This topic describes how to switch from the standard whitelist mode to the enhanced whitelist mode for an ApsaraDB RDS for MySQL instance. The enhanced whitelist mode offers higher security.

Network isolation modes

RDS instances support the following two network isolation modes:
  • Standard whitelist

    IP addresses from both the classic network and VPCs can be added to the same whitelist. A standard whitelist is less secure than an enhanced whitelist.

  • Enhanced whitelist (recommended)

    IP addresses from the classic network and VPCs are added to different whitelists. When you create an IP address whitelist, you must specify a network type.

Changes after you switch to the enhanced whitelist mode

  • If the network type of the instance is VPC, a new whitelist is generated that contains the same IP addresses as the original whitelists. The new IP address whitelist applies only to access from VPCs.
  • If the network type of the instance is classic network, a new whitelist is generated that contains the same IP addresses as the original whitelists. The new IP address whitelist applies only to access from the classic network.
  • If the instance supports access from both the classic network and VPCs, two new whitelists are generated, and each contains the same IP addresses as the original whitelists. One of the whitelists applies to access from VPCs and the other applies to access from the classic network.
Note: Switching to the enhanced whitelist mode does not affect the ECS instances that are in security groups.

Prerequisites

The RDS instance uses local SSDs.

Precautions

  • You cannot switch to the standard whitelist mode after you switch to the enhanced whitelist mode.
  • In the enhanced whitelist mode, the classic network whitelist also applies to access from the Internet. If you want to access an RDS instance from a host over the Internet, add the public IP address of the host to the classic network whitelist.

Procedure

  1. Log on to the ApsaraDB for RDS console.
  2. In the top navigation bar, select the region where the target RDS instance resides.
  3. Find the target RDS instance and click its ID.
  4. In the left-side navigation pane, click Data Security.
  5. On the Whitelist Settings tab, click Switch to Enhanced Whitelist (Recommended).
  6. In the message that appears, click OK.

FAQ

  • My RDS instance uses the enhanced whitelist mode. If I want to access it from a host over the Internet, to which whitelist do I need to add the public IP address of the host?

    If you want to access your RDS instance from a host over the Internet, you must add the public IP address of the host to the classic network whitelist.

  • What are the benefits of the enhanced whitelist mode?

    In the enhanced whitelist mode, IP addresses from the classic network and VPCs are isolated. For example, if you allow access for an IP address in a VPC, the IP address can only access the RDS instance within the VPC, and the same IP address on the Internet cannot access the RDS instance. This enhances the security of the RDS instance.
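
The following Python sketch is an added illustration, not Alibaba Cloud code. It models the behavior described under "Changes after you switch to the enhanced whitelist mode" and in the FAQ. All function names and sample addresses are hypothetical, CIDR entries are assumed to be allowed, and merging the original whitelists into one list per network type is a simplification.

```python
import ipaddress

# Added model of the page's whitelist semantics; not Alibaba Cloud code.
VPC, CLASSIC, INTERNET = "vpc", "classic", "internet"

def _matches(entries, source_ip):
    """True if source_ip falls inside any whitelist entry (IP or CIDR)."""
    ip = ipaddress.ip_address(source_ip)
    return any(ip in ipaddress.ip_network(e, strict=False) for e in entries)

def switch_to_enhanced(original_whitelists, instance_networks):
    """One new whitelist per network type the instance supports, each
    holding the same entries as the original whitelists (merged here)."""
    merged = sorted({e for group in original_whitelists.values() for e in group})
    return {net: list(merged) for net in instance_networks}

def allowed_standard(original_whitelists, source_ip):
    """Standard mode: one shared whitelist, the source network is ignored."""
    return any(_matches(g, source_ip) for g in original_whitelists.values())

def allowed_enhanced(enhanced, source_ip, source_net):
    """Enhanced mode: match only the whitelist for the source network.
    The classic network whitelist also applies to Internet access."""
    key = CLASSIC if source_net == INTERNET else source_net
    return _matches(enhanced.get(key, []), source_ip)

def demo():
    # Constructed sample data (private and documentation address ranges).
    original = {"default": ["10.0.0.5", "203.0.113.10"]}
    enhanced = switch_to_enhanced(original, [VPC, CLASSIC])
    results = {
        # Right after the switch both lists are copies, so nothing tightens yet.
        "copied_entry_from_classic": allowed_enhanced(enhanced, "10.0.0.5", CLASSIC),
        "public_host_from_internet": allowed_enhanced(enhanced, "203.0.113.10", INTERNET),
    }
    # Entries added after the switch are scoped to one network type.
    enhanced[VPC].append("10.0.1.0/24")
    results["new_vpc_entry_from_vpc"] = allowed_enhanced(enhanced, "10.0.1.7", VPC)
    results["new_vpc_entry_from_classic"] = allowed_enhanced(enhanced, "10.0.1.7", CLASSIC)
    # Removing the copied VPC address from the classic list closes that path.
    enhanced[CLASSIC].remove("10.0.0.5")
    results["pruned_entry_from_classic"] = allowed_enhanced(enhanced, "10.0.0.5", CLASSIC)
    results["pruned_entry_from_vpc"] = allowed_enhanced(enhanced, "10.0.0.5", VPC)
    return results

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

In this model, an instance that supports both network types starts with two identical whitelists, so the isolation only takes effect once each list is reviewed and trimmed to the addresses that belong to its network type.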