This topic describes how to control access to your ApsaraDB RDS for MySQL instance. This allows only the specified external devices to access your RDS instance.

Background information

The configuration of IP address whitelists and security groups provides high security for your RDS instance and does not interrupt the operation of your RDS instance. We recommend that you update the IP address whitelists and security groups configured for your RDS instance on a regular basis.

For more information about how to control access to RDS instances that run other database engines, see the following topics:

Access control types

ApsaraDB for RDS supports the following two types of access control:

  • IP address whitelists

    An IP address whitelist contains the IP addresses of the devices that require access to your RDS instance. The IP address whitelist labeled default contains only the 127.0.0.1 IP address. This IP address indicates that no devices can access your RDS instance.

    Before you configure an IP address whitelist, you must confirm the network isolation mode of your RDS instance. The configuration procedure can vary based on the network isolation mode.

    • Standard whitelist mode

      A standard IP address whitelist can contain IP addresses from both the classic network and virtual private clouds (VPCs). However, the standard whitelist mode may incur security risks. For example, after you add an IP address from a VPC to a standard IP address whitelist, the IP address is granted access over both the VPC and the classic network. Therefore, we recommend that you switch to the enhanced whitelist mode. For more information, see Switch an ApsaraDB RDS for MySQL instance to the enhanced whitelist mode.

      Standard whitelist mode
    • Enhanced whitelist mode

      An enhanced IP address whitelist can contain only IP addresses from the classic network or from VPCs. When you create an enhanced IP address whitelist, you must specify its network type. If you add an IP address from a VPC to an enhanced IP address whitelist, the IP address is granted access only over the VPC.

      Enhanced whitelist mode
  • Security groups

    A security group is a virtual firewall that is used to control the inbound and outbound traffic of ECS instances in the security group. After you add a security group to your RDS instance, all of the ECS instances in the security group can access your RDS instance.

    For more information, see Create a security group.

Precautions for configuring an IP address whitelist

  • You can modify or clear the IP address whitelist labeled default. However, you cannot delete this IP address whitelist.
  • Up to 200 IP address whitelists are allowed per RDS instance.
  • Up to 1,000 IP addresses and Classless Inter-Domain Routing (CIDR) blocks are allowed per RDS instance. If you want to add a large number of IP addresses, we recommend that you combine these IP addresses into CIDR blocks, such as 10.10.10.0/24. The length of the IP address prefix ranges from 1 bits to 32 bits. For example, /24 indicates that the length of the prefix is 24 bits. For more information, see CIDR block FAQ.
  • When you access an Alibaba Cloud service, the service automatically creates an IP address whitelist that contains the required IP address on your RDS instance. For example, Alibaba Cloud Data Management (DMS) creates an IP address whitelist named ali_dms_group, and Alibaba Cloud Database Autonomy Service (DAS) creates an IP address whitelist named hdm_security_ips. Do not modify or delete these IP address whitelists. If you modify or delete these IP address whitelists, the related services cannot access your RDS instance.
    Note Do not add your own IP address to these IP address whitelists. If you add your own IP address to these IP address whitelists, your IP address will be overwritten by the updated IP addresses of the related services. If your IP address is overwritten, your workloads are interrupted.

