PolarDB: Configure a whitelist for a cluster

Last Updated: Nov 30, 2023

After you create a PolarDB for PostgreSQL (Compatible with Oracle) cluster, you must add the IP addresses of your clients to an IP whitelist of the cluster and create an initial account before you can access and manage the cluster. Until you do, the cluster accepts no connections: the default whitelist contains only 127.0.0.1 (see the note in step 5).

Notes

  • PolarDB cannot automatically obtain the private IP addresses of ECS instances in virtual private clouds (VPCs). If you want to use the private IP address of an ECS instance to access a PolarDB cluster, you must manually add that private IP address to an IP whitelist of the cluster.

  • The ali_dms_group (Data Management), hdm_security_ips (Database Autonomy Service), and dtspolardb (Data Transmission Service) whitelists are created automatically when you use the corresponding services. Do not modify or delete these IP whitelists; otherwise, the services may stop working.

    Important

    Do not add the IP addresses of your own services to these IP whitelists. These whitelists are overwritten when the related services are updated, so your entries would be lost and your service would be interrupted.


Configure a whitelist

  1. Log on to the PolarDB console.
  2. In the upper-left corner of the console, select the region in which the cluster that you want to manage is deployed.
  3. Find the cluster and click the cluster ID.
  4. In the left-side navigation pane, choose Settings and Management > Whitelists.

  5. On the Whitelists page, you can click Add IP Whitelist to add an IP whitelist or click Modify to modify an existing IP whitelist.

    • Add an IP whitelist

      1. Click Add IP Whitelist.

      2. In the Add IP Whitelist panel, specify the name of the IP whitelist and enter the IP addresses that are allowed to access the cluster.

        Note

        The name of the IP whitelist must meet the following requirements:

        • The name can contain lowercase letters, digits, and underscores (_).

        • The name must start with a lowercase letter and end with a lowercase letter or digit.

        • The name must be 2 to 120 characters in length.

    • Modify an IP whitelist

      1. On the right side of an IP whitelist name, click Modify.

      2. In the Modify Whitelist panel, enter the IP addresses or CIDR blocks (for example, 192.168.0.0/24) that are allowed to access the cluster.

        Note
        • A default IP whitelist that contains only the IP address 127.0.0.1 is automatically created for each cluster. Because no remote client connects from 127.0.0.1, this whitelist blocks all access, and the cluster stays unreachable until you add the addresses of your clients.

        • If you set an IP whitelist entry to a percent sign (%) or 0.0.0.0/0, every IP address that can reach the endpoint is allowed to connect. The IP whitelist then no longer restricts access, and only database authentication protects the cluster. Do not use this configuration except briefly for troubleshooting, and remove the entry as soon as you are done.

  6. Click OK.

    Note

    You can create at most 50 IP whitelists and add at most 1,000 IP addresses or CIDR blocks to the 50 IP whitelists.

What to do next

After you configure whitelists and create database accounts, you can connect to the cluster and manage the databases.

FAQ

  • How can I allow a server to access only a specified node in a cluster?

    You can use the custom cluster endpoint feature. This feature allows a server to access only a specified node in a cluster.

  • What is the maximum number of IP addresses in all the IP whitelists?

    You can add a maximum of 1,000 entries in total across all IP whitelists of a cluster. Each entry can be an IP address or a CIDR block.

  • After I add the IP address of an Elastic Compute Service (ECS) instance to the IP whitelist of my cluster, why am I unable to connect to the cluster from the ECS instance?
    You can perform the following steps for troubleshooting:
    1. Check whether the IP whitelist is configured correctly. If you connect to the cluster by using an internal endpoint, you must add the private IP address of the ECS instance to the whitelist. If you connect to the cluster by using a public endpoint, you must add the public IP address of the ECS instance to the whitelist.
    2. Check whether the ECS instance and the cluster run in the same type of network. If the ECS instance runs in the classic network, you can migrate the ECS instance to the virtual private cloud (VPC) where the PolarDB cluster is deployed. For more information, see Classic network-to-VPC migration.
      Note

      If you want to connect the ECS instance to other internal resources that are located in the classic network, do not migrate the ECS instance to the VPC. After the migration, the ECS instance can no longer connect to the classic network.

      You can also use the ClassicLink feature to connect the classic network to the VPC.

    3. Check whether the ECS instance and the PolarDB cluster run in the same VPC. If they do not, you must purchase a new PolarDB cluster in the VPC of the ECS instance, or activate Cloud Enterprise Network to connect the two VPCs for data access.
  • Why am I unable to access the cluster by using a public endpoint?
    If you cannot access the cluster by using the public endpoint, perform the following steps for troubleshooting:
    • If you connect to the cluster from an ECS instance through a public endpoint, make sure that you have added the public IP address of the ECS instance to an IP whitelist.
    • As a temporary test only, set an IP whitelist entry to 0.0.0.0/0 and try again. If you can now connect, the public IP address you added is not the address from which the connection actually arrives; check the public IP address that the ECS instance uses for outbound traffic and the public endpoint you are connecting to. For more information, see View endpoints and ports. Remove the 0.0.0.0/0 entry immediately after the test, because it allows every IP address to reach the cluster.
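The following script is an added example, not part of this page or of Alibaba Cloud's tooling. It applies the rules from step 5 and the Notes section to a whitelist configuration offline: it flags % and 0.0.0.0/0 entries, naming-rule violations and malformed entries, checks the limits of 50 whitelists and 1,000 entries, and, for the ECS and public-endpoint troubleshooting above, reports which whitelists admit a given client address, whether that client would still be admitted once the all-access entry used for testing is removed, and whether it depends only on a service-managed whitelist (ali_dms_group, hdm_security_ips, dtspolardb). The input shape, a list of objects with DBClusterIPArrayName and a comma-separated SecurityIps string, is assumed to mirror Items.DBClusterIPArray in the DescribeDBClusterAccessWhitelist response; the sample data is constructed.

```python
"""Offline review of a PolarDB cluster's IP whitelists.

Added example, not Alibaba Cloud code. Input: a list of whitelists shaped like
Items.DBClusterIPArray in the DescribeDBClusterAccessWhitelist response
(DBClusterIPArrayName, SecurityIps as a comma-separated string). That shape is
an assumption; SAMPLE below is constructed data.
"""
import ipaddress
import re

MAX_WHITELISTS = 50    # limits stated on this page
MAX_ENTRIES = 1000
# Whitelists created and managed by DMS, DAS and DTS (see Notes); do not edit.
RESERVED = {"ali_dms_group", "hdm_security_ips", "dtspolardb"}
# Naming rules from step 5: lowercase letters, digits and underscores, starts
# with a letter, ends with a letter or digit, 2 to 120 characters.
NAME_RE = re.compile(r"^[a-z][a-z0-9_]{0,118}[a-z0-9]$")


def valid_name(name):
    return NAME_RE.fullmatch(name) is not None

def entries(wl):
    """Individual entries of one whitelist."""
    return [e.strip() for e in wl["SecurityIps"].split(",") if e.strip()]

def parse(entry):
    """ip_network for an entry, None for the '%' wildcard; ValueError otherwise."""
    if entry == "%":
        return None
    return ipaddress.ip_network(entry, strict=False)

def is_open_to_world(entry):
    """'%' and 0.0.0.0/0 (any /0) admit every client, see the note in step 5."""
    net = parse(entry)
    return net is None or net.prefixlen == 0

def matches(entry, addr):
    net = parse(entry)
    return net is None or (net.version == addr.version and addr in net)

def whitelists_admitting(whitelists, client_ip, ignore_open=False):
    """Names of whitelists with an entry that covers client_ip.

    With ignore_open=True, '%' and /0 entries are disregarded, answering the
    troubleshooting question: would this client still connect after the
    all-access entry used for testing is removed?
    """
    addr = ipaddress.ip_address(client_ip)
    hits = []
    for wl in whitelists:
        for e in entries(wl):
            try:
                if ignore_open and is_open_to_world(e):
                    continue
                if matches(e, addr):
                    hits.append(wl["DBClusterIPArrayName"])
                    break
            except ValueError:
                continue  # malformed entries are reported by audit()
    return hits

def audit(whitelists, expected_clients=()):
    """Findings a reviewer would raise before approving the configuration."""
    findings = []
    if len(whitelists) > MAX_WHITELISTS:
        findings.append(f"{len(whitelists)} whitelists exceed the limit of {MAX_WHITELISTS}")
    total = sum(len(entries(wl)) for wl in whitelists)
    if total > MAX_ENTRIES:
        findings.append(f"{total} entries exceed the limit of {MAX_ENTRIES}")
    for wl in whitelists:
        name = wl["DBClusterIPArrayName"]
        if not valid_name(name):
            findings.append(f"{name}: name violates the naming rules")
        for e in entries(wl):
            try:
                if is_open_to_world(e):
                    findings.append(f"{name}: entry {e} allows every IP address")
            except ValueError:
                findings.append(f"{name}: entry {e!r} is not an IP address or CIDR block")
    for ip in expected_clients:
        hits = whitelists_admitting(whitelists, ip, ignore_open=True)
        if not hits:
            findings.append(f"{ip}: no whitelist covers this address once all-access entries are removed")
        elif set(hits) <= RESERVED:
            findings.append(f"{ip}: covered only by service-managed whitelist(s) {sorted(hits)}; "
                            "it may be overwritten when that service is updated")
    return findings


# Constructed sample. hdm_security_ips is a service-managed whitelist; its
# addresses here are placeholders, with one application server wrongly added.
SAMPLE = [
    {"DBClusterIPArrayName": "default", "SecurityIps": "127.0.0.1"},
    {"DBClusterIPArrayName": "app_servers", "SecurityIps": "172.16.10.0/24,172.16.11.5"},
    {"DBClusterIPArrayName": "ops_tmp", "SecurityIps": "0.0.0.0/0"},
    {"DBClusterIPArrayName": "hdm_security_ips", "SecurityIps": "198.51.100.0/24,172.16.11.9"},
    {"DBClusterIPArrayName": "Bad-Name", "SecurityIps": "10.0.0.0/8,not-an-ip"},
]
EXPECTED_CLIENTS = ["172.16.10.20", "172.16.11.9", "203.0.113.7"]

if __name__ == "__main__":
    for finding in audit(SAMPLE, EXPECTED_CLIENTS):
        print("-", finding)
```

Run against the sample, the audit reports the 0.0.0.0/0 entry in ops_tmp, the invalid name and malformed entry in Bad-Name, that 172.16.11.9 is reachable only through hdm_security_ips (the mistake the Important note warns about), and that 203.0.113.7 connects only because of the all-access entry. Feed it the real whitelist list from DescribeDBClusterAccessWhitelist, or an export of the console page, before removing a temporary 0.0.0.0/0 entry.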

Related API operations

API                                 Description
DescribeDBClusterAccessWhitelist    Queries the IP addresses that are allowed to access a specified cluster.
ModifyDBClusterAccessWhitelist      Modifies the IP addresses that are allowed to access a specified cluster.