:"ip not in whitelist" error when ECS connects to RDS over the intranet

Problem description

When you connect to an RDS instance, one of the following error messages is displayed:

• ERROR 1045 (HY000): #28000ip not in whitelist

• ERROR 2801 (HY000): #RDS00ip not in whitelist, client ip is XXX

New solution dialog box

Refer to the following methods to solve the problem:

• The whitelist contains only the default IP address 127.0.0.1. The default IP address 127.0.0.1 indicates that no devices can access your RDS instance. You need to add the IP address of the device to the whitelist. For more information, see set a whitelist.

• The whitelist is set 0.0.0.0. The correct format should be 0.0.0.0/0.

  Note

  This IP address allows any device to access the RDS instance. Use this IP address with caution.

• If enabled enhanced whitelist mode, perform the following checks:

  • If your RDS instance resides in a VPC and is accessed by using its internal endpoint, make sure that the internal IP address of your ECS instance is added to the IP address whitelist labeled default VPC.

  • If your RDS instance resides in the classic network and is accessed by using its internal endpoint, make sure that the internal IP address of your ECS instance is added to the IP address whitelist labeled default Classic Network.

  • If you want the ECS instance to communicate with the RDS instance via the Internet, make sure that the public IP address of the ECS instance is added to the IP Group of the classic network. The VPC group cannot be used for communication via the Internet.

• The public IP addresses that you add to an IP address whitelist are invalid. This problem may occur due to the following reasons:

  • Public IP addresses dynamically change.

  • The tool or website that you use to query public IP addresses returns inaccurate results.

    Note

    See the following link to confirm the public network IP address of the device.

    • How do I locate the local IP address of an RDS for SQL Server instance?

    • How do I locate the local IP address in an apsaradb RDS for MySQL or MariaDB instance?

    • How do I locate the local IP address of an apsaradb RDS for PostgreSQL instance?

• After you add the ip addresses of ECS instances or local servers to the database whitelist, the system returns the error "ip not in whitelist" when you connect to the database from these ECS instances. This may be because the ECS instances or user-created servers pass through a proxy server when they connect to the database, the IP address that is finally sent to the database is the IP address of the proxy. The whitelist should be set to the export IP address of the ECS server, or to the export proxy server IP address of the self-built server.

Application scope

• ApsaraDB RDS for MySQL

• Apsaradb for SQL Server

• ApsaraDB RDS for PostgreSQL