This topic describes how to configure an IP address whitelist or security group for an ApsaraDB RDS for MariaDB TX instance. Only the devices whose IP addresses are included in an IP address whitelist of your RDS instance can access your RDS instance.

Background information

You can control access to your RDS instance by using one of the following methods:

  • IP address whitelists

    An IP address whitelist contains the IP addresses of the devices that require access to your RDS instance. The IP address whitelist labeled default contains only the 127.0.0.1 IP address. This IP address indicates that no devices can access your RDS instance.

    Before you configure an IP address whitelist, you must confirm the network isolation mode of your RDS instance. The configuration procedure vary based on the network isolation mode.

    • Standard whitelist mode

      A standard IP address whitelist can contain the IP addresses from both the classic network and virtual private clouds (VPCs). However, the standard whitelist mode may incur security risks. For example, after you add an IP address from a VPC to a standard IP address whitelist, the IP address is granted access over both the VPC and the classic network. Therefore, we recommend that you switch your RDS instance to the enhanced whitelist mode. For more information, see Switch an ApsaraDB RDS for MariaDB TX instance to the enhanced whitelist mode.

      Note RDS instances that run MariaDB TX can be deployed only in VPCs.
    • Enhanced whitelist mode

      An enhanced IP address whitelist can contain only the IP addresses from the classic network or from VPCs. When you create an enhanced IP address whitelist, you must specify its network type. If you add an IP address from a VPC to an enhanced IP address whitelist, the IP address is granted access only over the VPC.

  • Security groups

    A security group serves as a virtual firewall to control the inbound and outbound traffic of the ECS instances in that security group. After you add a security group to your RDS instance, all the ECS instances in that security group can access your RDS instance.

    For more information about security groups, see Create a security group.

IP address whitelists help provide high security and efficient protection for your RDS instance. We recommend that you update the configured IP address whitelists on a regular basis. When you configure an IP address whitelist, the workloads on your RDS instance run as normal.

Precautions for configuring an IP address whitelist

  • You can modify or clear the IP address whitelist labeled default. However, you cannot delete this IP address whitelist.
  • A maximum of 50 IP address whitelists can be configured for each RDS instance.
  • Up to 1,000 IP addresses and Classless Inter-Domain Routing (CIDR) blocks can be granted access to each RDS instance. If you want to add a large number of IP addresses, we recommend that you merge these IP addresses into CIDR blocks, such as 10.10.10.0/24, in which 24 indicates that the prefix of each IP address is 24-bit long. You can replace 24 with a value within the range of 1 to 32. For more information, see CIDR block FAQ.
  • When you access an Alibaba Cloud service, the service automatically creates an IP address whitelist. The created IP address whitelist contains the IP address of the server that runs the service. For example, Data Management (DMS) creates an IP address whitelist named ali_dms_group, and Database Autonomy Service (DAS) creates an IP address whitelist named hdm_security_ips. To ensure that the specified Alibaba Cloud services can be used, do not modify or delete these IP address whitelists.
    Notice Do not add your IP address to these IP address whitelists. If you add your IP address to these IP address whitelists, your IP address may be overwritten by the entries that are updated from the existing IP addresses in these IP address whitelists. If your IP address is overwritten, your workloads are interrupted.

Configure an enhanced IP address whitelist

  1. Visit the RDS instance list, select a region above, and click the target instance ID.
  2. In the left-side navigation pane, click Data Security.
  3. Confirm the connection scenario and perform the required operations.
    Connection scenario Operation
    Your ECS and RDS instances reside in the same VPC. This is the recommended connection scenario.
    1. On the Whitelist Settings tab of the Data Security page, click Modify to the right of the IP address whitelist labeled default Classic Network.
    2. In the dialog box that appears, enter the private IP address of your ECS instance in the IP Addresses field and click OK.
      Note The applications that run on your ECS instance connect to the internal endpoint of your RDS instance.
    Your ECS and RDS instances reside in different VPCs.
    1. On the Database Connection page, click Switch to Classic Network. In the message that appears, click OK.
    2. Click Switch to VPC. In the dialog box that appears, select the VPC of your ECS instance and click OK.
      Note Your ECS and RDS instances can reside in the same VPC only when they belong to the same region. If these instances belong to different regions, we recommend that you use Data Transmission Service (DTS) to migrate your RDS instance to the region of your ECS instance. For more information, see Migrate data between ApsaraDB RDS for MariaDB TX instances.
    3. On the Whitelist Settings tab of the Data Security page, click Modify to the right of the IP address whitelist labeled default VPC.
    4. In the dialog box that appears, enter the private IP address of your ECS instance in the IP Addresses field and click OK.
      Note The applications that run on your ECS instance connect to the internal endpoint of your RDS instance.
    Your ECS instance resides in the classic network.

