After you create a PolarDB-O cluster, you must add IP addresses to the whitelist and create an initial account to access and manage the cluster.
Considerations
- By default, the whitelist of the cluster contains only the IP address 127.0.0.1. This default whitelist blocks connections from all IP addresses.
- If you specify % or 0.0.0.0/0 in a whitelist of the cluster, the whitelist allows connections from all IP addresses. This setting compromises database security, and we recommend that you do not use it.
- An Apsara PolarDB cluster cannot automatically retrieve internal IP addresses of Elastic Compute Service (ECS) instances in a Virtual Private Cloud (VPC). You must add the internal IP addresses to a whitelist.
Configure a whitelist
Next
After you configure whitelists and create database accounts, you can access the cluster and manage databases.
FAQ
- Why am I unable to connect the Elastic Compute Service (ECS) instance to the Apsara PolarDB cluster after I add the IP address of the ECS instance to the IP whitelist?
  - Check whether the IP whitelist is correctly configured. If you connect to the cluster through an internal endpoint, you must add the private IP address of the ECS instance to the IP whitelist. If you connect to the cluster through a public endpoint, you must add the Elastic IP address of the ECS instance to the IP whitelist.
  - Check whether the ECS instance and Apsara PolarDB cluster run in the same type of network. If the ECS instance runs in a classic network, you can migrate the ECS instance to the VPC network where the cluster is deployed. For more information, see Overview of migration solutions.
    Note: If you want to connect the ECS instance to other internal resources that are located in a classic network, do not migrate the ECS instance to the VPC network. Otherwise, the ECS instance cannot connect to these internal resources after the migration.
    You can also use the ClassicLink feature to connect the classic network to the VPC network.
  - Confirm whether the ECS instance and Apsara PolarDB cluster run in the same VPC network. If the instance and cluster do not run in the same VPC network, you must purchase a new Apsara PolarDB cluster, or activate the Cloud Enterprise Network service to connect these VPC networks.
- Why am I unable to access the cluster by using a public endpoint?
  - If you connect to the cluster from an ECS instance through a public endpoint, make sure that you have added the Elastic IP address of the ECS instance to an IP whitelist.
  - Set the IP address in the IP whitelist to 0.0.0.0/0 and try again. If you can connect to the cluster, the Elastic IP address that is specified in the IP whitelist is invalid. You must check the public endpoint. For more information, see View endpoints.
- How can I connect to an Apsara PolarDB cluster through an internal endpoint?
  If you want to connect to an Apsara PolarDB cluster from an ECS instance through an internal endpoint, the following conditions must be met:
  - The ECS instance and Apsara PolarDB cluster must be deployed in the same region.
  - The ECS instance and Apsara PolarDB cluster must run in the same type of network. If the network is a VPC network, they must run in the same VPC network.
  - The internal IP address of the ECS instance is added to an IP whitelist of the cluster.
- How can I allow an account to access an Apsara PolarDB cluster from a specified IP address?
  You can create a privileged account and use this account to specify the IP address for RAM users to connect to the Apsara PolarDB cluster.
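The whitelist rules from the Considerations and FAQ sections can be checked offline before a whitelist is saved. The following Python sketch is an added example, not part of the original documentation or of any Alibaba Cloud tooling. The function name `audit_whitelist`, the finding codes, the comma-separated input format and the RFC 1918 test for "private IP address" are assumptions, and all sample addresses are constructed.

```python
import ipaddress

ALLOW_ALL = {"%", "0.0.0.0/0"}  # per the page: these admit every source address
# Assumption: "private/internal IP" means an RFC 1918 address.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(ip):
    return any(ip in net for net in RFC1918)

def audit_whitelist(raw, client_ip, endpoint):
    """Return finding codes for one whitelist string and one client.

    raw: comma-separated whitelist entries (assumed input format).
    endpoint: "internal" or "public", the endpoint type the client uses.
    """
    entries = [e.strip() for e in raw.split(",") if e.strip()]
    client = ipaddress.ip_address(client_ip)
    if entries == ["127.0.0.1"]:
        # Default whitelist: the page says it blocks all connections.
        return ["DEFAULT_BLOCKS_ALL"]
    findings = []
    # Internal endpoint needs the ECS private IP, public needs the Elastic IP.
    if endpoint == "internal" and not is_rfc1918(client):
        findings.append("INTERNAL_ENDPOINT_NEEDS_PRIVATE_IP")
    if endpoint == "public" and is_rfc1918(client):
        findings.append("PUBLIC_ENDPOINT_NEEDS_ELASTIC_IP")
    covered = False
    for entry in entries:
        if entry in ALLOW_ALL:
            findings.append("ALLOW_ALL:" + entry)
            covered = True
            continue
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            findings.append("INVALID_ENTRY:" + entry)
            continue
        if client.version == net.version and client in net:
            covered = True
    if not covered:
        findings.append("CLIENT_NOT_LISTED")
    return findings

if __name__ == "__main__":
    # Constructed samples: (whitelist, client IP, endpoint type).
    for case in [("127.0.0.1", "10.0.0.5", "internal"),
                 ("203.0.113.10", "10.0.0.5", "internal"),
                 ("10.0.0.5,0.0.0.0/0", "203.0.113.10", "public")]:
        print(case, "->", audit_whitelist(*case))
```

An empty result means the client address is covered by a specific entry and no allow-all or malformed entry is present.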
Related API operations
Operation | Description |
---|---|
DescribeDBClusterAccessWhitelist | Queries the IP addresses that are allowed to access a specified Apsara PolarDB cluster. |
ModifyDBClusterAccessWhitelist | Modifies the IP addresses that are allowed to access a specified Apsara PolarDB cluster. |