This topic describes how to configure a whitelist for an RDS MySQL instance.

For more information about how to configure a whitelist in other database engines, see the following topics:

Background information

ApsaraDB RDS MySQL provides two types of whitelists:

  • IP address whitelists

    An IP address whitelist contains the IP addresses of entities that require access to your RDS instance. The IP address whitelist labeled default contains only the default IP address 127.0.0.1, which indicates that all entities are denied access to your RDS instance.

    Before you configure an IP address whitelist, you must confirm the network isolation mode of your RDS instance. The configuration procedure varies depending on the network isolation mode used.

    • Standard whitelist mode

      In standard whitelist mode, an IP address whitelist can contain IP addresses from both classic networks and VPCs. The standard whitelist mode may incur security risks. We recommend that you switch the network isolation mode from standard whitelist to enhanced whitelist.

    • Enhanced whitelist mode

      In enhanced whitelist mode, an IP address whitelist can contain only IP addresses from classic networks or VPCs. When you create an IP address whitelist, you must specify its network type.

  • Security groups

    A security group serves as a virtual firewall to limit the inbound and outbound traffic of ECS instances in that security group. After you add a security group, all ECS instances in it are granted access to your RDS instance.

    For more information, see Create a security group.

Whitelists make your RDS instance more secure, and the configuration process does not interrupt the operation of your RDS instance. Therefore, we recommend that you maintain whitelists on a regular basis.

Precautions for configuring an IP address whitelist

  • You can edit or clear a default IP address whitelist, but cannot delete it.
  • Each IP address whitelist can contain up to 1,000 IP addresses or CIDR blocks. If you want to add more than 1,000 IP addresses, we recommend that you combine them into CIDR blocks such as 192.168.1.0/24.
  • If you attempt to log on to Data Management Service (DMS) from your RDS instance without adding the IP address of DMS to a whitelist, DMS displays a message that states your logon can succeed only after its IP address is added to a whitelist. By default, DMS automatically creates an IP address whitelist that contains its IP address in your RDS instance.

Configure an IP address whitelist in enhanced whitelist mode

  1. Log on to the ApsaraDB for RDS console.
  2. In the upper-left corner of the page, select the region where the target RDS instance resides.Select a region
  3. Find the target RDS instance and click its ID.
  4. In the left-side navigation pane, click Data Security.
  5. Confirm the connection scenario and perform its required operations.
    Connection scenario Operation
    (Recommended) Your ECS and RDS instances reside in the same VPC.
    1. On the Whitelist Settings tab of the Data Security page, click Edit to the right of the IP address whitelist labeled default VPC.
    2. In the dialog box that appears, enter the internal IP address of your ECS instance in the Whitelist field and click OK.
      Note Applications running on your ECS instance connect to the internal endpoint of your RDS instance.
    Your ECS and RDS instances reside in different VPCs.
    1. Navigate to the Database Connection page and click Switch to Classic Network. In the dialog box that appears, click OK.
    2. Click Switch to VPC. In the dialog box that appears, select the VPC that houses your ECS instance and click OK.
      Note Your ECS and RDS instances can be switched to the same VPC only if they reside in the same region. If they reside in different regions, we recommend that you use Data Transmission Service (DTS) to migrate your RDS instance to the region where your ECS instance resides. This helps ensure service availability. For more information, see Migrate between RDS instances.
    3. Navigate to the Whitelist Settings tab of the Data Security page, and click Edit to the right of the IP address whitelist labeled default VPC.
    4. In the dialog box that appears, enter the internal IP address of your RDS instance in the Whitelist field and click OK.
      Note Applications running on your ECS instance connect to the internal endpoint of your RDS instance.
    Your ECS and RDS instances both reside in classic networks.
    1. Navigate to the Whitelist Settings tab of the Data Security page, and click Edit to the right of the IP address whitelist labeled default Classic Network.
    2. In the dialog box that appears, enter the internal IP address of your ECS instance in the Whitelist field and click OK.
      Note Applications running on your ECS instance connect to the internal endpoint of your RDS instance.
    Your ECS instance resides in a classic network.

    Your RDS instance resides in a VPC.
    1. Migrate your ECS instance to the VPC that houses your RDS instance. For more information, see Migrate an ECS instance.
      Note Your ECS and RDS instances can be switched to the same VPC only if they reside in the same region. If they reside in different regions, we recommend that you use DTS to migrate your RDS instance to the region where your ECS instance resides. This helps ensure service availability. For more information, see Migrate between RDS instances.
    2. Navigate to the Whitelist Settings tab of the Data Security page, and click Edit to the right of the IP address whitelist labeled default VPC.
    3. In the dialog box that appears, enter the internal IP address of your ECS instance in the Whitelist field and click OK.
      Note Applications running on your ECS instance connect to the internal endpoint of your RDS instance.
    Your ECS instance resides in a VPC.