    Your RDS instance resides in a VPC.
    1. Migrate your ECS instance to the VPC of your RDS instance. For more information, see Migrate an ECS instance from a classic network to a VPC.
      Note Your ECS and RDS instances can reside in the same VPC only when they belong to the same region. If these instances belong to different regions, we recommend that you use DTS to migrate your RDS instance to the region of your ECS instance. For more information, see Migrate data between ApsaraDB RDS for MariaDB TX instances.
    2. On the Whitelist Settings tab of the Data Security page, click Modify to the right of the IP address whitelist labeled default VPC.
    3. In the dialog box that appears, enter the private IP address of your ECS instance in the IP Addresses field and click OK.
      Note The applications that run on your ECS instance connect to the internal endpoint of your RDS instance.
    Your host that requires access to your RDS instance resides outside the cloud.
    1. On the Whitelist Settings tab of the Data Security page, click Modify to the right of the IP address whitelist labeled default Classic Network.
    2. In the dialog box that appears, enter the public IP address of the on-premises server in the IP Addresses field and click OK.
      Note
    Note
    • On the Whitelist Settings tab of the Data Security page, you can click Create Whitelist. In the Create Whitelist dialog box, you can set the Network Type parameter to VPC or Classic Network/Public IP.
    • If you enter more than one IP address or CIDR block, you must separate them with commas (,). Example: 192.168.0.1,172.16.213.9.
    • If you click Loading ECS Inner IP, the IP addresses of all the ECS instances that are created within your Alibaba Cloud account appear. Then, you can select the IP addresses that you want to add to the IP address whitelist.

Configure a standard IP address whitelist

  1. Visit the RDS instance list, select a region above, and click the target instance ID.
  2. In the left-side navigation pane, click Data Security.
  3. On the Whitelist Settings tab of the page that appears, click Modify to the IP address whitelist labeled default.
    Note You can also click Create Whitelist to create an IP address whitelist.
  4. In the Edit Whitelist dialog box, enter the IP addresses or CIDR blocks that require access to your RDS instance and click OK.
    Note
    • After you add IP addresses or CIDR blocks to the IP address whitelist labeled default, the default IP address 127.0.0.1 is automatically deleted from this IP address whitelist.
    • If you enter more than one IP address or CIDR block, you must separate them with commas (,). Do not add spaces preceding or following the commas. Example: 192.168.0.1,172.16.213.9.
    • If you click Loading ECS Inner IP, the IP addresses of all the ECS instances that are created within your Alibaba Cloud account appear. Then, you can select the IP addresses that you want to add to the IP address whitelist.

Common errors

  • Your RDS instance has only one IP address whitelist that contains only the default IP address 127.0.0.1 on the Whitelist Settings tab of the Data Security page.

    The default IP address 127.0.0.1 indicates that no devices can access your RDS instance. You must add the IP addresses of the devices that require access to your RDS instance to an IP address whitelist.

  • An IP address whitelist contains only one entry, 0.0.0.0.

    If you want to grant access from all devices to your RDS instance, enter the 0.0.0.0/0 entry in an IP address whitelist.

    Note The 0.0.0.0/0 entry indicates that all devices can access your RDS instance. Exercise caution when you add this entry.
  • When you configure an enhanced IP address whitelist for your RDS instance, IP address errors are reported.

    Check that the enhanced whitelist mode is enabled. For more information, see Switch an ApsaraDB RDS for MariaDB TX instance to the enhanced whitelist mode.

    • If your RDS instance resides in a VPC and is connected by using the internal endpoint, make sure that the private IP address of your ECS instance is added to the IP address whitelist labeled default VPC.
    • If your RDS instance resides in the classic network and is connected by using the internal endpoint, make sure that the private IP address of your ECS instance is added to the IP address whitelist labeled default Classic Network.
    • If your RDS instance is connected over the Internet, make sure that the public IP address of your ECS instance is added to the IP address whitelist labeled default Classic Network. The IP address whitelist labeled default VPC cannot be used to control access over the Internet.
  • The public IP addresses that you add to an IP address whitelist are not the actual egress IP addresses of the devices that you want to connect.

    This problem may occur due to the following reasons:

    • Public IP addresses dynamically change.
    • The tool or website that is used to query public IP addresses returns inaccurate results.

    For more information, see Why am I unable to connect to my ApsaraDB RDS for MySQL or ApsaraDB RDS for MariaDB instance from a local server over the Internet?

Precautions for configuring a security group

  • You can configure both IP address whitelists and security groups for your RDS instance. All the IP addresses in the configured IP address whitelists and all the ECS instances in the configured security groups are granted access to your RDS instance.
  • A maximum of 10 security groups can be configured for each RDS instance.
  • After the ECS instances in a configured security group are updated, the updates are automatically synchronized to that security group.
  • You can configure only a security group that has the same network type as your RDS instance. The network types of your RDS instance and the security group that you want to configure must both be VPC or classic network.
    Note After you change the network type of your RDS instance, the security group that you have added becomes invalid. You must add the security group with the required network type again.

Configure a security group

  1. Visit the RDS instance list, select a region above, and click the target instance ID.
  2. In the left-side navigation pane, click Data Security.
  3. On the Security Group tab of the page that appears, click Add Security Group.
    Note Security groups whose names are followed by a VPC tag contain ECS instances that reside in VPCs.

FAQ

  • After I configure an IP address whitelist, does the IP address whitelist immediately take effect?

    No, after you configure an IP address whitelist, the IP address whitelist requires about 1 minute to take effect.

  • Why do I find IP address whitelists that I did not create?

    If these IP address whitelists contain private IP addresses, they are probably created by other Alibaba Cloud services, such as DMS and DAS. In this case, these IP address whitelists do not affect your business data, and no further actions are required.

  • If I disable Internet access and enable only internal network access, is my RDS instance exposed to security risks?

    Yes, if you disable Internet access and enable only internal network access, your RDS instance is exposed to security risks. We recommend that you change the network type of your RDS instance to VPC. In this case, only an ECS instance in the same VPC can access your RDS instance after the required IP address is added to an IP address whitelist.