This topic provides answers to some frequently asked questions about data security and encryption.
About IP whitelists
- How can I allow a server to access only a specified node in a cluster?
You can use a custom cluster endpoint and associate it with that node. Servers that connect to the custom cluster endpoint can access only the node or nodes associated with the endpoint.
- How many IP addresses or CIDR blocks can I add to all IP whitelists?
You can add at most 1,000 IP addresses or CIDR blocks in total across all IP whitelists of a cluster. Security groups do not have this limit.
- Why am I unable to connect an Elastic Compute Service (ECS) instance to a cluster after I add the IP address of the ECS instance to an IP whitelist?
You can perform the following steps to locate the cause:
- Check whether the setting of the IP whitelist is correct. If you want to connect the ECS instance to the internal endpoint of the cluster, you must add the private IP address of the ECS instance to the IP whitelist. If you want to connect the ECS instance to the public endpoint of the cluster, you must add the public IP address of the ECS instance to the IP whitelist.
- Check whether the ECS instance and the PolarDB for MySQL cluster are deployed in the same type of network. If the ECS instance runs in a classic network, you can migrate the ECS instance to the virtual private cloud (VPC) where the PolarDB cluster is deployed. For more information, see Overview of migration solutions.
Note Do not migrate the ECS instance if you want to connect the ECS instance to other cloud services in the classic network. The ECS instance cannot access these services after it is migrated to the VPC.
You can also use the ClassicLink feature to connect the classic network to the VPC.
- Check whether the ECS instance and the PolarDB for MySQL cluster run in the same VPC. If the ECS instance and the cluster run in different VPCs, you must purchase another PolarDB cluster in the VPC of the ECS instance, or activate Cloud Enterprise Network (CEN) to connect the two VPCs.
- Why am I unable to connect to the public endpoint of a cluster?
You may fail to connect to the public endpoint of a cluster due to the following reasons:
- If you connect an ECS instance to the public endpoint of the cluster, you must add the public IP address of the ECS instance to an IP whitelist of the cluster. Do not add the private IP address of the ECS instance.
- Temporarily set the IP whitelist to 0.0.0.0/0 and try to access the cluster again. 0.0.0.0/0 allows connections from any IP address, so use it only for this test and restore the original whitelist as soon as the test is done. If you can access the cluster with 0.0.0.0/0, the IP address that was added to the whitelist before does not match the address from which your client actually connects. If you still cannot access the cluster, the public endpoint that was used before is incorrect. For more information about how to check the public endpoint, see View or apply for an endpoint.
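The checks in the two answers above can be automated. The following Python is an added example, not code from the PolarDB documentation or console; it assumes a whitelist given as a list of IP or CIDR strings, and the addresses, endpoint types and whitelist entries in it are constructed sample data. It reports which address the cluster actually sees for each endpoint type, whether the whitelist covers it, and flags a 0.0.0.0/0 entry left behind after a test, duplicate entries and the 1,000-entry limit.

```python
"""Added example, not code from the PolarDB documentation: check whether the
address a cluster actually sees is covered by its IP whitelist, and audit the
whitelist for the problems the FAQ describes (wrong address for the endpoint
type, a 0.0.0.0/0 test entry left in place, the 1,000-entry limit).
The whitelist entries and instance addresses below are constructed sample data."""
import ipaddress

# Documented limit: at most 1,000 IP addresses or CIDR blocks across all
# whitelists of a cluster.
MAX_WHITELIST_ENTRIES = 1000


def parse_entries(entries):
    """Turn whitelist strings ('10.0.0.5', '10.0.0.0/24') into network objects;
    a bare address becomes a /32 (or /128) network."""
    return [ipaddress.ip_network(e.strip(), strict=False)
            for e in entries if e.strip()]


def source_ip_for_endpoint(endpoint_type, private_ip, public_ip):
    """The address the cluster sees depends on the endpoint the ECS instance
    uses: internal endpoint -> private IP, public endpoint -> public IP."""
    if endpoint_type == "internal":
        return ipaddress.ip_address(private_ip)
    if endpoint_type == "public":
        return ipaddress.ip_address(public_ip)
    raise ValueError(f"unknown endpoint type: {endpoint_type!r}")


def whitelist_allows(entries, client_ip):
    """Return the first whitelist entry covering client_ip, or None."""
    ip = ipaddress.ip_address(str(client_ip))
    for net in parse_entries(entries):
        if ip in net:  # False on a v4/v6 mismatch, never an exception
            return str(net)
    return None


def diagnose(entries, endpoint_type, private_ip, public_ip):
    """(allowed, explanation) for an ECS instance connecting through the given
    endpoint type; points out the classic mistake of whitelisting the
    instance's other address."""
    ip = source_ip_for_endpoint(endpoint_type, private_ip, public_ip)
    hit = whitelist_allows(entries, ip)
    if hit:
        return True, f"{ip} is allowed by whitelist entry {hit}"
    other = public_ip if endpoint_type == "internal" else private_ip
    if whitelist_allows(entries, other):
        return False, (f"{ip} is not whitelisted; {other} is, but the "
                       f"{endpoint_type} endpoint sees {ip}")
    return False, f"{ip} is not whitelisted"


def audit_whitelist(entries):
    """Findings a reviewer would raise about the whitelist itself."""
    nets = parse_entries(entries)
    findings = []
    if len(nets) > MAX_WHITELIST_ENTRIES:
        findings.append(f"{len(nets)} entries exceed the limit of "
                        f"{MAX_WHITELIST_ENTRIES}")
    seen = set()
    for net in nets:
        if net in seen:
            findings.append(f"{net} is listed more than once")
        seen.add(net)
        if net.prefixlen == 0:
            findings.append(f"{net} allows every address; keep it only for a "
                            "temporary connectivity test")
        elif net.version == 4 and net.prefixlen < 16:
            findings.append(f"{net} is broader than a /16; confirm it is intended")
    return findings


if __name__ == "__main__":
    # Constructed sample data: one ECS instance, one whitelist.
    whitelist = ["192.168.10.0/24", "203.0.113.7"]
    private_ip, public_ip = "192.168.10.21", "198.51.100.4"
    for endpoint in ("internal", "public"):
        print(diagnose(whitelist, endpoint, private_ip, public_ip))
    print(audit_whitelist(whitelist + ["0.0.0.0/0"]))
```

Run `diagnose` with the endpoint type your application actually uses; the private address of an ECS instance only matters for the internal endpoint, and the public address only for the public endpoint, which is exactly the mismatch the answers above describe.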
- How can I allow a user account to access a PolarDB cluster from only a specified IP address?
You can create a privileged account, log on to the cluster with it, and then specify, for each standard account, the IP address from which that account is allowed to connect.
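As an added example (not from the PolarDB documentation), the following Python generates the MySQL statements a privileged account would run to create a standard account restricted to one client address, and models how MySQL picks the 'user'@'host' row for a connecting client, so you can check that no row still admits every address. It assumes a MySQL-compatible cluster that accepts CREATE USER and GRANT with a host part; the account names, passwords and mysql.user rows are constructed sample data, and the host-matching order is an approximation of MySQL's rules.

```python
"""Added example, not code from the PolarDB documentation: generate the
statements a privileged account runs to create a standard account that can log
on only from one client address, and model how MySQL's 'user'@'host' matching
decides which account row applies to a connecting client. Assumes a
MySQL-compatible cluster; account names, hosts, passwords and the mysql.user
rows below are constructed sample data."""
import ipaddress
import re


def _mysql_quote(value):
    """Single-quoted MySQL string literal with backslashes and quotes escaped,
    so user-supplied names cannot break out of the literal."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"


def restricted_account_sql(user, host, password, database,
                           privileges=("SELECT", "INSERT", "UPDATE", "DELETE")):
    """DDL for an account restricted to `host`: a single IP ('192.0.2.10'),
    MySQL's netmask form ('192.0.2.0/255.255.255.0') or a pattern ('10.0.%').
    A host of '%' would admit any address, so it is refused here."""
    if host.strip() in ("", "%"):
        raise ValueError("host must restrict the account; '%' allows any address")
    account = f"{_mysql_quote(user)}@{_mysql_quote(host)}"
    return [
        f"CREATE USER {account} IDENTIFIED BY {_mysql_quote(password)};",
        f"GRANT {', '.join(privileges)} ON `{database}`.* TO {account};",
    ]


def host_matches(host_spec, client_ip):
    """Approximation of MySQL host matching for clients identified by IP:
    'ip/netmask' form is a network test; otherwise % matches any run of
    characters and _ one character, so '192.0.2.10' matches only itself."""
    if "/" in host_spec:
        network = ipaddress.ip_network(host_spec, strict=False)  # dotted masks accepted
        return ipaddress.ip_address(client_ip) in network
    pattern = "".join(".*" if c == "%" else "." if c == "_" else re.escape(c)
                      for c in host_spec)
    return re.fullmatch(pattern, client_ip) is not None


def _specificity(host_spec):
    """Sort key: MySQL tries literal hosts first, then netmask forms, then
    wildcard patterns (longer literal prefix first), and a bare '%' last."""
    if host_spec == "%":
        return (3, 0)
    if "%" in host_spec or "_" in host_spec:
        literal_prefix = re.split(r"[%_]", host_spec, maxsplit=1)[0]
        return (2, -len(literal_prefix))
    if "/" in host_spec:
        return (1, 0)
    return (0, 0)


def resolve_account(rows, user, client_ip):
    """The (user, host) row MySQL would use for `user` connecting from
    client_ip, or None when no row matches and the logon is refused."""
    hosts = sorted((h for u, h in rows if u == user), key=_specificity)
    for host in hosts:
        if host_matches(host, client_ip):
            return (user, host)
    return None


def open_accounts(rows):
    """Rows whose host places no restriction on the client address; this is
    what to look for in the output of SELECT user, host FROM mysql.user."""
    return [(u, h) for u, h in rows if h in ("%", "")]


# Constructed sample of what SELECT user, host FROM mysql.user might return.
SAMPLE_USER_ROWS = [
    ("app_user", "192.0.2.10"),
    ("app_user", "192.0.2.0/255.255.255.0"),
    ("report", "10.0.%"),
    ("legacy", "%"),
]

if __name__ == "__main__":
    for stmt in restricted_account_sql("app_user", "192.0.2.10", "S3cret!pw", "appdb"):
        print(stmt)
    print(resolve_account(SAMPLE_USER_ROWS, "app_user", "192.0.2.77"))
    print(open_accounts(SAMPLE_USER_ROWS))
```

Run the generated statements while logged on with the privileged account, then query `SELECT user, host FROM mysql.user` and pass the rows to `open_accounts`: any row with host `%` still lets that account log on from every address that passes the cluster's IP whitelist.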
About SSL encryption
What will happen if I do not renew an expired SSL certificate? Will my instance stop running or data security be compromised?
If you do not renew the SSL certificate after it expires, your instance keeps running and the security of stored data is not compromised. However, applications that connect to your instance over SSL-encrypted connections are disconnected. Renew the certificate to restore these connections.
About transparent data encryption (TDE)
- Can I continue to use common database tools, such as Navicat, after I enable TDE?
Yes, you can continue to use common database tools after you enable TDE.
- Why is data still displayed in plaintext after it is encrypted?
TDE encrypts the data as it is stored on disk. When data is queried, the encrypted pages are decrypted as they are loaded into memory, so query results are returned in plaintext to any account that is authorized to read the data.