This topic describes how to control access to your ApsaraDB RDS for MySQL instance. This allows only the specified external devices to access your RDS instance.
Background information
The configuration of IP address whitelists and security groups provides high security for your RDS instance and does not interrupt the operation of your RDS instance. We recommend that you update the IP address whitelists and security groups configured for your RDS instance on a regular basis.
For more information about how to control access to RDS instances that run other database engines, see the following topics:
Access control types
ApsaraDB for RDS supports the following two types of access control:
- IP address whitelists
An IP address whitelist contains the IP addresses of the devices that require access to your RDS instance. The IP address whitelist labeled default contains only the 127.0.0.1 IP address. This IP address indicates that no devices can access your RDS instance.
Before you configure an IP address whitelist, you must confirm the network isolation mode of your RDS instance. The configuration procedure can vary based on the network isolation mode.
- Standard whitelist mode
A standard IP address whitelist can contain IP addresses from both the classic network and virtual private clouds (VPCs). However, the standard whitelist mode may incur security risks. For example, after you add an IP address from a VPC to a standard IP address whitelist, the IP address is granted access over both the VPC and the classic network. Therefore, we recommend that you switch to the enhanced whitelist mode. For more information, see Switch an ApsaraDB RDS for MySQL instance to the enhanced whitelist mode.
- Enhanced whitelist mode
An enhanced IP address whitelist can contain only IP addresses from the classic network or from VPCs. When you create an enhanced IP address whitelist, you must specify its network type. If you add an IP address from a VPC to an enhanced IP address whitelist, the IP address is granted access only over the VPC.
- Security groups
A security group is a virtual firewall that is used to control the inbound and outbound traffic of ECS instances in the security group. After you add a security group to your RDS instance, all of the ECS instances in the security group can access your RDS instance.
For more information, see Create a security group.
Precautions for configuring an IP address whitelist
- You can modify or clear the IP address whitelist labeled default. However, you cannot delete this IP address whitelist.
- Up to 200 IP address whitelists are allowed per RDS instance.
- Up to 1,000 IP addresses and Classless Inter-Domain Routing (CIDR) blocks are allowed per RDS instance. If you want to add a large number of IP addresses, we recommend that you combine these IP addresses into CIDR blocks, such as 10.10.10.0/24. The length of the IP address prefix ranges from 1 bit to 32 bits. For example, /24 indicates that the length of the prefix is 24 bits. For more information, see CIDR block FAQ.
- When you access an Alibaba Cloud service, the service automatically creates an IP address whitelist that contains the required IP address on your RDS instance. For example, Alibaba Cloud Data Management (DMS) creates an IP address whitelist named ali_dms_group, and Alibaba Cloud Database Autonomy Service (DAS) creates an IP address whitelist named hdm_security_ips. Do not modify or delete these IP address whitelists. If you modify or delete these IP address whitelists, the related services cannot access your RDS instance.
Note Do not add your own IP address to these IP address whitelists. If you add your own IP address to these IP address whitelists, your IP address will be overwritten by the updated IP addresses of the related services. If your IP address is overwritten, your workloads are interrupted.
Configure an IP address whitelist in enhanced whitelist mode
Configure an IP address whitelist in standard whitelist mode
Error cases
- Your RDS instance has only one IP address whitelist, and it contains only the default IP address 127.0.0.1.
The default IP address 127.0.0.1 indicates that no devices can access your RDS instance. You must add the IP addresses of the devices that require access to your RDS instance to the IP address whitelist.
- An IP address whitelist contains only one entry, 0.0.0.0.
Whitelist entries must be written in CIDR notation, for example 0.0.0.0/0.
Note The 0.0.0.0/0 entry indicates that all devices can access your RDS instance. Exercise caution when you specify this entry.
- When you configure an enhanced IP address whitelist for your RDS instance, the system reports IP address errors.
For more information, see Switch to the enhanced whitelist mode for an RDS instance.
- If your RDS instance resides in a VPC and is connected by using its internal endpoint, make sure that the private IP address of your ECS instance is added to the IP address whitelist labeled default VPC.
- If your RDS instance resides in the classic network and is connected by using its internal endpoint, make sure that the private IP address of your ECS instance is added to the IP address whitelist labeled default Classic Network.
- If your RDS instance resides in a VPC and is connected by using ClassicLink, make sure that the private IP address of your ECS instance is added to the IP address whitelist labeled default VPC.
- If your RDS instance is connected over the Internet, make sure that the public IP address of your ECS instance is added to the IP address whitelist labeled default Classic Network. (The IP address whitelist labeled default VPC cannot be used to control access over the Internet.)
- The public IP addresses that you add to an IP address whitelist are not the actual egress IP addresses.
This problem may occur due to the following reasons:
- Public IP addresses dynamically change.
- The tool or website that you use to query public IP addresses returns inaccurate results.
For more information, see Determine the public IP address of an external server or client for an ApsaraDB RDS for MySQL or MariaDB instance.
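As an added example (not part of the original page and not Alibaba Cloud's own tooling), the following Python script checks a candidate whitelist against the rules stated in the precautions and error cases above before it is submitted: it rejects the bare 0.0.0.0 entry, merges addresses into the fewest CIDR blocks so that the 1,000-entry limit is easier to stay under, and flags the two extremes (only 127.0.0.1, which admits no device, and 0.0.0.0/0, which admits every device). The sample entries are constructed.

```python
import ipaddress

MAX_ENTRIES_PER_INSTANCE = 1000          # per-instance limit stated on this page
ALLOW_ALL = ipaddress.IPv4Network("0.0.0.0/0")
LOOPBACK_ONLY = ipaddress.IPv4Network("127.0.0.1/32")


def parse_entry(entry):
    """Parse one whitelist entry into an IPv4 network.

    A bare address becomes a /32 block. A bare "0.0.0.0" is rejected because
    the error case above requires the CIDR form (0.0.0.0/0). Strict parsing
    is used so that a block with host bits set (10.10.20.5/24) is reported
    instead of being silently widened; a /0 prefix therefore only parses as
    the explicit allow-all block.
    """
    entry = entry.strip()
    if entry == "0.0.0.0":
        raise ValueError(f"{entry}: write the allow-all entry as 0.0.0.0/0")
    try:
        return ipaddress.IPv4Network(entry)          # strict: host bits must be zero
    except ValueError:
        try:
            fixed = ipaddress.IPv4Network(entry, strict=False)
        except ValueError as exc:
            raise ValueError(f"{entry}: not an IPv4 address or CIDR block") from exc
        raise ValueError(f"{entry}: host bits set, did you mean {fixed}?")


def check_whitelist(entries):
    """Validate entries, collapse them into the fewest CIDR blocks and report
    the conditions this page calls out. Returns (blocks, warnings, errors)."""
    nets, warnings, errors = [], [], []
    for entry in entries:
        try:
            nets.append(parse_entry(entry))
        except ValueError as exc:
            errors.append(str(exc))
    blocks = list(ipaddress.collapse_addresses(nets))   # merges adjacent and overlapping
    if ALLOW_ALL in blocks:
        warnings.append("0.0.0.0/0 present: every device can reach the instance")
    if blocks == [LOOPBACK_ONLY]:
        warnings.append("only 127.0.0.1: no device can reach the instance")
    if len(blocks) > MAX_ENTRIES_PER_INSTANCE:
        errors.append(f"{len(blocks)} blocks exceed the {MAX_ENTRIES_PER_INSTANCE} limit")
    return [str(b) for b in blocks], warnings, errors


# Constructed sample input; the two /25 halves collapse into 10.10.10.0/24.
SAMPLE_ENTRIES = ["10.10.10.0/25", "10.10.10.128/25", "192.168.1.7",
                  "192.168.1.7", "0.0.0.0", "10.10.20.5/24"]

if __name__ == "__main__":
    for name, value in zip(("blocks", "warnings", "errors"), check_whitelist(SAMPLE_ENTRIES)):
        print(name, value)
```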
Precautions for configuring a security group
- You can configure a security group only when your RDS instance runs MySQL 5.6, 5.7, or 8.0.
- You can configure both IP address whitelists and security groups for your RDS instance. All of the IP addresses in the configured IP address whitelists and all of the ECS instances in the configured security groups can access your RDS instance.
- Up to 10 security groups are allowed per RDS instance.
- Updates to a security group are automatically synchronized to your RDS instance.
- You can add only a security group that has the same network type as your RDS instance. In this case, the network types of your RDS instance and the security group that you want to add must both be VPC or classic network.
Note After you change the network type of your RDS instance, the security group that you have added becomes invalid. You must add the security group with the required network type again.
Configure a security group
What to do next
Create accounts and databases for an ApsaraDB RDS for MySQL instance
FAQ
- Does an IP address whitelist immediately take effect after it is configured?
No, an IP address whitelist requires about 1 minute to take effect after it is configured.
- Why do I find IP address whitelists that I did not create?
If these IP address whitelists contain private IP addresses, they are probably generated by other Alibaba Cloud services, such as DMS and DAS. In this case, these IP address whitelists do not affect your business data, and no further actions are required.
- If I disable Internet access and enable only internal network access, will my RDS instance be exposed to security risks?
Yes, if you disable Internet access and enable only internal network access, your RDS instance will be exposed to security risks. We recommend that you change the network type of your RDS instance to VPC. In this case, only the ECS instances that reside in the same VPC as your RDS instance are granted access after the required IP addresses are added to an IP address whitelist of your RDS instance. For more information, see Change the network type of an ApsaraDB RDS for MySQL instance.
Related operations
Operation | Description |
---|---|
Query IP address whitelists | Queries the IP address whitelists of an ApsaraDB for RDS instance. |
Modify IP address whitelist | Modifies an IP address whitelist of an ApsaraDB for RDS instance. |