This topic describes how to configure a whitelist for an ApsaraDB RDS for MariaDB instance.

Only IP addresses in the whitelist are allowed to access the RDS instance. The default whitelist contains only the IP address 127.0.0.1. This indicates that no hosts are allowed to access the RDS instance.

ApsaraDB RDS for MariaDB allows you to configure a whitelist by using either of the following methods:
  • Add IP addresses to a whitelist of the RDS instance.
  • Add the RDS instance to a security group. ECS instances in the security group can access the RDS instance.

A whitelist is used to protect an RDS instance. It does not affect the running of the RDS instance. We recommend that you update the whitelist regularly.

Configure an IP address whitelist

Precautions

  • You can edit or clear the default whitelist, but you cannot delete it.
  • You can configure up to 200 IP address whitelists for an RDS instance.
  • Each IP address whitelist can contain up to 1,000 IP addresses or CIDR blocks. If you want to add a large number of IP addresses, we recommend that you combine them into CIDR blocks, for example, 192.168.1.0/24.
  • You must check the network isolation mode of your RDS instance before you configure a whitelist. Operations to configure a whitelist vary based on the network isolation mode.
    Note RDS for MariaDB instances can be deployed only in VPCs.

Configure an enhanced whitelist

  1. Log on to the ApsaraDB for RDS console.
  2. In the top navigation bar, select the region where the target RDS instance resides.
  3. Find the RDS instance and click its ID.
  4. In the left-side navigation pane, click Data Security.
  5. On the Whitelist Settings tab, perform the following operations based on your access requirements:
    • Access the RDS instance from ECS instances in a VPC: Click Edit on the right of the default VPC whitelist.
    • Access the RDS instance from ECS instances in a classic network: RDS for MariaDB does not support classic networks. Therefore, you must assign public IP addresses to the ECS instances and allow their access to the RDS instance over the Internet.
    • Access the RDS instance from hosts or ECS instances over the Internet: Click Edit on the right of the default Classic Network whitelist.
    Note
    • To connect to the RDS instance from an ECS instance in a VPC, make sure that the instances reside in the same region and their network types are the same. Otherwise, the ECS and RDS instances cannot communicate even if you add the IP address of the ECS instance to the whitelist.
    • You can also click Create Whitelist to create a whitelist. In the Create Whitelist dialog box, set Network Isolation Mode to VPC or Classic Network/Public IP based on your access requirements.
  6. In the Edit Whitelist dialog box, enter the IP addresses or CIDR blocks that require access to the RDS instance and click OK.
    • If you enter a CIDR block, for example, 10.10.10.0/24, all IP addresses in the 10.10.10.X range are allowed to access your RDS instance.
    • If you enter more than one IP address or CIDR block, separate them with commas (,). Do not add spaces before or after the commas. For example, enter 192.168.0.1,172.16.213.9.
    • After you click Add Internal IP Addresses of ECS Instances, the IP addresses of all ECS instances under your Alibaba Cloud account are displayed. You can quickly add them to the whitelist.
    Note After you add IP addresses or CIDR blocks to the default whitelist, the default IP address 127.0.0.1 is automatically deleted.

Configure a standard whitelist

  1. Log on to the ApsaraDB for RDS console.
  2. In the top navigation bar, select the region where the target RDS instance resides.
  3. Find the instance and click its ID.
  4. In the left-side navigation pane, click Data Security.
  5. On the Whitelist Settings tab, click Edit on the right of the default whitelist.
    Note You can also click Create Whitelist to create a whitelist.
  6. In the Edit Whitelist dialog box, enter the IP addresses or CIDR blocks and click OK.
    • If you enter a CIDR block, for example, 10.10.10.0/24, all IP addresses in the 10.10.10.X range are allowed to access your RDS instance.
    • If you enter more than one IP address or CIDR block, separate them with commas (,). Do not add spaces before or after the commas. For example, enter 192.168.0.1,172.16.213.9.
    • After you click Add Internal IP Addresses of ECS Instances, the IP addresses of all ECS instances under your Alibaba Cloud account are displayed. You can quickly add them to the whitelist.
    Note After you add IP addresses or CIDR blocks to the default whitelist, the default IP address 127.0.0.1 is automatically deleted.

You may encounter the following issues when you configure a whitelist for your RDS instance:

  • On the Whitelist Settings tab of the Data Security page, the default whitelist only contains 127.0.0.1. This indicates that no hosts are allowed to access the RDS instance. Therefore, you must add IP addresses to the whitelist to allow access to the RDS instance.
  • You have added 0.0.0.0 to the whitelist. The correct format is 0.0.0.0/0.
    Note 0.0.0.0/0 indicates that all hosts are allowed to access the RDS instance. Exercise caution when you add 0.0.0.0/0 to the whitelist.
  • If the network isolation mode of your RDS instance is enhanced whitelist, perform the following operations:
    • If you want to allow ECS instances in a VPC to access your RDS instance, add their private IP addresses to a VPC whitelist.
    • If you want to use ClassicLink to allow ECS instances to access your RDS instance, add their private IP addresses to the default VPC whitelist.
    • If you want to allow ECS instances or hosts to access your RDS instance over the Internet, add their public IP addresses to a Classic Network/Public IP whitelist.
  • The public IP addresses that you add to the whitelist are incorrect. Possible reasons are as follows:
    • Public IP addresses may change dynamically.
    • The public IP addresses that you obtain from a query tool or website are inaccurate.
    For more information, see Determine the public IP address of an external server or client for an ApsaraDB RDS for MySQL or MariaDB instance.
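As an added example (not Alibaba Cloud's own code), the following Python checker applies the whitelist formatting rules above to a SecurityIps string before it is submitted through the console or ModifySecurityIps: comma-separated entries with no surrounding spaces, rejection of a bare 0.0.0.0, a warning for 0.0.0.0/0, and the 1,000-entry limit. It also collapses host lists into CIDR blocks, as the page recommends. It assumes IPv4 entries only, matching the page's examples.

```python
import ipaddress

MAX_ENTRIES = 1000  # per-whitelist limit given on this page


def parse_whitelist(value: str):
    """Validate a whitelist string in the format the console expects:
    IP addresses or CIDR blocks separated by commas, no spaces around the commas.
    Returns (networks, warnings); raises ValueError on input the console rejects.
    Assumption of this example: IPv4 entries only, as in the page's examples."""
    if not value:
        raise ValueError("whitelist must not be empty")
    entries = value.split(",")
    if any(e != e.strip() for e in entries):
        raise ValueError("no spaces are allowed before or after the commas")
    nets, warnings = [], []
    for entry in entries:
        if entry == "0.0.0.0":
            # Bare 0.0.0.0 is the mistake called out above; the valid form is 0.0.0.0/0
            raise ValueError("0.0.0.0 is not valid; use 0.0.0.0/0 only if every host should be allowed")
        try:
            # strict=True rejects CIDR blocks with host bits set (e.g. 10.10.10.1/24)
            net = ipaddress.ip_network(entry, strict=True)
        except ValueError as exc:
            raise ValueError(f"invalid entry {entry!r}: {exc}") from None
        if net.version != 4:
            raise ValueError(f"{entry}: this example handles IPv4 entries only")
        if net.prefixlen == 0:
            warnings.append(f"{entry} allows every host on the Internet to reach the instance")
        nets.append(net)
    if len(nets) > MAX_ENTRIES:
        raise ValueError(f"{len(nets)} entries exceed the limit of {MAX_ENTRIES} per whitelist")
    return nets, warnings


def compact_whitelist(value: str) -> str:
    """Merge adjacent addresses and blocks into the fewest CIDR blocks and
    re-serialize in console format (the recommended way to stay under the limit)."""
    nets, _ = parse_whitelist(value)
    return ",".join(str(n) for n in ipaddress.collapse_addresses(nets))


if __name__ == "__main__":
    # Constructed sample inputs
    print(parse_whitelist("192.168.0.1,172.16.213.9"))
    print(compact_whitelist("10.10.10.0,10.10.10.1,10.10.10.2,10.10.10.3"))
    try:
        parse_whitelist("0.0.0.0")
    except ValueError as err:
        print("rejected:", err)
```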

Add an RDS instance to a security group

A security group is a virtual firewall that is used to control inbound and outbound traffic of ECS instances in the security group. After you add an RDS instance to a security group, all ECS instances in the security group can access the RDS instance.

For more information, see Create a security group.

Precautions

  • You can add RDS instances to security groups in the following regions: China (Hangzhou), China (Qingdao), and China (Hong Kong).
  • You can both configure IP address whitelists and add security groups. IP addresses in the whitelists and ECS instances in the security groups can access the RDS instance.
  • You can add an RDS instance to a maximum of 10 security groups.
  • Updates to ECS instances in a security group immediately take effect for the RDS instance.
  • You can add an RDS instance only to a security group whose network type is the same as the network type of the RDS instance. Specifically, the network types of the security group and RDS instance must both be VPC or classic network.
    Note If you add an RDS instance to a security group and then change the network type of the RDS instance, the security group becomes invalid for the RDS instance. You must add the RDS instance to a security group with the required network type again.

Follow these steps to add an RDS instance to a security group:

  1. Log on to the ApsaraDB for RDS console.
  2. In the top navigation bar, select the region where the target RDS instance resides.
  3. Find the target RDS instance and click its ID.
  4. In the left-side navigation pane, click Data Security.
  5. Click Add Security Group.
  6. Select the target security groups and click OK.
    Note The security groups are marked with VPC to indicate that their network type is VPC.

Related operations

Operation                        Description
DescribeDBInstanceIPArrayList    Queries the IP address whitelists of an RDS instance.
ModifySecurityIps                Modifies an IP address whitelist of an RDS instance.