After you create a PolarDB for MySQL cluster, you must add the IP addresses of your clients to the whitelist of the cluster and create an initial account before you can connect to and use the cluster.

Background information

You can perform the following two operations to configure a whitelist for a cluster:
  • Configure an IP whitelist

    You can add the IP addresses that are allowed to access the cluster. The default IP whitelist contains only the placeholder address 127.0.0.1, which means that no devices are allowed to access the cluster. Only IP addresses in the IP whitelists can access the cluster.

  • Configure a security group

    An Elastic Compute Service (ECS) security group is a virtual firewall that is used to control the inbound and outbound traffic of ECS instances in the security group. After you add an ECS security group to the whitelist of the PolarDB cluster, the ECS instances in the security group can access the PolarDB cluster.

    For more information about ECS security groups, see Create a security group.

Notes

  • By default, the IP whitelist of a cluster consists of only the IP address 127.0.0.1. This indicates that no devices are allowed to access the database cluster.
  • If you set an IP whitelist to % or 0.0.0.0/0, all IP addresses are allowed to access the database cluster and the account credentials become the only access control. We recommend that you do not use this configuration unless necessary, because it compromises database security.
  • PolarDB cannot automatically obtain private IP addresses of ECS instances in virtual private clouds (VPCs). If you need to use the private IP address of an ECS instance to access a PolarDB cluster, you must manually add the private IP address to the whitelists of the cluster.
  • You can configure both IP address whitelists and ECS security groups. All the IP addresses in the whitelists and all the ECS instances in the security groups can access the PolarDB cluster.
  • Only PolarDB for MySQL supports security groups. You can add a maximum of 10 security groups.
  • You can create a maximum of 50 IP whitelists. The total number of IP addresses or Classless Inter-Domain Routing (CIDR) blocks in all IP whitelists cannot exceed 1,000.
  • Whitelists such as ali_dms_group, hdm_security_ips, and dtspolardb are automatically generated when the relevant services are used. ali_dms_group is the IP whitelist for Data Management (DMS). hdm_security_ips is the IP whitelist for Database Autonomy Service (DAS). dtspolardb is the IP whitelist for Data Transmission Service (DTS). To ensure that the relevant services can be used, do not modify or delete these IP whitelists.
    Notice Do not add your own IP address to these IP whitelists. If you add your own IP address to these IP whitelists, your IP address is overwritten by the updated IP addresses of the related services. If your IP address is overwritten, your business is affected.

Configure a whitelist

  1. Log on to the PolarDB console.
  2. In the upper-left corner of the console, select the region where the cluster resides.
  3. Find the cluster, and then click the cluster ID.
  4. In the left-side navigation pane, choose Settings and Management > Whitelists.
  5. On the Whitelists page, you can click Add IP Whitelist to add an IP whitelist or click Modify to modify the existing whitelists.
    • Add an IP whitelist
      1. Click Add IP Whitelist.
      2. In the Add IP Whitelist panel, enter the name of the IP whitelist and the IP addresses that are allowed for access.
        Note The name of the IP whitelist must meet the following requirements:
        • The name consists of lowercase letters, digits, and underscores (_).
        • The name must start with a letter and end with a letter or a digit.
        • The name must be 2 to 120 characters in length.
    • Configure the whitelist
      1. On the right side of the IP whitelist name, click Modify.
      2. In the Modify Whitelist panel, enter the IP addresses that are allowed for access.
  6. Click OK.
    • If you need to connect your ECS instance to the PolarDB cluster, you can view the IP addresses of the ECS instance in the Configuration Information section on the Instance Details page. Then, add these IP addresses to the whitelist.
      Note If the ECS instance and the PolarDB cluster are deployed in the same region, such as the China (Hangzhou) region, use the private IP address of the ECS instance. If the ECS instance and the PolarDB cluster are deployed in different regions, use the public IP address of the ECS instance. You can also migrate the ECS instance to the region where the PolarDB cluster resides and use the private IP address of the ECS instance.
    • If you need to connect your on-premises servers, computers, or other cloud servers to the PolarDB cluster, add the related IP addresses to the whitelist.
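The name rules and the limits listed in Notes can be checked offline before a whitelist is submitted. The following script is an added example, not Alibaba Cloud code: it does not call the PolarDB API, the whitelist data in it is constructed for illustration, and the threshold for flagging a broad CIDR block (anything shorter than /16) is an assumption chosen for the example.

```python
"""Offline audit of PolarDB for MySQL IP whitelists against the rules stated
on this page. Added example, not Alibaba Cloud code: it never calls the PolarDB
API, and the whitelist data below is constructed for illustration."""
import ipaddress
import re

MAX_WHITELISTS = 50          # limit stated in Notes
MAX_ENTRIES_TOTAL = 1000     # IP addresses plus CIDR blocks across all whitelists
SERVICE_MANAGED = {"ali_dms_group", "hdm_security_ips", "dtspolardb"}
ALLOW_ALL = {"0.0.0.0/0", "%"}
BROAD_PREFIX = 16            # assumption: anything shorter than /16 deserves a look
# lowercase letters, digits, underscores; starts with a letter;
# ends with a letter or digit; 2 to 120 characters
NAME_RE = re.compile(r"^[a-z][a-z0-9_]{0,118}[a-z0-9]$")


def valid_name(name: str) -> bool:
    """Check a whitelist name against the Add IP Whitelist panel rules."""
    return NAME_RE.match(name) is not None


def parse_entry(entry: str):
    """Return the IPv4 network for an IP or CIDR entry, or None if invalid.
    strict=False so that 10.0.0.1/8 is accepted and normalised to 10.0.0.0/8."""
    try:
        return ipaddress.IPv4Network(entry, strict=False)
    except ValueError:
        return None


def audit(whitelists: dict) -> list:
    """Return findings for a {whitelist_name: [entry, ...]} mapping."""
    findings = []
    if len(whitelists) > MAX_WHITELISTS:
        findings.append(f"{len(whitelists)} whitelists exceed the limit of {MAX_WHITELISTS}")
    total = 0
    for name, entries in whitelists.items():
        if not valid_name(name):
            findings.append(f"{name}: invalid whitelist name")
        if name in SERVICE_MANAGED:
            findings.append(f"{name}: managed by a cloud service, do not edit")
        for entry in entries:
            total += 1
            if entry in ALLOW_ALL:
                findings.append(f"{name}: {entry} allows every IP address")
                continue
            net = parse_entry(entry)
            if net is None:
                findings.append(f"{name}: {entry!r} is not a valid IPv4 address or CIDR block")
            elif net.prefixlen < BROAD_PREFIX:
                findings.append(f"{name}: {entry} covers {net.num_addresses} addresses")
    if total > MAX_ENTRIES_TOTAL:
        findings.append(f"{total} entries exceed the limit of {MAX_ENTRIES_TOTAL}")
    return findings


# Constructed sample: the default placeholder list, a sane list, one that
# violates the name rule and allows everything, and one service-managed list.
SAMPLE = {
    "default": ["127.0.0.1"],
    "app_servers": ["192.168.10.5", "192.168.10.0/24"],
    "Ops-Team": ["0.0.0.0/0", "10.0.0.1/8"],
    "ali_dms_group": ["100.104.0.0/16"],
}

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Run against the constructed sample, the audit reports the invalid name, the 0.0.0.0/0 entry, the /8 block and the service-managed list, and says nothing about the placeholder 127.0.0.1 or the /24 block. Feed it the whitelists of a real cluster (for example, the output of DescribeDBClusterAccessWhitelist reshaped into the same mapping) to catch allow-all entries before they reach production.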

Configure a security group

  1. Log on to the PolarDB console.
  2. In the upper-left corner of the console, select the region where the cluster resides.
  3. Find the cluster, and then click the cluster ID.
  4. In the left-side navigation pane, choose Settings and Management > Whitelists.
  5. On the Whitelists page, click Select Security Group or Modify in the Actions column for the security group that you want to configure.
  6. In the Select Security Groups panel, select the security group that you want to configure and click OK.
    Note For more information about how to create an ECS security group, see Create a security group.

What to do next

After you configure whitelists and create database accounts, you can connect to the cluster and manage databases.

FAQ

  • How can I allow a server to access only a specified node in a cluster?

    You can use the custom cluster endpoint feature. This feature allows the server to access only a specified node in a cluster.

  • What is the maximum total number of IP addresses in all IP whitelists?

    You can add a maximum total of 1,000 IP addresses or CIDR blocks to the IP whitelists. IP addresses that are associated with security groups are excluded.

  • Why am I unable to connect the ECS instance to the cluster after I add the IP address of the ECS instance to the IP whitelist?
    You can perform the following steps for troubleshooting:
    1. Check whether the IP whitelist is configured in a correct way. If you connect the ECS instance to the cluster by using an internal endpoint, you must add the private IP address of the ECS instance. If you connect the ECS instance to the cluster by using a public endpoint, you must add the public IP address of the ECS instance.
    2. Check whether the ECS instance and the cluster run in the same type of network. If the ECS instance runs in the classic network, you can migrate the ECS instance to the VPC where the PolarDB cluster resides. For more information, see Overview of migration solutions.
      Note If you need to connect the ECS instance to other internal resources in the classic network, do not migrate the ECS instance to the VPC. The ECS instance cannot connect to the classic network if you migrate the ECS instance to the VPC.

      You can also use the ClassLink feature to connect the classic network to the VPC.

    3. Check whether the ECS instance and the PolarDB cluster run in the same VPC. If they do not, you must purchase a new PolarDB cluster in the VPC where the ECS instance resides, or activate the Cloud Enterprise Network (CEN) service to connect the two VPCs.
  • Why am I unable to access the cluster by using a public endpoint?
    Check the following points:
    1. If you access the cluster from an ECS instance by using the public endpoint, make sure that you add the public IP address of the ECS instance to the IP whitelist.
    2. As a temporary diagnostic step only, set the IP whitelist to 0.0.0.0/0 and try to access the cluster again. If the connection succeeds, the public IP address that you added to the IP whitelist is wrong; determine the actual public IP address of your client and replace the entry. If the connection still fails, verify the public endpoint. For more information, see View or apply for an endpoint. Remove the 0.0.0.0/0 entry as soon as the test is complete, because it allows every IP address to reach the cluster.
  • How can I allow a user account to access a PolarDB cluster from only a specified IP address?
    You can create a privileged account, log on to the cluster by using the privileged account, and then create standard accounts whose host is restricted to the specified IP address. The cluster whitelist is still checked first, so the IP address must also be present in an IP whitelist.
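The account-level restriction is standard MySQL account syntax, which a privileged PolarDB for MySQL account can run. The following script is an added example, not Alibaba Cloud code: it only builds and returns the statements, it does not connect to the cluster, and the user name, host, password and database in it are constructed values.

```python
"""Build the MySQL statements that bind a standard account to one client host.
Added example, not Alibaba Cloud code: it uses standard MySQL account syntax,
which a privileged PolarDB for MySQL account can run, and it only returns the
statements; it does not connect to the cluster."""
import ipaddress
import re

IDENT_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")        # user names (MySQL limit: 32)
DB_RE = re.compile(r"^[A-Za-z0-9_]{1,64}$")           # database names (limit: 64)
HOST_PREFIX_RE = re.compile(r"^(\d{1,3}\.){1,3}%$")   # e.g. 192.168.10.%


def validate_host(host: str) -> str:
    """Accept one IPv4 address or an IPv4 prefix ending in %, refuse bare %."""
    if host == "%":
        raise ValueError("'%' matches every host; give an address or a prefix")
    if HOST_PREFIX_RE.match(host):
        octets = host[:-1].rstrip(".").split(".")
        if not all(0 <= int(o) <= 255 for o in octets):
            raise ValueError(f"{host}: octet out of range")
        return host
    ipaddress.IPv4Address(host)   # raises ValueError on anything else
    return host


def sql_string(value: str) -> str:
    """Quote a string literal for MySQL, escaping backslashes and quotes."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"


def account_statements(user: str, host: str, password: str, database: str) -> list:
    """Return the CREATE USER and GRANT statements for a host-bound account.
    The grant is read/write on one database; trim it to the least privilege
    the application actually needs."""
    if not IDENT_RE.match(user):
        raise ValueError("user name must be 1-32 letters, digits or underscores")
    if not DB_RE.match(database):
        raise ValueError("database name must be 1-64 letters, digits or underscores")
    host = validate_host(host)
    account = f"{sql_string(user)}@{sql_string(host)}"
    return [
        f"CREATE USER {account} IDENTIFIED BY {sql_string(password)};",
        f"GRANT SELECT, INSERT, UPDATE, DELETE ON `{database}`.* TO {account};",
    ]


if __name__ == "__main__":
    # Constructed values: an application account allowed only from one ECS
    # private IP address, which must also be in the cluster IP whitelist.
    for stmt in account_statements("app_rw", "192.168.10.5", "Ch4nge-me!", "orders"):
        print(stmt)
```

Run the printed statements as the privileged account. The host part of the account is matched against the client address as the cluster sees it, so for an ECS instance in the same VPC use its private IP address, the same one you added to the IP whitelist; an account bound to a host that no whitelist admits cannot connect at all.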

Related API operations

Operation                          Description
DescribeDBClusterAccessWhitelist   Queries the IP addresses that are allowed to access a specified database cluster.
ModifyDBClusterAccessWhitelist     Modifies the IP addresses that are allowed to access a specified database cluster.