Step 2: Set IP address whitelists - Quick Start| Alibaba Cloud Documentation Center

Step 2: Set IP address whitelists

Edit in GitHub

Last Updated: Aug 07, 2020 Edit in GitHub

Before you use an ApsaraDB for Redis instance, you must set one or more IP address whitelists or specify Elastic Compute Service (ECS) security groups as whitelists. This ensures data security and guarantee high performance of ApsaraDB for Redis. You can add client IP addresses or Classless Inter-Domain Routing (CIDR) blocks to a whitelist. We recommend that you update your whitelists on a regular basis to improve data security in ApsaraDB for Redis.

Prerequisites

The ApsaraDB for Redis instance is upgraded to the latest minor version.

Note If your instance is not upgraded to the latest minor version, a message may appear when you set a whitelist. In this case, you can upgrade the instance to the latest minor version. For more information, see Upgrade the minor version.
To specify an ECS security group as a whitelist, the engine version of the instance must be Redis 4.0 or later.

Notes

When you use Data Management Service (DMS) to log on to the ApsaraDB for Redis instance, the system automatically creates a whitelist named ali_dms_group. Do not manually add other IP addresses to this whitelist. Otherwise, IP address loss may occur due to the DMS changes.

Set one or more whitelists

Note You can set one or more IP whitelists and specify ECS security groups as whitelists of an ApsaraDB for Redis instance. Both IP addresses in IP whitelists and ECS instances in security groups are allowed to access the instance.

Log on to the ApsaraDB for Redis console.
On the top of the page, select the region where the instance is deployed.
On the Instances page, click the instance ID of the target instance or choose More > Manage in the Actions column for the instance.
In the left-side navigation pane of the Instance Information page, click Whitelist Settings.
On the Whitelist Settings page, use the following methods to manage whitelists:
Danger When you use DMS to log on to the ApsaraDB for Redis instance, the system automatically creates a whitelist named ali_dms_group. Do not manually add other IP addresses to this whitelist. Otherwise, IP address loss may occur due to the DMS changes.
- Create a whitelist with a custom whitelist name:
  1. Click Add Whitelist.
  2. In the Add Whitelist dialog box, set Whitelist Name.
    Note
    
    The name of the whitelist must be 2 to 32 characters in length, and can contain lowercase letters, digits, and underscores (_). It must start with a lowercase letter and end with a letter or digit.
    
    After you create a whitelist, you cannot change the name of the whitelist.
- If you want to use an existing whitelist, click Modify on the right of the whitelist.
In the Add Whitelist or Modify Whitelist dialog box, perform one of the following steps:
- Manually modify the value of Whitelist:
  1. In the Whitelist field, enter the IP addresses or CIDR blocks that can be used to connect to the ApsaraDB for Redis instance.
    
    Figure 1. Manually modify the whitelist
    Note
    
    If you set the whitelist to 0.0.0.0/0, you allow connections from all IP addresses. To ensure data security, we recommended that you do not specify this CIDR block.
    
    If you set the whitelist to a CIDR block, such as 10.10.10.0/24, you allow connections from all the IP addresses within the CIDR block.
    
    Separate multiple IP addresses or CIDR blocks with commas (,) and do not leave spaces before or after each comma.
    
    You can add up to 1,000 IP addresses or CIDR blocks to each whitelist.
  2. Click OK.
- Load internal IP addresses of ECS instances under your Alibaba Cloud account:
  1. Click Load ECS Internal IP Addresses.
    
    Figure 2. Load ECS internal IP addresses
  2. Select internal IP addresses of ECS instances.
    
    Figure 3. Select internal IP addresses of ECS instances
    
    Note You can search ECS instances by instance name, ID, or IP address in the search bar above the list of ECS internal IP addresses.
  3. Click OK.

Specify ECS security groups as whitelists

A security group serves as a virtual firewall to limit the inbound and outbound network traffic of ECS instances that belong to the security group. After you specify a security group as a whitelist of the ApsaraDB for Redis instance, all ECS instances in the security group are allowed to access the instance. For more information about ECS security groups, see Security group overview.

Log on to the ApsaraDB for Redis console.
On the top of the page, select the region where the instance is deployed.
On the Instances page, click the instance ID of the target instance or choose More > Manage in the Actions column for the instance.
In the left-side navigation pane of the Instance Information page, click Whitelist Settings.
On the Whitelist Settings page, click Add Security Group to add an ECS security group.
In the Add Security Group dialog box, perform the following steps:

Note You can add up to 10 ECS security groups for each ApsaraDB for Redis instance.
1. Select one or more security groups that you want to add.
2. Click OK.

Related operations


API	Description
DescribeSecurityIps	Queries IP address whitelists of an ApsaraDB for Redis instance.
ModifySecurityIps	Modifies IP address whitelists of an ApsaraDB for Redis instance.