This topic describes how to configure a whitelist for an RDS MariaDB instance.
Background information
ApsaraDB for RDS provides two types of whitelists:
- IP address whitelist
  - Standard whitelist mode
  - Enhanced whitelist mode
  Note ApsaraDB RDS for MariaDB TX instances can be deployed only in VPCs.
- Security group
The configuration of IP address whitelists and security groups provides high security for your RDS instance and does not interrupt the operation of your RDS instance. We recommend that you update the IP address whitelists and security groups configured for your RDS instance on a regular basis.
Precautions for configuring an IP address whitelist
- You can modify or clear the IP address whitelist labeled default. However, you cannot delete this IP address whitelist.
- Up to 200 IP address whitelists are allowed per RDS instance.
- Up to 1,000 IP addresses and Classless Inter-Domain Routing (CIDR) blocks are allowed per RDS instance. If you want to add a large number of IP addresses, we recommend that you combine these IP addresses into CIDR blocks, such as 10.10.10.0/24. The length of the IP address prefix ranges from 1 bit to 32 bits. For example, /24 indicates that the length of the prefix is 24 bits. For more information, see CIDR block FAQ.
- When you access an Alibaba Cloud service, the service automatically creates an IP address whitelist that contains the required IP address on your RDS instance. For example, Alibaba Cloud Data Management (DMS) creates an IP address whitelist named ali_dms_group, and Alibaba Cloud Database Autonomy Service (DAS) creates an IP address whitelist named hdm_security_ips. Do not modify or delete these IP address whitelists. If you modify or delete these IP address whitelists, the related services cannot access your RDS instance.
Note Do not add your own IP address to these IP address whitelists. If you add your own IP address to these IP address whitelists, your IP address will be overwritten by the updated IP addresses of the related services. If your IP address is overwritten, your workloads are interrupted.
Configure an IP address whitelist in enhanced whitelist mode
Configure an IP address whitelist in standard whitelist mode
Common whitelist configuration errors
- Your RDS instance has only one IP address whitelist, and that whitelist contains only the default IP address 127.0.0.1.
The default IP address 127.0.0.1 indicates that no devices can access your RDS instance. You must add the IP addresses of the devices that require access to your RDS instance to the IP address whitelist.
- An IP address whitelist contains only one entry, 0.0.0.0.
The entry 0.0.0.0 is invalid. An IP address whitelist entry must be written in CIDR notation, such as 0.0.0.0/0.
Note The 0.0.0.0/0 entry indicates that all devices can access your RDS instance. Exercise caution when you specify this entry.
- When you configure an IP address whitelist in enhanced whitelist mode for your RDS instance, the system reports IP address errors.
For more information, see Switch to the enhanced whitelist mode for an RDS instance.
- If your RDS instance resides in a VPC and is connected by using its internal endpoint, make sure that the private IP address of your ECS instance is added to the IP address whitelist labeled default VPC.
- If your RDS instance resides in the classic network and is connected by using its internal endpoint, make sure that the private IP address of your ECS instance is added to the IP address whitelist labeled default Classic Network.
- If your RDS instance resides in a VPC and is connected by using ClassicLink, make sure that the private IP address of your ECS instance is added to the IP address whitelist labeled default VPC.
- If your RDS instance is connected over the Internet, make sure that the public IP address of your ECS instance is added to the IP address whitelist labeled default Classic Network. (The IP address whitelist labeled default VPC cannot be used to control access over the Internet.)
- The public IP addresses that you add to an IP address whitelist are not the actual egress IP addresses.
This problem may occur due to the following reasons:
- Public IP addresses dynamically change.
- The tool or website that you use to query public IP addresses returns inaccurate results.
For more information, see Determine the public IP address of an external server or client for an ApsaraDB RDS for MySQL or MariaDB instance.
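The limits and common errors above can be checked before a whitelist is applied. The following is an added example, not code from the ApsaraDB documentation: it uses Python's ipaddress module to audit a set of whitelists (name to entries) for the 127.0.0.1-only case, bare 0.0.0.0, 0.0.0.0/0, malformed CIDR blocks and the per-instance limits, and shows how to combine single addresses into CIDR blocks as the page recommends. The whitelist contents are constructed.

```python
"""Audit ApsaraDB RDS whitelist entries for the pitfalls described on this page.

Added example with constructed data; the limits (200 whitelists, 1,000 entries)
are the ones the page states.
"""
from __future__ import annotations

import ipaddress

MAX_WHITELISTS = 200   # per RDS instance
MAX_ENTRIES = 1000     # IP addresses plus CIDR blocks, per RDS instance


def check_entry(entry: str) -> str | None:
    """Return a finding for one whitelist entry, or None if the entry looks fine."""
    if entry == "0.0.0.0":
        return "bare 0.0.0.0 is invalid; use the CIDR form 0.0.0.0/0"
    try:
        # strict=True rejects blocks with host bits set, e.g. 10.10.10.1/24
        net = ipaddress.ip_network(entry, strict=True)
    except ValueError:
        return f"{entry}: not a valid IPv4 address or CIDR block (check host bits and prefix 1-32)"
    if net.version != 4:
        return f"{entry}: only IPv4 entries are checked here"
    if net.prefixlen == 0:
        return f"{entry}: allows every device on the network to connect; use with caution"
    return None


def audit_whitelists(whitelists: dict[str, list[str]]) -> list[str]:
    """Return human-readable findings for a set of whitelists (name -> entries)."""
    findings: list[str] = []
    if len(whitelists) > MAX_WHITELISTS:
        findings.append(f"{len(whitelists)} whitelists exceeds the limit of {MAX_WHITELISTS}")
    total = sum(len(v) for v in whitelists.values())
    if total > MAX_ENTRIES:
        findings.append(f"{total} entries exceeds the limit of {MAX_ENTRIES}")
    # Only the default 127.0.0.1 entry anywhere means no device can connect at all.
    if whitelists and all(entries == ["127.0.0.1"] for entries in whitelists.values()):
        findings.append("only 127.0.0.1 is configured: no device can access the instance")
    for name, entries in whitelists.items():
        for entry in entries:
            problem = check_entry(entry)
            if problem:
                findings.append(f"{name}: {problem}")
    return findings


def collapse_to_cidr(addresses: list[str]) -> list[str]:
    """Merge many single IP addresses into the fewest covering CIDR blocks."""
    nets = [ipaddress.ip_network(a) for a in addresses]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]
```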
Precautions for configuring a security group
- You can configure both IP address whitelists and security groups for your RDS instance. All of the IP addresses in the configured IP address whitelists and all of the ECS instances in the configured security groups can access your RDS instance.
- Up to 10 security groups are allowed per RDS instance.
- Updates to a security group are automatically synchronized to your RDS instance.
- You can add only a security group that has the same network type as your RDS instance. In this case, the network types of your RDS instance and the security group that you want to add must both be VPC or classic network.
Note After you change the network type of your RDS instance, the security group that you have added becomes invalid. You must add the security group with the required network type again.
Configure a security group
FAQ
- Does an IP address whitelist immediately take effect after it is configured?
No, an IP address whitelist requires about 1 minute to take effect after it is configured.
- Why do I find IP address whitelists that I did not create?
If these IP address whitelists contain private IP addresses, they are probably generated by other Alibaba Cloud services, such as DMS and DAS. In this case, these IP address whitelists do not affect your business data, and no further actions are required.
- If I disable Internet access and enable only internal network access, will my RDS instance be exposed to security risks?
Yes. If you disable Internet access and enable only internal network access, your RDS instance is still exposed to security risks. We recommend that you change the network type of your RDS instance to VPC. In this case, only the ECS instances that reside in the same VPC as your RDS instance are granted access, and only after their IP addresses are added to an IP address whitelist of your RDS instance. For more information, see Change the network type of an ApsaraDB RDS for MySQL instance.
Related operations
Operation | Description |
---|---|
Query IP address whitelists | Queries the IP address whitelists of an ApsaraDB for RDS instance. |
Modify IP address whitelist | Modifies an IP address whitelist of an ApsaraDB for RDS instance. |