To ensure data security and guarantee high performance of ApsaraDB for Redis, before you use an ApsaraDB for Redis instance, you must set one or more IP address whitelists or specify Elastic Compute Service (ECS) security groups as whitelists. You can add client IP addresses or Classless Inter-Domain Routing (CIDR) blocks to a whitelist. We recommend that you update your whitelists on a regular basis to improve data security in ApsaraDB for Redis.

Prerequisites

  • The ApsaraDB for Redis instance is upgraded to the latest minor version.
    Note If your instance is not upgraded to the latest minor version, an error may occur when you set a whitelist. In this case, you can upgrade to the latest minor version to resolve the error. For more information, see Upgrade the minor version.
  • To specify an ECS security group as a whitelist, the engine version of ApsaraDB for Redis must be Redis 4.0 or later.
    Note If the engine version is Redis 2.8, upgrade the engine version to specify an ECS security group as a whitelist. For more information, see Upgrade the major version.

Precautions

  • When you use Data Management Service (DMS) to log on to the ApsaraDB for Redis instance, the system automatically generates a whitelist group with the name ali_dms_group. Do not manually add other IP addresses to this group. Otherwise, IP address loss may occur due to DMS changes.
  • Up to 512 IP addresses can be included in both whitelists and security groups of an ApsaraDB for Redis instance. After you set a security group for the ApsaraDB for Redis instance, if you add more IP addresses to the security groups and the total number of IP addresses exceeds the upper limit, the IP addresses that exceed the limit do not take effect. The existing valid IP addresses remain effective.
    Note Each IP address or CIDR block, such as 10.0.0.1 and 10.0.0.1/16, is counted as one entry.

Set one or more IP address whitelists

Note You can set one or more IP address whitelists and specify security groups as whitelists. All these whitelists can take effect at the same time. For more information, see Specify ECS security groups as whitelists. Only the IP addresses in the whitelists and the ECS instances in the security groups can be used to connect to the ApsaraDB for Redis instance.
  1. Log on to the ApsaraDB for Redis console.
  2. At the top of the page, select the region where the instance is deployed.
  3. In the left-side navigation pane, click Instances to go to the Instances page. Find the instance that you want to manage. Click the instance ID, or click the More icon and select Manage in the Action column for the instance.
  4. The Instance Information page is displayed by default. In the left-side navigation pane, click Whitelist Settings.
  5. On the Whitelist Settings page that appears, you can use the following methods to manage whitelists:
    Danger When you use DMS to log on to the ApsaraDB for Redis instance, the system automatically generates a whitelist group with the name ali_dms_group. Do not manually add other IP addresses to this group. Otherwise, IP address loss may occur due to DMS changes.
    • Create a whitelist with a custom whitelist name:
      1. Click Add Whitelist.
      2. In the Add Whitelist dialog box that appears, set Whitelist Name.
        Note
        • The whitelist name must be 2 to 32 characters in length, and can contain only lowercase letters, digits, and underscores (_). It must start with a lowercase letter and end with a letter or digit.
        • After you create the whitelist, you cannot change the whitelist name.
    • If you want to use an existing whitelist, click Modify on the right of the whitelist.
  6. In the Add Whitelist or Modify Whitelist of Group dialog box that appears, proceed with one of the following steps:
    • Modify a whitelist in the Whitelist of Group field:
      1. In the Whitelist of Group field, enter the IP addresses or CIDR blocks that can be used to connect to the ApsaraDB for Redis instance.
        Figure 1. Modify the whitelist
        Note
        • If you set the whitelist to 0.0.0.0/0, you allow connections from all IP addresses. To ensure data security, we recommend that you do not specify this CIDR block.
        • If you set the whitelist to a CIDR block, such as 10.10.10.0/24, you allow connections from the IP addresses within the CIDR block.
        • When you enter multiple IP addresses or CIDR blocks, separate them with commas (,) and leave no space before or after each comma.
        • You can add up to 1,000 IP addresses or CIDR blocks to each whitelist.
      2. Click OK.
    • Load internal IP addresses of the ECS instances for your Alibaba Cloud account:
      1. Click Load ECS Internal IP Addresses.
        Figure 2. Load ECS internal IP addresses
      2. Select internal IP addresses of ECS instances that have access to the ApsaraDB for Redis instance.
        Figure 3. Select internal IP addresses of ECS instances allowed for connections
        Note You can search ECS instances by instance name, ID, or IP address in the search bar above the list of ECS internal IP addresses.
      3. Click OK.
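
The naming and entry-format rules from the notes in the steps above, written as a check to run on a whitelist before it is submitted. This is an added example, not Alibaba Cloud code: `lint_whitelist` is a hypothetical helper, and IPv4-only entries are an assumption based on the page's examples.

```python
import ipaddress
import re

# Rules from the notes above: 2 to 32 characters, lowercase letters, digits and
# underscores only, starts with a lowercase letter, ends with a letter or digit.
NAME_RE = re.compile(r"[a-z][a-z0-9_]{0,30}[a-z0-9]")
MAX_ENTRIES = 1000                 # per-whitelist limit stated on this page
RESERVED_GROUP = "ali_dms_group"   # generated by DMS; not to be edited by hand


def lint_whitelist(name, entries):
    """Return a list of problems found in a whitelist name and entry string."""
    problems = []
    if name == RESERVED_GROUP:
        problems.append("name: ali_dms_group is managed by DMS")
    elif not NAME_RE.fullmatch(name):
        problems.append("name: violates the whitelist naming rules")

    items = entries.split(",")
    if len(items) > MAX_ENTRIES:
        problems.append(f"entries: {len(items)} exceeds the limit of {MAX_ENTRIES}")
    seen = set()
    for item in items:
        if not item or item != item.strip():
            problems.append(f"{item!r}: empty or has a space next to the comma")
            continue
        try:
            # strict=False accepts host bits, as in the page's 10.0.0.1/16 example.
            # Assumption: entries are IPv4, as in every example on this page.
            net = ipaddress.IPv4Network(item, strict=False)
        except ValueError:
            problems.append(f"{item!r}: not an IP address or CIDR block")
            continue
        if net.prefixlen == 0:
            problems.append(f"{item!r}: allows connections from all IP addresses")
        if net in seen:
            problems.append(f"{item!r}: same range as an earlier entry")
        seen.add(net)
    return problems
```

An empty list means the name and entry string satisfy the rules stated on this page; the combined 512-address limit across whitelists and security groups is not checked here.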

Specify ECS security groups as whitelists

A security group serves as a virtual firewall to limit the inbound and outbound network traffic of ECS instances that belong to this security group. After you specify a security group as a whitelist of the ApsaraDB for Redis instance, all ECS instances in the security group have access to the instance. For more information about ECS security groups, see Security group overview.

Note You can set one or more IP address whitelists and specify ECS security groups as whitelists. All these whitelists can take effect at the same time. For more information, see Set one or more IP address whitelists. The IP addresses in the whitelists and the ECS instances in the security groups can be used to connect to the ApsaraDB for Redis instance.
  1. Log on to the ApsaraDB for Redis console.
  2. At the top of the page, select the region where the instance is deployed.
  3. On the Instances page, find the instance that you want to manage, and click the instance ID, or click the More icon and select Manage in the Action column for the instance.
  4. The Instance Information page is displayed by default. In the left-side navigation pane, click Whitelist Settings.
  5. On the Whitelist Settings page that appears, click Add Security Group to add an ECS security group.
  6. In the Add Security Group dialog box that appears, proceed with the following steps:
    Note You can add up to 10 ECS security groups to the whitelist for each ApsaraDB for Redis instance.
    1. Select one or more security groups that you want to add to the whitelist.
    2. Click OK.

Related API operations

API                  Description
DescribeSecurityIps  Queries IP address whitelists of an ApsaraDB for Redis instance.
ModifySecurityIps    Modifies IP address whitelists of an ApsaraDB for Redis instance.