After you create an RDS instance, you must configure a whitelist to allow other instances, hosts, or applications to access the instance. The default whitelist contains only the IP address 127.0.0.1, which indicates that no other IP addresses are allowed to access the RDS instance.

To configure a whitelist, you can perform the following operations:
  • Configure a whitelist: adds IP addresses to the whitelist to allow them to access the RDS instance.
  • Configure a security group: adds a security group for the RDS instance to allow ECS instances in the group to access the RDS instance.
    Note Only instances of PostgreSQL 10 Cluster Edition (Local SSD), PostgreSQL 10 Basic Edition, and PostgreSQL 9.4 support security groups.

A whitelist can be used to improve the security of your RDS instances. We recommend that you update the whitelist on a regular basis. Configuring whitelists does not affect the running of the RDS instance.

For PostgreSQL 11 Cluster Edition (Standard SSD) and PostgreSQL 10 Cluster Edition (Standard SSD)

Notes

The default whitelist can only be edited or cleared, but cannot be deleted.

Procedure

  1. Log on to the ApsaraDB RDS for PostgreSQL console.
  2. In the upper-left corner of the page, select the region where the instance is located.

  3. Find the instance and click the instance ID.
  4. In the left-side navigation pane, choose Data Security > Whitelist Configurations.
  5. On the Whitelist Configurations page, click the More icon in the Actions column of the default whitelist and choose Edit, as shown in the following figure.
    Note You can also click Create Whitelist to create a new whitelist.


  6. In the Edit Whitelist dialog box that appears, specify the IP addresses or CIDR blocks used to access the instance, and then click OK. The following section describes the rules:
    • If you specify the CIDR block 10.10.10.0/24, any IP addresses in the 10.10.10.X format are allowed to access the RDS instance.
    • If you want to add multiple IP addresses or CIDR blocks, separate each entry with a comma (without spaces). For example, 192.168.0.1,172.16.213.9.
    • After you select Load Internal IP, the IP addresses of all the ECS instances under your Alibaba Cloud account are displayed. You can select the required IP addresses to add into the whitelist.
    Note If you add a new IP address or CIDR block to the default whitelist, the IP address 127.0.0.1 is deleted by default.


For PostgreSQL 10 Cluster Edition (Local SSD), PostgreSQL 10 Basic Edition, and PostgreSQL 9.4

Notes

  • The default whitelist can only be edited or cleared, but cannot be deleted.
  • If you log on to DMS without adding your IP address to the whitelist, DMS will prompt you to add the address. By default, DMS will also create a whitelist that contains your IP address.
  • Before you configure whitelists, check the network isolation mode of the instance and follow the procedure that corresponds to that mode.



Configure a whitelist in the enhanced whitelist mode

  1. Log on to the ApsaraDB for RDS console.
  2. In the upper-left corner of the page, select the region where the instance is located.

  3. Find the instance and click the instance ID.
  4. In the left-side navigation pane, click Data Security.
  5. On the Whitelist Settings tab, select the whitelist group to be modified as required. The following section describes the detailed steps:
    • If you want to access an RDS instance from an ECS instance located in the same VPC, click Edit corresponding to the default VPC whitelist group.
    • If you want to access an RDS instance from an ECS instance located in the classic network, click Edit corresponding to the default classic-network whitelist group.
    • If you want to access an RDS instance from an instance or host located in a public network, click Edit corresponding to the default classic-network whitelist group.
    Note
    • If an ECS instance connects to an RDS instance by using the internal endpoint of a VPC or classic network, you must make sure that the two instances are in the same region. The two instances must also have the same network type. Otherwise, the connection fails.
    • You can also click Create Whitelist to create a new whitelist. In the Create Whitelist dialog box that appears, select VPC or Classic Network/Public IP.


  6. In the dialog box that appears, specify the IP addresses or CIDR blocks used to access the instance, and then click OK. The following section describes the rules:
    • If you specify the CIDR block 10.10.10.0/24, any IP addresses in the 10.10.10.X format are allowed to access the RDS instance.
    • If you want to add multiple IP addresses or CIDR blocks, separate each entry with a comma (without spaces). For example, 192.168.0.1,172.16.213.9.
    • After you select Load Internal IP, the IP addresses of all the ECS instances under your Alibaba Cloud account are displayed. You can select the required IP addresses to add into the whitelist.
    Note If you add a new IP address or CIDR block to the default whitelist, the IP address 127.0.0.1 is deleted by default.


Configure a whitelist in the standard whitelist mode

  1. Log on to the ApsaraDB for RDS console.
  2. In the upper-left corner of the page, select the region where the instance is located.

  3. Find the instance and click the instance ID.
  4. In the left-side navigation pane, click Data Security.
  5. On the Whitelist Settings tab, click Edit corresponding to the default whitelist, as shown in the following figure.
    Note You can also click Create Whitelist to create a new whitelist.


  6. In the Edit Whitelist dialog box that appears, enter the IP addresses or CIDR blocks used to access the instance, and then click OK. The following section describes the rules:
    • If you specify the CIDR block 10.10.10.0/24, any IP addresses in the 10.10.10.X format are allowed to access the RDS instance.
    • If you want to add multiple IP addresses or CIDR blocks, separate each entry with a comma (without spaces). For example, 192.168.0.1,172.16.213.9.
    • After you select Load Internal IP, the IP addresses of all the ECS instances under your Alibaba Cloud account are displayed. You can select the required IP addresses to add into the whitelist.
    Note If you add a new IP address or CIDR block to the default whitelist, the IP address 127.0.0.1 is deleted by default.


Common whitelist configuration errors

  • The default whitelist contains only the IP address 127.0.0.1, which indicates that no other IP addresses are allowed to access the RDS instance. Therefore, you must add the IP addresses of the instances, hosts, or applications into the whitelist to access the RDS instance.
  • The IP address in the whitelist is set to 0.0.0.0, while the correct setting is 0.0.0.0/0.
    Note 0.0.0.0/0 indicates that all IP addresses are allowed to access the RDS instance. Use caution when adding this IP CIDR block.
  • The instance has enabled the enhanced whitelist mode, but the IP addresses are added into the incorrect group. To avoid this issue, check the IP addresses as follows:
    • If the network type is VPC, the internal IP address of the ECS instance is added to the default VPC whitelist group.
    • If the network type is a classic network, the internal IP address of the ECS instance is added to the default classic-network whitelist group.
    • If you connect to an RDS internal endpoint through ClassicLink, make sure that the internal IP address of the ECS instance is added to the default VPC whitelist group.
    • If you connect to an RDS instance through a public network, the public IP address of the instance or host must be added to the default classic-network whitelist group.
  • The public IP address of the specified instance, host, or application is invalid. The IP address you entered may not be the actual public IP address of the instance, host, or application. The reasons are as follows:
    • The public IP address may be a dynamic IP address.
    • The tools or websites used to query the public IP addresses provide the incorrect IP addresses.
    For more information about how to fix this issue, see Locate the public IP address for ApsaraDB RDS for PostgreSQL and ApsaraDB RDS for PPAS instances.
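The whitelist entry rules given in the procedures above (IP addresses or CIDR blocks, comma-separated without spaces, 127.0.0.1 as the "nobody" default) and the common errors listed here (0.0.0.0 instead of 0.0.0.0/0, 0.0.0.0/0 opening the instance to everyone) can be checked before a value is pasted into the console. The following Python script is an added example written for this page; it is not Alibaba Cloud code and does not call any Alibaba Cloud API. It parses a whitelist string, reports the mistakes named on this page, reports whether a given client address would be admitted, and produces a normalized comma-separated string in the format the console accepts. The function names and the wording of the findings are my own.

```python
"""Validate an ApsaraDB RDS whitelist string and check which clients it admits.

Added example for this page (not Alibaba Cloud's own code). It models the
rules stated in the procedures: entries are IPv4 addresses or CIDR blocks,
separated by commas with no spaces; 0.0.0.0 is a common mistake for 0.0.0.0/0;
0.0.0.0/0 admits every address; a list holding only 127.0.0.1 admits nobody.
"""
import ipaddress
from typing import List, Tuple


def parse_whitelist(text: str) -> Tuple[List[ipaddress.IPv4Network], List[str]]:
    """Parse a whitelist string into networks plus a list of human-readable findings."""
    networks: List[ipaddress.IPv4Network] = []
    problems: List[str] = []

    if " " in text:
        # The console expects "192.168.0.1,172.16.213.9", not "192.168.0.1, 172.16.213.9".
        problems.append("whitespace found: separate entries with commas only, no spaces")

    for raw in text.split(","):
        entry = raw.strip()
        if not entry:
            problems.append("empty entry (stray comma)")
            continue
        if entry == "0.0.0.0":
            # Error from the "Common whitelist configuration errors" list.
            problems.append("0.0.0.0 is not a CIDR block; the intended setting is 0.0.0.0/0")
            continue
        try:
            net = ipaddress.IPv4Network(entry, strict=False)
        except ValueError:
            problems.append(f"invalid entry: {entry!r}")
            continue
        if net.prefixlen == 0:
            problems.append("0.0.0.0/0 admits every IP address; this disables the whitelist")
        networks.append(net)
    return networks, problems


def admits(networks: List[ipaddress.IPv4Network], client_ip: str) -> bool:
    """True if client_ip falls inside any whitelisted address or CIDR block."""
    addr = ipaddress.IPv4Address(client_ip)
    return any(addr in net for net in networks)


def is_default_only(networks: List[ipaddress.IPv4Network]) -> bool:
    """True when the list is still the default 127.0.0.1, so no remote client can connect."""
    return [str(n) for n in networks] == ["127.0.0.1/32"]


def normalize(networks: List[ipaddress.IPv4Network]) -> str:
    """Render the list in the console's format: hosts as plain IPs, blocks as CIDR, no spaces."""
    parts = []
    for net in networks:
        parts.append(str(net.network_address) if net.prefixlen == 32 else str(net))
    return ",".join(parts)


if __name__ == "__main__":
    # Constructed sample values, taken from the formats shown on this page.
    for sample in ["127.0.0.1", "10.10.10.0/24,192.168.0.1", "0.0.0.0", "0.0.0.0/0",
                   "192.168.0.1, 172.16.213.9"]:
        nets, issues = parse_whitelist(sample)
        print(f"{sample!r}: normalized={normalize(nets)!r} default_only={is_default_only(nets)}")
        print(f"  admits 10.10.10.77: {admits(nets, '10.10.10.77')}")
        for issue in issues:
            print(f"  ! {issue}")
```

Run the script as-is to see the findings for each sample; in practice, feed it the string you are about to enter in the Edit Whitelist dialog box and the public or internal IP address of the client that must connect.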

Configure a security group

A security group is a virtual firewall that is used to control the inbound and outbound traffic of ECS instances in the security group. After a security group is added to the RDS whitelist, the ECS instances in the security group can access the RDS instance.

For more information about security groups, see Create a security group.

Notes

  • Security groups are available in the following three editions: PostgreSQL 10 Cluster Edition (Local SSD), PostgreSQL 10 Basic Edition, and PostgreSQL 9.4.
  • Security groups are available in the following regions: China (Hangzhou), China (Qingdao), and Hong Kong.
  • You can configure both an IP whitelist and an ECS security group for the same instance. The IP addresses in the whitelists and the ECS instances in the security group can all access the RDS instance.
  • You can only add one security group to an RDS instance.
  • Changes to the security group are automatically synchronized to the whitelist.

Procedure

  1. Log on to the ApsaraDB for RDS console.
  2. In the upper-left corner of the page, select the region where the instance is located.

  3. Find the instance and click the instance ID.
  4. In the left-side navigation pane, click Data Security.
  5. On the Whitelist Settings tab, click Add Security Group.
    Note Security groups with a VPC tag are security groups that contain ECS instances within VPCs.
  6. Select the security group to be added and click OK.

API reference

Operation                      Description
DescribeDBInstanceIPArrayList  You can call this operation to query the IP whitelist of an RDS instance.
ModifySecurityIps              You can call this operation to modify the IP whitelist of an RDS instance.