This topic describes how to switch the standard whitelist mode to the enhanced whitelist mode for an ApsaraDB RDS for PostgreSQL instance. The enhanced whitelist mode offers higher security.

Network isolation modes

RDS instances support the following two network isolation modes:
  • Standard whitelist

    IP addresses from both the classic network and VPCs are added to the same whitelist. The standard whitelist mode is less secure than the enhanced whitelist mode.

  • Enhanced whitelist (recommended)

    IP addresses from the classic network and VPCs are added to different whitelists. When you create an IP address whitelist, you must specify a network type.

Changes after you switch to the enhanced whitelist mode

  • If the network type of the instance is VPC, a new whitelist is created and contains the same IP addresses as the original whitelists. The new whitelist only applies to VPCs.
  • If the network type of the instance is classic network, a new whitelist is created and contains the same IP addresses as the original whitelists. The new IP whitelist only applies to the classic network.
  • If the instance supports access from both the classic network and VPCs, two new whitelists are created, and each contains the same IP addresses as the original whitelists. One whitelist applies to VPCs, and the other applies to the classic network.
Note: Switching to the enhanced whitelist mode does not affect ECS security groups in the whitelist.

Prerequisites

The RDS instance runs one of the following PostgreSQL versions and RDS editions:

  • PostgreSQL 10 on RDS High-availability Edition (with local SSDs)
  • PostgreSQL 9.4 on RDS High-availability Edition (with local SSDs)

Precautions

  • You can switch from the standard whitelist mode to the enhanced whitelist mode, but you cannot switch back.
  • In the enhanced whitelist mode, a classic network whitelist also allows access from the Internet. If you want to access the RDS instance from a host over the Internet, you can add the public IP address of the host to a classic network whitelist.
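
Because the switch cannot be undone and a classic network whitelist also admits Internet traffic, it helps to review the entries before switching. The following added example (not part of the original documentation or of any Alibaba Cloud tooling) models the changes described above and lists the entries that would be Internet-reachable afterwards. The data layout, the function names, and the "vpc"/"classic"/"both" labels are assumptions made for this sketch, and the new whitelist is modelled as the union of all original entries.

```python
import ipaddress

# Constructed sample: standard-mode whitelists as {group name: [entries]}.
STANDARD = {
    "default": ["10.0.12.0/24", "172.16.5.20"],
    "ops": ["203.0.113.7", "0.0.0.0/0"],
}

# RFC 1918 ranges; anything outside them is treated as Internet-routable here.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Which new whitelists are created for each instance network type.
TARGETS = {"vpc": ["vpc"], "classic": ["classic"], "both": ["vpc", "classic"]}


def plan_switch(standard, network_type):
    """Return the whitelists expected after the switch, keyed by network type.

    Each new whitelist holds the same addresses as the original whitelists.
    """
    merged = sorted({ip for ips in standard.values() for ip in ips})
    return {target: list(merged) for target in TARGETS[network_type]}


def internet_exposed(plan):
    """Map each non-private classic-network entry to the address count it admits.

    Only the classic network whitelist is checked, because that is the one
    that also allows access from the Internet. IPv4 entries only.
    """
    exposed = {}
    for entry in plan.get("classic", []):
        net = ipaddress.ip_network(entry, strict=False)
        if not any(net.subnet_of(private) for private in RFC1918):
            exposed[entry] = net.num_addresses
    return exposed


if __name__ == "__main__":
    plan = plan_switch(STANDARD, "both")
    for network, entries in plan.items():
        print(f"{network}: {', '.join(entries)}")
    for entry, count in internet_exposed(plan).items():
        print(f"review before switching: {entry} admits {count} address(es)")
```

Entries reported by `internet_exposed` are candidates to tighten or remove from the classic network whitelist once the switch has created it.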

Procedure

  1. Log on to the ApsaraDB for RDS console.
  2. In the top navigation bar, select the region where the target RDS instance resides.
  3. Find the target RDS instance and click its ID.
  4. In the left-side navigation pane, click Data Security.
  5. On the Whitelist Settings tab, click Switch to Enhanced Whitelist (Recommended).
  6. In the Enable Enhanced Whitelist dialog box, click Confirm.