Configure an IP address whitelist in enhanced whitelist mode

Note The enhanced whitelist mode is supported only for RDS instances that use local SSDs. If your RDS instance runs in enhanced whitelist mode, you can perform the following procedure to configure an enhanced IP address whitelist. If your RDS instance runs in standard whitelist mode, you must switch to the enhanced whitelist mode. For more information, see Switch an ApsaraDB RDS for MySQL instance to the enhanced whitelist mode.
  1. Log on to the ApsaraDB for RDS console.
  2. In the left-side navigation pane, click Instances. In the top navigation bar, select the region where your RDS instance resides.
    Select a region
  3. Find your RDS instance and click its ID.
  4. In the left-side navigation pane, click Data Security.
  5. Confirm the connection scenario and perform the required operations.
    Connection scenario Operation
    Recommended. Your ECS and RDS instances reside in the same VPC.
    1. On the Whitelist Settings tab of the Data Security page, click Edit to the right of the IP address whitelist labeled default VPC.
    2. In the dialog box that appears, enter the private IP address of your ECS instance in the IP Addresses field and click OK.
      Note Applications running on your ECS instance can only connect to the internal endpoint of your RDS instance.
    Your ECS and RDS instances reside in different VPCs.
    1. On the Database Connection page, click Switch to Classic Network. In the message that appears, click OK.
    2. Click Switch to VPC. In the dialog box that appears, select the VPC that hosts your ECS instance and click OK.
      Note Your ECS and RDS instances can be migrated to the same VPC only when they reside in the same region. If they reside in different regions, we recommend that you use Alibaba Cloud Data Transmission Service (DTS) to migrate your RDS instance to the region where your ECS instance resides. This allows you to ensure service availability. For more information, see Migrate data between ApsaraDB RDS for MySQL instances.
    3. On the Whitelist Settings tab of the Data Security page, click Edit to the right of the IP address whitelist labeled default VPC.
    4. In the dialog box that appears, enter the private IP address of your ECS instance in the IP Addresses field and click OK.
      Note Applications running on your ECS instance can only connect to the internal endpoint of your RDS instance.
    Your ECS and RDS instances both reside in the classic network.
    1. On the Whitelist Settings tab of the Data Security page, click Edit to the right of the IP address whitelist labeled default Classic Network.
    2. In the dialog box that appears, enter the private IP address of your ECS instance in the IP Addresses field and click OK.
      Note Applications running on your ECS instance can only connect to the internal endpoint of your RDS instance.
    Your ECS instance resides in the classic network.

    Your RDS instance resides in a VPC.
    1. Migrate your ECS instance to the VPC that hosts your RDS instance. For more information, see Migrate an ECS instance.
      Note Your ECS and RDS instances can be migrated to the same VPC only when they reside in the same region. If they reside in different regions, we recommend that you use DTS to migrate your RDS instance to the region where your ECS instance resides. This allows you to ensure service availability. For more information, see Migrate data between ApsaraDB RDS for MySQL instances.
    2. On the Whitelist Settings tab of the Data Security page, click Edit to the right of the IP address whitelist labeled default VPC.
    3. In the dialog box that appears, enter the private IP address of your ECS instance in the IP Addresses field and click OK.
      Note Applications running on your ECS instance can only connect to the internal endpoint of your RDS instance.
    Your ECS instance resides in a VPC.

    Your RDS instance resides in the classic network.
    1. On the Database Connection page, click Switch to VPC. In the dialog box that appears, select the VPC that hosts your ECS instance and click OK.
      Note Your ECS and RDS instances can be migrated to the same VPC only when they reside in the same region. If they reside in different regions, we recommend that you use DTS to migrate your RDS instance to the region where your ECS instance resides. This allows you to ensure service availability. For more information, see Migrate data between ApsaraDB RDS for MySQL instances.
    2. On the Whitelist Settings tab of the Data Security page, click Edit to the right of the IP address whitelist labeled default VPC.
    3. In the dialog box that appears, enter the private IP address of your ECS instance in the IP Addresses field and click OK.
      Note Applications running on your ECS instance can only connect to the internal endpoint of your RDS instance.
    An on-premises server requires access to your RDS instance.
    1. On the Whitelist Settings tab of the Data Security page, click Edit to the right of the IP address whitelist labeled default Classic Network.
    2. In the dialog box that appears, enter the public IP address of the on-premises server in the IP Addresses field and click OK.
      Note
    Note
    • On the Whitelist Settings tab of the Data Security page, you can click Create Whitelist. In the Create Whitelist dialog box, you can set the Network Type parameter to VPC or Classic Network/Public IP.
    • If you enter more than one IP address or CIDR block, you must separate them with commas (,). Example: 192.168.0.1,172.16.213.9.
    • If you click Add Internal IP Addresses of ECS Instances, the IP addresses of all of the ECS instances that are created in your Alibaba Cloud account appear. Then, you can select the IP addresses that you want to add to the IP address whitelist.

Configure an IP address whitelist in standard whitelist mode

  1. Log on to the ApsaraDB for RDS console.
  2. In the left-side navigation pane, click Instances. In the top navigation bar, select the region where your RDS instance resides.
    Select a region
  3. Find your RDS instance and click its ID.
  4. In the left-side navigation pane, click Data Security.
  5. On the Whitelist Settings tab, click Edit to the right of the IP address whitelist labeled default.
    Note You can also click Create Whitelist to create an IP address whitelist.
  6. In the Edit Whitelist dialog box, enter the required IP addresses or CIDR blocks in the IP Addresses field and click OK.
    Note
    • After you add IP addresses or CIDR blocks to the IP address whitelist labeled default, the system deletes the default IP address 127.0.0.1.
    • If you enter more than one IP address or CIDR block, you must separate them with commas (,). Example: 192.168.0.1,172.16.213.9.
    • If you click Add Internal IP Addresses of ECS Instances, the IP addresses of all of the ECS instances that are created in your Alibaba Cloud account appear. Then, you can select the IP addresses that you want to add to the IP address whitelist.

