This topic describes how to configure a whitelist for an ApsaraDB for MongoDB instance. After you create an ApsaraDB for MongoDB instance, you must configure an IP address whitelist or add an ECS security group to allow access from authorized devices only. The default IP address whitelist contains only the IP address 127.0.0.1, which indicates that no devices can access the ApsaraDB for MongoDB instance.

Prerequisites

When you add an ECS security group, make sure that the ApsaraDB for MongoDB instance has the same network type as the ECS instances in the ECS security group. If both the ApsaraDB for MongoDB instance and ECS instances have the VPC network type, make sure that they reside in the same VPC.

Background information

  • Before the first time you use an ApsaraDB for MongoDB instance, you must configure a whitelist for it. After you configure the whitelist, the connection addresses of the instance appear on the Basic Information and Database Connection pages.
  • Whitelists make your ApsaraDB for MongoDB instance more secure. We recommend that you maintain the whitelists on a regular basis.

Configure an IP address whitelist

  1. Log on to the ApsaraDB for MongoDB console.
  2. In the upper-left corner of the page, select the region of the target instance.
  3. In the left-side navigation pane, click Replica Set Instances or Sharding Instances.
  4. Find the target instance and click its ID.
  5. In the left-side navigation pane, choose Data Security > Whitelist Settings.
  6. Configure an IP address whitelist.
    To manually modify an IP address whitelist, follow these steps:
    1. Find the target IP address whitelist, and choose More > Manually Modify in the Operation column.
      Manually modify an IP address whitelist
    2. Enter IP addresses or Classless Inter-Domain Routing (CIDR) blocks.
      Note
      • Separate multiple IP addresses with commas (,). You can add a maximum of 1,000 different IP addresses to an IP address whitelist. Supported formats are 0.0.0.0/0, an IP address such as 10.23.12.24, and a CIDR block such as 10.23.12.24/24 (CIDR stands for Classless Inter-Domain Routing; /24 indicates the prefix length in the address, ranging from 1 to 32).
      • If the IP address whitelist is empty or only contains 0.0.0.0/0, all devices are granted access. This is risky for your ApsaraDB for MongoDB instance. We recommend that you only add the IP addresses or CIDR blocks of your own web servers to the IP address whitelist.
    3. Click OK.
    To load the private IP addresses of ECS instances to an IP address whitelist, follow these steps:
    1. Find the target IP address whitelist, and choose More > Import ECS Intranet IP in the Operation column.
      Load the private IP addresses of ECS instances
    2. From the displayed private IP addresses of ECS instances created by the current account, select the target IP addresses and add them to the IP address whitelist.
      Select the private IP addresses of ECS instances
    3. Click OK.
      Note For easy O&M and access control, we recommend that you add an ECS security group. For more information, see Add an ECS security group.
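
The format rules in the notes above can be checked before a whitelist string is entered in the console. The following is an added example, not Alibaba Cloud code: the function name `audit_whitelist` and the finding labels are assumptions made for illustration, and it handles IPv4 entries only.

```python
import ipaddress

MAX_ENTRIES = 1000  # limit stated on this page


def audit_whitelist(value):
    """Check a comma-separated whitelist string; return (level, message) findings."""
    entries = [e.strip() for e in value.split(",") if e.strip()]
    findings = []
    if not entries:
        return [("OPEN", "empty whitelist: all devices are granted access")]
    if entries == ["127.0.0.1"]:
        return [("LOCKED", "default whitelist: no devices can access the instance")]
    if len(set(entries)) > MAX_ENTRIES:
        findings.append(("INVALID", f"{len(set(entries))} entries exceed {MAX_ENTRIES}"))
    for entry in entries:
        if entry == "0.0.0.0/0":
            # Matches every IPv4 address, so other entries no longer restrict anything.
            findings.append(("OPEN", "0.0.0.0/0 grants access to all devices"))
            continue
        addr, slash, prefix = entry.partition("/")
        try:
            ip = ipaddress.IPv4Address(addr)
        except ValueError:
            findings.append(("INVALID", f"{entry}: not an IPv4 address"))
            continue
        if not slash:
            continue  # single address, nothing more to check
        if not (prefix.isascii() and prefix.isdigit() and 1 <= int(prefix) <= 32):
            findings.append(("INVALID", f"{entry}: prefix length must be 1 to 32"))
            continue
        net = ipaddress.ip_network(entry, strict=False)
        if net.network_address != ip:
            # Host bits are set: the entry admits the whole block, not one host.
            findings.append(("WIDE", f"{entry} admits {net} ({net.num_addresses} addresses)"))
    return findings


if __name__ == "__main__":
    # Constructed sample input, not taken from a real instance.
    for sample in ("", "127.0.0.1", "10.23.12.24,10.23.12.24/24",
                   "0.0.0.0/0,10.0.0.5", "10.1.2.3/33"):
        print(repr(sample), "->", audit_whitelist(sample))
```

The `WIDE` finding shows that the documented CIDR example 10.23.12.24/24 admits all 256 addresses in 10.23.12.0/24, not only the host 10.23.12.24.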

Add an ECS security group

An ECS security group relieves you from the tedious work of adding IP addresses or CIDR blocks. It makes database O&M easier.

  1. Log on to the ApsaraDB for MongoDB console.
  2. In the upper-left corner of the page, select the region of the target instance.
  3. In the left-side navigation pane, click Replica Set Instances or Sharding Instances.
  4. Find the target instance and click its ID.
  5. In the left-side navigation pane, choose Data Security > Whitelist Settings.
  6. Click Add Security Group.
  7. In the dialog box that appears, select the security group to be associated.
    Add a security group
    Note
    • Each ApsaraDB for MongoDB instance can be added to up to 10 security groups. After you add an ECS security group, all its ECS instances can access the ApsaraDB for MongoDB instance either over an internal network or over the Internet. For access over an internal network, the two types of instances must have the same network type. If the network type is VPC, they must be in the same VPC. For access over the Internet, you must have applied for a public endpoint for the ApsaraDB for MongoDB instance.
    • If you move your pointer over an ECS security group, you can view its name and description. If you move your pointer over VPC, you can view the VPC ID. This way, you can quickly find the target ECS security group.

Delete an IP address whitelist or ECS security group

  1. Log on to the ApsaraDB for MongoDB console.
  2. In the upper-left corner of the page, select the region of the target instance.
  3. In the left-side navigation pane, click Replica Set Instances or Sharding Instances.
  4. Find the target instance and click its ID.
  5. In the left-side navigation pane, choose Data Security > Whitelist Settings.
  6. Delete an IP address whitelist or ECS security group.
    To delete an IP address whitelist, follow these steps:
    1. Find the target IP address whitelist, and choose More > Delete Whitelist Group in the Operation column.
      Delete an IP address whitelist
      Note You cannot delete the default IP address whitelist.
    2. In the message that appears, click OK.
    To delete an ECS security group, follow these steps:
    1. Click Clear.
      Clear an ECS security group
    2. In the message that appears, click OK.

Common connection scenarios