To ensure the security and stability of Redis databases, the system blocks all IP addresses that attempt to access ApsaraDB for Redis instances by default. Before you use an ApsaraDB for Redis instance, add IP addresses or CIDR blocks that are used to access the database to the IP address whitelist of the ApsaraDB for Redis instance. We recommend that you periodically adjust your whitelists to enhance access security and secure data in ApsaraDB for Redis.

Prerequisites

  • The ApsaraDB for Redis instance is upgraded to the latest minor version. For more information about how to upgrade the minor version of an ApsaraDB for Redis instance, see Upgrade the minor version.
  • To specify an ECS security group as a whitelist, the engine version of the instance must be Redis 4.0 or later.

Methods

| Method | Description |
| --- | --- |
| Method 1: Set one or more whitelists | Manually add the IP address of a client to the whitelist of the ApsaraDB for Redis instance to allow the client to access the instance. |
| Method 2: Specify ECS security groups as whitelists | A security group is a virtual firewall that is used to control the inbound and outbound traffic of ECS instances in the security group. To authorize multiple ECS instances to access an ApsaraDB for Redis instance, you can implement quick authorization by associating the ApsaraDB for Redis instance to the security group to which the ECS instances belong. You do not need to manually enter the IP addresses of the ECS instances. This improves the convenience of operations and maintenance. |
Note You can also use both methods to set the IP whitelists for ApsaraDB for Redis instances. Both IP addresses in IP whitelists and ECS instances in security groups are allowed to access ApsaraDB for Redis instances.

Method 1: Set one or more whitelists

  1. Log on to the ApsaraDB for Redis console.
  2. On the top of the page, select the region where the instance is deployed.
  3. On the Instances page, click the Instance ID of the instance.
  4. In the left-side navigation pane, click Whitelist Settings.
  5. Find the IP address whitelist and click Modify.
    Note You can also click Add Whitelist to create a whitelist. The name of the whitelist must be 2 to 32 characters in length, and can contain lowercase letters, digits, and underscores (_). It must start with a lowercase letter and end with a letter or digit.
  6. In the dialog box that appears, perform one of the following operations:
    • Manually modify an IP address whitelist

      Enter IP addresses or CIDR blocks.

      Figure 1. Manually modify an IP address whitelist
      Note
      • Separate multiple IP addresses with commas (,). A maximum of 1,000 different IP addresses can be added. Supported formats are specific IP addresses such as 10.23.12.24 and CIDR blocks such as 10.23.12.24/24. /24 indicates the length of the IP address prefix. An IP address prefix can contain 1 to 32 bits.
      • 0.0.0.0/0 indicates that all IP addresses are allowed to access the instance. This poses a high security risk.
    • Add the internal IP addresses of ECS instances to a whitelist
      1. Click Load ECS Internal Network IP.
      2. Select the IP address based on your business requirements.
        Figure 2. Add internal IP addresses of ECS instances
        Note To locate a specific IP address, you can move your pointer over the specific IP address. The system displays the ID and name of the ECS instance to which the IP address is assigned.
    • Delete IP addresses in a whitelist

      To delete all IP addresses in a whitelist while retaining the whitelist itself, click Delete.

  7. Click OK.
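
The rules in the notes above (name format, the 1,000-entry limit, accepted address formats, and the risk of 0.0.0.0/0) can be checked before a whitelist is saved or during a periodic review. The following Python sketch is an added example, not code from ApsaraDB for Redis or its SDK; the function name, the severity labels, and the /16 review threshold are assumptions, and the sample data is constructed.

```python
import ipaddress
import re

# Name rule from the note in step 5: 2 to 32 characters, lowercase letters,
# digits, underscores; starts with a lowercase letter, ends with a letter or digit.
NAME_RE = re.compile(r"[a-z][a-z0-9_]{0,30}[a-z0-9]")
MAX_ENTRIES = 1000   # limit stated on this page
BROAD_PREFIX = 16    # assumption: review threshold, not a product limit


def audit_whitelist(name, entries_csv):
    """Return a list of (severity, message) findings for one whitelist."""
    findings = []
    if not NAME_RE.fullmatch(name):
        findings.append(("error", f"invalid whitelist name: {name!r}"))
    entries = [e.strip() for e in entries_csv.split(",") if e.strip()]
    unique = len(set(entries))
    if unique > MAX_ENTRIES:
        findings.append(("error", f"{unique} entries exceed {MAX_ENTRIES}"))
    for entry in entries:
        try:
            # strict=False accepts CIDR blocks written with host bits set,
            # such as the 10.23.12.24/24 form shown on this page.
            net = ipaddress.IPv4Network(entry, strict=False)
        except ValueError:
            findings.append(("error", f"not an IPv4 address or CIDR block: {entry}"))
            continue
        if net.prefixlen == 0:
            findings.append(("critical", f"{entry} allows every IP address"))
        elif net.prefixlen < BROAD_PREFIX:
            findings.append(("warning", f"{entry} covers {net.num_addresses} addresses"))
        if "/" in entry and str(net) != entry:
            # A /24 written from a host address still matches the whole /24.
            findings.append(("info", f"{entry} covers the range {net}"))
    return findings


if __name__ == "__main__":
    # Constructed sample data, not exported from a real instance.
    sample = {
        "app_servers": "10.23.12.24",
        "App_servers": "10.23.12.24/24, 0.0.0.0/0, 10.23.12.300",
    }
    for wl_name, csv in sample.items():
        for severity, message in audit_whitelist(wl_name, csv):
            print(f"[{severity}] {wl_name}: {message}")
```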

Method 2: Specify ECS security groups as whitelists

After you specify a security group as a whitelist of the ApsaraDB for Redis instance, all ECS instances in the security group are allowed to access the instance over the internal network or the Internet. For access over the Internet, the ApsaraDB for Redis instance must have a public endpoint. For more information, see Use a public endpoint to connect to an ApsaraDB for Redis instance.

Note When you add an ECS security group, make sure that the ApsaraDB for Redis instance has the same network type as the ECS instances. If both the ApsaraDB for Redis instance and ECS instances have the VPC network type, make sure that they reside in the same VPC.
  1. Log on to the ApsaraDB for Redis console.
  2. On the top of the page, select the region where the instance is deployed.
  3. On the Instances page, click the Instance ID of the instance.
  4. In the left-side navigation pane, click Whitelist Settings.
  5. Click Add Security Group.
  6. In the dialog box that appears, select the specified ECS security group.
    Figure 3. Add security groups
    Note
    • If you move your pointer over an ECS security group, you can view its name and description. If you move your pointer over VPC, you can view the VPC ID. This way, you can find the required ECS security group.
    • You can add up to 10 ECS security groups for each ApsaraDB for Redis instance.
  7. In the dialog box that appears, click OK.
  8. Optional: To remove all security groups, click Delete.

Common connection scenarios

Related API operations

| API | Description |
| --- | --- |
| DescribeSecurityIps | Queries the IP address whitelists of an ApsaraDB for Redis instance. |
| ModifySecurityIps | Configures the IP address whitelists of an ApsaraDB for Redis instance. |
| DescribeSecurityGroupConfiguration | Queries the security groups that have been configured in the whitelist of an ApsaraDB for Redis instance. |
| ModifySecurityGroupConfiguration | Resets the security groups in the whitelist of an ApsaraDB for Redis instance. |

FAQ

  • Q: Multiple automatically generated whitelists exist in a Redis instance. Where do these whitelists come from? Can they be deleted?

    A: When you create an ApsaraDB for Redis instance, it has a default IP address whitelist. As you perform operations on the instance, more whitelists are generated. For more information, see the following table.

    | Whitelist name | Description |
    | --- | --- |
    | default | The default IP address whitelist. You cannot delete it. |
    | ali_dms_group | When you log on to the Redis instance through Data Management (DMS), the whitelist is automatically created when DMS is authorized. For more information, see Use DMS. Do not delete or modify the whitelist. Otherwise, you may fail to log on to the ApsaraDB for Redis instance through DMS. |
    | hdm_security_ips | When you use CloudDBA related features (for example, Cache analysis), the whitelist is automatically created when Database Autonomy Service (DAS) is authorized. Do not delete or modify the whitelist. Otherwise, CloudDBA features may fail. |
  • Q: Why does the message (error) ERR illegal address appear when I connect to the ApsaraDB for Redis instance by using redis-cli?

    A: The IP address of the machine on which the redis-cli runs is not added to the whitelist. Please check the whitelist.

  • Q: The IP address of my device is not added to the whitelist. Can I test port connectivity by using telnet?
    A: Yes. The telnet command returns the following message:
    Escape character is '^]'.
    Connection closed by foreign host.