Configure an IP address whitelist for an ApsaraDB RDS for MariaDB instance - ApsaraDB RDS

This topic describes how to configure an IP address whitelist for an ApsaraDB RDS for MariaDB instance. Only the devices whose IP addresses are added to an IP address whitelist of your RDS instance can access your RDS instance.

Background information

The following information describes the IP address whitelist of the RDS instance:

The IP address or CIDR block that is allowed to connect to the RDS instance. The IP address whitelist labeled default contains only the 127.0.0.1 IP address. This IP address indicates that no devices can access the RDS instance.
The IP address whitelist supports the standard whitelist mode. A standard IP address whitelist can contain the IP addresses from the classic network and virtual private clouds (VPCs). RDS instances that run MariaDB can be deployed only in VPCs.
IP address whitelists help provide high security and efficient protection for your RDS instance. We recommend that you update the configured IP address whitelists on a regular basis. If you configure IP address whitelists for your RDS instance, the workloads on the instance are not affected.

Precautions for configuring an IP address whitelist

You can modify or clear the IP address whitelist that is labeled default. However, you cannot delete this IP address whitelist.
A maximum of 50 IP address whitelists can be configured for an RDS instance.
You can add a maximum of 1,000 IP addresses and CIDR blocks in total for each RDS instance. If you want to add a large number of IP addresses, we recommend that you merge these IP addresses into CIDR blocks, such as 10.10.10.0/24, in which 24 indicates that the prefix of each IP address is 24-bit long. You can replace 24 with a value within the range of 1 to 32. For more information, see CIDR block FAQ.
When you access an Alibaba Cloud service, the service automatically creates an IP address whitelist. The created IP address whitelist contains the IP address of the server that runs the service. For example, Data Management (DMS) creates an IP address whitelist named ali_dms_group, and Database Autonomy Service (DAS) creates an IP address whitelist named hdm_security_ips. To ensure that the services can be used as normal, do not modify or delete these IP whitelists.
Important
- Do not add your service IP addresses to these IP whitelists. Otherwise, your service IP addresses may be overwritten when the related services are updated. Consequently, service interruption may occur.
- If an RDS instance is created after December 2020, the IP address whitelist that is labeled hdm_security_ips is invisible to users. This prevents the IP address whitelist from being unintentionally modified or deleted.

Configure a standard IP address whitelist

Access RDS Instances, select a region at the top, and then click the ID of the target RDS instance.
In the left-side navigation pane, click Whitelist and SecGroup.
On the Whitelist Settings tab, click Modify on the right side of the whitelist that is labeled default.
Note You can also click Create Whitelist to create an IP address whitelist.
In the Edit Whitelist dialog box, enter the IP addresses or CIDR blocks that are allowed to access your RDS instance and click OK.
Note
- After you add IP addresses or CIDR blocks to the IP address whitelist that is labeled default, the default IP address 127.0.0.1 is automatically deleted from this IP address whitelist.
- If you enter more than one IP address or CIDR block, you must separate them with commas (,). Do not add spaces preceding or following the commas. Example: 192.168.0.1,172.16.213.9.
- If you click Add Internal IP Addresses of ECS Instances, the IP addresses of all the Elastic Compute Service (ECS) instances that are created within the current Alibaba Cloud account appear. Then, you can select the IP addresses and add them to an IP address whitelist.

Common errors

Your RDS instance has only one IP address whitelist that contains only the default IP address 127.0.0.1 on the Whitelist Settings tab of the Whitelist and SecGroup page.
The IP address 127.0.0.1 indicates that no devices are allowed to access the RDS instance. You must add the IP addresses of the devices that require access to your RDS instance to an IP address whitelist.
An IP address whitelist contains only one entry, 0.0.0.0.
If you want to grant access from all devices to your RDS instance, enter the 0.0.0.0/0 entry in an IP address whitelist.
Important If you want to allow all devices to access the RDS instance, you must add the 0.0.0.0/0 entry to an IP address whitelist of the RDS instance. Proceed with caution.
The public IP addresses that you add to an IP address whitelist are not the actual egress IP addresses of the devices that you want to connect.
Possible causes:
- The public IP address dynamically changes.
- The tool or website that is used to query public IP addresses returns inaccurate results.
For more information, see Why am I unable to connect to my ApsaraDB RDS for MySQL or ApsaraDB RDS for MariaDB instance from a local server over the Internet?

FAQ

After I configure an IP address whitelist, does the IP address whitelist immediately take effect?
No, after you configure an IP address whitelist, the IP address whitelist requires approximately 1 minute to take effect.
Why do I find IP address whitelists that I did not create?
If these IP address whitelists contain private IP addresses, they are probably created by other Alibaba Cloud services, such as DMS and DAS. In this case, these IP address whitelists do not affect your business data, and no further actions are required.
If I disable Internet access and enable only internal network access, is my RDS instance exposed to security risks?
Yes, if you disable Internet access and enable only internal network access, your RDS instance is exposed to security risks. We recommend that you change the network type of your RDS instance to VPC. In this case, only an ECS instance in the same VPC can access your RDS instance after the required IP address is added to an IP address whitelist.