To ensure the security and stability of Redis databases, ApsaraDB for Redis instances block access from all IP addresses by default. Before you use an ApsaraDB for Redis instance, you must add the IP addresses or CIDR blocks that are used to access the instance to the whitelists of the instance. We recommend that you periodically review and maintain the whitelists to secure access to and data in ApsaraDB for Redis instances.

Prerequisites

The ApsaraDB for Redis instance is updated to the latest minor version. For more information, see Upgrade the minor version.

Preparations

Before you configure a whitelist for an ApsaraDB for Redis instance, you must obtain the IP address of the client based on its installation location.

Client installation location | Network type | How to obtain the IP address
Elastic Compute Service (ECS) instance (recommended) | Virtual Private Cloud (VPC) | Method for querying the IP address of an ECS instance
Note
  • Make sure that the ECS instance and the ApsaraDB for Redis instance are deployed in the same VPC. The instances must display the same VPC ID in their basic information. If the ECS instance and the ApsaraDB for Redis instance are deployed in different VPCs, you can change the VPC to which the ECS instance belongs. For more information, see Change the VPC of an ECS instance.
  • The network types of the ECS instance and the ApsaraDB for Redis instance may be different. For example, the ECS instance belongs to the classic network and the ApsaraDB for Redis instance belongs to a VPC. For more information about how to connect to an ApsaraDB for Redis instance from an ECS instance when the instances are deployed in different networks, see Connect an ECS instance to an ApsaraDB for Redis instance in different types of networks.
On-premises device or third-party cloud | Internet | Select one of the following methods based on the operating system of the on-premises device:
  • Linux operating system: Run the curl ipinfo.io | grep ip command on the on-premises device to obtain the public IP address. The following figure shows the sample result.
    Figure: View the public IP address of the on-premises device
  • Windows operating system: Access ipinfo to obtain the public IP address of the on-premises device.

Methods of configuring a whitelist

Method | Description
Method 1: Configure a whitelist | Manually add the IP address of a client to a whitelist of the ApsaraDB for Redis instance to allow the client to access the instance.
Method 2: Add ECS security groups as whitelists | A security group is a virtual firewall that is used to control the inbound and outbound traffic of ECS instances in the security group. To authorize multiple ECS instances to access an ApsaraDB for Redis instance, you can associate the ApsaraDB for Redis instance with the security group of the ECS instances. This method is more convenient than manually adding the IP addresses of the ECS instances to a whitelist.
Note The engine version of the ApsaraDB for Redis instance must be Redis 4.0 or later. For more information about how to upgrade the engine version, see Upgrade the major version.
Note You can set one or more IP address whitelists and specify ECS security groups as whitelists of an ApsaraDB for Redis instance. Both IP addresses in the IP address whitelists and ECS instances in the security groups are allowed to access the instance.

Method 1: Configure a whitelist

  1. Log on to the ApsaraDB for Redis console.
  2. In the top navigation bar of the page, select the region where the instance is deployed.
  3. On the Instances page, click the ID of the instance.
  4. In the left-side navigation pane, click Whitelist Settings.
  5. Find the specific whitelist and click Modify.
    Note You can also click Add Whitelist to create a whitelist. The name of a whitelist must be 2 to 32 characters in length and can contain lowercase letters, digits, and underscores (_). It must start with a lowercase letter and end with a lowercase letter or digit.
  6. In the dialog box that appears, perform one of the following operations:
    • Enter IP addresses or CIDR blocks
      Figure 1. Manually modify the whitelist
      Note
      • Separate multiple IP addresses with commas (,). A maximum of 1,000 unique IP addresses can be added. Supported formats are specific IP addresses such as 10.23.12.24 and CIDR blocks such as 10.23.12.24/24. /24 indicates the length of the IP address prefix. An IP address prefix can be 1 to 32 bits in length.
      • If you set the prefix length to 0, for example, 0.0.0.0/0 or 127.0.0.1/0, all IP addresses are allowed to access the instance. This poses a high security risk. Proceed with caution.
    • Add private IP addresses of ECS instances to the whitelist
      1. Click Load ECS Internal Network IP.
      2. Select IP addresses based on your business requirements.
        Figure 2. Select private IP addresses of ECS instances
        Note To find the ECS instance that is assigned a specific IP address, you can move the pointer over the IP address. Then, the system displays the ID and name of the ECS instance to which the IP address is assigned.
    • Delete all IP addresses from the whitelist

      To delete all IP addresses from the whitelist but retain the whitelist, click Delete.

  7. Click OK.
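
The rules stated in the notes for Method 1 (name format, entry format, the 1,000-entry limit, the prefix length of 0) and the FAQ answer about 127.0.0.1 can be checked before a whitelist is submitted. The following is an added example, not Alibaba Cloud code; the function name lint_whitelist and the sample values are assumptions made for illustration.

```python
import ipaddress
import re

# Name rule from the note in step 5: 2 to 32 characters, lowercase letters,
# digits and underscores; starts with a lowercase letter and ends with a
# lowercase letter or digit.
NAME_RE = re.compile(r"[a-z][a-z0-9_]{0,30}[a-z0-9]")
MAX_ENTRIES = 1000  # limit on unique entries stated in step 6


def lint_whitelist(name, entries_csv):
    """Return (errors, warnings) for a whitelist name and comma-separated entries."""
    errors, warnings = [], []
    if not NAME_RE.fullmatch(name):
        errors.append(f"invalid whitelist name: {name!r}")
    unique = {e.strip() for e in entries_csv.split(",") if e.strip()}
    if len(unique) > MAX_ENTRIES:
        errors.append(f"{len(unique)} unique entries exceeds {MAX_ENTRIES}")
    for entry in sorted(unique):
        addr, sep, prefix = entry.partition("/")
        try:
            # Only the address part is parsed, so 10.23.12.24/24 (the page's
            # own example, with host bits set) is accepted.
            ipaddress.IPv4Address(addr)
        except ValueError:
            errors.append(f"not an IPv4 address: {entry}")
            continue
        if not sep:
            continue  # single IP address, no prefix to check
        if not re.fullmatch(r"[0-9]{1,2}", prefix) or int(prefix) > 32:
            errors.append(f"bad prefix length: {entry}")
        elif int(prefix) == 0:
            # A prefix length of 0 opens the instance to every IP address.
            warnings.append(f"{entry} allows all IP addresses")
    if unique == {"127.0.0.1"}:
        # Per the FAQ: with only 127.0.0.1 present, every client is blocked.
        warnings.append("only 127.0.0.1 present: all clients are blocked")
    return errors, warnings


if __name__ == "__main__":
    # Constructed sample input, not taken from a real instance.
    sample = "10.23.12.24, 10.23.12.24/24, 0.0.0.0/0, 10.0.0.300, 10.0.0.1/33"
    errs, warns = lint_whitelist("app_servers", sample)
    for line in [f"ERROR {e}" for e in errs] + [f"WARN  {w}" for w in warns]:
        print(line)
```
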

Method 2: Add ECS security groups as whitelists

You can add ECS security groups as whitelists of the ApsaraDB for Redis instance. Then, the ECS instances in the security groups can access the ApsaraDB for Redis instance over an internal network or the Internet. The ApsaraDB for Redis instance must have a public endpoint if you want to access the ApsaraDB for Redis instance over the Internet. For more information, see Use a public endpoint to connect to an ApsaraDB for Redis instance.

Note Before you add a security group as a whitelist, make sure that the network types of the ApsaraDB for Redis instance and the ECS instances in the security group are the same. If the network types of the ApsaraDB for Redis instance and ECS instances are VPC, make sure that they are deployed in the same VPC.
Region | Region ID (for API operations) | Region | Region ID (for API operations)
China (Hangzhou) | cn-hangzhou | China (Shanghai) | cn-shanghai
China (Qingdao) | cn-qingdao | China (Beijing) | cn-beijing
China (Zhangjiakou) | cn-zhangjiakou | China (Hohhot) | cn-huhehaote
China (Shenzhen) | cn-shenzhen | China (Chengdu) | cn-chengdu
China (Hong Kong) | cn-hongkong | Singapore (Singapore) | ap-southeast-1
Australia (Sydney) | ap-southeast-2 | Malaysia (Kuala Lumpur) | ap-southeast-3
Indonesia (Jakarta) | ap-southeast-5 | Japan (Tokyo) | ap-northeast-1
Germany (Frankfurt) | eu-central-1 | UK (London) | eu-west-1
US (Virginia) | us-east-1 | India (Mumbai) | ap-south-1
UAE (Dubai) | me-east-1 | |

  1. Log on to the ApsaraDB for Redis console.
  2. In the top navigation bar of the page, select the region where the instance is deployed.
  3. On the Instances page, click the ID of the instance.
  4. In the left-side navigation pane, click Whitelist Settings.
  5. Click Add Security Group.
  6. In the dialog box that appears, select the security groups that you want to add as whitelists.
    Figure 3. Select security groups
    Note
    • You can identify a security group by moving the pointer over the ID of the security group. Then, the name and description of the security group are displayed. If you move the pointer over the VPC icon, you can view the ID of the VPC.
    • You can add up to 10 security groups as whitelists to each ApsaraDB for Redis instance.
  7. Click OK.
  8. Optional: To remove all security groups, click Delete.

References

Related operations

Operation | Description
DescribeSecurityIps | Queries the IP address whitelists of an ApsaraDB for Redis instance.
ModifySecurityIps | Configures the IP address whitelists of an ApsaraDB for Redis instance.
DescribeSecurityGroupConfiguration | Queries the security groups that are added as whitelists to an ApsaraDB for Redis instance.
ModifySecurityGroupConfiguration | Modifies the security groups that are added as whitelists to an ApsaraDB for Redis instance.

FAQ

  • Why are whitelists automatically created for ApsaraDB for Redis instances? Can I delete these whitelists?

    After you create an ApsaraDB for Redis instance, a default whitelist is automatically created. After you perform specific operations on the instance, more whitelists are automatically created, as described in the following table.

    Whitelist name | Source
    default | The default whitelist, which cannot be deleted.
    ali_dms_group | This whitelist is automatically created by Data Management (DMS) when you log on to an ApsaraDB for Redis instance from DMS. For more information, see Use DMS. Do not delete or modify this whitelist. Otherwise, you may fail to log on to the ApsaraDB for Redis instance from DMS.
    hdm_security_ips | This whitelist is automatically created by Database Autonomy Service (DAS) when you use CloudDBA related features, such as Use the cache analysis feature to display details about big keys. Do not delete or modify this whitelist. Otherwise, the CloudDBA-related features may become unavailable.
  • A whitelist contains IP address 127.0.0.1 in addition to client IP addresses. In this case, can the clients with the specified IP addresses connect to the ApsaraDB for Redis instance?

    The clients can connect to the ApsaraDB for Redis instance. If only 127.0.0.1 exists in the whitelist, all IP addresses are blocked from connecting to the ApsaraDB for Redis instance.

  • Why does the (error) ERR illegal address message appear after I use redis-cli to connect to an ApsaraDB for Redis instance?

    The IP address of the client where you run redis-cli is not added to a whitelist of the ApsaraDB for Redis instance. You must check the whitelists of the ApsaraDB for Redis instance.

  • If the IP address of my client is not added to a whitelist of an ApsaraDB for Redis instance, can I check port connectivity by running the telnet command?
    Yes. The following message is returned after you run the telnet command:
    Escape character is '^]'.
    Connection closed by foreign host.