After you create a PolarDB for MySQL cluster, you must add IP addresses to the whitelist of the cluster and create an account to access and manage the cluster.

Background information

PolarDB allows you to configure a whitelist in the following ways:
  • Configure an IP whitelist

    You can add IP addresses or CIDR blocks to an IP whitelist. Only sources listed in an IP whitelist can connect to the PolarDB cluster. The default IP whitelist contains only 127.0.0.1, which admits no external address, so no client can connect until you add one.

  • Configure a security group

    An Elastic Compute Service (ECS) security group is a virtual firewall that controls the inbound and outbound traffic of the ECS instances in the group. After you add an ECS security group on the Whitelists page of the PolarDB cluster in the PolarDB console, all the ECS instances in that security group can access the PolarDB cluster, including instances that are added to the group later. Treat membership of such a group as a grant of database access.

    For more information about ECS security groups, see Create a security group.

Notes

  • The default IP whitelist contains only the IP address 127.0.0.1. This indicates that no IP address is allowed to access the cluster.
  • If you set a whitelist entry to % or 0.0.0.0/0, every IP address is allowed to connect, and only the account credentials stand between the internet and your data. Do not use this configuration. Add only the specific IP addresses or the narrowest CIDR blocks that cover your clients.
  • PolarDB cannot automatically obtain private IP addresses of ECS instances in virtual private clouds (VPCs). You must manually add the private IP addresses of ECS instances to the IP whitelist of the PolarDB cluster.
  • You can use IP whitelists and ECS security groups in combination. All the IP addresses in the whitelists and all the ECS instances in the security groups can access the PolarDB clusters.
  • Only PolarDB for MySQL supports security groups. You can add a maximum of 10 security groups.
  • PolarDB supports a maximum of 50 IP whitelists. The total number of IP addresses or CIDR blocks in all IP whitelists cannot exceed 1,000.

Configure an IP whitelist

  1. Log on to the PolarDB console.
  2. In the top navigation bar, select the region where the cluster is located.
  3. Find the target cluster and click the cluster ID to go to the Overview page.
  4. In the left-side navigation pane, choose Settings and Management > Whitelists.
  5. On the Whitelists page, do one of the following:
    • To modify an existing IP whitelist, click Modify in the Actions column.
    • To add an IP whitelist, click Add IP Whitelist.
  6. In the Add IP Whitelist panel, configure the information of the IP whitelist and click OK.
    • If you need to connect your ECS instance to the PolarDB cluster, you can view the IP addresses of the ECS instance in the Configuration Information section on the Instance Details page. Then, add these IP addresses to the whitelist.
      Note If the ECS instance and the PolarDB cluster are in the same region, such as the China (Hangzhou) region, use the private IP address of the ECS instance. If the ECS instance and the PolarDB cluster are in different regions, use the public IP address of the ECS instance. You can also migrate the ECS instance to the region where the PolarDB cluster resides. Then, you can use the private IP address of the ECS instance.
    • If you need to connect your on-premises servers, computers, or other cloud servers to the PolarDB cluster, add the related IP addresses to the whitelist.
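Before you click OK, it is worth checking the proposed entries against the limits and pitfalls described in the Notes section, and the same membership logic answers the FAQ question later on this page about a client that cannot connect. The following is an added example, not code from the PolarDB console or documentation. It assumes only the semantics the page documents (single IP addresses or CIDR blocks, % and 0.0.0.0/0 admitting every source, at most 50 whitelists with 1,000 entries in total); the sample whitelists and the "wider than a /16" warning threshold are constructed for illustration.

```python
"""Audit PolarDB IP whitelist entries and check which clients they admit.

Added example; not code from the PolarDB console or documentation. It assumes
only the semantics the page documents: entries are single IP addresses or
CIDR blocks, '%' and '0.0.0.0/0' admit every source address, and a cluster
may have at most 50 whitelists with at most 1,000 entries in total.
"""
import ipaddress

MAX_WHITELISTS = 50        # documented limit on the number of IP whitelists
MAX_TOTAL_ENTRIES = 1000   # documented limit on entries across all whitelists
CATCH_ALL = {"%", "0.0.0.0/0"}
BROAD_PREFIX = 16          # assumption: anything wider than a /16 is flagged for review


def parse_entry(raw):
    """Normalize one whitelist entry to an ip_network; raises ValueError if malformed."""
    entry = raw.strip()
    if entry in CATCH_ALL:
        return ipaddress.ip_network("0.0.0.0/0")
    # strict=False accepts host bits inside a block (10.0.0.5/24) the way a console would
    return ipaddress.ip_network(entry, strict=False)


def audit_whitelists(whitelists):
    """whitelists: {name: [entry, ...]}. Returns (severity, message) findings, empty if clean."""
    findings = []
    if len(whitelists) > MAX_WHITELISTS:
        findings.append(("error", f"{len(whitelists)} whitelists exceed the limit of {MAX_WHITELISTS}"))
    total = sum(len(entries) for entries in whitelists.values())
    if total > MAX_TOTAL_ENTRIES:
        findings.append(("error", f"{total} entries exceed the limit of {MAX_TOTAL_ENTRIES}"))
    for name, entries in whitelists.items():
        for raw in entries:
            if raw.strip() in CATCH_ALL:
                findings.append(("critical", f"{name}: '{raw}' admits every source address"))
                continue
            try:
                net = parse_entry(raw)
            except ValueError:
                findings.append(("error", f"{name}: '{raw}' is not a valid IP address or CIDR block"))
                continue
            if net.prefixlen < BROAD_PREFIX:
                findings.append(("warning", f"{name}: '{raw}' spans {net.num_addresses} addresses"))
    return findings


def client_allowed(client_ip, whitelists):
    """Troubleshooting helper: (True, 'list:entry') for the first entry admitting client_ip, else (False, None)."""
    addr = ipaddress.ip_address(client_ip)
    for name, entries in whitelists.items():
        for raw in entries:
            try:
                net = parse_entry(raw)
            except ValueError:
                continue  # a malformed entry admits nobody; audit_whitelists reports it
            if addr in net:
                return True, f"{name}:{raw.strip()}"
    return False, None


# Constructed samples: a weak configuration and the hardened version of the same cluster.
WEAK_WHITELISTS = {
    "default": ["127.0.0.1"],
    "app-servers": ["192.168.1.10", "192.168.1.0/28"],
    "legacy": ["0.0.0.0/0", "10.1.2.300"],   # catch-all entry plus a typo
}
HARDENED_WHITELISTS = {
    "default": ["127.0.0.1"],
    "app-servers": ["192.168.1.10", "192.168.1.0/28"],
    "office-egress": ["203.0.113.7"],        # the office NAT address, not an internal IP
}

if __name__ == "__main__":
    for severity, message in audit_whitelists(WEAK_WHITELISTS):
        print(f"[{severity}] {message}")
    for ip in ("192.168.1.12", "203.0.113.7", "198.51.100.4"):
        print(ip, client_allowed(ip, HARDENED_WHITELISTS))
```

Run the audit against the entries you are about to submit; a critical finding means a catch-all entry, and an error means the console would reject the entry or the cluster would exceed a documented limit. When a client cannot connect, call client_allowed with the address the cluster actually sees (the private IP for the internal endpoint, the public or NAT egress IP for the public endpoint) rather than the address the client thinks it has.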

Configure a security group

  1. Log on to the PolarDB console.
  2. In the top navigation bar, select the region where the cluster is located.
  3. Find the target cluster and click the cluster ID to go to the Overview page.
  4. In the left-side navigation pane, choose Settings and Management > Whitelists.
  5. On the Whitelists page, do one of the following:
    • To modify an existing security group, click Modify in the Actions column.
    • To add a security group, click Select Security Group.
  6. In the Select Security Groups panel, select the security group and click OK.

    For more information about how to create an ECS security group, see Create a security group.

What to do next

After you configure whitelists and create database accounts, you can connect to the cluster and manage databases.

FAQ

  • How can I allow a server to access only a specified node in a cluster?

    You can use the custom cluster endpoint feature. This feature allows the server to access only a specified node in a cluster.

  • What is the maximum number of IP addresses that all the IP whitelists support?

    All the IP whitelists of a cluster together support a maximum of 1,000 IP addresses or CIDR blocks. ECS instances that are admitted through security groups do not count toward this limit.

  • Why am I unable to connect the ECS instance to the PolarDB cluster after I add the IP address of the ECS instance to the IP whitelist?
    There are several possible causes. Work through the following checks:
    1. Check whether the IP whitelist is configured correctly. If you connect the ECS instance to the cluster by using an internal endpoint, you must add the private IP address of the ECS instance to the IP whitelist. If you connect by using a public endpoint, you must add the public IP address of the ECS instance to the IP whitelist.
    2. Check whether the ECS instance and the PolarDB cluster run in the same type of network. If the ECS instance runs in the classic network, you can migrate the ECS instance to the VPC where the PolarDB cluster resides. For more information, see Overview of migration solutions.
      Note If you need to connect the ECS instance to other internal resources in the classic network, do not migrate the ECS instance to the VPC. This is because the ECS instance cannot connect to the classic network after the migration.

      You can also use the ClassicLink feature to connect the classic network to the VPC.

    3. Check whether the ECS instance and the PolarDB cluster run in the same VPC. If they do not, create a new PolarDB cluster in the VPC of the ECS instance, or activate the Cloud Enterprise Network service to connect the two VPCs.
  • Why am I unable to access the cluster by using a public endpoint?
    Possible causes include:
    1. The private IP address instead of the public IP address is added to the IP whitelist. If you access the cluster from an ECS instance by using the public endpoint, make sure that you add the public IP address of the ECS instance to the IP whitelist.
    2. The public IP address that is added to the IP whitelist is not the address the cluster actually sees. A client behind a NAT gateway or a shared egress reaches the cluster with the NAT address, not its own. To confirm, temporarily set the IP whitelist to 0.0.0.0/0 and try to access the cluster again: if the connection succeeds, the whitelisted address is wrong. Replace 0.0.0.0/0 with the correct egress address immediately; do not leave the cluster open while you investigate. Also verify that you are using the correct public endpoint. For more information, see View or apply for an endpoint.
  • How can I allow a user account to access a PolarDB cluster from only a specified IP address?
    You can create a privileged account by executing the following statements, then log on by using the privileged account and specify the IP address. Standard accounts must then use this IP address to access the cluster.
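The statements referred to above are not reproduced on this page. As an added illustration, not the page's own statements, the following Python builds the standard MySQL form of a host-restricted account and predicts, for a given client address, which account row the server would use. It assumes ordinary MySQL account semantics, which PolarDB for MySQL is compatible with (the host part of 'user'@'host' is an exact address, a pattern using % and _, or ip/netmask), approximates MySQL's most-specific-host-first ordering, and uses constructed sample rows; the user names, passwords and addresses are placeholders. A host-scoped account is a second layer behind the IP whitelist, not a replacement for it: the whitelist still decides whether the connection reaches the cluster at all.

```python
"""Host-scoped MySQL accounts: build the statements and predict which clients they admit.

Added example; these are not the statements referred to on the PolarDB page.
It assumes standard MySQL account semantics (PolarDB for MySQL is MySQL
compatible): an account is 'user'@'host', where host is an exact address,
a LIKE-style pattern using % and _, or IPv4 ip/netmask such as
198.51.100.0/255.255.255.0. Name-based hosts (reverse DNS) are not modelled.
"""
import ipaddress
import re


def sql_string(value):
    """Render a value as a MySQL single-quoted string literal."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"


def create_account_sql(user, host, password, privileges, database):
    """Statements a privileged account runs to create a standard account bound to one host."""
    account = f"{sql_string(user)}@{sql_string(host)}"
    return [
        f"CREATE USER {account} IDENTIFIED BY {sql_string(password)};",
        f"GRANT {', '.join(privileges)} ON `{database}`.* TO {account};",
    ]


def drop_catch_all_sql(user):
    """Remove the 'user'@'%' row; otherwise it still admits the user from any address."""
    return f"DROP USER {sql_string(user)}@'%';"


def host_matches(host_spec, client_ip):
    """True if MySQL would accept client_ip against this account host value."""
    if host_spec == "%":
        return True
    if "/" in host_spec:  # netmask form: match if (client & mask) == base
        base, mask = host_spec.split("/", 1)
        client = int(ipaddress.IPv4Address(client_ip))
        return client & int(ipaddress.IPv4Address(mask)) == int(ipaddress.IPv4Address(base))
    if "%" in host_spec or "_" in host_spec:  # LIKE pattern: % any run, _ one character
        regex = "".join(".*" if c == "%" else "." if c == "_" else re.escape(c) for c in host_spec)
        return re.fullmatch(regex, client_ip) is not None
    return host_spec == client_ip


def specificity(host_spec):
    """Sort key approximating MySQL's most-specific-host-first ordering (assumption)."""
    if "%" in host_spec or "_" in host_spec:
        return (2, -sum(c not in "%_" for c in host_spec))
    if "/" in host_spec:
        return (1, 0)
    return (0, 0)


def which_host(user, client_ip, accounts):
    """Host value of the row MySQL would select for user connecting from client_ip, or None."""
    candidates = [h for u, h in accounts if u == user and host_matches(h, client_ip)]
    return min(candidates, key=specificity) if candidates else None


# Constructed sample rows as they might appear in mysql.user (User, Host).
WEAK_ACCOUNTS = [
    ("app", "%"),                          # created without a host: reachable from anywhere
    ("app", "192.168.1.12"),               # the intended application server
    ("report", "192.168.1.0/255.255.255.0"),
    ("ops", "10.0.%"),
]
HARDENED_ACCOUNTS = [row for row in WEAK_ACCOUNTS if row[1] != "%"]

if __name__ == "__main__":
    for stmt in create_account_sql("app", "192.168.1.12", "change-me", ["SELECT", "INSERT"], "orders"):
        print(stmt)
    print(drop_catch_all_sql("app"))
    for ip in ("192.168.1.12", "203.0.113.9"):
        print(ip, which_host("app", ip, WEAK_ACCOUNTS), which_host("app", ip, HARDENED_ACCOUNTS))
```

The point the sample rows make is that adding 'app'@'192.168.1.12' is not enough on its own: as long as 'app'@'%' also exists, a client from any other address still matches the catch-all row. Drop the wildcard row (or never create it) so that which_host returns None for every address except the intended one, and keep the cluster's IP whitelist narrow as well.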

Related API operations

API Description
DescribeDBClusterAccessWhitelist Queries the IP addresses that are allowed to access a specified PolarDB cluster.
ModifyDBClusterAccessWhitelist Modifies the IP addresses that are allowed to access a specified PolarDB cluster.