This topic describes how to configure a whitelist for an ApsaraDB for RDS instance. Only entities that are listed in a whitelist can access your RDS instance.

Background information

ApsaraDB for RDS provides two types of whitelists:

  • IP address whitelist

    An IP address whitelist contains the IP addresses of entities that require access to your RDS instance. The IP address whitelist labeled default contains only the default IP address 127.0.0.1, which denies all entities access to your RDS instance.

    Before you configure an IP address whitelist, you must confirm the network isolation mode of your RDS instance. The configuration procedure varies depending on the network isolation mode used.

    • Standard whitelist mode

      In standard whitelist mode, an IP address whitelist can contain IP addresses from both the classic network and Virtual Private Clouds (VPCs). However, the standard whitelist mode is risky. Therefore, we recommend that you use the enhanced whitelist mode.

      Note ApsaraDB RDS for MariaDB TX instances can be deployed only in VPCs.
    • Enhanced whitelist mode

      In enhanced whitelist mode, an IP address whitelist can contain only IP addresses from the classic network or VPCs. When you create an IP address whitelist, you must specify its network type. For example, if you add an IP address to a VPC whitelist, the IP address can only be used to access the RDS instance within a VPC.

  • Security group

    A security group serves as a virtual firewall to limit the inbound and outbound traffic of ECS instances in that security group. After you add a security group, all ECS instances in it are granted access to your RDS instance.

    For more information, see Create a security group.

Whitelists make your RDS instance more secure and do not interrupt the operation of your RDS instance during configuration. We recommend that you maintain whitelists on a regular basis.

Precautions for configuring an IP address whitelist

  • You can edit or clear a default IP address whitelist, but cannot delete it.
  • You can configure up to 200 IP address whitelists for an instance.
  • Each instance can contain up to 1,000 IP addresses or CIDR blocks. If you want to add more than 1,000 IP addresses, we recommend that you combine the addresses into CIDR blocks such as 192.168.1.0/24.
  • If you attempt to log on to Data Management (DMS) from your RDS instance without adding your IP address to a whitelist, DMS will prompt you to add the address. By default, DMS automatically creates a whitelist that contains your IP address.
  • ali_dms_group (IP address whitelist of DMS) and hdm_security_ips (IP address whitelist of DAS) are automatically created when you use the related services. To ensure that the services run normally, do not modify or delete these whitelists.
    Note Do not add your business IP addresses to these whitelists. Otherwise, your business IP addresses will be overwritten during update operations and you will not be able to access the RDS instance.

Configure an IP address whitelist in enhanced whitelist mode

  1. Log on to the ApsaraDB for RDS console.
  2. In the upper-left corner of the page, select the region where the instance resides.
  3. Find the target instance and click the instance ID.
  4. In the left-side navigation pane, click Data Security.
  5. Confirm your connection scenario and perform the operations required for it. The connection scenarios and their operations are as follows.
    • (Recommended) Your ECS and RDS instances reside in the same VPC.
      1. On the Whitelist Settings tab of the Data Security page, click Edit to the right of the IP address whitelist labeled default VPC.
      2. In the dialog box that appears, enter the internal IP address of your ECS instance in the IP Addresses field and click OK.
        Note Applications running on your ECS instance connect to the internal endpoint of your RDS instance.
    • Your ECS and RDS instances reside in different VPCs.
      1. Navigate to the Database Connection page and click Switch to Classic Network. In the dialog box that appears, click OK.
      2. Click Switch to VPC. In the dialog box that appears, select the VPC that hosts your ECS instance and click OK.
        Note Your ECS and RDS instances must reside within the same region for them to be switched to the same VPC. If they reside in different regions, we recommend that you use Data Transmission Service (DTS) to migrate your RDS instance to the region where your ECS instance resides. This helps ensure service availability. For more information, see Migrate data between ApsaraDB for RDS instances.
      3. Navigate to the Whitelist Settings tab of the Data Security page, and click Edit to the right of the IP address whitelist labeled default VPC.
      4. In the dialog box that appears, enter the internal IP address of your ECS instance in the IP Addresses field and click OK.
        Note Applications running on your ECS instance connect to the internal endpoint of your RDS instance.
    • Your ECS instance resides in the classic network and your RDS instance resides in a VPC.
      1. Migrate your ECS instance to the VPC that hosts your RDS instance. For more information, see Migrate an ECS instance.
        Note Your ECS and RDS instances must reside within the same region for them to be switched to the same VPC. If they reside in different regions, we recommend that you use DTS to migrate your RDS instance to the region where your ECS instance resides. This helps ensure service availability. For more information, see Migrate data between ApsaraDB for RDS instances.
      2. Navigate to the Whitelist Settings tab of the Data Security page, and click Edit to the right of the IP address whitelist labeled default VPC.
      3. In the dialog box that appears, enter the internal IP address of your ECS instance in the IP Addresses field and click OK.
        Note Applications running on your ECS instance connect to the internal endpoint of your RDS instance.
    • The host that requires access to your RDS instance resides outside the cloud.
      1. Navigate to the Whitelist Settings tab of the Data Security page, and click Edit to the right of the IP address whitelist labeled default Classic Network.
      2. In the dialog box that appears, enter the public IP address of your host in the IP Addresses field and click OK.
    Note
    • On the Whitelist Settings tab of the Data Security page, you can click Create Whitelist. In the Create Whitelist dialog box that appears, select VPC or Classic Network/Public IP for Network Type.
    • If you enter the CIDR block 10.10.10.0/24 in the IP Addresses field, all IP addresses in the 10.10.10.X format are granted access to your RDS instance.
    • If you enter more than one IP address or CIDR block, you must separate them with commas (,). Do not add spaces before or after the commas. Example: 192.168.0.1,172.16.213.9.
    • If you click Add Internal IP Addresses of ECS Instances, the IP addresses of all ECS instances created in your Alibaba Cloud account are displayed. You can select the required IP addresses to add to the whitelist.

Configure an IP address whitelist in standard whitelist mode

  1. Log on to the ApsaraDB for RDS console.
  2. In the upper-left corner of the page, select the region where the instance resides.
  3. Find the target instance and click the instance ID.
  4. In the left-side navigation pane, click Data Security.
  5. On the Whitelist Settings tab, click Edit corresponding to the default whitelist.
    Note You can also click Create Whitelist to create an IP address whitelist.
  6. In the Edit Whitelist dialog box that appears, enter the IP addresses or CIDR blocks used to access the instance, and then click OK.
    Note
    • After you add IP addresses or CIDR blocks to the IP address whitelist labeled default, the system deletes the default IP address 127.0.0.1.
    • If you enter the CIDR block 10.10.10.0/24 in the IP Addresses field, all IP addresses in the 10.10.10.X format are granted access to your RDS instance.
    • If you enter more than one IP address or CIDR block, you must separate them with commas (,). Do not add spaces before or after the commas. Example: 192.168.0.1,172.16.213.9.
    • If you click Add Internal IP Addresses of ECS Instances, the IP addresses of all created ECS instances within your Alibaba Cloud account are displayed. You can select the required IP addresses to add to the whitelist.

Common whitelist configuration errors

  • Only the default IP address 127.0.0.1 is present in an IP address whitelist on the Data Security > Whitelist Settings tab.

    The default IP address 127.0.0.1 indicates that all entities are denied access. Therefore, you must add the IP addresses of entities that require access to your RDS instance to the whitelist.

  • The IP address in the whitelist is set to 0.0.0.0.

    To grant all entities access to your RDS instance, you must instead enter the 0.0.0.0/0 CIDR block.

    Note Exercise caution when you add this CIDR block.
  • IP address errors are reported when your RDS instance is in enhanced whitelist mode.

    For more information, see Switch the IP whitelist mode from standard to enhanced.

    • If your RDS instance resides in a VPC and is accessed using its internal endpoint, make sure that the internal IP address of your ECS instance is added to the IP address whitelist labeled default VPC.
    • If your RDS instance resides in the classic network and is accessed using its internal endpoint, make sure that the internal IP address of your ECS instance is added to the IP address whitelist labeled default Classic Network.
    • If your RDS instance resides in a VPC and is accessed using ClassicLink, make sure that the internal IP address of your ECS instance is added to the IP address whitelist labeled default VPC.
    • If your RDS instance can be accessed over the Internet, make sure that the public IP address of your ECS instance is added to the IP address whitelist labeled default Classic Network. The IP address whitelist labeled default VPC cannot be used to allow access from the Internet.
  • The public IP addresses you add to whitelists are not the actual egress IP addresses.

    Possible reasons are as follows:

    • Public IP addresses are not static and may change.
    • The tool or website you use to query public IP addresses yields inaccurate results.

    For more information, see Determine the public IP address of an external server or client for an ApsaraDB RDS for MySQL or MariaDB instance.
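The format rules from the whitelist notes above (comma-separated entries, no spaces, CIDR blocks) and the mistakes listed in this section can be checked before a whitelist string is pasted into the console. The following Python script is an added example and is not part of this page or of any Alibaba Cloud tool; the function name check_whitelist is my own, and the 1,000-entry limit is the per-instance limit stated in the precautions above.

```python
import ipaddress
from typing import List, Tuple

DENY_ALL_DEFAULT = "127.0.0.1"  # console placeholder meaning: no client is allowed
ALLOW_ALL = "0.0.0.0/0"         # the only spelling that means "every client"
MAX_ENTRIES = 1000              # per-instance limit stated on this page


def check_whitelist(raw: str) -> Tuple[List[str], List[str]]:
    """Parse a comma-separated whitelist string as the console expects it.

    Returns (accepted entries, findings). An empty findings list means the
    string is syntactically valid and contains none of the common mistakes.
    """
    findings: List[str] = []
    entries: List[str] = []
    if ", " in raw or " ," in raw or raw != raw.strip():
        findings.append("whitespace around commas or at the ends is not allowed")
    for item in (part.strip() for part in raw.split(",")):
        if not item:
            findings.append("empty entry: check for doubled or trailing commas")
        elif item == "0.0.0.0":
            findings.append("0.0.0.0 is invalid; to allow everyone use 0.0.0.0/0")
        else:
            try:
                net = ipaddress.ip_network(item)  # strict: host bits must be zero
            except ValueError:
                try:  # e.g. 10.10.10.5/24: suggest the network address instead
                    fixed = ipaddress.ip_network(item, strict=False)
                    findings.append(f"{item} has host bits set; did you mean {fixed}?")
                except ValueError:
                    findings.append(f"{item} is not an IPv4 address or CIDR block")
                continue
            if net.version != 4:
                findings.append(f"{item} is not IPv4")
                continue
            entries.append(item)
    if entries == [DENY_ALL_DEFAULT]:
        findings.append("only 127.0.0.1 is present, so every client is denied")
    if ALLOW_ALL in entries:
        findings.append("0.0.0.0/0 exposes the instance to the whole Internet")
    if len(entries) > MAX_ENTRIES:
        findings.append(f"{len(entries)} entries exceed the limit of {MAX_ENTRIES}")
    return entries, findings
```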

Precautions for configuring a security group

  • You can configure IP address whitelists and add security groups at the same time. All IP addresses in the configured whitelists and all ECS instances in the added security groups can access your RDS instance.
  • You can add up to 10 security groups to an instance.
  • Changes to the security group are automatically synchronized to the whitelist.
  • Only security groups of the same network type as your RDS instance can be added to the instance.
    Note If you change the network type of the instance, the security groups will become invalid and you will need to add new security groups of the same network type as the instance.

Configure a security group

  1. Log on to the ApsaraDB for RDS console.
  2. In the upper-left corner of the page, select the region where the instance resides.
  3. Find the target instance and click the instance ID.
  4. In the left-side navigation pane, click Data Security.
  5. On the Whitelist Settings tab, click Add Security Group.
  6. Select the security group you want to add and click OK.
    Note If a security group is followed by a VPC tag, the ECS instances in it reside in VPCs.

FAQ

  • Does an IP address whitelist take effect immediately after it is configured?

    An IP address whitelist takes effect approximately one minute after it is configured.

  • Why do I find IP address whitelists that are not created by me?

    If these whitelists contain internal IP addresses, they were probably generated by other Alibaba Cloud services such as DMS or DAS, and these services do not operate on your business data.
  • Is my RDS instance exposed to security risks if I only enable internal network access and disable Internet access?

    We recommend that you change the network type of your RDS instance to VPC. Only ECS instances within the same VPC can access your RDS instance after their IP addresses are added to the whitelists. For more information, see Change the network type of an ApsaraDB RDS for MySQL instance.

Related operations

Operation                      Description
Query IP address whitelists    Queries the IP address whitelists of an ApsaraDB for RDS instance.
Modify IP address whitelists   Modifies an IP address whitelist of an ApsaraDB for RDS instance.