After you create an ApsaraDB RDS for PostgreSQL instance, you must configure an IP address whitelist or security group before any client can connect to it.
Use cases
An IP address whitelist controls which IP addresses can access your RDS for PostgreSQL instance. Maintain the whitelist regularly to keep access secure.
Common scenarios:
- Scenario 1: After you create an RDS instance, add the IP addresses of external clients to the IP address whitelist to grant them access.
- Scenario 2: If a database connection fails, check the IP address whitelist configuration.
The following table shows the whitelist configuration for each connection scenario.
| Connection scenario | Network type | Whitelist configuration |
| --- | --- | --- |
| An ECS instance connects to an RDS for PostgreSQL instance | The instances are in the same Virtual Private Cloud (VPC). (Recommended) | Add the private IP address of the ECS instance. |
| An ECS instance connects to an RDS for PostgreSQL instance | The instances are in different VPCs | Instances in different VPCs cannot communicate directly. Use one of the following solutions: |
| A container in an ACK cluster connects to an RDS for PostgreSQL instance | The cluster and the instance are in the same VPC. (Recommended) | You can find the pod and node IP addresses on the pod page of the target ACK cluster. |
| A container in an ACK cluster connects to an RDS for PostgreSQL instance | The cluster and the instance are in different VPCs | Instances in different VPCs cannot communicate directly. Use one of the following solutions: |
| A self-managed host outside the cloud connects to an RDS for PostgreSQL instance | N/A | Add the public IP address of the host to the IP address whitelist. |
Usage notes
- An instance can have up to 50 IP address whitelist groups.
- Configuring an IP address whitelist does not affect the normal operation of your RDS instance.
- Whitelist groups organize IP addresses only. All IP addresses across all groups have equal access to the instance.
- The default whitelist group cannot be deleted. You can only clear its entries.
- Do not modify or delete system-generated groups, such as the ali_dms_group for Data Management (DMS) or the hdm_security_ips for Database Autonomy Service (DAS). Doing so may cause service interruptions.
  Important: To prevent accidental modifications or deletions, the hdm_security_ips whitelist group is hidden for instances that are created after December 2020.
- By default, an IP address whitelist contains only 127.0.0.1. This means no IP address other than 127.0.0.1 can access the RDS instance.
Configure a standard IP whitelist
- Go to the ApsaraDB RDS console, select the region of your RDS instance, and then click the instance ID.
- In the left-side navigation pane, click Whitelist and Security Group.
- Click Add Whitelist Group and enter a Group Name, or click Modify next to an existing group.
- Enter the IP addresses or CIDR blocks to add, and then click OK.
  Important:
  - Separate multiple entries with commas (,) without spaces. Example: 192.168.0.1,172.16.213.9.
  - A single instance supports up to 1,000 entries. Consolidate individual IP addresses into CIDR blocks (for example, 10.10.10.0/24) to reduce the entry count.
- (Optional) If your primary instance has read-only instances, use the Sync Whitelist to Read-only Instances option to copy the primary instance's whitelist to one or more read-only instances.
- (Optional) Click Load ECS Intranet IP to populate a list of your ECS instances, and then select an instance to add its private IP address to the whitelist.

Configure an IP whitelist in enhanced mode
Enhanced whitelist mode is not supported for cloud disk instances. The high-performance local disk storage type is no longer available for purchase.
Enhanced whitelist mode separates classic network and VPC access. Each whitelist group requires a network isolation mode — IP addresses in one mode cannot access the instance through the other.
If your high-performance local disk instance already uses enhanced whitelist mode, follow the steps below. To switch to enhanced whitelist mode, see Switch to enhanced whitelist mode.
- Go to the ApsaraDB RDS console, select the region of your RDS instance, and then click the instance ID.
- In the left-side navigation pane, click Whitelist and Security Group.
- Click Add Whitelist Group and select a Network Isolation Mode.
- Enter a Group Name.
- In the IP Addresses in Whitelist text box, enter the IP addresses or CIDR blocks to add, and then click OK.
  Important:
  - Separate multiple entries with commas (,) without spaces. Example: 192.168.0.1,172.16.213.9.
  - A single instance supports up to 1,000 entries. Consolidate individual IP addresses into CIDR blocks (for example, 10.10.10.0/24) to reduce the entry count.
- (Optional) If your primary instance has read-only instances, use the Sync Whitelist to Read-only Instances option to copy the primary instance's whitelist to one or more read-only instances.
- (Optional) Click Load ECS Intranet IP to populate a list of your ECS instances, and then select an instance to add its private IP address to the whitelist.

Note: In enhanced whitelist mode, make sure to select the correct network isolation mode.
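
Both the standard and the enhanced-mode procedures take the same input: a comma-separated list with no spaces, capped at 1,000 entries per instance. The following added example (not part of the original documentation) validates a list of IPv4 addresses and CIDR blocks, merges them into the fewest blocks, and builds that string. The names `build_whitelist` and `SAMPLE`, the IPv4-only handling, the refusal of a /0 block, and the assumption that merged blocks of any prefix length are acceptable entries are choices of this example.

```python
import ipaddress

MAX_ENTRIES = 1000  # per-instance entry limit stated on this page


def build_whitelist(raw_entries, max_entries=MAX_ENTRIES):
    """Return the comma-separated whitelist value for a list of IPv4 entries.

    Raises ValueError for malformed entries, CIDR blocks with host bits set,
    a /0 block, or a merged list that still exceeds max_entries.
    """
    networks = []
    for raw in raw_entries:
        entry = raw.strip()
        if not entry:
            continue
        # strict=True rejects blocks such as 10.10.10.5/24 instead of
        # silently masking them to 10.10.10.0/24.
        net = ipaddress.IPv4Network(entry, strict=True)
        if net.prefixlen == 0:
            # Policy of this example: 0.0.0.0/0 matches every IPv4 address.
            raise ValueError(f"refusing to whitelist {net}")
        networks.append(net)

    # Drop duplicates and merge adjacent or overlapping ranges.
    merged = list(ipaddress.collapse_addresses(networks))
    if len(merged) > max_entries:
        raise ValueError(f"{len(merged)} entries exceed the limit of {max_entries}")

    # Single hosts are written as bare addresses, matching the page's example.
    parts = [str(n.network_address) if n.prefixlen == 32 else str(n) for n in merged]
    return ",".join(parts)  # commas only, no spaces


# Constructed sample input: every host in one /24, two adjacent hosts,
# and a duplicated single address with stray whitespace.
SAMPLE = [f"10.10.10.{i}" for i in range(256)] + [
    "192.168.0.1", "172.16.213.9", "172.16.213.8", " 192.168.0.1 ",
]

if __name__ == "__main__":
    print(build_whitelist(SAMPLE))
```

The 260 constructed inputs collapse to three entries, which keeps the group well under the entry limit and makes the resulting whitelist easier to review.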

Next steps
FAQ
API reference
- DescribeDBInstanceIPArrayList: queries the IP address whitelist of an RDS instance.
- ModifySecurityIps: modifies the IP address whitelist of an RDS instance.