This topic describes how to configure an IP address whitelist for an ApsaraDB RDS for MySQL instance. After your RDS instance is created, you must configure IP address whitelists or security groups for the instance. Otherwise, your RDS instance is inaccessible.

For more information about how to configure an IP address whitelist for an RDS instance that runs another database engine, see the following topics:

Scenarios

An IP address whitelist consists of the IP addresses and CIDR blocks that are granted network access to your RDS instance; connections from any other address are refused. Whitelists are the first layer of access control for the instance and do not replace strong passwords and least-privilege database accounts. We recommend that you review the configured IP address whitelists on a regular basis and remove addresses that no longer need access.

You need to configure an IP address whitelist in the following scenarios:

  • Scenario 1

    After your RDS instance is created, you must add the IP addresses of specific devices to an IP address whitelist of the instance. This allows these devices to access your RDS instance.

  • Scenario 2

    If you cannot connect to your RDS instance, check the IP address whitelists of the instance and correct any whitelist that is improperly configured, for example, one that does not contain the client's IP address or that was created for the wrong network type.

    The following table provides the IP address whitelist settings in various connection scenarios.

    Note A virtual private cloud (VPC) is an isolated network on Alibaba Cloud. It is more secure than the classic network. For more information, see What is a VPC?

    Connection scenario: Connect an Elastic Compute Service (ECS) instance to your RDS instance

    Note The switching and migration operations in this scenario are supported only when the ECS and RDS instances reside in the same region. If the ECS and RDS instances reside in different regions, we recommend that you use Data Transmission Service (DTS) to migrate your RDS instance to the region where the ECS instance resides. This ensures service availability. For more information, see Migrate data between ApsaraDB RDS for MySQL instances.

    • Network type: The ECS and RDS instances reside in the same VPC. This is the recommended connection scenario.
      IP address whitelist setting: Add the private IP address of the ECS instance to an IP address whitelist of your RDS instance.

    • Network type: The ECS and RDS instances reside in different VPCs.
      IP address whitelist setting: Instances in different VPCs cannot communicate with each other over the internal network. Perform the following operations:
      1. Switch your RDS instance to the same VPC as the ECS instance. For more information, see Switch an ApsaraDB RDS for MySQL instance to a new VPC and a new vSwitch.
      2. Add the private IP address of the ECS instance to an IP address whitelist of your RDS instance.

    • Network type: The ECS and RDS instances both reside in the classic network.
      IP address whitelist setting: Add the private IP address of the ECS instance to an IP address whitelist of your RDS instance.

    • Network type: The ECS instance resides in the classic network, and your RDS instance resides in a VPC.
      IP address whitelist setting: An instance in the classic network and an instance in a VPC cannot communicate with each other over the internal network. Perform the following operations:
      1. Migrate the ECS instance from the classic network to the same VPC as your RDS instance.
      2. Add the private IP address of the ECS instance to an IP address whitelist of your RDS instance.

    • Network type: The ECS instance resides in a VPC, and your RDS instance resides in the classic network.
      IP address whitelist setting: An instance in the classic network and an instance in a VPC cannot communicate with each other over the internal network. Perform the following operations:
      1. Migrate your RDS instance from the classic network to the same VPC as the ECS instance. For more information, see Change the network type of an ApsaraDB RDS for MySQL instance.
      2. Add the private IP address of the ECS instance to an IP address whitelist of your RDS instance.

    Connection scenario: Connect a self-managed host to your RDS instance

    • Network type: None.
      IP address whitelist setting: Add the public IP address of the self-managed host to an IP address whitelist of your RDS instance. If the host sits behind NAT, the address to add is the public address that the RDS instance sees (the NAT gateway's address), not the address on the host's own interface, and it must stay fixed for the whitelist entry to keep working.

Precautions

  • A maximum of 50 IP address whitelists are allowed per RDS instance.
  • Changes to IP address whitelists take effect without interrupting the workloads on your RDS instance.
  • The IP address whitelist labeled default can be cleared but cannot be deleted. By default, it contains only 127.0.0.1, a placeholder that grants access to no host.
  • Do not modify or delete the IP address whitelists that are generated by other Alibaba Cloud services. If you delete these IP address whitelists, the related Alibaba Cloud services can no longer connect to your RDS instance. For example, the IP address whitelist labeled ali_dms_group is generated by Data Management (DMS), and the IP address whitelist labeled hdm_security_ips is generated by Database Autonomy Service (DAS).
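As an added example (not from the original page), the following Python script checks an instance's whitelists against the precautions above and answers the Scenario 2 question: which whitelists, if any, grant access to a given client address. It runs on a constructed response in the shape of the DescribeDBInstanceIPArrayList operation listed under Related operations; the field names DBInstanceIPArrayName and SecurityIPList are assumed from the API reference, and the addresses and whitelist names are made up.

```python
import ipaddress
from typing import Dict, List

# Whitelists that other Alibaba Cloud services generate (named on this page).
# The precautions say not to modify or delete them.
SERVICE_MANAGED = {"ali_dms_group", "hdm_security_ips"}

# Constructed sample in the shape of a DescribeDBInstanceIPArrayList response.
# Field names are assumed from the API reference; addresses are made up.
SAMPLE_RESPONSE = {
    "Items": {
        "DBInstanceIPArray": [
            {"DBInstanceIPArrayName": "default", "SecurityIPList": "127.0.0.1"},
            {"DBInstanceIPArrayName": "app_servers",
             "SecurityIPList": "172.16.213.9,10.10.10.0/24"},
            {"DBInstanceIPArrayName": "ali_dms_group",
             "SecurityIPList": "100.104.0.0/16"},
            {"DBInstanceIPArrayName": "legacy", "SecurityIPList": "0.0.0.0/0"},
        ]
    }
}


def parse_security_ips(value: str) -> List[ipaddress.IPv4Network]:
    """Split a SecurityIPList string into networks.

    Applies the format rules from this page: entries are separated by commas
    only (no surrounding spaces), and each entry is an IP address or a CIDR
    block. A bare address becomes a /32.
    """
    nets = []
    for item in value.split(","):
        if not item or item != item.strip():
            raise ValueError(f"malformed entry {item!r}: empty or padded with spaces")
        nets.append(ipaddress.ip_network(item))  # strict: host bits must be zero
    return nets


def is_well_formed(value: str) -> bool:
    """True if the string satisfies the comma/no-space/CIDR rules."""
    try:
        parse_security_ips(value)
        return True
    except ValueError:
        return False


def whitelists_covering(response: dict, client_ip: str) -> List[str]:
    """Names of the whitelists that grant access to client_ip (Scenario 2 check)."""
    ip = ipaddress.ip_address(client_ip)
    covering = []
    for entry in response["Items"]["DBInstanceIPArray"]:
        nets = parse_security_ips(entry["SecurityIPList"])
        if any(ip in net for net in nets):
            covering.append(entry["DBInstanceIPArrayName"])
    return covering


def audit(response: dict) -> Dict[str, object]:
    """Check the whitelists against the precautions on this page."""
    entries = response["Items"]["DBInstanceIPArray"]
    by_name = {e["DBInstanceIPArrayName"]: parse_security_ips(e["SecurityIPList"])
               for e in entries}
    return {
        # 0.0.0.0/0 grants access from every IPv4 address.
        "open_to_all": sorted(n for n, nets in by_name.items()
                              if any(net.prefixlen == 0 for net in nets)),
        # Service-generated lists that are present: leave them alone.
        "service_managed": sorted(n for n in by_name if n in SERVICE_MANAGED),
        # True while "default" still holds only the 127.0.0.1 placeholder.
        "default_is_placeholder":
            by_name.get("default") == [ipaddress.ip_network("127.0.0.1")],
    }
```

Running whitelists_covering against the sample with an ECS private address such as 10.10.10.77 shows that it is admitted twice, once by app_servers and once by the 0.0.0.0/0 entry in legacy; the audit flags legacy as open to all and lists ali_dms_group as service-managed so that a cleanup script skips it.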

Configure a standard IP address whitelist

In standard whitelist mode, ApsaraDB RDS does not distinguish between the classic network and VPCs. The IP addresses in a standard IP address whitelist are granted access to your RDS instance over both the classic network and VPCs.

  1. Go to the Whitelist Settings tab.
    1. Log on to the ApsaraDB for RDS console. In the left-side navigation pane, click Instances. In the top navigation bar, select the region where your RDS instance resides.
    2. Find your RDS instance and click its ID. In the left-side navigation pane, click Data Security.
  2. Click Create Whitelist, and in the Create Whitelist dialog box set the Whitelist Name parameter. Alternatively, click Modify to the right of an IP address whitelist.
  3. Enter the IP addresses or Classless Inter-Domain Routing (CIDR) blocks that require access to your RDS instance. Then, click OK.
    Note
    • If you enter more than one IP address or CIDR block, separate them with commas (,) and do not add spaces before or after the commas. Example: 192.168.0.1,172.16.213.9.
    • A maximum of 1,000 IP addresses and CIDR blocks are allowed per RDS instance. If you need to enter a large number of addresses, merge contiguous addresses into a CIDR block, for example, 10.10.10.0/24. Keep each block no wider than the hosts that need access: every address in the block is granted access, and 0.0.0.0/0 grants access from every IPv4 address.
    • After you add IP addresses or CIDR blocks to the IP address whitelist labeled default, ApsaraDB RDS removes the 127.0.0.1 placeholder from it.
  4. Optional. Click Loading ECS Inner IP. In the dialog box that appears, view the private IP addresses of all the ECS instances that are created within your Alibaba Cloud account. Add only the addresses of the ECS instances that need to connect to the IP address whitelist that you are configuring.

Configure an enhanced IP address whitelist

In enhanced whitelist mode, ApsaraDB RDS distinguishes between the classic network and VPCs. You must specify the network isolation mode of each enhanced IP address whitelist. For example, if the Network Isolation Mode parameter is set to Classic Network for an IP address whitelist, the IP addresses in the IP address whitelist are granted access to your RDS instance only over the classic network. In this case, you cannot connect to your RDS instance over VPCs from these IP addresses.

Note The enhanced whitelist mode is supported only for some existing RDS instances.
  1. Go to the Whitelist Settings tab.
    1. Log on to the ApsaraDB for RDS console. In the left-side navigation pane, click Instances. In the top navigation bar, select the region where your RDS instance resides.
    2. Find your RDS instance and click its ID. In the left-side navigation pane, click Data Security.
  2. On the Whitelist Settings tab, create or modify an IP address whitelist.
    • Create an IP address whitelist.
      1. Click Create Whitelist.
      2. Set the Network Isolation Mode parameter to the network type (Classic Network or VPC) over which the listed addresses connect.
      3. Enter a name in the Whitelist Name field, add IP addresses or CIDR blocks, and then click OK.
    • Modify an IP address whitelist.
      Click Modify to the right of the IP address whitelist.
  3. In the Edit Whitelist dialog box, add IP addresses or CIDR blocks and click OK.
    Note
    • If you enter more than one IP address or CIDR block, separate them with commas (,) and do not add spaces before or after the commas. Example: 192.168.0.1,172.16.213.9.
    • A maximum of 1,000 IP addresses and CIDR blocks are allowed per RDS instance. If you need to enter a large number of addresses, merge contiguous addresses into a CIDR block, for example, 10.10.10.0/24. Keep each block no wider than the hosts that need access: every address in the block is granted access, and 0.0.0.0/0 grants access from every IPv4 address.
    • After you add IP addresses or CIDR blocks to the IP address whitelist labeled default, ApsaraDB RDS removes the 127.0.0.1 placeholder from it.
  4. Optional. Click Loading ECS Inner IP. In the dialog box that appears, view the private IP addresses of all the ECS instances that are created within your Alibaba Cloud account. Add only the addresses of the ECS instances that need to connect to the IP address whitelist that you are configuring.
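As an added example (not from the original page), the following Python code applies the whitelist entry rules stated in the notes of both the standard and the enhanced procedure: comma-separated entries with no spaces, IP addresses or CIDR blocks, the 1,000-entry limit, and merging contiguous addresses into a block without widening coverage. It refuses 0.0.0.0/0 and then builds the parameter set for the ModifySecurityIps operation listed under Related operations; the parameter names, in particular DBInstanceIPArrayName and ModifyMode, are taken from the API reference as I recall it and are an assumption to verify against the current reference. Nothing is sent.

```python
import ipaddress
from typing import Dict, List

MAX_ENTRIES = 1000  # per-instance limit of IP addresses and CIDR blocks (this page)


def validate_entries(entries: List[str]) -> List[str]:
    """Return a list of problems; an empty list means the entries are acceptable."""
    problems = []
    for e in entries:
        if not e or e != e.strip():
            problems.append(f"{e!r}: empty or padded with spaces")
            continue
        try:
            net = ipaddress.ip_network(e)  # strict: 192.168.0.1/24 is rejected
        except ValueError as exc:
            problems.append(f"{e!r}: {exc}")
            continue
        if net.version != 4:
            problems.append(f"{e!r}: only IPv4 entries are handled here")
        elif net.prefixlen == 0:
            problems.append(f"{e!r}: grants access from every IPv4 address")
    return problems


def compose_security_ips(entries: List[str]) -> str:
    """Normalize entries into the comma-separated SecurityIps string.

    Adjacent and overlapping blocks are merged (10.10.10.0/25 + 10.10.10.128/25
    becomes 10.10.10.0/24). collapse_addresses only joins exact sibling
    blocks, so the result covers exactly the addresses the input already
    granted. Single hosts are written without /32, as in the page's example.
    """
    problems = validate_entries(entries)
    if problems:
        raise ValueError("; ".join(problems))
    merged = list(ipaddress.collapse_addresses(ipaddress.ip_network(e) for e in entries))
    if len(merged) > MAX_ENTRIES:
        raise ValueError(f"{len(merged)} entries exceed the limit of {MAX_ENTRIES}")
    return ",".join(str(n.network_address) if n.prefixlen == 32 else str(n)
                    for n in merged)


def modify_security_ips_params(instance_id: str, whitelist_name: str,
                               entries: List[str], mode: str = "Cover") -> Dict[str, str]:
    """Build the request parameters for ModifySecurityIps (nothing is sent).

    Parameter names follow the API reference as I recall it (assumption):
    DBInstanceIPArrayName selects the whitelist; ModifyMode is Cover (replace
    the whole list), Append or Delete.
    """
    if mode not in ("Cover", "Append", "Delete"):
        raise ValueError(f"unsupported ModifyMode {mode!r}")
    return {
        "Action": "ModifySecurityIps",
        "DBInstanceId": instance_id,
        "DBInstanceIPArrayName": whitelist_name,
        "SecurityIps": compose_security_ips(entries),
        "ModifyMode": mode,
    }
```

Cover replaces the named whitelist with exactly the composed string, which is the safe choice for a list that is maintained from a source of truth; Append is appropriate when adding one ECS instance to an existing list. For an enhanced whitelist the request would also carry the network isolation mode, which is not modeled here.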

What to do next

Create accounts and databases on your RDS instance. For more information, see Create accounts and databases for an ApsaraDB RDS for MySQL instance.

Related operations

Operation Description
DescribeDBInstanceIPArrayList Queries the IP address whitelists of an ApsaraDB RDS instance.
ModifySecurityIps Modifies an IP address whitelist of an ApsaraDB RDS instance.