Set whitelist

Last Updated: Dec 12, 2017

A whitelist is used to restrict access to specified IP addresses and specified IP segments. A database instance cannot be accessed unless a whitelist has been set. We recommend that you periodically check and adjust your whitelists according to your requirements to maintain RDS security. This article mainly introduces how to set the whitelist.

Background information

You can access RDS instances through the intranet, the Internet, or both. For more information about the scenarios that apply to each connection type (intranet and Internet), see the Background information section of Set intranet and Internet addresses.

Before setting the connection type, you must add the IP addresses or IP segments of your application service or ECS instance to the whitelist of the RDS instance. When the whitelist is set, the system automatically generates an intranet address for the RDS instance. If you need an Internet address, see the detailed steps for applying for an Internet address.

Note: If you cannot connect to the RDS instance after adding the application service IP address to the whitelist, see How to locate the local IP address using ApsaraDB for MySQL to obtain the actual IP address of the application service.

Precautions

  • The system automatically creates a default whitelist group for each newly created RDS instance. This default whitelist group can only be modified or cleared, but cannot be deleted.

  • For each newly created RDS instance, the local loopback IP address 127.0.0.1 is added to the default whitelist group by default. This means that all other IP addresses or IP segments are prohibited from accessing this RDS instance. Therefore, before you add other IP addresses or IP segments to the RDS whitelist, you must delete 127.0.0.1 from the default whitelist group.

  • % or 0.0.0.0/0 means that any IP address is allowed to access the RDS instance. This configuration greatly reduces the security of the database and is not recommended.

Procedure

  1. Log on to the RDS console.

  2. Select the region where the target instance is located.

  3. Click the name of the target instance to go to the Basic Information page.

  4. Select Security Controls in the left-side navigation pane to visit the Security Controls page.

  5. On the Whitelist Settings tab, click Modify for the default whitelist group, as shown in the following figure.

    Note: If you want to add a custom whitelist group to the RDS instance, click Clear for the default whitelist group to delete the IP address 127.0.0.1 first, and then click Add a Whitelist Group. The steps for setting a custom whitelist group are similar to the following steps.

    Modify the default whitelist group

  6. On the Modify Group page, enter the IP addresses or IP segments that are allowed to access the RDS instance in the Whitelist field. If you need to add ECS intranet IP addresses, click Upload ECS intranet IP Address and select the IP addresses as prompted, as shown in the following figure.

    Set the whitelist

    Parameter description:

    • Group Name: the group name can contain 2 to 32 characters, including lowercase letters, digits, and underscores. It must start with a lowercase letter and end with a letter or digit. The name cannot be modified after the whitelist group is created.

    • Whitelist: enter the custom IP addresses or IP segments that are allowed to access the RDS instance.

      • If you enter an IP segment such as 10.10.10.0/24, any IP address in the form 10.10.10.X can access the RDS instance.

      • If you need to enter multiple IP addresses or IP segments, separate them with commas and do not add blank spaces, for example, 192.168.0.1,172.16.213.9.

      • For each whitelist group, up to 1,000 IP addresses or IP segments can be set for MySQL, PostgreSQL, and PPAS instances, and up to 800 for SQL Server instances.

    • Upload ECS intranet IP Address: click this button to select the intranet IP addresses of ECS instances that belong to the same account as the RDS instance. This is a quick way to add ECS intranet IP addresses.

  7. Click OK.
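As an added example (not part of the original article and not RDS console code), the following Python pre-check applies the whitelist rules described in the procedure above to a group name and a whitelist field before you paste them into the console; it flags the insecure %/0.0.0.0/0 entries and the loopback-only case. The engine key names and the function names are assumptions.

```python
import ipaddress
import re

# Group-name rule from the article: 2 to 32 characters of lowercase letters,
# digits or underscores, starting with a lowercase letter, ending with a
# letter or digit.
GROUP_NAME_RE = re.compile(r"^[a-z][a-z0-9_]{0,30}[a-z0-9]$")

# Per-group entry limits from the article, keyed by engine (assumed key names).
MAX_ENTRIES = {"MySQL": 1000, "PostgreSQL": 1000, "PPAS": 1000, "SQLServer": 800}

# Entries the article says allow any IP address to connect.
ALLOW_ALL = {"%", "0.0.0.0/0"}


def validate_group_name(name: str) -> bool:
    """Return True if the name satisfies the Group Name rule."""
    return bool(GROUP_NAME_RE.match(name))


def check_whitelist(field: str, engine: str = "MySQL") -> dict:
    """Check one whitelist field exactly as it would be typed into the console.

    Returns {'ok': bool, 'errors': [...], 'warnings': [...]} so a caller can
    reject malformed input and still surface the valid-but-risky cases.
    """
    errors, warnings = [], []
    if " " in field:
        errors.append("blank spaces are not allowed; separate entries with commas only")
    entries = [e.strip() for e in field.split(",")]
    for e in entries:
        if e in ALLOW_ALL:
            warnings.append(f"{e} allows any IP address to connect; not recommended")
            continue
        try:
            # Accepts a single address (192.168.0.1) or a segment (10.10.10.0/24);
            # host bits set inside a segment are tolerated here (assumption).
            ipaddress.ip_network(e, strict=False)
        except ValueError:
            errors.append(f"{e!r} is not a valid IP address or IP segment")
    limit = MAX_ENTRIES[engine]
    if len(entries) > limit:
        errors.append(f"{len(entries)} entries exceed the {limit}-entry limit for {engine}")
    if set(entries) == {"127.0.0.1"}:
        warnings.append("only the loopback address is listed, so no client can connect")
    return {"ok": not errors, "errors": errors, "warnings": warnings}
```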

Modify or delete the whitelist group

You can modify or delete the whitelist group according to your business requirements. The detailed procedure is as follows:

  1. Log on to the RDS console.

  2. Select the region where the target instance is located.

  3. Click the name of the target instance to go to the Basic Information page.
