After you create a PolarDB-O cluster, you must add IP addresses to a whitelist for the cluster and create an initial account to access and manage the cluster.

Notes

  • By default, the IP whitelist of a cluster consists of only the IP address 127.0.0.1. This indicates that no devices are allowed to access the database cluster.
  • If you set the IP whitelist to % or 0.0.0.0/0, all IP addresses are allowed to access the database cluster. However, we recommend that you do not use this configuration unless necessary because it compromises database security.
  • PolarDB cannot automatically obtain private IP addresses of ECS instances in virtual private clouds (VPCs). If you need to use the private IP address of an ECS instance to access a PolarDB cluster, you must manually add the private IP address to the whitelists of the cluster.
  • You can create a maximum of 50 IP whitelists. The total number of IP addresses or Classless Inter-Domain Routing (CIDR) blocks in all IP whitelists cannot exceed 1,000.
  • Whitelists such as ali_dms_group, hdm_security_ips, and dtspolardb are automatically generated when the relevant services are used. ali_dms_group is the IP whitelist for Data Management (DMS). hdm_security_ips is the IP whitelist for Database Autonomy Service (DAS). dtspolardb is the IP whitelist for Data Transmission Service (DTS). To ensure that the relevant services can be used, do not modify or delete these IP whitelists.
    Notice Do not add your own IP address to these IP whitelists. If you add your own IP address to these IP whitelists, your IP address is overwritten by the updated IP addresses of the related services. If your IP address is overwritten, your business is affected.

Configure a whitelist

  1. Log on to the PolarDB console.
  2. In the upper-left corner of the console, select the region where the cluster resides.
  3. Find the cluster, and then click the cluster ID.
  4. In the left-side navigation pane, choose Settings and Management > Whitelists.
  5. On the Whitelists page, you can click Add IP Whitelist to add an IP whitelist or click Modify to modify the existing whitelists.
    • Add an IP whitelist
      1. Click Add IP Whitelist.
      2. In the Add IP Whitelist panel, enter the name of the IP whitelist and the IP addresses that are allowed for access.
        Note The name of the IP whitelist must meet the following requirements:
        • The name consists of lowercase letters, digits, and underscores (_).
        • The name must start with a letter and end with a letter or a digit.
        • The name must be 2 to 120 characters in length.
    • Configure the whitelist
      1. On the right side of the IP whitelist name, click Modify.
      2. In the Modify Whitelist panel, enter the IP addresses that are allowed for access.
  6. Click OK.
    • If you need to connect your ECS instance to the PolarDB cluster, you can view the IP addresses of the ECS instance in the Configuration Information section on the Instance Details page. Then, add these IP addresses to the whitelist.
      Note If the ECS instance and the PolarDB cluster are deployed in the same region, such as the China (Hangzhou) region, use the private IP address of the ECS instance. If the ECS instance and the PolarDB cluster are deployed in different regions, use the public IP address of the ECS instance. You can also migrate the ECS instance to the region where the PolarDB cluster resides and use the private IP address of the ECS instance.
    • If you need to connect your on-premises servers, computers, or other cloud servers to the PolarDB cluster, add the related IP addresses to the whitelist.
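
A pre-change check that combines the limits from the Notes with the naming rules from the Add IP Whitelist step, run before a whitelist is submitted. This is an added example, not Alibaba Cloud code: the `check_change` helper, the finding texts, and the sample whitelists are assumptions made for illustration, and entries are parsed with Python's `ipaddress` module.

```python
import ipaddress
import re

# Limits and service-managed names as stated on this page.
MAX_WHITELISTS = 50
MAX_ENTRIES = 1000
SERVICE_WHITELISTS = {"ali_dms_group", "hdm_security_ips", "dtspolardb"}
# Lowercase letters, digits, underscores; starts with a letter; ends with a
# letter or a digit; 2 to 120 characters.
NAME_RE = re.compile(r"[a-z][a-z0-9_]{0,118}[a-z0-9]")

# Constructed sample of a cluster's current whitelists (not real data).
SAMPLE_EXISTING = {"app_servers": ["10.0.1.15"], "ali_dms_group": ["198.51.100.10"]}


def check_change(name, entries, existing):
    """Return findings for setting whitelist `name` to `entries` (hypothetical helper)."""
    findings = []
    if name in SERVICE_WHITELISTS:
        findings.append("service-managed whitelist: do not modify")
    elif not NAME_RE.fullmatch(name):
        findings.append("invalid name")
    for entry in entries:
        if entry == "%":
            findings.append("open to all: %")
            continue
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            findings.append(f"not an IP address or CIDR block: {entry}")
            continue
        if net.prefixlen == 0:  # 0.0.0.0/0 admits every address
            findings.append(f"open to all: {entry}")
    if set(entries) == {"127.0.0.1"}:
        findings.append("only 127.0.0.1: no device can connect")
    # Apply the change to a copy, then test the cluster-wide limits.
    merged = {**existing, name: list(entries)}
    if len(merged) > MAX_WHITELISTS:
        findings.append(f"{len(merged)} whitelists exceed the limit of {MAX_WHITELISTS}")
    total = sum(len(v) for v in merged.values())
    if total > MAX_ENTRIES:
        findings.append(f"{total} entries exceed the limit of {MAX_ENTRIES}")
    return findings


if __name__ == "__main__":
    for finding in check_change("Office-VPN", ["0.0.0.0/0"], SAMPLE_EXISTING):
        print(finding)
```

An empty list means the proposed whitelist passes every rule stated on this page; it does not confirm that the listed addresses are the right ones for your servers.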

What to do next

After you configure whitelists and create database accounts, you can connect to the cluster and manage the databases.

FAQ

  • How can I allow a server to access only a specified node in a cluster?

    You can use the custom cluster endpoint feature. This feature allows a server to access only a specified node in a cluster.

  • What is the maximum number of IP addresses in all the IP whitelists?

    You can add a maximum of 1,000 entries to the IP whitelists. Each entry can be an IP address or a CIDR block.

  • After I add the IP address of an Elastic Compute Service (ECS) instance to the IP whitelist of my cluster, why am I unable to connect the ECS instance to the cluster?
    You can perform the following steps for troubleshooting:
    1. Check whether the IP whitelist is configured correctly. If you connect the ECS instance to the cluster by using an internal endpoint, you must add the private IP address of the ECS instance to the whitelist. If you connect the ECS instance to the cluster by using a public endpoint, you must add the public IP address of the ECS instance to the whitelist.
    2. Check whether the ECS instance and the cluster run in the same type of network. If the ECS instance runs in the classic network, you can migrate the ECS instance to the virtual private cloud (VPC) where the PolarDB cluster is deployed. For more information, see Overview of migration solutions.
      Note If you want to connect the ECS instance to other internal resources that are located in the classic network, do not migrate the ECS instance to the VPC. The ECS instance cannot connect to the classic network after you migrate the ECS instance to the VPC.

      You can also use the ClassicLink feature to connect the classic network to the VPC.

    3. Check whether the ECS instance and the PolarDB cluster run in the same VPC. If the instance and cluster do not run in the same VPC, you must purchase a new PolarDB cluster, or activate Cloud Enterprise Network to connect the two VPCs for data access.
  • Why am I unable to access the cluster by using a public endpoint?
    If you cannot access the cluster by using the public endpoint, perform the following steps for troubleshooting:
    • If you connect to the cluster from an ECS instance through a public endpoint, make sure that you have added the public IP address of the ECS instance to an IP whitelist.
    • Set the IP address in the IP whitelist to 0.0.0.0/0 and try again. If you can connect to the cluster, the public IP address that was specified in the IP whitelist is invalid. You must check the public endpoint. For more information, see View endpoints and ports.

Related API operations

  • DescribeDBClusterAccessWhitelist: Queries the IP addresses that are allowed to access a specified database cluster.
  • ModifyDBClusterAccessWhitelist: Modifies the IP addresses that are allowed to access a specified database cluster.