This topic describes how to configure a whitelist for an RDS for SQL Server instance.

After you create an RDS instance, you must configure a whitelist to allow external devices to access the instance. The default whitelist contains only 127.0.0.1. Before you add new IP addresses to the whitelist, no devices are allowed to access the RDS instance.

A whitelist can be used to improve the security of your RDS instance. We recommend that you update the whitelist on a regular basis. Configuring whitelists does not affect the normal operation of the RDS instance.

Precautions

  • The default whitelist can only be edited or cleared. It cannot be deleted.
  • If you log on to DMS but your IP address has not been added to the whitelist, DMS will prompt you to add the IP address, and will automatically generate a whitelist containing your IP address.

Procedure

  1. Log on to the ApsaraDB for RDS console.
  2. In the upper-left corner of the page, select the region where the instance is located.
  3. Find the instance and click its ID.
  4. In the left-side navigation pane, click Data Security.
  5. On the Whitelist Settings tab page, click Edit corresponding to the default whitelist.
    Note: You can click Create Whitelist to create a whitelist.


  6. In the displayed Edit Whitelist dialog box, specify the IP addresses or CIDR blocks used to access the instance, and then click OK.
    • If you specify the CIDR block 10.10.10.0/24, any IP addresses in the 10.10.10.X format are allowed to access the RDS instance.
    • To add multiple IP addresses or CIDR blocks, separate each entry with a comma (without spaces), for example, 192.168.0.1,172.16.213.9.
    • After you click Add Internal IP Addresses of ECS Instances, the IP addresses of all the ECS instances under your Alibaba Cloud account are displayed. You can quickly add internal IP addresses to the whitelist.
    Note: After you add an IP address or CIDR block to the default whitelist, the default address 127.0.0.1 is automatically deleted.


Common errors

  • The default address 127.0.0.1 in Data Security > Whitelist Settings indicates that no device is allowed to access the RDS instance. Therefore, you need to add IP addresses of devices to the whitelist to allow access to the instance.
  • The IP address in the whitelist is set to 0.0.0.0, but the correct format is 0.0.0.0/0.
    Note: 0.0.0.0/0 indicates that all devices are allowed to access the RDS instance. Exercise caution when using this IP address.
  • The public IP address that you add to the whitelist may not be the real egress IP address. The reasons are as follows:
    • The public IP address is not fixed and may dynamically change.
    • The tools or websites used to query the public IP addresses provide wrong IP addresses.
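
The entry format from step 6 and the mistakes listed under Common errors can be checked before a whitelist is saved, and the source IP address actually observed for a client can be tested against it. The following Python code is an added example, not part of the original topic or of any Alibaba Cloud tooling; the function names and finding codes are hypothetical, and the client addresses in the usage lines are constructed.

```python
import ipaddress

def parse_entries(whitelist):
    """Split a whitelist string on commas, the separator the dialog box expects."""
    return [e for e in whitelist.split(",") if e]

def audit_whitelist(whitelist):
    """Return (entry, code) findings for the common errors listed above."""
    findings = []
    entries = parse_entries(whitelist)
    if entries == ["127.0.0.1"]:
        # Default whitelist: no device is allowed to access the instance.
        findings.append(("127.0.0.1", "no-access"))
    for entry in entries:
        if any(c.isspace() for c in entry):
            findings.append((entry, "contains-space"))  # entries must not contain spaces
        elif entry == "0.0.0.0":
            findings.append((entry, "wrong-format"))    # the correct format is 0.0.0.0/0
        else:
            try:
                net = ipaddress.ip_network(entry, strict=False)
            except ValueError:
                findings.append((entry, "invalid"))
                continue
            if net.prefixlen == 0:
                findings.append((entry, "open-to-all"))  # all devices are allowed
    return findings

def is_allowed(whitelist, client_ip):
    """True if client_ip falls inside any IP address or CIDR block in the whitelist."""
    addr = ipaddress.ip_address(client_ip)
    for entry in parse_entries(whitelist):
        if entry == "127.0.0.1":
            continue  # default placeholder entry, grants no access
        try:
            if addr in ipaddress.ip_network(entry.strip(), strict=False):
                return True
        except ValueError:
            continue  # unparseable entries never match
    return False

if __name__ == "__main__":
    # Whitelist values from the page; client IPs are constructed samples.
    print(audit_whitelist("192.168.0.1, 172.16.213.9"))
    print(audit_whitelist("0.0.0.0"))
    print(is_allowed("10.10.10.0/24", "10.10.10.57"))
    print(is_allowed("192.168.0.1,172.16.213.9", "203.0.113.10"))
```

Run `is_allowed` with the source address seen on the connection attempt rather than the address reported by a lookup website, since the two can differ for the reasons given above.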

APIs

API                             Description
DescribeDBInstanceIPArrayList   Used to view the IP address whitelist of an RDS instance.
ModifySecurityIps               Used to modify the IP address whitelist of an RDS instance.