
ApsaraDB RDS: Configure an IP address whitelist

Last Updated: Aug 18, 2023

This topic describes how to configure an IP address whitelist for an ApsaraDB RDS for SQL Server instance. After an RDS instance is created, you must configure IP address whitelists or security groups for the RDS instance. A device can access the RDS instance only after you add the IP address of the device to an IP address whitelist or security group of the RDS instance.

For more information about how to configure an IP address whitelist for an RDS instance that runs a different database engine, see the following topics:

Scenarios

An IP address whitelist of an RDS instance consists of IP addresses and CIDR blocks that are granted access to the RDS instance. You can configure IP address whitelists for an RDS instance to provide high-level access control and security protection for the RDS instance. We recommend that you update the configured IP address whitelists on a regular basis.

You can configure an IP address whitelist in the following scenarios:

  • Scenario 1

    You want to add the IP addresses of specific devices to an IP address whitelist of an RDS instance to allow the devices to connect to the RDS instance.

  • Scenario 2

    An RDS instance cannot be connected. You must check whether the IP address whitelists of the RDS instance are correctly configured.

    The following list provides the IP address whitelist configurations in various connection scenarios. Each entry gives the connection type, the network type, and the IP address whitelist setting.

    Note

    A virtual private cloud (VPC) is an isolated network on Alibaba Cloud and provides higher security than the classic network. For more information, see What is a VPC?

    Connection type: Connect an Elastic Compute Service (ECS) instance to an RDS instance

      • Network type: The ECS instance and the RDS instance reside in the same VPC. This is the recommended connection scenario.

        IP address whitelist setting: Add the private IP address of the ECS instance to an IP address whitelist of the RDS instance.

      • Network type: The ECS instance and the RDS instance reside in different VPCs.

        IP address whitelist setting: Instances in different VPCs cannot communicate with each other over internal networks. In this case, make sure that the ECS instance and the RDS instance reside in the same VPC and add the private IP address of the ECS instance to an IP address whitelist of the RDS instance.

      • Network type: The ECS instance and the RDS instance reside in the classic network.

        IP address whitelist setting: Add the private IP address of the ECS instance to an IP address whitelist of the RDS instance.

      • Network type: The ECS instance resides in the classic network. Your RDS instance resides in a VPC.

        IP address whitelist setting: Instances of different network types cannot communicate with each other over internal networks. Perform the following operations:

        1. Migrate the ECS instance from the classic network to the VPC to which the RDS instance belongs. For more information, see Migrate an ECS instance from the classic network to a VPC.

          Note

          This operation is supported only when the ECS instance and the RDS instance reside in the same region. If the ECS instance and the RDS instance reside in different regions, we recommend that you use Data Transmission Service (DTS) to migrate the RDS instance to the region in which the ECS instance resides. This way, you can ensure the stability of your database service. For more information, see Migrate data between ApsaraDB RDS for SQL Server instances.

        2. Add the private IP address of the ECS instance to an IP address whitelist of the RDS instance.

      • Network type: The ECS instance resides in a VPC. The RDS instance resides in the classic network.

        IP address whitelist setting: Instances of different network types cannot communicate with each other over internal networks. Perform the following operations:

        1. Migrate the RDS instance from the classic network to the VPC to which the ECS instance belongs. For more information, see Change the network type.

          Note

          This operation is supported only when the ECS instance and the RDS instance reside in the same region. If the ECS instance and the RDS instance reside in different regions, we recommend that you use Data Transmission Service (DTS) to migrate the RDS instance to the region in which the ECS instance resides. This way, you can ensure the stability of your database service. For more information, see Migrate data between ApsaraDB RDS for SQL Server instances.

        2. Add the private IP address of the ECS instance to an IP address whitelist of the RDS instance.

    Connection type: Connect a self-managed host outside the cloud to the RDS instance

      • Network type: N/A

        IP address whitelist setting: Add the public IP address of the self-managed host outside the cloud to an IP address whitelist of the RDS instance.


Usage notes

  • A maximum of 50 IP address whitelists can be configured for each RDS instance.

  • When you configure IP address whitelists, the workloads on the RDS instance are not interrupted.

  • You can delete the entries in the IP address whitelist that is labeled default, but you cannot delete the whitelist itself.

  • Do not modify or delete the IP address whitelists that are automatically generated for other Alibaba Cloud services. If you delete the IP address whitelist that is automatically generated for an Alibaba Cloud service, the Alibaba Cloud service cannot connect to the RDS instance. For example, the IP address whitelist labeled ali_dms_group is generated for Data Management (DMS), and the IP address whitelist labeled hdm_security_ips is generated for Database Autonomy Service (DAS).

    Important

    If an RDS instance is created after December 2020, the IP address whitelist that is labeled hdm_security_ips is invisible to users. This prevents the IP address whitelist from being unintentionally modified or deleted.

  • The IP address whitelist that is labeled default contains only the IP address 127.0.0.1. This indicates that no IP addresses can access the RDS instance.

Procedure

In standard whitelist mode, the system does not distinguish between the classic network and virtual private clouds (VPCs). The IP addresses or CIDR blocks in a standard IP address whitelist can be used to access the RDS instance over both the classic network and VPCs.

  1. Go to the Instances page. In the top navigation bar, select the region in which the RDS instance resides. Then, find the RDS instance and click the ID of the instance.
  2. In the left-side navigation pane, click Whitelist and SecGroup.

    On the Whitelist Settings tab, you can view the mode of the IP address whitelist.

    Note

    Existing RDS instances may run in enhanced whitelist mode. All new RDS instances run in standard whitelist mode.

  3. Click Create Whitelist. In the dialog box that appears, configure the Whitelist Name parameter, add the IP address of the application server to the whitelist, and then click OK.

    After you add the IP address of the server on which your application runs to the IP address whitelist, the server can access the RDS instance. You must obtain the correct IP address based on your business requirements and add the IP address to the IP address whitelist. The following list describes the IP addresses that are required in various scenarios and the method to obtain each one.

      • Scenario: You want to connect to the RDS instance from an ECS instance that is accessible over an internal network.

        IP address to be obtained: Private IP address of the ECS instance

        Method to obtain the IP address (applies to both ECS scenarios):

        1. Log on to the ECS console and go to the Instances page.

        2. In the top navigation bar, select the region in which the ECS instance resides.

        3. View the public IP address and private IP address of the ECS instance.

      • Scenario: You want to connect to the RDS instance from an ECS instance that is inaccessible over an internal network.

        IP address to be obtained: Public IP address of the ECS instance

      • Scenario: You want to connect to the RDS instance from an on-premises device.

        IP address to be obtained: Public IP address of the on-premises device

        Method to obtain the IP address: On the on-premises device, use a search engine such as Google to search for IP.

        Note

        The IP address that is obtained by using this method may be inaccurate.

    Note
    • You can also click Modify on the right of the default IP address whitelist to change the IP addresses and CIDR blocks that are added.

    • You must separate multiple IP addresses and CIDR blocks with commas (,). Do not add spaces before and after each comma. Example: 192.XXX.XXX.1,172.XXX.XXX.9.

    • A maximum of 1,000 IP addresses and CIDR blocks can be configured for each RDS instance. If you want to add a large number of IP addresses, we recommend that you merge the IP addresses into CIDR blocks, such as 10.10.10.0/24.

    • If the RDS instance runs in standard whitelist mode, no special considerations apply when you configure IP address whitelists for the RDS instance. If the RDS instance runs in enhanced whitelist mode, take note of the following considerations when you configure IP address whitelists for the RDS instance:

      • Add the public IP addresses of ECS instances or the private IP addresses of classic network-type ECS instances to the IP address whitelists of the classic network type.

      • Add the private IP addresses of VPC-type ECS instances to the IP address whitelists of the VPC network type.

  4. Optional. In the Create Whitelist dialog box, click Add Internal IP Addresses of ECS Instances. In the dialog box that appears, view the IP addresses of all the ECS instances that are created within your Alibaba Cloud account. Then, add the required IP addresses to the IP address whitelist that you want to configure.
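
The entry rules in the note under step 3 (commas with no spaces, at most 1,000 entries per instance, merging addresses into CIDR blocks) can be checked before a list is pasted into the console, and the same pass supports the regular whitelist review recommended under Scenarios. The following Python sketch is an added example, not Alibaba Cloud code; the function name, the /24 review threshold and the sample addresses are assumptions, and it handles IPv4 only.

```python
import ipaddress

MAX_ENTRIES = 1000  # per-instance limit stated on this page
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
BROAD_PUBLIC_PREFIX = 24  # assumption: public blocks wider than /24 get reviewed


def build_whitelist(entries, max_entries=MAX_ENTRIES):
    """Merge IPv4 addresses/CIDR blocks; return (whitelist string, findings)."""
    nets = []
    for raw in entries:
        item = raw.strip()
        if not item:
            continue
        # strict=True rejects entries such as 10.10.10.5/24 (host bits set)
        nets.append(ipaddress.IPv4Network(item, strict=True))
    # collapse_addresses sorts, de-duplicates and merges adjacent blocks
    merged = list(ipaddress.collapse_addresses(nets))
    if len(merged) > max_entries:
        raise ValueError(
            f"{len(merged)} entries after merging; the limit is {max_entries}")
    findings = []
    for net in merged:
        private = any(net.subnet_of(r) for r in RFC1918)
        if net.prefixlen == 0:
            findings.append(f"{net}: admits every IPv4 address")
        elif (not private and not net.is_loopback
              and net.prefixlen < BROAD_PUBLIC_PREFIX):
            findings.append(f"{net}: broad public block, confirm it is still needed")
    if merged == [ipaddress.ip_network("127.0.0.1/32")]:
        findings.append("only 127.0.0.1 is listed: no device can connect")
    # Page format: commas, no spaces; single hosts are written without /32
    text = ",".join(str(n.network_address) if n.prefixlen == 32 else str(n)
                    for n in merged)
    return text, findings


# Constructed sample: 256 application hosts, one office address and one wide
# range, using private, documentation and benchmarking address space
SAMPLE = [f"10.10.10.{i}" for i in range(256)] + ["203.0.113.7", "198.18.0.0/16"]

if __name__ == "__main__":
    whitelist, findings = build_whitelist(SAMPLE)
    print(whitelist)
    for finding in findings:
        print("review:", finding)
```
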

What to do next

Create an account and a database for an ApsaraDB RDS instance that runs SQL Server 2012, 2016, 2017 SE, or 2019 SE

Related operations

  • ModifySecurityIps: Modifies the IP address whitelist of an instance.

  • DescribeDBInstanceIPArrayList: Queries the IP address whitelists of an instance.