This topic describes how to switch from the standard whitelist mode to the enhanced whitelist mode for an RDS for MySQL instance.

IP whitelist modes

ApsaraDB for RDS instances provide the following two IP whitelist modes:

  • Standard whitelist mode

    In this mode, the whitelist does not distinguish between the classic network and VPCs. The IP addresses in the whitelist can access the RDS instance from both the classic network and VPCs. We recommend that you switch from the standard whitelist mode to the enhanced whitelist mode.


  • Enhanced whitelist mode
    In this mode, the whitelist is classified into two IP whitelist groups by network type: the classic-network whitelist group and the VPC whitelist group. When you create an IP whitelist, you must specify a network type.

Changes after switching to the enhanced whitelist mode

  • If the network type of the instance is VPC, a new whitelist group is generated that contains the same IP addresses as the original whitelist. The new IP whitelist group applies only to VPCs.
  • If the network type of the instance is classic network, a new whitelist group is generated that contains the same IP addresses as the original whitelist. The new IP whitelist group applies only to classic networks.
  • If the instance is in the hybrid access mode, two new whitelist groups are generated, each containing the same IP addresses as the original whitelist. One of the whitelist groups applies to VPCs and the other applies to classic networks.
Note: Switching to the enhanced whitelist mode does not affect the ECS instances that are in the ECS security group whitelist.

Prerequisites

The DB version used by the instance is one of the following:
  • MySQL 5.7 High-Availability Edition
  • MySQL 5.6
  • MySQL 5.5

Precautions

  • You can switch from the standard whitelist mode to the enhanced whitelist mode. However, you cannot switch from the enhanced whitelist mode to the standard whitelist mode.
  • In the enhanced whitelist mode, the classic-network whitelist group also applies to access from a public network. If you want to access the RDS instance from an instance, host, or application in the public network, you must add the public IP address to the classic-network whitelist group.
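
Because the switch cannot be reversed, it helps to check beforehand which clients the new groups would no longer match. The following added example (not part of the original documentation or any Alibaba Cloud tool) models only the whitelist decision described in "Changes after switching" and "Precautions", not network reachability. All function names and the sample addresses are assumptions made for illustration.

```python
import ipaddress

# Instance network type -> whitelist groups generated by the switch,
# as listed under "Changes after switching to the enhanced whitelist mode".
GROUPS_AFTER_SWITCH = {
    "vpc": ("vpc",),
    "classic": ("classic",),
    "hybrid": ("vpc", "classic"),
}

def switch_to_enhanced(instance_network, standard_whitelist):
    """Each generated group receives a copy of the original whitelist entries."""
    return {g: list(standard_whitelist) for g in GROUPS_AFTER_SWITCH[instance_network]}

def _matches(source_ip, entries):
    addr = ipaddress.ip_address(source_ip)
    return any(addr in ipaddress.ip_network(e, strict=False) for e in entries)

def allowed_standard(source_ip, standard_whitelist):
    """Standard mode: a single list, with no distinction by network type."""
    return _matches(source_ip, standard_whitelist)

def allowed_enhanced(source_ip, source_network, groups):
    """Enhanced mode: a source is checked only against the group for its network.
    Public-network sources are checked against the classic-network group."""
    group = "classic" if source_network == "public" else source_network
    return _matches(source_ip, groups.get(group, []))

def access_lost_after_switch(instance_network, standard_whitelist, clients):
    """Clients matched in standard mode that no generated group would match."""
    groups = switch_to_enhanced(instance_network, standard_whitelist)
    return [
        (ip, net) for ip, net in clients
        if allowed_standard(ip, standard_whitelist)
        and not allowed_enhanced(ip, net, groups)
    ]

# Constructed sample data (private and documentation ranges, not real hosts).
WHITELIST = ["10.0.0.0/24", "203.0.113.7"]
CLIENTS = [("10.0.0.15", "vpc"), ("10.0.0.20", "classic"),
           ("203.0.113.7", "public"), ("198.51.100.9", "public")]

if __name__ == "__main__":
    for net in ("vpc", "classic", "hybrid"):
        print(net, access_lost_after_switch(net, WHITELIST, CLIENTS))
```

Any client reported for your instance's network type needs its address added to the appropriate group after the switch.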

Procedure

  1. Log on to the RDS console.
  2. In the upper-left corner, select the region where the target RDS instance is located.
  3. Find the target RDS instance and click the instance ID.
  4. In the left-side navigation pane, click Data Security.
  5. On the Whitelist Settings tab, click Switch to Enhanced Whitelist (Recommended).
  6. In the message box that appears, click OK.