This topic describes how to configure an IP address whitelist or security group for an ApsaraDB RDS for MariaDB TX instance. Only the devices whose IP addresses are included in an IP address whitelist of your RDS instance can access your RDS instance.
Background information
You can control access to your RDS instance by using one of the following methods:
- IP address whitelists
An IP address whitelist contains the IP addresses of the devices that require access to your RDS instance. The IP address whitelist labeled default contains only the 127.0.0.1 IP address. This IP address indicates that no devices can access your RDS instance.
Before you configure an IP address whitelist, you must confirm the network isolation mode of your RDS instance. The configuration procedure varies based on the network isolation mode.
- Standard whitelist mode
A standard IP address whitelist can contain the IP addresses from both the classic network and virtual private clouds (VPCs). However, the standard whitelist mode may incur security risks. For example, after you add an IP address from a VPC to a standard IP address whitelist, the IP address is granted access over both the VPC and the classic network. Therefore, we recommend that you switch your RDS instance to the enhanced whitelist mode. For more information, see Switch an ApsaraDB RDS for MariaDB TX instance to the enhanced whitelist mode.
Note RDS instances that run MariaDB TX can be deployed only in VPCs.
- Enhanced whitelist mode
An enhanced IP address whitelist can contain only the IP addresses from the classic network or from VPCs. When you create an enhanced IP address whitelist, you must specify its network type. If you add an IP address from a VPC to an enhanced IP address whitelist, the IP address is granted access only over the VPC.
- Security groups
A security group serves as a virtual firewall to control the inbound and outbound traffic of the ECS instances in that security group. After you add a security group to your RDS instance, all the ECS instances in that security group can access your RDS instance.
For more information about security groups, see Create a security group.
IP address whitelists help provide high security and efficient protection for your RDS instance. We recommend that you update the configured IP address whitelists on a regular basis. When you configure an IP address whitelist, the workloads on your RDS instance run as normal.
Precautions for configuring an IP address whitelist
- You can modify or clear the IP address whitelist labeled default. However, you cannot delete this IP address whitelist.
- A maximum of 50 IP address whitelists can be configured for each RDS instance.
- Up to 1,000 IP addresses and Classless Inter-Domain Routing (CIDR) blocks can be granted access to each RDS instance. If you want to add a large number of IP addresses, we recommend that you merge these IP addresses into CIDR blocks, such as 10.10.10.0/24, in which 24 indicates that the prefix of each IP address is 24-bit long. You can replace 24 with a value within the range of 1 to 32. For more information, see CIDR block FAQ.
- When you access an Alibaba Cloud service, the service automatically creates an IP address whitelist. The created IP address whitelist contains the IP address of the server that runs the service. For example, Data Management (DMS) creates an IP address whitelist named ali_dms_group, and Database Autonomy Service (DAS) creates an IP address whitelist named hdm_security_ips. To ensure that the specified Alibaba Cloud services can be used, do not modify or delete these IP address whitelists.
Notice Do not add your IP address to these IP address whitelists. If you add your IP address to these IP address whitelists, your IP address may be overwritten by the entries that are updated from the existing IP addresses in these IP address whitelists. If your IP address is overwritten, your workloads are interrupted.
Configure an enhanced IP address whitelist
Configure a standard IP address whitelist
Common errors
- Your RDS instance has only one IP address whitelist that contains only the default IP address 127.0.0.1 on the Whitelist Settings tab of the Data Security page.
The default IP address 127.0.0.1 indicates that no devices can access your RDS instance. You must add the IP addresses of the devices that require access to your RDS instance to an IP address whitelist.
- An IP address whitelist contains only one entry, 0.0.0.0.
If you want to grant access from all devices to your RDS instance, enter the 0.0.0.0/0 entry in an IP address whitelist.
Note The 0.0.0.0/0 entry indicates that all devices can access your RDS instance. Exercise caution when you add this entry.
- When you configure an enhanced IP address whitelist for your RDS instance, IP address errors are reported.
Check that the enhanced whitelist mode is enabled. For more information, see Switch an ApsaraDB RDS for MariaDB TX instance to the enhanced whitelist mode.
- If your RDS instance resides in a VPC and is connected by using the internal endpoint, make sure that the private IP address of your ECS instance is added to the IP address whitelist labeled default VPC.
- If your RDS instance resides in the classic network and is connected by using the internal endpoint, make sure that the private IP address of your ECS instance is added to the IP address whitelist labeled default Classic Network.
- If your RDS instance is connected over the Internet, make sure that the public IP address of your ECS instance is added to the IP address whitelist labeled default Classic Network. The IP address whitelist labeled default VPC cannot be used to control access over the Internet.
- The public IP addresses that you add to an IP address whitelist are not the actual egress IP addresses of the devices that you want to connect.
This problem may occur due to the following reasons:
- Public IP addresses dynamically change.
- The tool or website that is used to query public IP addresses returns inaccurate results.
For more information, see Why am I unable to connect to my ApsaraDB RDS for MySQL or ApsaraDB RDS for MariaDB instance from a local server over the Internet?
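The precaution about merging IP addresses into CIDR blocks and the common error of entering 0.0.0.0 instead of 0.0.0.0/0 can both be checked before you touch the console. The following is an added example, not Alibaba Cloud code: it uses only Python's standard ipaddress module, takes the per-instance limit of 1,000 entries from this page, and applies the same reading of 127.0.0.1 and 0.0.0.0/0 that the page gives.

```python
"""Normalize candidate RDS whitelist entries into CIDR blocks (constructed example)."""
import ipaddress

MAX_ENTRIES = 1000  # per-instance limit stated in the documentation


def normalize_whitelist(entries):
    """Return (collapsed_cidrs, warnings) for a list of candidate whitelist entries.

    Adjacent addresses are merged into the smallest covering CIDR blocks, and
    entries that silently block access or fully expose the instance are flagged.
    """
    networks = []
    warnings = []
    for raw in entries:
        entry = raw.strip()
        if entry == "0.0.0.0":
            # A bare 0.0.0.0 is a single host, not "all devices"; the open-access
            # entry the documentation describes is 0.0.0.0/0.
            warnings.append(f"{entry}: bare 0.0.0.0 grants no access; "
                            "0.0.0.0/0 is the all-devices entry and should be used with caution")
            continue
        try:
            # strict=False turns a host address with a prefix (10.10.10.5/24)
            # into its network (10.10.10.0/24); a bare address becomes a /32.
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            warnings.append(f"{entry}: not a valid IPv4 address or CIDR block")
            continue
        if net.version != 4:
            warnings.append(f"{entry}: only IPv4 entries are handled here")
            continue
        if net.prefixlen == 0:
            warnings.append(f"{entry}: allows every device on the Internet")
        elif net == ipaddress.ip_network("127.0.0.1/32"):
            warnings.append(f"{entry}: loopback entry lets no external device connect")
        networks.append(net)
    # collapse_addresses merges contiguous blocks and drops subsumed ones.
    collapsed = list(ipaddress.collapse_addresses(networks))
    if len(collapsed) > MAX_ENTRIES:
        warnings.append(f"{len(collapsed)} entries exceed the limit of {MAX_ENTRIES}")
    return [str(n) for n in collapsed], warnings


if __name__ == "__main__":
    # Constructed input: two halves of a /24, a host inside it, two neighbours,
    # the bare-0.0.0.0 mistake and the loopback default.
    sample = ["10.10.10.0/25", "10.10.10.128/25", "10.10.10.7",
              "192.168.1.11", "192.168.1.10", "0.0.0.0", "127.0.0.1"]
    cidrs, notes = normalize_whitelist(sample)
    print("whitelist:", cidrs)
    for note in notes:
        print("warning:", note)
```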
Precautions for configuring a security group
- You can configure both IP address whitelists and security groups for your RDS instance. All the IP addresses in the configured IP address whitelists and all the ECS instances in the configured security groups are granted access to your RDS instance.
- A maximum of 10 security groups can be configured for each RDS instance.
- After the ECS instances in a configured security group are updated, the updates are automatically synchronized to that security group.
- You can configure only a security group that has the same network type as your RDS instance. The network types of your RDS instance and the security group that you want to configure must both be VPC or classic network.
Note After you change the network type of your RDS instance, the security group that you have added becomes invalid. You must add the security group with the required network type again.
Configure a security group
FAQ
- After I configure an IP address whitelist, does the IP address whitelist immediately take effect?
No, after you configure an IP address whitelist, the IP address whitelist requires about 1 minute to take effect.
- Why do I find IP address whitelists that I did not create?
If these IP address whitelists contain private IP addresses, they are probably created by other Alibaba Cloud services, such as DMS and DAS. In this case, these IP address whitelists do not affect your business data, and no further actions are required.
- If I disable Internet access and enable only internal network access, is my RDS instance exposed to security risks?
Yes, if you disable Internet access and enable only internal network access, your RDS instance is exposed to security risks. We recommend that you change the network type of your RDS instance to VPC. In this case, only an ECS instance in the same VPC can access your RDS instance after the required IP address is added to an IP address whitelist.