After you create an ApsaraDB for HBase instance, you must configure IP address allowlists for the instance or associate the ApsaraDB for HBase instance with security groups that are created in Elastic Compute Service (ECS). This way, only the clients that are allowed by the allowlists or security groups can connect to the ApsaraDB for HBase instance.

Background information

To ensure database security, a newly created ApsaraDB for HBase instance is configured to deny all access requests.
  • You cannot use open source components, such as the Apache HBase, Ganglia, and Hadoop Distributed File System (HDFS) components, to perform operations on the instance.
  • You cannot read data from or write data to the instance.

Before you access a new ApsaraDB for HBase instance, you must add the IP addresses of your clients to the IP address allowlists of the instance or associate the ApsaraDB for HBase instance with ECS security groups.

You can also configure both IP address allowlists and security groups for an ApsaraDB for HBase instance. All IP addresses in the IP address allowlists and all ECS instances that are allowed in the associated security groups can connect to the ApsaraDB for HBase instance.

Configure an allowlist

  1. Log on to the ApsaraDB for HBase console.
  2. In the top navigation bar, select the region where your ApsaraDB for HBase instance is deployed.
  3. On the Clusters page, find the instance and click the ID of the instance.
  4. In the left-side navigation pane of the page that appears, click Access Control.
  5. On the Whitelist Setting tab, click Modify Whitelist. Access control
  6. In the Modify Whitelist dialog box that appears, enter the IP addresses or CIDR blocks for which you want to enable access to the instance and click OK.
    Note
    • The default allowlist contains only 127.0.0.1. If the default allowlist is used, no clients are allowed to access the instance.
    • If the allowlist is set to 0.0.0.0/0 or empty, access requests from all IP addresses are allowed. To ensure database security, you are not allowed to enter 0.0.0.0 or 0.0.0.0/0 in the Whitelist field.
    • If you want to access the instance over the Internet, enter the public IP addresses of your clients. If you want to use an on-premises machine to access the instance, you must obtain the public IP address of the on-premises machine first.

Associate security groups with an instance

A security group is used as a virtual firewall to control the inbound and outbound traffic for specific ECS instances. After a security group is associated with an ApsaraDB for HBase instance, the ECS instances that are allowed in the security group can access the ApsaraDB for HBase instance.

Note
  • Only ApsaraDB for HBase instances of the Standard Edition and Performance-enhanced Edition support security groups.
  • Before you associate a security group with an ApsaraDB for HBase instance, make sure that the ECS instances that are allowed in the security group and the ApsaraDB for HBase instance are deployed in the same VPC.
  • You can associate up to three security groups with an ApsaraDB for HBase instance.
  1. Log on to the ApsaraDB for HBase console.
  2. In the top navigation bar, select the region where your ApsaraDB for HBase instance is deployed.
  3. On the Clusters page, find the instance and click the ID of the instance.
  4. In the left-side navigation pane of the page that appears, click Access Control.
  5. Click the Security Group tab and click Add Security Group.
  6. In the Join Security Group dialog box, select the security groups that you want to associate with the ApsaraDB for HBase instance and click OK.