PolarDB: Configure an IP whitelist

Last Updated: Jul 24, 2023

After you create a PolarDB for MySQL cluster, you must configure an IP whitelist and create an account for logging on to the cluster. Only IP addresses in the IP whitelists or Elastic Compute Service (ECS) instances in the security groups of the cluster can access the cluster. This topic describes how to configure an IP whitelist.

Scenarios

An IP whitelist contains IP addresses or CIDR blocks that are allowed to access a PolarDB for MySQL cluster. You can configure an IP whitelist to reinforce the security of a PolarDB for MySQL cluster. We recommend that you update the IP whitelist on a regular basis. In most cases, you must configure an IP whitelist in the following scenarios:

  • You want to connect your ECS instance to a PolarDB for MySQL cluster. You can find the IP addresses of the ECS instance in the Configuration Information section on the Instance Details page. Then, add one of the IP addresses to the IP whitelist of the cluster.

    Note

    If the ECS instance and the PolarDB for MySQL cluster are deployed in the same region, such as the China (Hangzhou) region, add the private IP address of the ECS instance to the IP whitelist. If the ECS instance and the PolarDB for MySQL cluster are deployed in different regions, add the public IP address of the ECS instance to the IP whitelist. You can also migrate the ECS instance to the region where the PolarDB for MySQL cluster is deployed and then add the private IP address of the ECS instance.

  • If you want to connect on-premises servers, computers, or other cloud instances to the PolarDB for MySQL cluster, add the relevant IP addresses to the IP whitelist of the cluster.

Precautions

  • PolarDB for MySQL cannot automatically obtain the private IP addresses of ECS instances in virtual private clouds (VPCs). If you want to use the private IP address of an ECS instance to access a PolarDB for MySQL cluster, you must manually add the private IP address to the IP whitelist of the cluster.

  • You can configure both IP whitelists and security groups. After you add IP addresses to IP whitelists and add ECS instances to security groups of a PolarDB for MySQL cluster, the specified IP addresses and ECS instances can access the cluster.

  • The ali_dms_group (for Data Management), hdm_security_ips (for Database Autonomy Service), and dtspolardb (for Data Transmission Service) whitelists are automatically created when you use the relevant services. To ensure that these services continue to work as expected, do not modify or delete these IP whitelists.

    Important

    Do not add your service IP addresses to these IP whitelists. Otherwise, your service IP addresses may be overwritten when the related services are updated. Consequently, service interruption may occur.

Procedure

  1. Log on to the PolarDB console.
  2. In the upper-left corner of the console, select the region in which the cluster that you want to manage is deployed.
  3. Find the cluster and click the cluster ID.
  4. In the left-side navigation pane, choose Settings and Management > Whitelists.

  5. On the Whitelists page, you can click Add IP Whitelist to add an IP whitelist or click Modify to modify an existing IP whitelist.

    • Add an IP whitelist

      1. Click Add IP Whitelist.

      2. In the Add IP Whitelist panel, specify the name of the IP whitelist and enter the IP addresses that are allowed to access the cluster.

        Note

        The name of the IP whitelist must meet the following requirements:

        • The name can contain lowercase letters, digits, and underscores (_).

        • The name must start with a letter and end with a letter or digit.

        • The name must be 2 to 120 characters in length.

    • Modify an IP whitelist

      1. On the right side of an IP whitelist name, click Modify.

      2. In the Modify Whitelist panel, enter the IP addresses that are allowed to access the cluster.

        Note

        • A default IP whitelist that contains only the IP address 127.0.0.1 is automatically created for each cluster. This IP whitelist blocks all IP addresses.

        • If you set an IP whitelist to a percent sign (%) or 0.0.0.0/0, all IP addresses are allowed to access the cluster. We recommend that you do not use this configuration unless necessary because it compromises database security.

  6. Click OK.

    Note

    You can create at most 50 IP whitelists, and the 50 IP whitelists can contain at most 1,000 IP addresses or CIDR blocks in total.
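
As an added example (not part of the original documentation and not Alibaba Cloud code), the following Python check reviews a proposed whitelist change against the rules on this page before it is applied: the naming requirements, the % and 0.0.0.0/0 entries, the service-managed whitelists, and the 50 and 1,000 limits. The function name review_change, the sample whitelist names, and the sample addresses are assumptions made for illustration.

```python
import ipaddress
import re

# Name rule from the Note in step 5: lowercase letters, digits, underscores;
# starts with a letter, ends with a letter or digit; 2 to 120 characters.
NAME_RE = re.compile(r"[a-z][a-z0-9_]{0,118}[a-z0-9]")
# Whitelists created automatically for DMS, DAS and DTS (see Precautions).
SERVICE_MANAGED = {"ali_dms_group", "hdm_security_ips", "dtspolardb"}
MAX_WHITELISTS, MAX_ENTRIES = 50, 1000


def review_change(name, entries, current):
    """Return problems with setting whitelist `name` to `entries`.

    `current` maps existing whitelist names to their entry lists.
    """
    problems = []
    if name in SERVICE_MANAGED:
        problems.append(f"{name}: service-managed whitelist, do not modify")
    elif not NAME_RE.fullmatch(name):
        problems.append(f"{name}: invalid whitelist name")
    for entry in entries:
        if entry == "%":
            problems.append(f"{entry}: allows all IP addresses")
            continue
        try:
            network = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            problems.append(f"{entry}: not an IP address or CIDR block")
            continue
        if network.prefixlen == 0:
            problems.append(f"{entry}: allows all IP addresses")
    if list(entries) == ["127.0.0.1"]:
        problems.append("127.0.0.1 only: blocks all IP addresses")
    # Assumption: the limits are counted over every whitelist on the cluster.
    after = {**current, name: list(entries)}
    if len(after) > MAX_WHITELISTS:
        problems.append(f"more than {MAX_WHITELISTS} IP whitelists")
    if sum(len(v) for v in after.values()) > MAX_ENTRIES:
        problems.append(f"more than {MAX_ENTRIES} entries in total")
    return problems


# Constructed sample data (documentation address ranges), not real cluster output.
CURRENT = {"ops_hosts": ["192.0.2.10"], "ali_dms_group": ["198.51.100.10"]}
if __name__ == "__main__":
    for change in [("app_servers", ["192.0.2.0/24", "203.0.113.7"]),
                   ("Office-VPN", ["0.0.0.0/0", "10.0.0.300"]),
                   ("dtspolardb", ["192.0.2.15"])]:
        print(change[0], review_change(*change, CURRENT))
```

An empty list means the change passes every check; anything else should be resolved before the change is made in the console or through ModifyDBClusterAccessWhitelist.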

Related API operations

| API operation | Description |
| --- | --- |
| DescribeDBClusterAccessWhitelist | Queries the IP addresses that are allowed to access a specified PolarDB for MySQL cluster. |
| ModifyDBClusterAccessWhitelist | Modifies the IP addresses that are allowed to access a specified PolarDB for MySQL cluster. |