"ip not in whitelist" error when ECS connects to RDS over the intranet

Last Updated: Oct 09, 2020

Problem description

When you connect to an RDS instance, one of the following error messages is displayed:

  • ERROR 1045 (HY000): #28000ip not in whitelist
  • ERROR 2801 (HY000): #RDS00ip not in whitelist, client ip is XXX

Solution

Alibaba Cloud reminds you that:

  • Before you perform operations that may cause risks, such as modifying instance configurations or data, we recommend that you check the disaster recovery and fault tolerance capabilities of the instances to ensure data security.
  • You can modify the configurations and data of instances including but not limited to Elastic Compute Service (ECS) and Relational Database Service (RDS) instances. Before the modification, we recommend that you create snapshots or enable RDS log backup.
  • If you have authorized or submitted security information such as the logon account and password in the Alibaba Cloud Management console, we recommend that you modify such information in a timely manner.

Refer to the following methods to solve the problem:

  • The whitelist contains only the default IP address 127.0.0.1. This default entry indicates that no devices can access your RDS instance. You need to add the IP address of the device to the whitelist. For more information, see Set a whitelist.
  • The whitelist is set to 0.0.0.0. The correct format is 0.0.0.0/0.
    Note: The entry 0.0.0.0/0 allows any device to access the RDS instance. Use it with caution.
  • If you have enabled enhanced whitelist mode, perform the following checks:
    • If your RDS instance resides in a VPC and is accessed by using its internal endpoint, make sure that the internal IP address of your ECS instance is added to the IP address whitelist labeled default VPC.
    • If your RDS instance resides in the classic network and is accessed by using its internal endpoint, make sure that the internal IP address of your ECS instance is added to the IP address whitelist labeled default Classic Network.
    • If you want the ECS instance to communicate with the RDS instance via the Internet, make sure that the public IP address of the ECS instance is added to the IP Group of the classic network. The VPC group cannot be used for communication via the Internet.
  • The public IP addresses that you add to an IP address whitelist are invalid. This problem may occur due to the following reasons:
  • After you add the IP addresses of ECS instances or local servers to the database whitelist, the system returns the error "ip not in whitelist" when you connect to the database from these ECS instances. This may be because the ECS instances or self-built servers pass through a proxy server when they connect to the database, so the IP address that finally reaches the database is the IP address of the proxy. The whitelist should contain the egress IP address of the ECS instance, or the egress IP address of the proxy server used by the self-built server.
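
The checks in the list above can be scripted. The following Python sketch is an added example, not Alibaba Cloud code: it extracts the client IP from the second error message and tests it against a whitelist, flagging the 127.0.0.1-only and 0.0.0.0 cases. The function names and sample addresses are constructed for illustration.

```python
import ipaddress
import re

# Second error form on this page: the server reports the client IP it saw.
ERR_RE = re.compile(r"ip not in whitelist, client ip is (\S+)")
LOOPBACK = ipaddress.ip_network("127.0.0.1/32")  # default entry: matches no client

def client_ip_from_error(message):
    """Return the client IP quoted in the error, or None if it has none."""
    m = ERR_RE.search(message)
    return m.group(1) if m else None

def audit_whitelist(entries, client_ip):
    """Return (covered, findings) for whitelist entries and the IP RDS saw."""
    findings, networks = [], []
    for raw in entries:
        entry = raw.strip()
        if entry == "0.0.0.0":
            findings.append("0.0.0.0 is malformed; the open entry is 0.0.0.0/0")
            continue
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            findings.append(f"{entry!r} is not an IP address or CIDR block")
            continue
        if net.prefixlen == 0:
            findings.append(f"{entry} allows any device to connect")
        networks.append(net)
    if networks and all(n == LOOPBACK for n in networks):
        findings.append("only default 127.0.0.1 present; no device can connect")
    addr = ipaddress.ip_address(client_ip)
    covered = any(addr in n for n in networks if n != LOOPBACK)
    return covered, findings

if __name__ == "__main__":
    # Constructed sample: the ECS private IP was whitelisted, but the
    # connection went through a proxy, so RDS saw the proxy's address.
    error = "ERROR 2801 (HY000): #RDS00ip not in whitelist, client ip is 192.0.2.44"
    seen = client_ip_from_error(error)
    for whitelist in (["127.0.0.1"], ["0.0.0.0"], ["172.16.0.10"],
                      ["172.16.0.10", "192.0.2.44"]):
        print(whitelist, "->", audit_whitelist(whitelist, seen))
```

A result of `covered == False` with no findings, as in the third sample, is the proxy case: the entries are well formed, but the address RDS saw is not among them.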

Application scope

  • ApsaraDB RDS for MySQL
  • ApsaraDB RDS for SQL Server
  • ApsaraDB RDS for PostgreSQL
  • ApsaraDB RDS for PPAS