After you create a PolarDB for MySQL cluster, you must add IP addresses to the whitelist and create an initial account to access and manage the cluster.

Background information

Apsara PolarDB allows you to configure a whitelist in the following ways:
  • Configure an IP whitelist

    You can add IP addresses or CIDR blocks to an IP whitelist. Only the addresses in a whitelist are allowed to connect to the cluster. By default, the whitelist contains only the IP address 127.0.0.1, which means that no device is allowed to access the cluster until you add entries.

  • Configure a security group

    An Elastic Compute Service (ECS) security group is a virtual firewall that is used to control the inbound and outbound traffic of ECS instances in the security group. After you add an ECS security group on the Whitelists page in the Apsara PolarDB console, all ECS instances in the security group can access the cluster.

    For more information, see Create a security group.

Notes

  • By default, the whitelist contains only the IP address 127.0.0.1, which indicates that no devices are allowed to access the cluster.
  • If you set the IP Addresses of the IP whitelist to % or 0.0.0.0/0, every IP address that can reach the cluster endpoint is allowed to connect. We recommend that you do not use this configuration because it removes the network-level protection of the cluster; if you use it for troubleshooting, remove the entry as soon as the test is finished.
  • Apsara PolarDB cannot automatically obtain internal IP addresses of ECS instances in VPC networks. You must manually add the internal IP addresses to the whitelist.
  • You can use IP whitelists and ECS security groups in combination. Both IP addresses in whitelists and ECS instances in security groups are allowed to access the Apsara PolarDB cluster.
  • Only PolarDB for MySQL supports security groups. You can add up to ten security groups to a cluster.
  • Apsara PolarDB supports up to 50 IP whitelists. The total number of IP addresses or CIDR blocks in all whitelists cannot exceed 1,000.
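The limits and warnings in the Notes above are easy to check before a whitelist is submitted. The following Python script is an added example written for this page; it is not part of the PolarDB documentation, console, or API. It audits a whitelist configuration held as a {name: [entries]} dictionary (the sample dictionary is constructed for illustration) and reports which whitelist, if any, covers a given client address, which is the first thing to verify when an ECS private IP or Elastic IP cannot connect. The /16 "broad range" threshold is an assumption of this example, not a PolarDB rule.

```python
import ipaddress

# Limits stated in the Notes above.
MAX_WHITELISTS = 50
MAX_ENTRIES_TOTAL = 1000
# Either value opens the cluster to every IP address.
OPEN_TO_ALL = ("%", "0.0.0.0/0")
# Default placeholder: the console lists it, but no real client matches it.
DEFAULT_PLACEHOLDER = "127.0.0.1"
# Threshold for "suspiciously broad" ranges. This is an assumption of the
# example, not a PolarDB rule; adjust it to your own policy.
BROAD_PREFIX = 16


def parse_entry(entry):
    """Turn a whitelist entry (IP, CIDR block, or '%') into an ip_network."""
    if entry == "%":
        return ipaddress.ip_network("0.0.0.0/0")
    # strict=False accepts host bits in a block, e.g. '192.168.1.10/24'.
    return ipaddress.ip_network(entry, strict=False)


def audit_whitelists(whitelists):
    """Check a {name: [entries]} mapping against the documented limits and
    return a list of (severity, message) findings, in configuration order."""
    findings = []
    if len(whitelists) > MAX_WHITELISTS:
        findings.append(("error", f"{len(whitelists)} whitelists exceeds the limit of {MAX_WHITELISTS}"))
    total = sum(len(entries) for entries in whitelists.values())
    if total > MAX_ENTRIES_TOTAL:
        findings.append(("error", f"{total} entries exceeds the limit of {MAX_ENTRIES_TOTAL}"))
    for name, entries in whitelists.items():
        for entry in entries:
            if entry in OPEN_TO_ALL:
                findings.append(("critical", f"{name}: '{entry}' allows every IP address"))
                continue
            if entry == DEFAULT_PLACEHOLDER:
                findings.append(("info", f"{name}: '{entry}' is the default placeholder; no client matches it"))
                continue
            try:
                net = parse_entry(entry)
            except ValueError:
                findings.append(("error", f"{name}: '{entry}' is not a valid IP address or CIDR block"))
                continue
            if net.prefixlen < BROAD_PREFIX:
                findings.append(("warning", f"{name}: '{entry}' covers {net.num_addresses} addresses"))
    return findings


def is_allowed(whitelists, client_ip):
    """Return the name of the first whitelist that covers client_ip, or None.
    Pass the address the cluster actually sees: the ECS private IP for an
    internal endpoint, the Elastic IP for a public endpoint."""
    ip = ipaddress.ip_address(client_ip)
    for name, entries in whitelists.items():
        for entry in entries:
            if entry == DEFAULT_PLACEHOLDER:
                continue
            try:
                net = parse_entry(entry)
            except ValueError:
                continue
            if ip in net:
                return name
    return None


# Constructed sample configuration; not taken from a real cluster.
SAMPLE = {
    "default": ["127.0.0.1"],
    "app-servers": ["192.168.1.10", "192.168.1.0/24"],
    "office": ["0.0.0.0/0"],
    "legacy": ["10.0.0.0/8", "not-an-ip"],
}

if __name__ == "__main__":
    for severity, message in audit_whitelists(SAMPLE):
        print(f"[{severity}] {message}")
    print("192.168.1.77 allowed by:", is_allowed(SAMPLE, "192.168.1.77"))
    print("203.0.113.9 allowed by:", is_allowed(SAMPLE, "203.0.113.9"))
```

Run the audit against the entries you are about to submit; a "critical" finding means the cluster would be reachable from any address, and a None result from is_allowed for the ECS address you connect from is the usual cause of the failure described in FAQ 3 and 4 below.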

Configure an IP whitelist

  1. Log on to the Apsara PolarDB console.
  2. In the upper-left corner of the page, select the region where the instance is deployed.
  3. Click the cluster ID to go to the Basic Information page.
  4. Choose Settings and Management > Whitelists.
  5. On the Whitelists page, click Modify in the Actions column to configure an existing IP whitelist, or click Add IP Whitelist to add a new one.
  6. In the Add IP Whitelist pane, configure the information of the IP whitelist and click Submit.
    • If you want to connect your ECS instance to the Apsara PolarDB cluster, you can retrieve IP addresses of the ECS instance from the Configuration Information section on the Instance Details page. Then you can add these IP addresses to the IP whitelist.
      Note If the ECS instance is in the same region as the Apsara PolarDB cluster such as the China (Hangzhou) region, use the private IP address of the ECS instance. If the ECS instance is in a different region from the Apsara PolarDB cluster, use the Elastic IP address of the ECS instance. You can also migrate the ECS instance to the region where the Apsara PolarDB cluster is located. Then, you can use the private IP address of the ECS instance.
    • If you want to connect your on-premises server, computer, or other cloud server to the Apsara PolarDB cluster, add the IP address to the IP whitelist.

Configure a security group

  1. Log on to the Apsara PolarDB console.
  2. In the upper-left corner of the page, select the region where the instance is deployed.
  3. Click the cluster ID to go to the Basic Information page.
  4. Choose Settings and Management > Whitelists.
  5. On the Whitelists page, click Modify in the Actions column to configure an existing security group, or click Select Security Group to add a security group.
  6. In the Select Security Groups pane, select the security group and click Submit.

    For more information, see Create a security group.

What to do next

After you configure whitelists and create database accounts, access the cluster and manage databases.

FAQ

  1. How can I allow a server to access only a specified node in a cluster?

    You can use the custom cluster endpoint feature. This feature allows servers to access only a specified node in a cluster.

  2. How many IP addresses do IP whitelists support?

    You can add up to 1,000 IP addresses or CIDR blocks across all IP whitelists of a cluster. IP addresses of ECS instances that are granted access through security groups do not count toward this limit.

  3. Why am I unable to connect the ECS instance to the Apsara PolarDB cluster after I add the IP address of the ECS instance to the IP whitelist?
    Perform the following checks:
    1. Confirm whether the IP whitelist is correctly configured. If you connect to the cluster through an internal endpoint, you must add the private IP address of the ECS instance to the IP whitelist. If you connect to the cluster through a public endpoint, you must add the Elastic IP address of the ECS instance to the IP whitelist.
    2. Confirm whether the ECS instance and Apsara PolarDB cluster run in the same type of network. If the ECS instance runs in a classic network, you can migrate the ECS instance to the VPC network where the cluster is located. For more information, see Overview of migration solutions.
      Note If you want to connect the ECS instance to other internal resources that are located in a classic network, do not migrate the ECS instance to the VPC network. Otherwise, the ECS instance cannot connect to these internal resources after the migration.

      You can also use the ClassicLink feature to connect the classic network to the VPC network.

    3. Confirm whether the ECS instance and Apsara PolarDB cluster run in the same VPC network. If they do not run in the same VPC network, you must purchase a new Apsara PolarDB cluster, or activate the Cloud Enterprise Network service to connect to these VPC networks.
  4. Why am I unable to access the cluster through a public endpoint?
    If you connect to the cluster from an ECS instance through a public endpoint:
    1. Make sure that you have added the Elastic IP address of the ECS instance, not its private IP address, to an IP whitelist.
    2. As a temporary test, set the IP Addresses of the IP whitelist to 0.0.0.0/0 and try again. If you can now connect, the Elastic IP address that you specified in the IP whitelist is incorrect. If you still cannot connect, verify the public endpoint. For more information, see View endpoints. Remove the 0.0.0.0/0 entry as soon as the test is finished, because it allows every IP address to reach the cluster.
  5. How can I connect to an Apsara PolarDB cluster through an internal endpoint?
    If you want to connect to an Apsara PolarDB cluster from an ECS instance through an internal endpoint, the following conditions must be met:
    • The ECS instance and Apsara PolarDB cluster must be deployed in the same region.
    • The ECS instance and Apsara PolarDB cluster must run in the same type of network. If the network is a VPC network, they must run in the same VPC network.
    • The internal IP address of the ECS instance is added to an IP whitelist of the cluster.
  6. How can I allow a user account to access an Apsara PolarDB cluster only from a specified IP address?
    IP whitelists apply to the whole cluster, not to individual accounts. To restrict a single account, log on with a privileged account that has the permissions to manage other accounts, and bind the standard account to the specified IP address. The standard account can then connect to the cluster only from that IP address.

Related API operations

Operation                          Description
DescribeDBClusterAccessWhitelist   Queries the IP addresses that are allowed to access a specified Apsara PolarDB cluster.
ModifyDBClusterAccessWhitelist     Modifies the IP addresses that are allowed to access a specified Apsara PolarDB cluster.