ApsaraDB RDS: Change the whitelist mode to the enhanced whitelist mode

Last Updated: Oct 25, 2023

This topic describes how to switch an ApsaraDB RDS for PostgreSQL instance from the standard whitelist mode to the enhanced whitelist mode. The enhanced whitelist mode provides higher security than the standard whitelist mode.

Prerequisites

Your RDS instance runs one of the following PostgreSQL versions and RDS editions:

  • PostgreSQL 10 on RDS High-availability Edition with local disks

  • PostgreSQL 9.4 on RDS High-availability Edition with local disks

Background information

RDS instances support the following network isolation modes:

  • Standard whitelist mode

    A standard IP address whitelist can contain IP addresses from both the classic network and VPCs.

  • Enhanced whitelist mode

    An enhanced IP address whitelist can contain IP addresses from either the classic network or VPCs, but not both. When you create an enhanced IP address whitelist, you must specify its network type.

Changes incurred

  • If your RDS instance resides in a VPC, an IP address whitelist of the VPC network type is automatically created. The new IP address whitelist contains all IP addresses and CIDR blocks that are replicated from the original IP address whitelists.

  • If your RDS instance resides in the classic network, an IP address whitelist of the classic network type is automatically created. The new IP address whitelist contains all IP addresses and CIDR blocks that are replicated from the original IP address whitelists.

  • If your RDS instance runs in hybrid access mode, the following two IP address whitelists are created: an IP address whitelist of the VPC network type and an IP address whitelist of the classic network type. Both IP address whitelists contain all IP addresses and CIDR blocks that are replicated from the original IP address whitelists. For more information, see Configure the hybrid access solution for an ApsaraDB RDS for MySQL instance.

Note
  • After you switch to the enhanced whitelist mode, the security group of the Elastic Compute Service (ECS) instance remains unchanged. For more information, see Configure an IP address whitelist for an ApsaraDB RDS for PostgreSQL instance.

  • ApsaraDB RDS requires approximately 3 minutes to switch your RDS instance to the enhanced whitelist mode. Your application remains connected to your RDS instance during the switching period.

Usage notes

  • After you switch to the enhanced whitelist mode, you cannot roll the instance back to the standard whitelist mode.

  • In enhanced whitelist mode, an IP address whitelist of the classic network type can also be used to allow access over the Internet. If you want to access your RDS instance from a host over the Internet, you must add the public IP address of the host to an IP address whitelist of the classic network type.

Procedure

  1. Go to the Instances page. In the top navigation bar, select the region in which the RDS instance resides. Then, find the RDS instance and click the ID of the instance.

  2. In the left-side navigation pane, click Whitelist and SecGroup.

  3. On the Whitelist Settings tab, click Switch to Enhanced Whitelist (Recommended).

  4. In the message that appears, click Confirm.

FAQ

  • My RDS instance runs in enhanced whitelist mode. If I want to access my RDS instance from a host over the Internet, how do I determine the IP address whitelist to which I must add the public IP address of the host?

    If you want to access your RDS instance from a host over the Internet, you must add the public IP address of the host to an IP address whitelist of the classic network type.

  • What advantages does the enhanced whitelist mode have over the standard whitelist mode?

    The enhanced whitelist mode allows you to manage access to your RDS instance based on the network types of the IP addresses. For example, if you add an IP address to an IP address whitelist of the VPC network type, the IP address is granted access to your RDS instance only over the specified VPC. However, the IP address is not granted access to your RDS instance over the Internet. This increases the security of your RDS instance.
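
The following added example (not part of the original documentation) reviews the two whitelists that the switch creates for an instance in hybrid access mode, where both lists start with the same replicated entries, and suggests a follow-up for each entry. It assumes RFC 1918 ranges are internal and everything else is public; the sample entries and the `classify` and `review` helpers are constructed for illustration.

```python
import ipaddress

# Assumption: RFC 1918 ranges are internal, anything else counts as public.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: after the switch, a hybrid-access instance has a VPC-type
# and a classic-type whitelist that both hold the same replicated entries.
REPLICATED = ["10.0.8.0/24", "192.168.1.15", "203.0.113.7", "0.0.0.0/0"]
SAMPLE = {"vpc": list(REPLICATED), "classic": list(REPLICATED)}


def classify(entry):
    """Label one whitelist entry as 'any', 'internal' or 'public'."""
    net = ipaddress.ip_network(entry.strip(), strict=False)
    if net.prefixlen == 0:
        return "any"
    if net.version == 4 and any(net.subnet_of(r) for r in RFC1918):
        return "internal"
    return "public"


def review(whitelists):
    """Map (network_type, entry) to a suggested follow-up after the switch."""
    actions = {}
    for net_type, entries in whitelists.items():
        for entry in entries:
            kind = classify(entry)
            if kind == "any":
                action = "narrow: matches every address"
            elif kind == "public" and net_type == "vpc":
                # Per the FAQ, a VPC-type entry grants no Internet access.
                action = "review: public address in VPC-type whitelist"
            elif kind == "public":
                action = "confirm: grants access over the Internet"
            else:
                action = "confirm: client connects over " + net_type
            actions[(net_type, entry)] = action
    return actions


if __name__ == "__main__":
    for (net_type, entry), action in review(SAMPLE).items():
        print(f"{net_type:8}{entry:16}{action}")
```

Because the switch cannot be rolled back, pruning each whitelist down to the entries that belong to its network type is what delivers the isolation described above.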