    Your RDS instance resides in a classic network.
    1. Navigate to the Database Connection page and click Switch to VPC. In the dialog box that appears, select the VPC that houses your ECS instance and click OK.
      Note Your ECS and RDS instances can be switched to the same VPC only if they reside in the same region. If they reside in different regions, we recommend that you use DTS to migrate your RDS instance to the region where your ECS instance resides. This helps ensure service availability. For more information, see Migrate between RDS instances.
    2. Navigate to the Whitelist Settings tab of the Data Security page, and click Edit to the right of the IP address whitelist labeled default VPC.
    3. In the dialog box that appears, enter the internal IP address of your ECS instance in the Whitelist field and click OK.
      Note Applications running on your ECS instance connect to the internal endpoint of your RDS instance.
    Your host that requires access to your RDS instance resides outside the cloud.
    1. Navigate to the Whitelist Settings tab of the Data Security page, and click Edit to the right of the IP address whitelist labeled default Classic Network.
    2. In the dialog box that appears, enter the public IP address of your host in the Whitelist field and click OK.
      Note
    Note
    • On the Whitelist Settings tab of the Data Security page, you can click Create Whitelist and then in the Create Whitelist dialog box select VPC or Classic Network/Public IP for Network Type.
    • If you enter the CIDR block 10.10.10.0/24 in the Whitelist field, all IP addresses in the 10.10.10.X format are granted access to your RDS instance.
    • If you enter more than one IP address or CIDR block in the Whitelist field, make sure that they are separated with commas (,). Do not add spaces before or after the commas. Example: 192.168.0.1,172.16.213.9.
    • If you click Add Internal IP Addresses of ECS Instances, IP addresses of all ECS instances created in your Alibaba Cloud account are displayed.

Configure an IP address whitelist in standard whitelist mode

  1. Log on to the ApsaraDB for RDS console.
  2. In the upper-left corner of the page, select the region where the target RDS instance resides.
  3. Find the target RDS instance and click its ID.
  4. In the left-side navigation pane, click Data Security.
  5. On the Whitelist Settings tab, click Edit to the right of the IP address whitelist labeled default.
    Note You can also click Create Whitelist to create an IP address whitelist.
  6. In the Edit Whitelist dialog box, enter IP addresses or CIDR blocks in the Whitelist field and click OK.
    • If you enter the CIDR block 10.10.10.0/24, all IP addresses in the 10.10.10.X format are granted access to your RDS instance.
    • If you enter more than one IP address or CIDR block, make sure that they are separated with commas (,). Do not add spaces before or after the commas. Example: 192.168.0.1,172.16.213.9.
    • If you click Add Internal IP Addresses of ECS Instances, IP addresses of all ECS instances created in your Alibaba Cloud account are displayed.
    Note After you add IP addresses or CIDR blocks to the IP address whitelist labeled default, the system deletes the default IP address 127.0.0.1.

Cases

  • Only the default IP address 127.0.0.1 is added to a whitelist in the Data Security > Whitelist Settings navigation path.

    The default IP address 127.0.0.1 indicates that all entities are denied access. You must whitelist the IP addresses of entities that require access to your RDS instance.

  • I added only one entry, 0.0.0.0, to an IP address whitelist, with the intention to grant all entities access to my RDS instance.

    Enter the CIDR block 0.0.0.0/0 instead.

    Note This CIDR block indicates that all entities are granted access to your RDS instance. Exercise caution when adding this CIDR block.
  • The system prompts me with IP address errors when my RDS instance is in enhanced whitelist mode.

    For more information, see Switch the IP whitelist mode from standard to enhanced.

    • If your RDS instance resides in a VPC and is connected by using its internal endpoint, make sure that the internal IP address of your ECS instance is added to the IP address whitelist labeled default VPC.
    • If your RDS instance resides in a classic network and is connected by using its internal endpoint, make sure that the internal IP address of your ECS instance is added to the IP address whitelist labeled default Classic Network.
    • If your RDS instance resides in a VPC and is connected by using ClassicLink, make sure that the internal IP address of your ECS instance is added to the IP address whitelist labeled default VPC.
    • If your RDS instance is connected over the Internet, make sure that the public IP address of your ECS instance is added to the IP address whitelist labeled default Classic Network. (The IP address whitelist labeled default VPC cannot be used to allow access from the Internet.)
  • The public IP addresses you add to whitelists are not real egress IP addresses.

    Possible reasons are as follows:

    • Public IP addresses dynamically change.
    • The tool or website you use to query public IP addresses yields inaccurate results.

    For more information, see How do I locate the public IP address of my computer that needs to connect to RDS for MySQL or MariaDB TX?

Precautions for configuring a security group

  • You can configure a security group only if your RDS instance runs MySQL 5.6, MySQL 5.7, or MySQL 8.0.
  • Your RDS instance can have both IP address whitelists and security groups at the same time. All IP addresses in the configured whitelists and all ECS instances in the configured security group can access your RDS instance.
  • You can only add one security group.

Configure a security group

  1. Log on to the ApsaraDB for RDS console.
  2. In the upper-left corner of the page, select the region where the target RDS instance resides.
  3. Find the target RDS instance and click its ID. The Basic Information page appears.
  4. In the left-side navigation pane, click Data Security.
  5. On the Whitelist Settings tab, click Add Security Group.
    Note If a security group is followed by a VPC tag, the ECS instances in it reside in VPCs.
  6. Select the security group you want to add. Then, click OK.

FAQ

  • Does an IP address whitelist take effect immediately after it is configured?

    An IP address whitelist takes effect approximately one minute after it is configured.

  • Why do I find IP address whitelists that are not created by me?

    If these whitelists contain internal IP addresses, they are probably generated by other Alibaba Cloud products such as DMS or DAS and do not invoke operations on your service data.

    IP address whitelist generated by HDM
  • Is my RDS instance exposed to security risks if I enable only internal network access and disable Internet access?

    We recommend that you switch the network type of your RDS instance from Classic Network to VPC. After you make the switch, only ECS instances in the same VPC as your RDS instance are granted access on the condition that their internal IP addresses are added to whitelists. For more information, see Change the network type of an RDS MySQL instance.

Related operations

Operation Description
DescribeDBInstanceIPArrayList Queries the IP address whitelists of an ApsaraDB RDS MySQL instance.
ModifySecurityIps Modifies an IP address whitelist of an ApsaraDB RDS MySQL instance.