This topic describes how to configure a whitelist for an RDS MariaDB instance.

After you create an RDS instance, you must configure a whitelist to allow external devices to access the instance. The default whitelist contains only the default IP address 127.0.0.1. Before you add new IP addresses to the whitelist, no devices are allowed to access the RDS instance.

RDS PostgreSQL provides two types of whitelists::
  • IP address whitelist: Add IP addresses to the whitelist to allow access to the RDS instance.
  • ECS security group: Add an ECS security group for the RDS instance to allow ECS instances in the group to access the RDS instance.

A whitelist can be used to improve the security of your RDS instance. We recommend that you update the whitelist on a regular basis. Configuring a whitelist does not affect the normal operation of your RDS instance.

Configure an IP address whitelist

Precautions

  • The default IP whitelist can only be edited or cleared, but cannot be deleted.
  • Each IP whitelist can have up to 1,000 IP addresses or CIDR blocks. If you want to add a large number of IP addresses, we recommend that you group these IP addresses into CIDR blocks, for example, 192.168.1.0/24.
  • Before configuring a whitelist, you must confirm which network isolation mode your RDS instance is in, and then perform operations accordingly.Whitelist SettingsWhitelist Settings 2
    Note The intranet where an RDS MariaDB instance is located must be a VPC.

Configure an enhanced whitelist

  1. In the upper-left corner, select the region where the target instance is located.选择地域
  2. Find the target instance and click its ID.
  3. In the left-side navigation pane, click Data Security.
  4. On the Whitelist Settings tab page, follow these instructions based on your usage scenario:
    • Accessing an RDS instance from an ECS instance located within a VPC: Click Edit next to the default VPC whitelist.
    • Accessing an RDS instance from an ECS instance located within a classic network: RDS MariaDB TX instances do not support classic networks. Therefore, you can apply for an Internet IP address for your RDS MariaDB TX instance and then use the Internet IP address to connect to your RDS MariaDB TX instance.
    • Accessing an RDS instance from an instance or host located in a public network: Click Edit next to the default Classic Network whitelist.
    Note
    • If the ECS instance accesses the RDS instance by using the VPC, you must make sure that the two instances are in the same region and have the same network type. Otherwise, the connection fails.
    • You can also click Create Whitelist. In the displayed Create Whitelist dialog box, select a network type, VPC or Classic Network/Public IP.
    Whitelist Settings 3
  5. In the displayed Edit Whitelist dialog box, specify IP addresses or CIDR blocks used to access the instance, and then click OK.
    • If you specify the CIDR block 10.10.10.0/24, any IP addresses in the 10.10.10.X format are allowed to access the RDS instance.
    • To add multiple IP addresses or CIDR blocks, separate each entry with a comma (without spaces), for example, 192.168.0.1,172.16.213.9.
    • After you click Add Internal IP Addresses of ECS Instances, the IP addresses of all the ECS instances under your Alibaba Cloud account are displayed. You can quickly add internal IP addresses to the whitelist.
    Note After you add an IP address or CIDR block to the default whitelist, the default address 127.0.0.1 is automatically deleted.
    Edit Whitelist 2

Configure a standard whitelist

  1. Log on to the RDS console.
  2. In the upper-left corner, select the region where the target instance is located.选择地域
  3. Find the target instance and click its ID.
  4. In the left-side navigation pane, click Data Security.
  5. On the Whitelist Settings tab page, click Edit corresponding to the default whitelist.
    Note You can also click Create Whitelist to create a whitelist.
    Whitelist Settings 4
  6. In the displayed Edit Whitelist dialog box, specify the IP addresses or CIDR blocks used to access the instance, and then click OK.
    • If you specify the CIDR block 10.10.10.0/24, any IP addresses in the 10.10.10.X format are allowed to access the RDS instance.
    • To add multiple IP addresses or CIDR blocks, separate each entry with a comma (without spaces), for example, 192.168.0.1,172.16.213.9.
    • After you click Add Internal IP Addresses of ECS Instances, the IP addresses of all the ECS instances under your Alibaba Cloud account are displayed. You can select the internal IP addresses to add to the whitelist.
    Note After you add a new IP address or CIDR block to the default whitelist, the default address 127.0.0.1 is automatically deleted.
    Edit Whitelist

Common errors

  • The default address 127.0.0.1 in Data Security > Whitelist Settings indicates that no device is allowed to access the RDS instance. Therefore, you must add IP addresses of devices to the whitelist to allow access to the instance.
  • The IP address in the whitelist is set to 0.0.0.0, but the correct format is 0.0.0.0/0.
    Note 0.0.0.0/0 indicates that all devices are allowed to access the RDS instance. Exercise caution when using this IP address.
  • If you enable the enhanced whitelist mode, you must make sure that:
    • If the network type is VPC, the internal IP address of the ECS instance is added to the whitelist whose network isolation mode is default VPC.
    • If you are connecting to the RDS instance through ClassicLink, the internal IP address of the ECS instance must be added to the default VPC whitelist.
    • If you are connecting to the RDS instance through a public network, the public IP address of the device must be added to the whitelist whose network isolation mode is default Classic Network .
  • The Internet IP address that you add to the whitelist may not be the real egress IP address. The reasons are as follows:
    • The Internet IP address is not fixed and may dynamically change.
    • The tools or websites used to query the Internet IP addresses provide wrong IP addresses.

    For more information, see Determine the public IP address of an external server or client for an apsaradb RDS for MySQL or MariaDB instance

Configure an ECS security group

An ECS security group is a virtual firewall that is used to control the inbound and outbound traffic of ECS instances in a security group. After an ECS security group is added to the RDS whitelist, the ECS instances in the security group can access the RDS instance.

For more information, see Create a security group.

Precautions

  • Regions that support ECS security groups are China (Hangzhou), China (Qingdao), and China(Hong Kong).
  • You can configure both an IP address whitelist and an ECS security group. The IP addresses in the whitelist and the ECS instances in the security group can all access the RDS instance.
  • You can only add one ECS security group to an RDS instance.
  • Updates to the ECS security group are automatically synchronized to the IP address whitelist in real time.

Procedure

  1. Log on to the RDS console.
  2. In the upper-left corner, select the region where the target instance is located.选择地域
  3. Find the target instance and click its ID.
  4. In the left-side navigation pane, click Data Security.
  5. On the Whitelist Settings tab page, click Add Security Group.
  6. Select the security group to be added and click OK.
    Note Security groups with a VPC tag are security groups that are within VPCs.

APIs

API Description
DescribeDBInstanceIPArrayList Used to view the IP address whitelist of an RDS instance.
ModifySecurityIps Used to modify the IP address whitelist of an RDS instance.