Configure an IP address whitelist for an ApsaraDB RDS for MySQL instance - ApsaraDB RDS

This topic describes how to configure an IP address whitelist for an ApsaraDB RDS for MySQL instance. After an ApsaraDB RDS for MySQL instance is created, you must configure IP address whitelists for the RDS instance. A device can access the RDS instance only after you add the IP address of the device to an IP address whitelist of the RDS instance.

Prerequisites

An ApsaraDB RDS for MySQL instance is created. For more information, see Create an ApsaraDB RDS for MySQL instance.

Procedure

Note A system whitelist is configured for your RDS instance by default. The system whitelist is invisible and is used by system accounts to perform O&M operations on the databases of the RDS instance. For more information about system accounts, see System accounts of an ApsaraDB RDS for MySQL instance.

Access RDS Instances, select a region at the top, and then click the ID of the target RDS instance.
In the left-side navigation pane of the page that appears, click Whitelist and SecGroup.
View the network isolation mode of the RDS instance.
Note If your RDS instance runs MySQL 5.1, MySQL 5.5, MySQL 5.6, or MySQL 5.7 and uses local SSDs, you can change the network isolation mode of the RDS instance to the enhanced whitelist mode. The network isolation mode of RDS instances that run other database engine versions is the standard whitelist mode.
Click Modify to the right of default.
Note You can also click Create Whitelist to create an IP address whitelist.
Use one of the following methods to configure an IP address whitelist for the RDS instance:
- Method 1: Add the IP address of the server on which your application is deployed to the IP Addresses field. For more information about how to obtain the IP address of a server, see Appendix: How to obtain IP addresses.
  Note
  If you add multiple IP addresses and CIDR blocks to an IP address whitelist, you must separate these IP addresses or CIDR blocks with commas (,). Do not add spaces preceding or following the commas.
  A maximum of 1,000 IP addresses and CIDR blocks can be configured for each RDS instance. If you want to add a large number of IP addresses, we recommend that you merge the IP addresses into CIDR blocks, such as 10.10.10.0/24.
  If the RDS instance runs in standard whitelist mode, you do not need to take note of special considerations when you configure IP address whitelists for the RDS instance. If the RDS instance runs in enhanced whitelist mode, you must take note of the following considerations when you configure IP address whitelists for the RDS instance:
  Add the public IP addresses or private IP addresses of classic network-type Elastic Compute Service (ECS) instances to IP address whitelists of the classic network type.
  Add the private IP addresses of VPC-type ECS instances to IP address whitelists of the VPC network type.
- Method 2: Click Loading ECS Inner IP to load the IP addresses of all ECS instances that are created within your Alibaba Cloud account in the region. Then, select the IP addresses and add them to an IP address whitelist.
The server on which your application is deployed can access the RDS instance only after you add the IP address of the server to an IP address whitelist of the RDS instance.
Click OK.

What to do next

Use a database client or the CLI to connect to an ApsaraDB RDS for MySQL instance

References

For more information about how to modify an IP address whitelist for an RDS instance by calling an API operation, see Modify IP address whitelists.
For more information about how to query the IP address whitelists of an RDS instance by calling an API operation, see Query IP address whitelists.
For more information about how to configure an IP address whitelist for an RDS instance that runs a different database engine, see the following topics:

Appendix: Confirm whether the conditions for internal network access are met

View the region of the ECS instance on which your application is deployed.Also, view the network type of the ECS instance.For more information, see Get ready to use ApsaraDB RDS for MySQL.
View the region and network type of the RDS instance.
Log on to the ApsaraDB RDS console and go to the Instances page. In the top navigation bar, select the region where the RDS instance resides. Then, find the RDS instance and click the instance ID. On the page that appears, you can view the region, network type, and virtual private cloud (VPC) ID of the RDS instance.
Check whether the ECS instance and the RDS instance meet the following conditions for communication over an internal network:
1. The ECS instance and the RDS instance reside in the same region.
2. The ECS instance and the RDS instance reside in the same type of network. If the ECS instance and the RDS instance both reside in VPCs, these instances must reside in the same VPC.
Note If one of the preceding conditions is not met, the ECS instance cannot communicate with the RDS instance over an internal network.

Appendix: How to obtain IP addresses

Table 1. Obtain IP addresses
Connection scenario	IP address to be obtained	How to obtain
You want to connect to the RDS instance from an ECS instance. The ECS instance and the RDS instance meet the conditions for communication over an internal network.	Private IP address of the ECS instance	Log on to the ECS console and go to the Instances page. In the top navigation bar, select the region where the ECS instance resides. View the public IP address and private IP address of the ECS instance.
You want to connect to the RDS instance from an ECS instance. The ECS instance and the RDS instance do not meet the conditions for communication over an internal network.	Public IP address of the ECS instance
You want to connect to the RDS instance from an on-premises device.	Public IP address of the on-premises device	On the on-premises device, use a search engine such as Google to search for IP. Note The IP address that you obtain by using this method may be inaccurate. For more information about how to obtain the accurate IP address of an on-premises device, see Why am I unable to connect to my ApsaraDB RDS for MySQL or ApsaraDB RDS for MariaDB instance from a local server over the Internet?

Appendix: system whitelists

If you use ApsaraDB RDS for MySQL together with Data Management (DMS), Data Transmission Service (DTS), and Database Autonomy Service (DAS), the system automatically adds the following whitelists to an RDS instance. This way, DMS, DTS, and DAS can access the RDS instance.


Whitelist name	Description
dms	The whitelist that is automatically added to an RDS instance when you use DMS to log on to the RDS instance. The whitelist enables DMS to access the RDS instance.
dts	The whitelist that is automatically added to an RDS instance when you use DTS to transmit the data of the RDS instance. The whitelist enables DMS to read data from or write data to the RDS instance.
hdm_security_ips	The whitelist that is automatically added to an RDS instance when you activate DAS for the RDS instance. The whitelist enables DAS to obtain the data of the RDS instance, optimize and maintain databases, and perform security-related operations on databases. Important If an RDS instance is created after December 2020, the IP address whitelist that is labeled hdm_security_ips is invisible to users. This prevents the IP address whitelist from being unintentionally modified or deleted. If the IP address whitelist is modified or deleted, related services cannot access the RDS instance.