After you create a PolarDB for PostgreSQL cluster, you must set IP address whitelists and create initial accounts for the cluster. Then, you can connect to the cluster and manage databases.

Considerations

  • By default, the whitelist of the cluster contains only the IP address 127.0.0.1. This whitelist blocks connections from all IP addresses.
  • If you specify % or 0.0.0.0/0 as a whitelist of the cluster, the whitelist allows connections from all IP addresses. However, this setting will compromise database security. We recommend that you do not use this setting.
  • An Apsara PolarDB cluster cannot automatically retrieve internal IP addresses of Elastic Compute Service (ECS) instances in a Virtual Private Cloud (VPC). You must add the internal IP addresses to a whitelist.

Set IP address whitelists

  1. Log on to the PolarDB console.
  2. At the top of the page, select the region where the target cluster is located.
  3. Find the target cluster and click the cluster ID to go to the Overview page.
  4. In the left-side navigation pane, choose Settings and Management > Parameters.
  5. On the Whitelists page, find the whitelist that you want to manage, and click Modify in the Actions column for the whitelist to modify the whitelist. You can also click Add IP Whitelist to add a whitelist.
    • Click Modify in the Actions column to configure the IP whitelist.
    • Click Add IP Whitelist to add an IP whitelist.
  6. In the Add IP Whitelist pane, configure the information of the IP whitelist and click Submit.
    • If you want to connect your ECS instance to the Apsara PolarDB cluster, you can retrieve IP addresses of the ECS instance from the Configuration Information section on the Instance Details page. Then you can add these IP addresses to the IP whitelist.
      Note: If the ECS instance is in the same region as the Apsara PolarDB cluster such as the China (Hangzhou) region, use the private IP address of the ECS instance. If the ECS instance is in a different region from the Apsara PolarDB cluster, use the Elastic IP address of the ECS instance. You can also migrate the ECS instance to the region where the Apsara PolarDB cluster is located. Then, you can use the private IP address of the ECS instance.
    • If you want to connect your on-premises server, computer, or other cloud server to the Apsara PolarDB cluster, add the IP address to the IP whitelist.

What to do next

After you set whitelists and create database accounts, you can connect to the cluster and manage databases.

FAQ

  1. Q: I have added the IP address of an ECS instance to the IP address whitelist of an Apsara PolarDB cluster, but I still cannot connect to the cluster from the ECS instance. How can I deal with this issue?
    A:
    1. Check whether the IP address whitelist is valid. If you connect to the cluster through an internal endpoint, you must add an internal IP address of the ECS instance to a whitelist. If you connect to the cluster through a public endpoint, you must add the public IP address of the ECS instance to the whitelist.
    2. Check whether both instances run in the same type of network. If the ECS instance runs in a classic network, you can migrate the ECS instance to the VPC network where the cluster is located. For more information, see Overview of migration solutions.
      Note: If you want to connect the ECS instance to other internal resources that are located in a classic network, do not migrate the ECS instance to the VPC network. Otherwise, the ECS instance cannot connect to these internal resources after migration.

      You can also use the ClassicLink feature to connect the classic network to the VPC network.

    3. Check whether both instances run in the same VPC network. If they do not run in the same VPC, you must purchase a new Apsara PolarDB cluster, or activate the Cloud Enterprise Network service to connect these VPCs.
  2. Q: How can I deal with the failure to connect to the cluster through a public endpoint?
    A:
    1. If you connect to the cluster from an ECS instance through a public endpoint, make sure that you have added the public IP address of the ECS instance to an IP address whitelist of the cluster.
    2. Specify 0.0.0.0/0 as an IP address whitelist of the cluster and try to connect to the cluster. If you can connect to the cluster, the public endpoint that you previously specified as an IP address whitelist is incorrect. You must check the public endpoint. For more information, see View connection endpoints. After the test, remove 0.0.0.0/0 from the whitelist, because this setting allows connections from all IP addresses.
  3. Q: How can I connect to an Apsara PolarDB cluster through an internal endpoint?
    A: If you want to connect to an Apsara PolarDB cluster from an ECS instance through an internal endpoint, the following conditions must be met:
    • Both instances must be located in the same region.
    • Both instances must run in the same type of network. If the network is a VPC network, they must run in the same VPC network.
    • The internal IP address of the ECS instance is listed in an IP address whitelist of the cluster.
  4. Q: How can I limit a user to connect to an Apsara PolarDB cluster only from a specified IP address?
    A: You can create a privileged account and use the privileged account to create a limit on the IP addresses that a standard account can use to connect to the cluster.
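
The whitelist checks described in Considerations and in FAQ 1 can be scripted. The following Python code is an added example, not part of the original documentation or of any Alibaba Cloud tool: it flags entries that allow all addresses, detects a whitelist that holds only the 127.0.0.1 default, and tests whether a client IP address is covered for the endpoint type in use. The function names, the "internal"/"public" labels, and the treatment of RFC 1918 ranges as internal addresses are assumptions of this example.

```python
import ipaddress

OPEN_ENTRIES = {"%", "0.0.0.0/0"}  # per the page: allow every IP address
# Assumption: "internal" addresses are the RFC 1918 private ranges.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def audit_whitelist(entries):
    """Parse whitelist entries; return (networks, findings)."""
    networks, findings = [], []
    for raw in entries:
        entry = raw.strip()
        if entry == "127.0.0.1":
            continue  # default placeholder: matches no remote client
        if entry in OPEN_ENTRIES:
            findings.append(f"{entry}: allows connections from all IP addresses")
            networks.append(ipaddress.ip_network("0.0.0.0/0"))
            continue
        try:
            networks.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            findings.append(f"{entry}: not a valid IP address or CIDR block")
    if not networks:
        findings.append("no usable entry: all connections are blocked")
    return networks, findings


def check_client(entries, client_ip, endpoint):
    """Return (allowed, findings) for a client and endpoint type.

    endpoint is "internal" or "public" (labels chosen for this example).
    """
    networks, findings = audit_whitelist(entries)
    ip = ipaddress.ip_address(client_ip)
    internal = any(ip in net for net in RFC1918)
    if endpoint == "internal" and not internal:
        findings.append(f"{ip}: internal endpoint needs the internal IP address")
    if endpoint == "public" and internal:
        findings.append(f"{ip}: public endpoint needs the public IP address")
    allowed = any(ip in net for net in networks)
    if not allowed:
        findings.append(f"{ip}: not covered by any whitelist entry")
    return allowed, findings


if __name__ == "__main__":
    # Constructed sample whitelist and client address, not from a real cluster.
    print(check_client(["127.0.0.1", "192.168.3.0/24"], "192.168.3.10", "internal"))
```

The entry list can be copied from the Whitelists page of the console; the sample values above are constructed.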

Related API operations

Operation                          Description
DescribeDBClusterAccessWhitelist   Queries the IP addresses that are allowed to access a specified Apsara PolarDB cluster.
ModifyDBClusterAccessWhitelist     Modifies the IP addresses that are allowed to access a specified Apsara PolarDB cluster.