This topic describes how to switch an ApsaraDB RDS for PostgreSQL instance from the standard whitelist mode to the enhanced whitelist mode. The enhanced whitelist mode offers higher security than the standard whitelist mode.

Prerequisites

The RDS instance runs one of the following PostgreSQL versions and RDS editions:

  • PostgreSQL 10 on RDS High-availability Edition (with local SSDs)
  • PostgreSQL 9.4 on RDS High-availability Edition (with local SSDs)

Background information

RDS instances support the following two network isolation modes:

  • Standard whitelist

    IP addresses from both the classic network and virtual private clouds (VPCs) can be added to the same IP address whitelist. The standard whitelist mode is less secure than the enhanced whitelist mode. We recommend that you switch to the enhanced whitelist mode.

  • Enhanced whitelist

    IP addresses from the classic network and VPCs must be added to different IP address whitelists. When you create an IP address whitelist, you must specify its network type.

Changes incurred

  • If the RDS instance resides in a VPC, an IP address whitelist of the VPC network type is created. The new IP address whitelist contains all the IP addresses from the original IP address whitelists.
  • If the RDS instance resides in the classic network, an IP address whitelist of the classic network type is created. The new IP address whitelist contains all the IP addresses from the original IP address whitelists.
  • If the RDS instance runs in hybrid access mode, two IP address whitelists are created: one with the VPC network type and the other with the classic network type. Both IP address whitelists contain all the IP addresses from the original IP address whitelists.
Note: After you switch to the enhanced whitelist mode, the configured ECS security groups remain unchanged.

Precautions

  • After you switch to the enhanced whitelist mode, you cannot switch back to the standard whitelist mode.
  • In the enhanced whitelist mode, an IP address whitelist of the classic network type can also be used to allow communication over the Internet. If you want to access the RDS instance from a host over the Internet, you can add the public IP address of the host to an IP address whitelist of the classic network type.

Procedure

  1. Log on to the ApsaraDB for RDS console.
  2. In the left-side navigation pane, click Instances. In the top navigation bar, select the region where the target RDS instance resides.
    Select a region
  3. Find the target instance and click the instance ID.
  4. In the left-side navigation pane, click Data Security.
  5. On the Whitelist Settings tab, click Switch to Enhanced Whitelist (Recommended).
    Switch to the enhanced whitelist mode
  6. In the dialog box that appears, click Confirm.

FAQ

  • My RDS instance uses the enhanced whitelist mode. If I want to access my RDS instance from a host over the Internet, how do I determine the IP address whitelist to which I need to add the public IP address of the host?

    If you want to access your RDS instance from a host over the Internet, you must add the public IP address of the host to an IP address whitelist of the classic network type.

  • Why is the enhanced whitelist mode superior to the standard whitelist mode?

    The enhanced whitelist mode allows you to distinguish between IP addresses from the classic network and those from VPCs. If you add an IP address to an IP address whitelist of the VPC network type, a host with that IP address can access your RDS instance only from within the specified VPC and cannot access it over the Internet. This increases the security of your RDS instance.
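As an added example that is not part of this topic or of Alibaba Cloud's own tooling, the Python script below models the rules from the "Changes incurred" section and the FAQ answer above as an audit you can run after the switch: it checks that each new enhanced-mode whitelist contains every IP address from the original whitelists, and it flags public IP addresses that were placed in a VPC-type whitelist, where they grant no Internet access and likely belong in a classic-type whitelist instead. The whitelist record shape (DBInstanceIPArrayName, WhitelistNetworkType, SecurityIPList), the instance network labels, and all sample addresses are assumptions constructed for this example.

```python
"""Audit helper for RDS IP address whitelists after switching to enhanced mode.

Added example, not Alibaba Cloud code. The record shape below is an
assumption: each whitelist is a dict with a name, a network type and a
comma-separated IP list. All sample data is constructed.
"""
import ipaddress

# Network types of enhanced-mode whitelists, as described in this topic.
VPC = "VPC"
CLASSIC = "Classic"


def parse_ip_list(ip_list: str) -> set:
    """Split a comma-separated IP list into network objects.
    Bare addresses become single-host networks (/32 or /128)."""
    return {
        ipaddress.ip_network(entry.strip(), strict=False)
        for entry in ip_list.split(",")
        if entry.strip()
    }


def expected_enhanced_whitelists(instance_network: str, standard_whitelists: list) -> dict:
    """Model the 'Changes incurred' rules: the switch creates one whitelist per
    network type the instance uses (VPC, classic, or both in hybrid access
    mode), each holding the union of all IPs from the original whitelists."""
    union = set()
    for wl in standard_whitelists:
        union |= parse_ip_list(wl["SecurityIPList"])
    if instance_network == "VPC":
        types = [VPC]
    elif instance_network == "Classic":
        types = [CLASSIC]
    elif instance_network == "Hybrid":
        types = [VPC, CLASSIC]
    else:
        raise ValueError(f"unknown instance network type: {instance_network}")
    return {t: set(union) for t in types}


def verify_migration(instance_network: str, standard_whitelists: list,
                     enhanced_whitelists: list) -> list:
    """Compare the observed enhanced-mode whitelists against the expected
    result. Returns a list of findings; an empty list means no gaps."""
    findings = []
    expected = expected_enhanced_whitelists(instance_network, standard_whitelists)
    actual = {}
    for wl in enhanced_whitelists:
        actual.setdefault(wl["WhitelistNetworkType"], set()).update(
            parse_ip_list(wl["SecurityIPList"]))
    for net_type, ips in expected.items():
        missing = ips - actual.get(net_type, set())
        if missing:
            findings.append(f"{net_type} whitelist is missing {sorted(map(str, missing))}")
    for net_type in actual:
        if net_type not in expected:
            findings.append(f"unexpected whitelist network type {net_type}")
    return findings


def misplaced_public_ips(enhanced_whitelists: list) -> list:
    """Flag public (globally routable) addresses in VPC-type whitelists.
    Per the FAQ, a VPC-type whitelist only grants access from inside the VPC,
    so an Internet host's public IP there is ineffective and belongs in a
    classic-type whitelist. Returns (whitelist name, network) pairs."""
    flagged = []
    for wl in enhanced_whitelists:
        if wl["WhitelistNetworkType"] != VPC:
            continue
        for net in sorted(parse_ip_list(wl["SecurityIPList"]), key=str):
            if net.is_global:
                flagged.append((wl["DBInstanceIPArrayName"], str(net)))
    return flagged


# Constructed sample: an instance in hybrid access mode with two standard-mode
# whitelists, and the whitelists observed after the switch. 47.88.10.20 stands
# in for the public IP of an office host (constructed value).
STANDARD_WHITELISTS = [
    {"DBInstanceIPArrayName": "default", "SecurityIPList": "10.0.1.0/24,10.20.30.40"},
    {"DBInstanceIPArrayName": "office", "SecurityIPList": "47.88.10.20"},
]
ENHANCED_WHITELISTS = [
    {"DBInstanceIPArrayName": "default_vpc", "WhitelistNetworkType": VPC,
     "SecurityIPList": "10.0.1.0/24,10.20.30.40,47.88.10.20"},
    {"DBInstanceIPArrayName": "default_classic", "WhitelistNetworkType": CLASSIC,
     "SecurityIPList": "10.0.1.0/24,10.20.30.40"},
]

if __name__ == "__main__":
    for finding in verify_migration("Hybrid", STANDARD_WHITELISTS, ENHANCED_WHITELISTS):
        print("migration gap:", finding)
    for name, net in misplaced_public_ips(ENHANCED_WHITELISTS):
        print(f"public IP {net} in VPC-type whitelist '{name}' grants no Internet access;"
              " move it to a classic-type whitelist")
```

In the constructed sample the audit reports that the classic-type whitelist is missing the office host's public IP, and that the same public IP sits uselessly in the VPC-type whitelist; together these point to the one fix the FAQ describes, adding the public IP to the classic-type whitelist.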