This topic describes how to configure an IP address whitelist for an ApsaraDB RDS for PostgreSQL instance. An IP address whitelist allows only the specified devices to access your RDS instance.
For more information about how to configure an IP address whitelist for an RDS instance that runs a different database engine, see the following topics:
Scenarios
An IP address whitelist consists of IP addresses and CIDR blocks that are granted access to your RDS instance. You can configure IP address whitelists to provide high-level access control and security protection for your RDS instance. We recommend that you review the configured IP address whitelists on a regular basis and remove the addresses of devices that no longer need access.
You must configure IP address whitelists in the following scenarios:
- Scenario 1
After your RDS instance is created, you must add the IP addresses of specific devices to an IP address whitelist of your RDS instance. This way, these devices can access your RDS instance.
- Scenario 2
Your RDS instance cannot be connected to. In this case, check the IP address whitelists of your RDS instance and correct the whitelists that are incorrectly configured, for example, a whitelist that does not contain the IP address from which the client actually connects.
The following table provides the IP address whitelist configurations in various connection scenarios.
Note A virtual private cloud (VPC) is an isolated network on Alibaba Cloud. VPCs provide higher security than the classic network. For more information, see What is a VPC?
Connection scenario | Network type | IP address whitelist configuration |
---|---|---|
Connect an Elastic Compute Service (ECS) instance to your RDS instance | The ECS instance and your RDS instance reside in the same VPC. This is the recommended connection scenario. | Add the private IP address of the ECS instance to an IP address whitelist of your RDS instance. |
Connect an ECS instance to your RDS instance | The ECS instance and your RDS instance reside in different VPCs. | Instances in different VPCs cannot communicate with each other over internal networks. 1. Migrate your RDS instance to the VPC where the ECS instance resides (see the note on regions below the table). 2. Add the private IP address of the ECS instance to an IP address whitelist of your RDS instance. |
Connect an ECS instance to your RDS instance | The ECS instance and your RDS instance both reside in the classic network. | Add the private IP address of the ECS instance to an IP address whitelist of your RDS instance. |
Connect an ECS instance to your RDS instance | The ECS instance resides in the classic network and your RDS instance resides in a VPC. | Instances of different network types cannot communicate with each other over internal networks. 1. Migrate the ECS instance from the classic network to the VPC where your RDS instance resides. For more information, see Migrate an ECS instance from the classic network to a VPC (see also the note on regions below the table). 2. Add the private IP address of the ECS instance to an IP address whitelist of your RDS instance. |
Connect an ECS instance to your RDS instance | The ECS instance resides in a VPC and your RDS instance resides in the classic network. | Instances of different network types cannot communicate with each other over internal networks. 1. Migrate your RDS instance from the classic network to the VPC where the ECS instance resides (see the note on regions below the table). 2. Add the private IP address of the ECS instance to an IP address whitelist of your RDS instance. |
Connect a self-managed host outside the cloud to your RDS instance | None. | Add the public IP address of the self-managed host to an IP address whitelist of your RDS instance. The applications that run on the self-managed host connect to the public endpoint of your RDS instance. |
Note The migration steps in the table are supported only when the ECS instance and your RDS instance reside in the same region. If the ECS instance and your RDS instance reside in different regions, we recommend that you use Data Transmission Service (DTS) to migrate your RDS instance to the region where the ECS instance resides. This way, you can ensure the stability of your database service.
Note The public IP address of a self-managed host is the address from which its traffic leaves your network; if the host sits behind NAT, this is the egress address of the NAT device, not the host's local address. For more information about how to obtain the public IP address of the self-managed host, see Why am I unable to connect to my ApsaraDB RDS for MySQL or ApsaraDB RDS for MariaDB instance from a local server over the Internet?
Precautions
- A maximum of 50 IP address whitelists can be configured for each RDS instance.
- When you configure IP address whitelists, the workloads on your RDS instance are not interrupted.
- The IP address whitelist that is labeled default can be cleared but cannot be deleted.
- Do not modify or delete the IP address whitelists that are generated by other Alibaba Cloud services. If you delete the IP address whitelist that is generated by an Alibaba Cloud service, the Alibaba Cloud service cannot connect to your RDS instance. For example, the IP address whitelist labeled ali_dms_group is generated by Data Management (DMS), and the IP address whitelist labeled hdm_security_ips is generated by Database Autonomy Service (DAS).
- By default, the IP address whitelist labeled default contains only the 127.0.0.1 IP address. This means that no device is granted access to your RDS instance until you add addresses. Conversely, the entry 0.0.0.0/0 grants access from every IPv4 address; do not use it for a production instance.
Configure a standard IP address whitelist
In standard whitelist mode, ApsaraDB RDS does not distinguish between the classic network and VPCs. The IP addresses or CIDR blocks in a standard IP address whitelist are granted access to your RDS instance over both the classic network and VPCs.
Configure an enhanced IP address whitelist
In enhanced whitelist mode, ApsaraDB RDS distinguishes between the classic network and VPCs. You must specify the network isolation mode of each enhanced IP address whitelist. For example, if the Network Isolation Mode parameter is set to Classic Network for an IP address whitelist, the IP addresses in the IP address whitelist are granted access to your RDS instance only over the classic network and you cannot connect to your RDS instance over VPCs from these IP addresses.
The enhanced whitelist mode is supported only for RDS instances that are equipped with local SSDs. If your RDS instance runs in enhanced whitelist mode, you can perform the following procedure to configure an enhanced IP address whitelist. For more information about how to switch the network isolation mode of an RDS instance from the standard whitelist mode to the enhanced whitelist mode, see Switch an ApsaraDB RDS for PostgreSQL instance to the enhanced whitelist mode.
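The checks that the Scenarios, Precautions and whitelist-mode sections describe, as an added example that is not part of this page and not Alibaba Cloud SDK code: a Python script that reads a constructed response shaped like the Items.DBInstanceIPArray part of a DescribeDBInstanceIPArrayList result, decides which whitelists admit a given client over a given network (standard mode, shown as the value MIX, covers both networks; an enhanced-mode list covers only its own), audits the lists for open-to-world entries, and builds the parameters for a ModifySecurityIps call in Append mode. The field names DBInstanceIPArrayName, SecurityIPList and WhitelistNetworkType follow the API; the network-type values MIX, VPC and Classic, the ModifyMode value Append, the instance ID rds-example and all addresses are assumptions made for this example.

```python
"""Offline review of ApsaraDB RDS IP address whitelists (added example; not from the page)."""
import ipaddress

# Whitelists generated by other Alibaba Cloud services; the page says not to modify or delete them.
PROTECTED_LISTS = {"ali_dms_group", "hdm_security_ips"}
MAX_WHITELISTS = 50  # per-instance limit stated on the page

# Constructed sample shaped like Items.DBInstanceIPArray in a DescribeDBInstanceIPArrayList
# response. Names, addresses and the MIX/VPC/Classic values are assumptions for this example.
SAMPLE_RESPONSE = {
    "Items": {
        "DBInstanceIPArray": [
            {"DBInstanceIPArrayName": "default", "SecurityIPList": "127.0.0.1",
             "WhitelistNetworkType": "MIX"},
            {"DBInstanceIPArrayName": "app_servers",
             "SecurityIPList": "192.168.1.0/24,192.168.2.10", "WhitelistNetworkType": "VPC"},
            {"DBInstanceIPArrayName": "ali_dms_group", "SecurityIPList": "100.104.0.0/16",
             "WhitelistNetworkType": "MIX"},
            {"DBInstanceIPArrayName": "legacy_open", "SecurityIPList": "0.0.0.0/0",
             "WhitelistNetworkType": "Classic"},
        ]
    }
}


def parse_whitelists(response):
    """Return {name: (network_type, [ip_network, ...])} from a response-shaped dict."""
    result = {}
    for arr in response["Items"]["DBInstanceIPArray"]:
        entries = [ipaddress.ip_network(e.strip(), strict=False)
                   for e in arr["SecurityIPList"].split(",") if e.strip()]
        result[arr["DBInstanceIPArrayName"]] = (arr.get("WhitelistNetworkType", "MIX"), entries)
    return result


def list_applies(list_net_type, client_net_type):
    """MIX (standard mode) covers both networks; an enhanced-mode list covers only its own."""
    return list_net_type == "MIX" or list_net_type == client_net_type


def matching_lists(whitelists, client_ip, client_net_type):
    """Names of the whitelists that grant client_ip access over client_net_type (Scenario 2 check)."""
    ip = ipaddress.ip_address(client_ip)
    return sorted(name for name, (net_type, entries) in whitelists.items()
                  if list_applies(net_type, client_net_type)
                  and any(ip.version == n.version and ip in n for n in entries))


def audit(whitelists):
    """Findings a reviewer would raise: open-to-world or very broad entries, list count near the cap."""
    findings = []
    for name, (_, entries) in whitelists.items():
        for n in entries:
            if n.num_addresses == 1 and n.network_address.is_loopback:
                continue  # 127.0.0.1 is the "nobody is allowed" placeholder in the default list
            if n.prefixlen == 0:
                findings.append(f"{name}: {n} grants access from every address; remove it")
            elif n.prefixlen < 16:
                findings.append(f"{name}: {n} is broader than a /16; confirm it is intended")
    if len(whitelists) >= MAX_WHITELISTS:
        findings.append(f"{len(whitelists)} whitelists: at the limit of {MAX_WHITELISTS}")
    return findings


def plan_append(whitelists, db_instance_id, list_name, new_entries):
    """Build parameters for a ModifySecurityIps call that appends new_entries to list_name.

    Refuses to touch service-generated lists, refuses 0.0.0.0/0, respects the 50-list cap,
    and drops entries already covered by an existing block in the same list.
    """
    if list_name in PROTECTED_LISTS:
        raise ValueError(f"{list_name} is generated by another Alibaba Cloud service; do not modify it")
    if list_name not in whitelists and len(whitelists) >= MAX_WHITELISTS:
        raise ValueError(f"cannot create {list_name}: {MAX_WHITELISTS} whitelists already exist")
    nets = [ipaddress.ip_network(e, strict=False) for e in new_entries]
    if any(n.prefixlen == 0 for n in nets):
        raise ValueError("refusing to add 0.0.0.0/0 (grants access from every address)")
    existing = whitelists.get(list_name, ("MIX", []))[1]
    to_add = []
    for n in nets:
        if any(e.version == n.version and n.subnet_of(e) for e in existing):
            continue  # already allowed by a block in this list
        text = str(n)
        to_add.append(text[:-3] if text.endswith("/32") else text)  # single hosts without prefix
    return {"DBInstanceId": db_instance_id, "DBInstanceIPArrayName": list_name,
            "ModifyMode": "Append", "SecurityIps": ",".join(to_add)}


if __name__ == "__main__":
    wl = parse_whitelists(SAMPLE_RESPONSE)
    print("allowed from VPC:", matching_lists(wl, "192.168.1.20", "VPC"))
    print("allowed from VPC:", matching_lists(wl, "10.0.0.5", "VPC"))  # [] explains a failed connection
    for f in audit(wl):
        print("finding:", f)
    print(plan_append(wl, "rds-example", "app_servers", ["192.168.2.50", "10.1.0.0/16"]))
```

Run the script against the real output of DescribeDBInstanceIPArrayList by replacing SAMPLE_RESPONSE with the parsed API response; the returned dictionary from plan_append maps directly onto the request parameters of ModifySecurityIps, and an empty matching_lists result for the client's actual source address and network type is the usual cause of the "cannot connect" case in Scenario 2.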
What to do next
Create a database and an account on an ApsaraDB RDS for PostgreSQL instance
Related operations
Operation | Description |
---|---|
DescribeDBInstanceIPArrayList | Queries the IP address whitelists of an ApsaraDB RDS instance. |
ModifySecurityIps | Modifies an IP address whitelist of an ApsaraDB RDS instance. |