Error cases

  • Your RDS instance has only one IP address whitelist that contains only the default IP address 127.0.0.1 in the Data Security > Whitelist Settings navigation path.

    The default IP address 127.0.0.1 indicates that no devices can access your RDS instance. You must add the IP addresses of the devices that require access to your RDS instance to the IP address whitelist.

  • An IP address whitelist contains only one entry, 0.0.0.0.

    An IP address whitelist must contain entries similar to 0.0.0.0/0.

    Note The 0.0.0.0/0 entry indicates that all devices can access your RDS instance. Exercise caution when you specify this entry.
  • When you configure an enhanced IP address for your RDS instance, the system reports IP address errors.

    For more information, see Switch to the enhanced whitelist mode for an RDS instance.

    • If your RDS instance resides in a VPC and is connected by using its internal endpoint, make sure that the private IP address of your ECS instance is added to the IP address whitelist labeled default VPC.
    • If your RDS instance resides in the classic network and is connected by using its internal endpoint, make sure that the private IP address of your ECS instance is added to the IP address whitelist labeled default Classic Network.
    • If your RDS instance resides in a VPC and is connected by using ClassicLink, make sure that the private IP address of your ECS instance is added to the IP address whitelist labeled default VPC.
    • If your RDS instance is connected over the Internet, make sure that the public IP address of your ECS instance is added to the IP address whitelist labeled default Classic Network. (The IP address whitelist labeled default VPC cannot be used to control access over the Internet.)
  • The public IP addresses that you add to an IP address whitelist are not the actual egress IP addresses.

    This problem may occur due to the following reasons:

    • Public IP addresses dynamically change.
    • The tool or website that you use to query public IP addresses returns inaccurate results.

    For more information, see Determine the public IP address of an external server or client for an apsaradb RDS for MySQL or MariaDB instance.

Precautions for configuring a security group

  • You can configure a security group only when your RDS instance runs MySQL 5.6, 5.7, or 8.0.
  • You can configure both IP address whitelists and security groups for your RDS instance. All of the IP addresses in the configured IP address whitelists and all of the ECS instances in the configured security groups can access your RDS instance.
  • Up to 10 security groups are allowed per RDS instance.
  • Updates to a security group are automatically synchronized to your RDS instance.
  • You can add only a security group that has the same network type as your RDS instance. In this case, the network types of your RDS instance and the security group that you want to add must both be VPC or classic network.
    Note After you change the network type of your RDS instance, the security group that you have added becomes invalid. You must add the security group with the required network type again.

Configure a security group

  1. Log on to the ApsaraDB for RDS console.
  2. In the left-side navigation pane, click Instances. In the top navigation bar, select the region where your RDS instance resides.
    Select a region
  3. Find your RDS instance and click its ID.
  4. In the left-side navigation pane, click Data Security.
  5. On the Whitelist Settings tab, click Add Security Group.
  6. Select the target security group and click OK.
    Note Security groups followed by a VPC tag contain ECS instances that reside in VPCs.

What to do next

Create accounts and databases for an ApsaraDB RDS for MySQL instance

FAQ

  • Does an IP address whitelist immediately take effect after it is configured?

    No, an IP address whitelist requires about 1 minute to take effect after it is configured.

  • Why do I find IP address whitelists that I did not create?

    If these IP address whitelists contain private IP addresses, they are probably generated by other Alibaba Cloud services, such as DMS and DAS. In this case, these IP address whitelists do not affect your business data, and no further actions are required.

    IP address whitelist created by HDM
  • If I disable Internet access and enable only internal network access, will my RDS instance be exposed to security risks?

    Yes, if you disable Internet access and enable only internal network access, your RDS instance will be exposed to security risks. We recommend that you change the network type of your RDS instance to VPC. In this case, only the ECS instances that reside in the same VPC as your RDS instance are granted access after the required IP addresses are added to an IP address whitelist of your RDS instance. For more information, see Change the network type of an ApsaraDB RDS for MySQL instance

Related operations

Operation Description
Query IP address whitelists Queries the IP address whitelists of an ApsaraDB for RDS instance.
Modify IP address whitelist Modifies an IP address whitelist of an ApsaraDB for RDS instance.