After you create a PolarDB for MySQL cluster, you must add IP addresses to the whitelist of the cluster and create an initial account of the cluster to access and use the cluster.
Background information
- Configure an IP whitelist
You can add IP addresses that are allowed to access the cluster. The default IP whitelist consists of only the default IP address 127.0.0.1. This indicates that no devices are allowed to access the cluster. Only IP addresses in the IP whitelists can access the cluster.
- Configure a security group
An Elastic Compute Service (ECS) security group is a virtual firewall that is used to control the inbound and outbound traffic of ECS instances in the security group. After you add an ECS security group to the whitelist of the PolarDB cluster, the ECS instances in the security group can access the PolarDB cluster.
For more information about ECS security groups, see Create a security group.
Notes
- By default, the IP whitelist of a cluster consists of only the IP address 127.0.0.1. This indicates that no devices are allowed to access the database cluster.
- If you set the IP whitelist to % or 0.0.0.0/0, all IP addresses are allowed to access the database cluster. However, we recommend that you do not use this configuration unless necessary because it compromises database security.
- PolarDB cannot automatically obtain private IP addresses of ECS instances in virtual private clouds (VPCs). If you need to use the private IP address of an ECS instance to access a PolarDB cluster, you must manually add the private IP address to the whitelists of the cluster.
- You can configure both IP address whitelists and ECS security groups. All the IP addresses in the whitelists and all the ECS instances in the security groups can access the PolarDB cluster.
- Only PolarDB for MySQL supports security groups. You can add a maximum of 10 security groups.
- You can create a maximum of 50 IP whitelists. The total number of IP addresses or Classless Inter-Domain Routing (CIDR) blocks in all IP whitelists cannot exceed 1,000.
- Whitelists such as ali_dms_group, hdm_security_ips, and dtspolardb are automatically generated when the relevant services are used. ali_dms_group is the IP whitelist for Data Management (DMS). hdm_security_ips is the IP whitelist for Database Autonomy Service (DAS). dtspolardb is the IP whitelist for Data Transmission Service (DTS). To ensure that the relevant services can be used, do not modify or delete these IP whitelists.
Notice: Do not add your own IP address to these IP whitelists. If you add your own IP address to these IP whitelists, your IP address is overwritten by the updated IP addresses of the related services. If your IP address is overwritten, your business is affected.
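The notes above translate into a small set of checks that can be run over a cluster's whitelists before a change is applied. The following audit script is an added example, not code from the page or from PolarDB: it flags the open-to-all entries (% and 0.0.0.0/0), invalid entries, your own address placed in a service-managed whitelist, and the 50-whitelist and 1,000-entry limits. The input is a constructed sample shaped like a DescribeDBClusterAccessWhitelist result; the field names DBClusterIPArrayName and SecurityIps (a comma-separated string) are an assumption.

```python
import ipaddress

# Limits and protected whitelist names as stated in the notes above.
MAX_WHITELISTS = 50
MAX_ENTRIES = 1000
SERVICE_WHITELISTS = {"ali_dms_group", "hdm_security_ips", "dtspolardb"}

# Constructed sample, modelled on a DescribeDBClusterAccessWhitelist response.
# Field names are an assumption; SecurityIps is a comma-separated string.
SAMPLE_WHITELISTS = [
    {"DBClusterIPArrayName": "default", "SecurityIps": "127.0.0.1"},
    {"DBClusterIPArrayName": "app_servers", "SecurityIps": "192.168.0.10,192.168.1.0/24"},
    {"DBClusterIPArrayName": "temp_debug", "SecurityIps": "0.0.0.0/0"},
    {"DBClusterIPArrayName": "ali_dms_group", "SecurityIps": "100.104.0.0/16,203.0.113.7"},
]


def is_open_to_all(entry: str) -> bool:
    """Both '%' and 0.0.0.0/0 allow every IP address to reach the cluster."""
    return entry.strip() in ("%", "0.0.0.0/0")


def audit_whitelists(whitelists, my_ips=()):
    """Return (whitelist_name, finding) tuples; '*' marks cluster-wide findings."""
    findings = []
    if len(whitelists) > MAX_WHITELISTS:
        findings.append(("*", f"{len(whitelists)} whitelists exceeds the limit of {MAX_WHITELISTS}"))
    total_entries = 0
    for wl in whitelists:
        name = wl["DBClusterIPArrayName"]
        entries = [e.strip() for e in wl["SecurityIps"].split(",") if e.strip()]
        total_entries += len(entries)
        for entry in entries:
            if is_open_to_all(entry):
                findings.append((name, f"{entry} allows all IP addresses"))
                continue
            try:
                ipaddress.ip_network(entry, strict=False)  # accepts single IPs and CIDR blocks
            except ValueError:
                findings.append((name, f"{entry} is not a valid IP address or CIDR block"))
                continue
            # Service-managed whitelists are rewritten by DMS/DAS/DTS; your own entry there is lost.
            if name in SERVICE_WHITELISTS and entry in my_ips:
                findings.append((name, f"{entry} is your own address in a service-managed whitelist"))
    if total_entries > MAX_ENTRIES:
        findings.append(("*", f"{total_entries} entries exceeds the limit of {MAX_ENTRIES}"))
    return findings


if __name__ == "__main__":
    for name, finding in audit_whitelists(SAMPLE_WHITELISTS, my_ips=("203.0.113.7",)):
        print(f"[{name}] {finding}")
```

IP addresses that reach the cluster through ECS security groups are not part of this count, matching the limit described on the page.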
Configure a whitelist
Configure a security group
What to do next
After you configure whitelists and create database accounts, you can connect to the cluster and manage databases.
FAQ
- How can I allow a server to access only a specified node in a cluster?
You can use the custom cluster endpoint feature. This feature allows the server to access only a specified node in a cluster.
- What is the maximum total number of IP addresses in all IP whitelists?
You can add a maximum total of 1,000 IP addresses or CIDR blocks to the IP whitelists. IP addresses that are associated with security groups are excluded.
- Why am I unable to connect the ECS instance to the cluster after I add the IP address of the ECS instance to the IP whitelist?
You can perform the following steps for troubleshooting:
- Check whether the IP whitelist is configured in a correct way. If you connect the ECS instance to the cluster by using an internal endpoint, you must add the private IP address of the ECS instance. If you connect the ECS instance to the cluster by using a public endpoint, you must add the public IP address of the ECS instance.
- Check whether the ECS instance and the cluster run in the same type of network. If the ECS instance runs in the classic network, you can migrate the ECS instance to the VPC where the PolarDB cluster resides. For more information, see Overview of migration solutions.
Note: If you need to connect the ECS instance to other internal resources in the classic network, do not migrate the ECS instance to the VPC. The ECS instance cannot connect to the classic network if you migrate the ECS instance to the VPC.
You can also use the ClassLink feature to connect the classic network to the VPC.
- Check whether the ECS instance and the PolarDB cluster run in the same VPC. If the instance and the cluster do not run in the same VPC, you must purchase a PolarDB cluster, or activate the Cloud Enterprise Network service to connect the two VPCs.
- Why am I unable to access the cluster by using a public endpoint?
If you cannot access the cluster by using the public endpoint, check the following:
- If you access the cluster from an ECS instance by using the public endpoint, make sure that you add the public IP address of the ECS instance to the IP whitelist.
- Set the IP address in the IP whitelist to 0.0.0.0/0 and try to access the cluster again. If you can access the cluster, the public IP address that is added to the IP whitelist is invalid. You must verify the public endpoint. For more information, see View or apply for an endpoint.
- How can I allow a user account to access a PolarDB cluster from only a specified IP address?
You can create a privileged account by running the following commands. Then, you can log on by using the privileged account to specify the IP address that standard accounts can use to access the cluster.
Related API operations
Operation | Description |
---|---|
DescribeDBClusterAccessWhitelist | Queries the IP addresses that are allowed to access a specified database cluster. |
ModifyDBClusterAccessWhitelist | Modifies the IP addresses that are allowed to access a specified database cluster. |