Access from all IP addresses to Tair (Redis OSS-compatible) instances is denied by default. Add client IP addresses to the instance whitelist before you connect. Review whitelists regularly to keep instances secure.
Choose a method
| Method | Best for | How it works |
|---|---|---|
| IP whitelist | Fine-grained control per IP or CIDR block | Manually add individual IP addresses or CIDR blocks to a whitelist group. Supports both private and public IP addresses. |
| Security group | Batch access for multiple ECS instances | Bind an ECS security group to the Tair instance. All instances in the group can access Tair without manual IP entry. Adds both private and public IP addresses automatically. |
You can use both methods at the same time. IP addresses in whitelist groups and ECS instances in security groups can all access the instance.
Prerequisites
Before you begin, make sure that you have:
A Tair (Redis OSS-compatible) instance
The IP address or CIDR block of the client that needs access
(Security group method) An ECS security group in the same region, and an instance running Redis 4.0 (latest minor version) or later
Add the private IP address of an ECS instance to a whitelist
Use this method when your ECS instance and Tair instance are in the same virtual private cloud (VPC).
If your ECS and Tair instances are not in the same VPC, you can change the VPC of the ECS instance.
Log on to the console and go to the Instances page. In the top navigation bar, select the region of your instance. Find the instance and click the instance ID.
In the left-side navigation pane, click Whitelist Settings.
Find the default whitelist and click Modify in the Actions column.
You can also click Add Whitelist to create a whitelist. The name must be 2 to 32 characters in length and can contain lowercase letters, digits, and underscores (_). It must start with a lowercase letter and end with a lowercase letter or digit.
Set Add Method to Import ECS Internal IP Address. The private IP addresses of all ECS instances in the same region are displayed. You can hover over an IP address to view the ECS instance ID and name.
Select the IP addresses you need and move them to the right pane.
Click OK.
(Optional) To remove all IP addresses from a whitelist group, click Delete on the right of the target whitelist group. System-generated whitelist groups, such as default and hdm_security_ips, cannot be deleted.
Add a public IP address to a whitelist
Use this method when you connect from an on-premises device or when your ECS and Tair instances are not in the same VPC.
Log on to the console and go to the Instances page. In the top navigation bar, select the region of your instance. Find the instance and click the instance ID.
In the left-side navigation pane, click Whitelist Settings.
Find the default whitelist group and click Modify.
You can also click Add Whitelist to create a new group. The group name must be 2 to 32 characters in length and can contain lowercase letters, digits, and underscores (_). It must start with a lowercase letter and end with a lowercase letter or digit.
Set Add Method to Add Manually.
In the Whitelist text box, enter an IP address or a CIDR block. Separate multiple IP addresses with commas (,). Duplicates are not allowed. You can add up to 1,000 IP addresses. The following formats are supported:
A specific IP address, such as 10.23.12.24.
A CIDR block. For example, 10.23.12.0/24 covers IP addresses from 10.23.12.0 to 10.23.12.255. The prefix length can be 1 to 32 bits.
Warning: Adding 0.0.0.0/0 allows access from all IP addresses. This poses a high security risk. Use with caution.
Find your public IP address
| Source | Method |
|---|---|
| ECS instance | Query the IP address of an ECS instance |
| On-premises (Linux) | Run curl ifconfig.me in the terminal |
| On-premises (Windows) | Run curl ip.me in the command prompt |
| On-premises (macOS) | Run curl ifconfig.me in the terminal |
Click OK.
(Optional) To remove all IP addresses from a whitelist group, click Delete on the right of the target whitelist group. System-generated whitelist groups, such as default and hdm_security_ips, cannot be deleted.
Add ECS instances in batch through a security group
Bind a security group to a Tair instance whitelist to grant access for multiple ECS instances at once. All associated instances in the group -- including ECS instances and Elastic Container Instances -- can access the Tair instance using their private and public IP addresses.
IP access control applies only to instances associated with the security group, not to custom CIDR blocks or IP addresses configured in the security group rules.
The Tair instance must run Redis 4.0 (latest minor version) or later. To upgrade, see Major engine version upgrade.
Log on to the console and go to the Instances page. In the top navigation bar, select the region of your instance. Find the instance and click the instance ID.
In the left-side navigation pane, click Whitelist Settings.
Click the Security Groups tab.
On the Security Groups tab, click Add Security Group.
In the dialog box, select the security group you want to add. You can search by Security Group Name or Security Group ID.
You can add up to 10 security groups per instance.
Click OK.
(Optional) To remove a security group, click Delete.
Best practices
Avoid 0.0.0.0/0 in production. This entry allows all IP addresses and creates a significant security risk.
Use CIDR blocks for IP ranges. Instead of adding individual IPs, use CIDR notation such as 10.10.10.0/24 to cover a range.
Use security groups for dynamic environments. If your ECS instances change frequently, security groups automatically keep access up to date.
Audit whitelists regularly. Remove unused entries and review whitelist groups periodically.
Restart clients after removing IPs. Whitelist changes apply only to new connections. Existing persistent connections continue until the client disconnects.
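The entry rules from "Add a public IP address to a whitelist" and the audit practice above can be checked offline before a change is submitted. This is an added example, not Alibaba Cloud code: the function name, the sample groups, and the /16 "broad" threshold are assumptions, and only IPv4 entries are handled.

```python
import ipaddress
import re

# Naming rule from this page: 2-32 chars of [a-z0-9_], starts with a lowercase
# letter, ends with a lowercase letter or digit.
GROUP_NAME = re.compile(r"[a-z][a-z0-9_]{0,30}[a-z0-9]")
MAX_ENTRIES = 1000  # limit stated on this page
BROAD_PREFIX = 16   # assumption: local review threshold, not a Tair limit

SAMPLE = {  # constructed sample, not from a real instance
    "default": "127.0.0.1",
    "app_servers": "10.23.12.24,10.23.12.0/24,10.23.12.24",
    "Temp-Access": "0.0.0.0/0,10.0.0.0/8,203.0.113.300",
}


def audit_whitelist(groups):
    """Return (group, entry, finding) tuples for {group_name: "ip,cidr,..."}."""
    findings, client_entries = [], 0
    for name, raw in groups.items():
        if not GROUP_NAME.fullmatch(name):
            findings.append((name, "", "invalid group name"))
        entries = [e.strip() for e in raw.split(",") if e.strip()]
        if len(entries) > MAX_ENTRIES:
            findings.append((name, "", "more than 1,000 entries"))
        seen = set()
        for entry in entries:
            if entry in seen:
                findings.append((name, entry, "duplicate entry"))
                continue
            seen.add(entry)
            try:
                net = ipaddress.IPv4Network(entry, strict=False)
            except ValueError:
                findings.append((name, entry, "not an IPv4 address or CIDR block"))
                continue
            if net.prefixlen == 0:
                findings.append((name, entry, "open to all IP addresses"))
            elif net.prefixlen < BROAD_PREFIX:
                findings.append((name, entry, "broad CIDR block"))
            if entry != "127.0.0.1":
                client_entries += 1
    # Per the FAQ: with 127.0.0.1 as the only entry, every client is denied.
    if client_entries == 0:
        findings.append(("*", "127.0.0.1", "no client entry, all access denied"))
    return findings


if __name__ == "__main__":
    for finding in audit_whitelist(SAMPLE):
        print(finding)
```

The audit covers IP whitelist groups only; a bound security group also invalidates 127.0.0.1 and is not modelled here.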
Related API operations
| API operation | Description |
|---|---|
| DescribeSecurityIps | Query the IP address whitelist of an instance. |
| ModifySecurityIps | Configure the IP address whitelist of an instance. |
| DescribeSecurityGroupConfiguration | Query the security groups configured in the whitelist of an instance. |
| ModifySecurityGroupConfiguration | Reset the security groups in the whitelist of an instance. |
FAQ
Why do I get the (error) ERR illegal address message?
The IP address of your client is not in the whitelist. Add the correct IP address and try again.
Why can't I find the security group settings for my instance?
Two possible reasons:
The major engine version is earlier than Redis 4.0 (latest minor version). Upgrade the major engine version to Redis 4.0 or later.
The instance is a cloud-native cluster instance or a cloud-native read/write splitting instance. These instance types do not support security groups.
I added access rules to a security group. Why don't they apply to my Tair instance?
The inbound and outbound rules you configure in a security group do not apply to Tair (or Redis Open-Source Edition) instances. Binding a security group to a Tair instance only means the ECS instances within that group can access the Tair instance over VPC or the internet. It does not enforce the group's traffic rules on the Tair instance itself.
What are the auto-generated whitelist groups, and can I delete them?
A new instance has only the default whitelist group. Additional groups are created automatically as you use certain features:
| Whitelist group | Source | Can I delete it? |
|---|---|---|
| default | System default. | No. |
| ali_dms_group | Created when you log on to the instance through Data Management (DMS). | Do not delete or modify. Doing so may prevent DMS login. |
| hdm_security_ips | Created when you use Database Autonomy Service (DAS) features such as offline full key analysis. | Do not delete or modify. Doing so may cause DAS features to fail. |
If a whitelist group contains 127.0.0.1, can other clients still connect?
Yes. When you add any client IP address or a security group to the whitelist, 127.0.0.1 becomes invalid automatically. Clients whose IP addresses are in the whitelist can connect normally. However, if 127.0.0.1 is the only entry across all whitelist groups, access from all IP addresses is denied.
My public IP address changes frequently. Do I have to update the whitelist every time?
No. Add the relevant CIDR block instead. For example, if your IP is always in the 10.10.10.* range, add 10.10.10.0/24 to cover all addresses from 10.10.10.0 to 10.10.10.255.
Using a broad CIDR block reduces security. Use it with caution.
After I enable internet access, why can a device outside the whitelist ping or telnet my instance?
Tair uses access authentication, not network-level blocking. A successful ping or telnet only means the network is reachable. The device still cannot log on to the instance without being in the whitelist.
Why does the Connection closed by foreign host error appear when I test a port with telnet?
Escape character is '^]'.
Connection closed by foreign host.
The IP address of the device is not in the whitelist. Add the IP address as described in this topic and retry the connection.
I removed an IP address from the whitelist, but the client can still connect. Why?
Three things to check:
Persistent connections: Whitelist changes apply only to new connections. Existing persistent connections (such as connection pools) continue until the client disconnects. Remove the IP address from the whitelist and then restart the client service.
Password-free access within a VPC: If password-free access is enabled, clients in the same VPC may bypass the whitelist. Enforce whitelist checks by setting the parameter #no_loose_check-whitelist-always to yes. For details, see Modify instance parameters.
Security group conflict: If security groups are also configured, check whether a security group still allows the IP address to access the instance.
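To tell the first cause apart from the other two, compare each connection's age with the time since the whitelist change. This added example (not Alibaba Cloud code) assumes the instance returns CLIENT LIST output in the open-source Redis format with real client addresses; the function name and sample lines are constructed.

```python
import ipaddress

# Constructed CLIENT LIST output in the open-source Redis format (fields trimmed).
SAMPLE_CLIENTS = """\
id=12 addr=10.23.12.24:51234 fd=9 name=pool-1 age=86400 idle=3 db=0 cmd=get
id=13 addr=10.23.13.7:40022 fd=10 name=batch age=7200 idle=0 db=0 cmd=set
id=14 addr=10.23.14.5:40100 fd=11 name= age=120 idle=15 db=0 cmd=ping
"""


def unlisted_clients(client_list, whitelist, seconds_since_change):
    """Return (addr, verdict) for connections whose IP the whitelist no longer covers."""
    allowed = [ipaddress.ip_network(e.strip(), strict=False)
               for e in whitelist.split(",") if e.strip()]
    results = []
    for line in client_list.splitlines():
        # Each line is space-separated key=value pairs; "age" is in seconds.
        fields = dict(f.split("=", 1) for f in line.split() if "=" in f)
        addr = fields.get("addr", "")
        try:
            ip = ipaddress.ip_address(addr.rsplit(":", 1)[0])
            age = int(fields["age"])
        except (ValueError, KeyError):
            continue  # skip lines without a parsable addr and age
        if any(ip in net for net in allowed):
            continue
        if age >= seconds_since_change:
            # Whitelist changes apply only to new connections: restart this client.
            verdict = "persistent connection opened before the change"
        else:
            # Not explained by persistence: check password-free access and security groups.
            verdict = "opened after the change"
        results.append((addr, verdict))
    return results


if __name__ == "__main__":
    # Whitelist now holds only 10.23.12.0/24; the change was made one hour ago.
    for row in unlisted_clients(SAMPLE_CLIENTS, "10.23.12.0/24", 3600):
        print(row)
```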