This topic describes how to configure an IP address whitelist on an ApsaraDB RDS for SQL Server instance. An IP address whitelist allows only the specified devices to access your RDS instance.

For more information about how to configure an IP address whitelist for an RDS instance that runs a different database engine, see the following topics:

Scenarios

An IP address whitelist of an RDS instance consists of IP addresses and CIDR blocks that are granted access to the RDS instance. You can configure IP address whitelists for an RDS instance to provide high-level access control and security protection for the RDS instance. We recommend that you update the configured IP address whitelists on a regular basis.

You can configure an IP address whitelist in the following scenarios:

  • Scenario 1

    After an RDS instance is created, you must add the IP addresses of specific devices to an IP address whitelist of the RDS instance. These devices can access the RDS instance only after the IP addresses of these devices are added to an IP address whitelist of the RDS instance.

  • Scenario 2

    You cannot connect to an RDS instance. You must check whether the IP address whitelists of the instance are correctly configured.

    The following table provides the IP address whitelist configurations in various connection scenarios.

    Note A virtual private cloud (VPC) is an isolated network on Alibaba Cloud and provides higher security than the classic network. For more information, see What is a VPC?
    Connection scenario: Connect an Elastic Compute Service (ECS) instance to an RDS instance

      • Network type: The ECS instance and the RDS instance reside in the same VPC. This is the recommended connection scenario.
        IP address whitelist configuration: Add the private IP address of the ECS instance to an IP address whitelist of the RDS instance.

      • Network type: The ECS instance and the RDS instance reside in different VPCs.
        IP address whitelist configuration: Instances in different VPCs cannot communicate with each other over internal networks. Make sure that the ECS instance and the RDS instance reside in the same VPC and add the private IP address of the ECS instance to an IP address whitelist of the RDS instance.

      • Network type: The ECS instance and the RDS instance reside in the classic network.
        IP address whitelist configuration: Add the private IP address of the ECS instance to an IP address whitelist of the RDS instance.

      • Network type: The ECS instance resides in the classic network. The RDS instance resides in a VPC.
        IP address whitelist configuration: Instances of different network types cannot communicate with each other over internal networks. Perform the following operations:
        1. Migrate the ECS instance from the classic network to the VPC to which the RDS instance belongs. For more information, see Migrate an ECS instance from the classic network to a VPC.
           Note This operation is supported only when the ECS instance and the RDS instance reside in the same region. If the ECS instance and the RDS instance reside in different regions, we recommend that you use Data Transmission Service (DTS) to migrate the RDS instance to the region where the ECS instance resides. This way, you can ensure the stability of your database service. For more information, see Migrate data between ApsaraDB RDS for MySQL instances.
        2. Add the private IP address of the ECS instance to an IP address whitelist of the RDS instance.

      • Network type: The ECS instance resides in a VPC. The RDS instance resides in the classic network.
        IP address whitelist configuration: Instances of different network types cannot communicate with each other over internal networks. Perform the following operations:
        1. Migrate the RDS instance from the classic network to the VPC to which the ECS instance belongs. For more information, see Change the network type of an ApsaraDB RDS for SQL Server instance.
           Note This operation is supported only when the ECS instance and the RDS instance reside in the same region. If the ECS instance and the RDS instance reside in different regions, we recommend that you use DTS to migrate the RDS instance to the region where the ECS instance resides. This way, you can ensure the stability of your database service. For more information, see Migrate data between ApsaraDB RDS for MySQL instances.
        2. Add the private IP address of the ECS instance to an IP address whitelist of the RDS instance.

    Connection scenario: Connect a self-managed host outside the cloud to an RDS instance

      • Network type: None
        IP address whitelist configuration: Add the public IP address of the self-managed host to an IP address whitelist of the RDS instance.
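For the Scenario 2 check, the following added example (not part of the original topic and not Alibaba Cloud code) tests offline whether a client address is covered by a whitelist of IP addresses and CIDR blocks, and whether it is the kind of address the table calls for. The function names, the use of the RFC 1918 ranges as the definition of "private", and the sample addresses are assumptions made for illustration.

```python
import ipaddress

# Assumption: "private IP address" means an RFC 1918 address.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample whitelist; the last entry is deliberately malformed.
SAMPLE_WHITELIST = ["10.0.1.0/24", "203.0.113.7", "10.0.0.256"]


def parse_whitelist(entries):
    """Return (parsed networks, entries that are not a valid IP or CIDR block)."""
    networks, invalid = [], []
    for raw in entries:
        try:
            # strict=False tolerates host bits in a CIDR block (10.0.1.5/24).
            networks.append(ipaddress.ip_network(raw.strip(), strict=False))
        except ValueError:
            invalid.append(raw)
    return networks, invalid


def diagnose(client_ip, entries, over_internal_network):
    """Report whether client_ip passes the whitelist and note likely mistakes.

    over_internal_network=True:  ECS instance reaching RDS over the internal
                                 network (the table calls for its private IP).
    over_internal_network=False: self-managed host outside the cloud
                                 (the table calls for its public IP).
    """
    ip = ipaddress.ip_address(client_ip)
    networks, invalid = parse_whitelist(entries)
    findings = [f"unparseable entry: {e!r}" for e in invalid]
    is_private = any(ip in net for net in RFC1918)
    if over_internal_network and not is_private:
        findings.append("expected the private IP address of the ECS instance")
    if not over_internal_network and is_private:
        findings.append("expected the public IP address of the host")
    matched = [str(net) for net in networks if ip in net]
    if not matched:
        findings.append(f"{ip} is not covered by any whitelist entry")
    return {"allowed": bool(matched), "matched": matched, "findings": findings}


if __name__ == "__main__":
    for ip, internal in (("10.0.1.15", True), ("10.0.2.15", True),
                         ("203.0.113.7", False)):
        print(ip, diagnose(ip, SAMPLE_WHITELIST, internal))
```
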

Procedure

What to do next