After you create an ApsaraDB PolarDB MySQL-compatible edition cluster, you must configure an IP whitelist and create an account for logging on to the cluster. Only IP addresses in the IP whitelists or Elastic Compute Service (ECS) instances in the security groups of the cluster can access the cluster. This topic describes how to configure an IP whitelist.

Scenarios

An IP whitelist contains the IP addresses or CIDR blocks that are allowed to access an ApsaraDB PolarDB MySQL-compatible edition cluster. You can configure an IP whitelist to reinforce the security of an ApsaraDB PolarDB MySQL-compatible edition cluster. We recommend that you review and update the IP whitelist on a regular basis. In most cases, you must configure an IP whitelist in the following scenarios:

  • You want to connect your ECS instance to a PolarDB cluster. You can find the IP addresses of the ECS instance in the Configuration Information section on the Instance Details page. Then, add one of the IP addresses to the IP whitelist of the cluster.
    Note If the ECS instance and the PolarDB cluster are deployed in the same region, such as the China (Hangzhou) region, add the private IP address of the ECS instance to the IP whitelist. If the ECS instance and the PolarDB cluster are deployed in different regions, add the public IP address of the ECS instance to the IP whitelist. You can also migrate the ECS instance to the region where the PolarDB cluster is deployed and then add the private IP address of the ECS instance.
  • If you want to connect on-premises servers, computers, or other cloud instances to the PolarDB cluster, add the relevant IP addresses to the IP whitelist of the cluster.

Precautions

  • PolarDB cannot automatically obtain the private IP addresses of ECS instances in virtual private clouds (VPCs). If you want to use the private IP address of an ECS instance to access a PolarDB cluster, you must manually add the private IP address to the IP whitelist of the cluster.
  • You can configure both IP whitelists and security groups. After you add IP addresses to IP whitelists and add ECS instances to security groups of a PolarDB cluster, the specified IP addresses and ECS instances can access the cluster.
  • The ali_dms_group (for Data Management), hdm_security_ips (for Database Autonomy Service), and dtspolardb (for Data Transmission Service) whitelists are automatically created when you use the relevant services. To ensure that the services can be used as normal, do not modify or delete these IP whitelists.
    Notice Do not add your service IP addresses to these IP whitelists. Otherwise, your service IP addresses may be overwritten when the related services are updated. Consequently, service interruption may occur.

Procedure

  1. Log on to the PolarDB console.
  2. In the upper-left corner of the console, select the region where the cluster is deployed.
  3. Find the cluster and click the cluster ID.
  4. In the left-side navigation pane, choose Settings and Management > Whitelists.
  5. On the Whitelists page, you can click Add IP Whitelist to add an IP whitelist or click Modify to modify an existing IP whitelist.
    • Add an IP whitelist
      1. Click Add IP Whitelist.
      2. In the Add IP Whitelist panel, specify the name of the IP whitelist and enter the IP addresses that are allowed to access the cluster.
        Note The name of the IP whitelist must meet the following requirements:
        • The name can contain lowercase letters, digits, and underscores (_).
        • The name must start with a letter and end with a letter or digit.
        • The name must be 2 to 120 characters in length.
    • Modify an IP whitelist
      1. On the right side of an IP whitelist name, click Modify.
      2. In the Modify Whitelist panel, enter the IP addresses that are allowed to access the cluster.
        Note
        • A default IP whitelist that contains only the IP address 127.0.0.1 is automatically created for each cluster. This IP whitelist blocks all IP addresses.
        • If you set an IP whitelist to a percent sign (%) or 0.0.0.0/0, all IP addresses are allowed to access the cluster. We recommend that you do not use this configuration unless necessary because it compromises database security.
  6. Click OK.
    Note You can create at most 50 IP whitelists and add at most 1,000 IP addresses or CIDR blocks to the 50 IP whitelists.
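As an added example that is not part of this documentation, the following Python pre-check applies the rules stated above (the whitelist name format, the limits of 50 whitelists and 1,000 entries, the reserved service whitelists, and the allow-all entries % and 0.0.0.0/0) to a proposed configuration before you submit it in the console or through ModifyDBClusterAccessWhitelist. The whitelist data passed to it is constructed for illustration.

```python
import ipaddress
import re

# Limits, reserved names and special entries as stated on this page.
MAX_WHITELISTS = 50
MAX_ENTRIES_TOTAL = 1000
RESERVED = {"ali_dms_group", "hdm_security_ips", "dtspolardb"}
ALLOW_ALL = {"%", "0.0.0.0/0"}
# 2 to 120 chars, lowercase letters/digits/underscores, starts with a letter,
# ends with a letter or digit.
NAME_RE = re.compile(r"^[a-z][a-z0-9_]{0,118}[a-z0-9]$")


def check_name(name):
    """True if the whitelist name satisfies the console's naming rules."""
    return bool(NAME_RE.match(name))


def check_entry(entry):
    """Classify one entry as 'ok', 'allow_all' or 'invalid'."""
    if entry in ALLOW_ALL:
        return "allow_all"
    try:
        ipaddress.ip_network(entry, strict=False)  # accepts single IPs and CIDR blocks
        return "ok"
    except ValueError:
        return "invalid"


def check_entries(name, entries):
    """Findings for the entries of one whitelist (constructed helper)."""
    findings = []
    if entries == ["127.0.0.1"]:
        findings.append(f"{name}: contains only 127.0.0.1, which blocks all access")
    for e in entries:
        kind = check_entry(e)
        if kind == "allow_all":
            findings.append(f"{name}: entry {e!r} allows every IP address to connect")
        elif kind == "invalid":
            findings.append(f"{name}: entry {e!r} is not an IP address or CIDR block")
    return findings


def validate_modification(name, entries):
    """Pre-check for a whitelist you are about to add or modify."""
    findings = []
    if name in RESERVED:
        findings.append(f"{name}: reserved for a platform service (do not modify or delete)")
    elif not check_name(name):
        findings.append(f"{name}: name violates the whitelist naming rules")
    return findings + check_entries(name, entries)


def audit_cluster(whitelists):
    """whitelists: dict of name -> list of entries, as configured on a cluster."""
    findings = []
    if len(whitelists) > MAX_WHITELISTS:
        findings.append(f"{len(whitelists)} whitelists exceed the limit of {MAX_WHITELISTS}")
    total = sum(len(v) for v in whitelists.values())
    if total > MAX_ENTRIES_TOTAL:
        findings.append(f"{total} entries exceed the limit of {MAX_ENTRIES_TOTAL}")
    for name, entries in whitelists.items():
        findings += check_entries(name, entries)
    return findings
```

Run `audit_cluster` over the whitelists exported from a cluster to spot allow-all or malformed entries, and `validate_modification` on each change before it is applied.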

Related API operations

  • DescribeDBClusterAccessWhitelist: Queries the IP addresses that are allowed to access a specified PolarDB for MySQL cluster.
  • ModifyDBClusterAccessWhitelist: Modifies the IP addresses that are allowed to access a specified PolarDB for MySQL cluster.