This topic describes how to configure a whitelist for an ApsaraDB RDS for MySQL instance. Only entities in whitelists can access your RDS instance.

For more information about how to configure a whitelist for other database engines, see the following topics:

Background information

ApsaraDB RDS for MySQL provides two types of whitelists:

  • IP address whitelists

    An IP address whitelist contains the IP addresses of entities that require access to your RDS instance. The IP address whitelist labeled default contains only the default IP address 127.0.0.1, which indicates that all entities are denied access to your RDS instance.

    Before you configure an IP address whitelist, you must confirm the network isolation mode of your RDS instance. The configuration procedure varies depending on the network isolation mode used.

    • Standard whitelist mode

      In standard whitelist mode, an IP address whitelist can contain IP addresses from both the classic network and VPCs. The standard whitelist mode may incur security risks. We recommend that you switch the network isolation mode from standard whitelist to enhanced whitelist.

    • Enhanced whitelist mode

      In enhanced whitelist mode, an IP address whitelist can contain only IP addresses from the classic network or VPCs. When you create an IP address whitelist, you must specify its network type.

  • Security groups

    A security group serves as a virtual firewall to limit the inbound and outbound traffic of ECS instances in that security group. After you add a security group, all ECS instances in it are granted access to your RDS instance.

    For more information, see Create a security group.

Whitelists make your RDS instance more secure, and the configuration process does not interrupt the operation of your RDS instance. Therefore, we recommend that you maintain whitelists on a regular basis.

Precautions for configuring an IP address whitelist

  • You can edit or clear a default IP address whitelist, but cannot delete it.
  • You can configure up to 200 IP address whitelists for an instance.
  • Each IP address whitelist can contain up to 1,000 IP addresses or CIDR blocks. If you want to add more than 1,000 IP addresses, we recommend that you combine them into CIDR blocks such as 192.168.1.0/24.
  • If you attempt to log on to Data Management Service (DMS) from your RDS instance without adding your IP address to a whitelist, DMS will prompt you to add the address. By default, DMS automatically creates a whitelist that contains your IP address.
  • ali_dms_group (IP address whitelist of DMS) and hdm_security_ips (IP address whitelist of HDM) are automatically created when you use the related services. Do not modify or delete the whitelists to ensure that the services run normally.
    Note Do not add your business IP addresses to these whitelists. Otherwise, they will be overwritten when the related services are updated, and your business hosts will lose access to the RDS instance.
    System-created whitelists

Configure an IP address whitelist in enhanced whitelist mode

  1. Log on to the ApsaraDB for RDS console.
  2. In the upper-left corner of the page, select the region where the instance resides.
  3. Find the instance and click the instance ID.
  4. In the left-side navigation pane, click Data Security.
  5. Confirm the connection scenario and perform its required operations.
    Scenario 1 (recommended): Your ECS and RDS instances reside in the same VPC.
    1. On the Whitelist Settings tab of the Data Security page, click Edit to the right of the IP address whitelist labeled default VPC.
    2. In the dialog box that appears, enter the internal IP address of your ECS instance in the IP Addresses field and click OK.
      Note Applications running on your ECS instance connect to the internal endpoint of your RDS instance.

    Scenario 2: Your ECS and RDS instances reside in different VPCs.
    1. Navigate to the Database Connection page and click Switch to Classic Network. In the dialog box that appears, click OK.
    2. Click Switch to VPC. In the dialog box that appears, select the VPC that hosts your ECS instance and click OK.
      Note Your ECS and RDS instances can be switched to the same VPC only if they reside in the same region. If they reside in different regions, we recommend that you use Data Transmission Service (DTS) to migrate your RDS instance to the region where your ECS instance resides. This helps ensure service availability. For more information, see Migrate between RDS instances.
    3. Navigate to the Whitelist Settings tab of the Data Security page, and click Edit to the right of the IP address whitelist labeled default VPC.
    4. In the dialog box that appears, enter the internal IP address of your ECS instance in the IP Addresses field and click OK.
      Note Applications running on your ECS instance connect to the internal endpoint of your RDS instance.

    Scenario 3: Your ECS and RDS instances both reside in the classic network.
    1. Navigate to the Whitelist Settings tab of the Data Security page, and click Edit to the right of the IP address whitelist labeled default Classic Network.
    2. In the dialog box that appears, enter the internal IP address of your ECS instance in the IP Addresses field and click OK.
      Note Applications running on your ECS instance connect to the internal endpoint of your RDS instance.

    Scenario 4: Your ECS instance resides in the classic network and your RDS instance resides in a VPC.
    1. Migrate your ECS instance to the VPC that hosts your RDS instance. For more information, see Migrate an ECS instance.
      Note Your ECS and RDS instances can be switched to the same VPC only if they reside in the same region. If they reside in different regions, we recommend that you use DTS to migrate your RDS instance to the region where your ECS instance resides. This helps ensure service availability. For more information, see Migrate between RDS instances.
    2. Navigate to the Whitelist Settings tab of the Data Security page, and click Edit to the right of the IP address whitelist labeled default VPC.
    3. In the dialog box that appears, enter the internal IP address of your ECS instance in the IP Addresses field and click OK.
      Note Applications running on your ECS instance connect to the internal endpoint of your RDS instance.

    Scenario 5: Your ECS instance resides in a VPC and your RDS instance resides in the classic network.
    1. Navigate to the Database Connection page and click Switch to VPC. In the dialog box that appears, select the VPC that hosts your ECS instance and click OK.
      Note Your ECS and RDS instances can be switched to the same VPC only if they reside in the same region. If they reside in different regions, we recommend that you use DTS to migrate your RDS instance to the region where your ECS instance resides. This helps ensure service availability. For more information, see Migrate between RDS instances.
    2. Navigate to the Whitelist Settings tab of the Data Security page, and click Edit to the right of the IP address whitelist labeled default VPC.
    3. In the dialog box that appears, enter the internal IP address of your ECS instance in the IP Addresses field and click OK.
      Note Applications running on your ECS instance connect to the internal endpoint of your RDS instance.

    Scenario 6: The host that requires access to your RDS instance resides outside the cloud.
    1. Navigate to the Whitelist Settings tab of the Data Security page, and click Edit to the right of the IP address whitelist labeled default Classic Network.
    2. In the dialog box that appears, enter the public IP address of your host in the IP Addresses field and click OK.

    Note
    • On the Whitelist Settings tab of the Data Security page, you can click Create Whitelist. In the Create Whitelist dialog box that appears, select VPC or Classic Network/Public IP for Network Type.
    • If you enter the CIDR block 10.10.10.0/24 in the IP Addresses field, all IP addresses in the 10.10.10.X format are granted access to your RDS instance.
    • If you enter more than one IP address or CIDR block, make sure that they are separated with commas (,). Do not add spaces before or after the commas. Example: 192.168.0.1,172.16.213.9.
    • If you click Add Internal IP Addresses of ECS Instances, IP addresses of all ECS instances created in your Alibaba Cloud account are displayed. You can select the required IP addresses to add to the whitelist.

Configure an IP address whitelist in standard whitelist mode

  1. Log on to the ApsaraDB for RDS console.
  2. In the upper-left corner of the page, select the region where the instance resides.
  3. Find the instance and click the instance ID.
  4. In the left-side navigation pane, click Data Security.
  5. On the Whitelist Settings tab, click Edit to the right of the IP address whitelist labeled default.
    Note You can also click Create Whitelist to create an IP address whitelist.
  6. In the Edit Whitelist dialog box, enter IP addresses or CIDR blocks in the IP Addresses field and click OK.
    • If you enter the CIDR block 10.10.10.0/24 in the IP Addresses field, all IP addresses in the 10.10.10.X format are granted access to your RDS instance.
    • If you enter more than one IP address or CIDR block, make sure that they are separated with commas (,). Do not add spaces before or after the commas. Example: 192.168.0.1,172.16.213.9.
    • If you click Add Internal IP Addresses of ECS Instances, IP addresses of all ECS instances created in your Alibaba Cloud account are displayed. You can select the required IP addresses to add to the whitelist.
    Note After you add IP addresses or CIDR blocks to the IP address whitelist labeled default, the system deletes the default IP address 127.0.0.1.

Cases

  • Only the default IP address 127.0.0.1 is added to a whitelist in the Data Security > Whitelist Settings navigation path.

    The default IP address 127.0.0.1 indicates that all entities are denied access. You must add the IP addresses of entities that require access to your RDS instance to the whitelist.

  • The IP address in the whitelist is set to 0.0.0.0.

    Enter the CIDR block 0.0.0.0/0 instead.

    Note The CIDR block 0.0.0.0/0 grants all entities access to your RDS instance. Exercise caution when you add it.
  • IP address errors are reported when your RDS instance is in enhanced whitelist mode.

    For more information, see Switch the IP whitelist mode from standard to enhanced.

    • If your RDS instance resides in a VPC and is connected by using its internal endpoint, make sure that the internal IP address of your ECS instance is added to the IP address whitelist labeled default VPC.
    • If your RDS instance resides in the classic network and is connected by using its internal endpoint, make sure that the internal IP address of your ECS instance is added to the IP address whitelist labeled default Classic Network.
    • If your RDS instance resides in a VPC and is connected by using ClassicLink, make sure that the internal IP address of your ECS instance is added to the IP address whitelist labeled default VPC.
    • If your RDS instance is connected over the Internet, make sure that the public IP address of your ECS instance is added to the IP address whitelist labeled default Classic Network. The IP address whitelist labeled default VPC cannot be used to allow access from the Internet.
  • The public IP addresses added to whitelists are not real egress IP addresses.

    Possible reasons are as follows:

    • Public IP addresses dynamically change.
    • The tool or website you use to query public IP addresses yields inaccurate results.

    For more information, see How do I locate the public IP address of my computer that needs to connect to RDS for MySQL or MariaDB TX?
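The following helper, added here as an example and not part of the RDS console or its API, applies the whitelist rules given in the procedures and cases above to a value typed into the IP Addresses field (comma separation without spaces, IP addresses or CIDR blocks, 0.0.0.0/0 rather than 0.0.0.0, 127.0.0.1 as deny-all, the 1,000-entry limit) and shows how a long address list can be combined into CIDR blocks. The function names and message texts are assumptions for illustration.

```python
import ipaddress
import re

MAX_ENTRIES = 1000        # per-whitelist limit stated on this page
DENY_ALL = "127.0.0.1"    # the default entry: every entity is denied
ALLOW_ALL = "0.0.0.0/0"   # every entity is granted access


def validate_whitelist(field_value):
    """Check a value as it would be typed into the IP Addresses field.

    Hypothetical helper, not part of the RDS console. Returns a dict with
    "errors" (the value will not work as intended) and "warnings"
    (the value works but carries risk).
    """
    errors, warnings = [], []
    # Entries are comma separated; spaces before or after commas are not allowed.
    if re.search(r"\s", field_value):
        errors.append("whitespace: separate entries with commas only, no spaces")
    entries = [e.strip() for e in field_value.split(",") if e.strip()]
    if not entries:
        errors.append("no entries")
    if len(entries) > MAX_ENTRIES:
        errors.append(f"{len(entries)} entries exceed the limit of {MAX_ENTRIES}; "
                      "combine addresses into CIDR blocks")
    for entry in entries:
        if entry == "0.0.0.0":        # the page says to enter 0.0.0.0/0 instead
            errors.append("0.0.0.0 is not a valid entry; use 0.0.0.0/0 for all addresses")
            continue
        try:
            net = ipaddress.ip_network(entry, strict=False)  # host bits are ignored
        except ValueError:
            errors.append(f"not an IP address or CIDR block: {entry}")
            continue
        if net == ipaddress.ip_network(ALLOW_ALL):
            warnings.append("0.0.0.0/0 grants every entity access; use with caution")
    if entries == [DENY_ALL]:
        warnings.append("only 127.0.0.1 is present: all entities are denied access")
    return {"errors": errors, "warnings": warnings}


def combine_into_cidrs(addresses):
    """Collapse individual IPv4 addresses into the fewest CIDR blocks that
    cover exactly those addresses, formatted for the IP Addresses field."""
    nets = [ipaddress.ip_network(a) for a in addresses]   # one /32 per host
    parts = []
    for net in ipaddress.collapse_addresses(nets):
        parts.append(str(net.network_address) if net.prefixlen == 32 else str(net))
    return ",".join(parts)
```

For example, combine_into_cidrs of all 256 addresses 192.168.1.0 to 192.168.1.255 yields the single block 192.168.1.0/24 from the precautions above.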

Precautions for configuring a security group

  • You can configure a security group only if your RDS instance runs MySQL 5.6, MySQL 5.7, or MySQL 8.0.
  • Your RDS instance can have both IP address whitelists and security groups at the same time. All IP addresses in the configured whitelists and all ECS instances in the configured security group can access your RDS instance.
  • You can add up to 10 security groups to an instance.
  • Changes to the security group are automatically synchronized to the whitelist.
  • You can only add a security group of the same network type as your RDS instance.
    Note If you switch the network type of your RDS instance after you add a security group, you must add a new security group of the new network type.

Configure a security group

  1. Log on to the ApsaraDB for RDS console.
  2. In the upper-left corner of the page, select the region where the RDS instance resides.
  3. Find the RDS instance and click the instance ID. The Basic Information page appears.
  4. In the left-side navigation pane, click Data Security.
  5. On the Whitelist Settings tab, click Add Security Group.
    Note If a security group is followed by a VPC tag, the ECS instances in it reside in VPCs.
  6. Select the security group you want to add and click OK.

What to do next

Create databases and accounts for an ApsaraDB RDS MySQL instance

FAQ

  • Does an IP address whitelist take effect immediately after it is configured?

    An IP address whitelist takes effect approximately one minute after it is configured.

  • Why do I find IP address whitelists that are not created by me?

    If these whitelists contain internal IP addresses, they were probably generated by other Alibaba Cloud services such as DMS or HDM, and these services do not perform operations on your service data.

    IP address whitelist created by HDM
  • Is my RDS instance exposed to security risks if I only enable internal network access and disable Internet access?

    We recommend that you change the network type of your RDS instance to VPC. Only ECS instances in the same VPC can access your RDS instance after their IP addresses are added to the whitelists. For more information, see Change the network type of an ApsaraDB RDS for MySQL instance.

Related operations

Operation                        Description
DescribeDBInstanceIPArrayList    Queries the IP address whitelists of an ApsaraDB RDS for MySQL instance.
ModifySecurityIps                Modifies an IP address whitelist of an ApsaraDB RDS for MySQL instance.