

The following error message is reported:

Escape character is '^]'.
Connection closed by foreign host.

The IP address of the client is not added to a whitelist of the Tair instance. Refer to the preceding method to add the IP address to a whitelist of the instance and try again.

Why are whitelists automatically created for a Redis instance? Can I delete these whitelists?

After you create a Redis instance, a default whitelist is automatically created. After you perform specific operations on the instance, more whitelists are automatically created, as described in the following table.

| Whitelist name | Source |
| --- | --- |
| default | The default whitelist that cannot be deleted. |
| ali_dms_group | This whitelist is automatically created by Data Management (DMS) when you log on to a Redis instance from DMS. For more information, see Use DMS to connect to a Tair instance. Do not delete or modify this whitelist. Otherwise, you may be unable to log on to the Redis instance from DMS. |
| hdm_security_ips | This whitelist is automatically created by Database Autonomy Service (DAS) when you use CloudDBA-related features such as cache analysis. For more information, see Use the offline key analysis feature. Do not delete or modify this whitelist. Otherwise, the CloudDBA-related features may become unavailable. |

A whitelist contains the IP address 127.0.0.1 in addition to client IP addresses. In this case, can these clients connect to the Redis instance?

Yes, these clients can connect to the Redis instance. If the whitelist contains only the IP address 127.0.0.1, no IP addresses are allowed to connect to the instance.
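
The format rules in "Add public IP addresses to a whitelist" (comma-separated IPv4 addresses and CIDR blocks, at most 1,000 unique entries, the whitelist naming rule, the 0.0.0.0/0 warning) and the 127.0.0.1 answer above can be checked before a list is entered in the console. The following Python checker is an added example, not Alibaba Cloud code; the audit_whitelist function, the /16 review threshold, and the sample values are assumptions made here.

```python
import ipaddress
import re

MAX_UNIQUE = 1000   # limit stated on this page
BROAD_PREFIX = 16   # assumed review threshold, not an ApsaraDB rule
NAME_RE = re.compile(r"[a-z][a-z0-9_]{0,30}[a-z0-9]")  # 2 to 32 characters


def audit_whitelist(name, value):
    """Return (unique_entries, findings) for one comma-separated whitelist."""
    findings, entries = [], []
    if not NAME_RE.fullmatch(name):
        findings.append(("error", f"bad whitelist name {name!r}"))
    for item in (part.strip() for part in value.split(",")):
        if not item:
            continue
        try:
            iface = ipaddress.IPv4Interface(item)  # bare address parses as /32
        except ValueError:
            findings.append(("error", f"{item}: not an IPv4 address or CIDR block"))
            continue
        net = iface.network
        entry = str(net.network_address) if net.prefixlen == 32 else str(net)
        if entry in entries:
            findings.append(("info", f"{item}: duplicate of {entry}"))
            continue
        entries.append(entry)
        if net.prefixlen == 0:
            findings.append(("critical", f"{item}: every IP address can connect"))
        elif net.prefixlen < BROAD_PREFIX:
            findings.append(("warn", f"{item}: {net.num_addresses} addresses allowed"))
        elif iface.ip != net.network_address:
            # The page does not say how host bits are treated; only report them.
            findings.append(("warn", f"{item}: host bits set, covers {entry}"))
    if len(entries) > MAX_UNIQUE:
        findings.append(("error", f"{len(entries)} unique entries, limit is {MAX_UNIQUE}"))
    if entries == ["127.0.0.1"]:
        findings.append(("warn", "only 127.0.0.1 listed: no client can connect"))
    return entries, findings


if __name__ == "__main__":
    # Constructed sample input, not taken from a real instance.
    sample = "10.23.12.24, 10.23.12.0/24,10.23.12.24,10.23.13.7/24,0.0.0.0/0,redis.local"
    allowed, issues = audit_whitelist("app_servers", sample)
    print(allowed)
    for severity, message in issues:
        print(f"{severity:8} {message}")
```

Running the same check over the output of DescribeSecurityIps on a schedule is one way to follow the recommendation to maintain whitelists on a regular basis.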