By default, ApsaraDB for Redis instances block access from all IP addresses to ensure the security and stability of databases. Before you use an ApsaraDB for Redis instance, you must add IP addresses or CIDR blocks that are used to access the ApsaraDB for Redis instance to a whitelist of the instance. Whitelists can be used to improve the access security of ApsaraDB for Redis instances. We recommend that you maintain whitelists on a regular basis.
Prerequisites
Preparations
Before you configure a whitelist for an ApsaraDB for Redis instance, you must obtain the IP addresses of clients based on the client installation locations.
Client installation location | Network type | How to obtain the IP address of a client |
---|---|---|
ECS instance (recommended) | VPC | See How do I query the IP addresses of ECS instances? |
On-premises device or third-party cloud | Internet | Select one of the following methods based on the operating system of the on-premises device: |
Methods of configuring a whitelist
Method | Description |
---|---|
Method 1: Manually add a whitelist | Manually add the IP address of a client to a whitelist of the ApsaraDB for Redis instance to allow the client to access the instance. |
Method 2: Add ECS security groups as whitelists | A security group is a virtual firewall that controls the inbound and outbound traffic of the ECS instances in the security group. For more information, see Overview. To authorize multiple ECS instances to access an ApsaraDB for Redis instance, you can associate the ApsaraDB for Redis instance with the security group of these ECS instances. This method is more convenient than manually adding the IP addresses of each ECS instance to an instance whitelist. Note: The engine version of the ApsaraDB for Redis instance must be Redis 4.0 or later. For more information about how to upgrade the engine version, see Upgrade the major version. |
Method 1: Manually add a whitelist
Method 2: Add ECS security groups as whitelists
You can add ECS security groups as whitelists for the ApsaraDB for Redis instance. Then, the ECS instances in the security groups can access the ApsaraDB for Redis instance over an internal network or the Internet. The ApsaraDB for Redis instance must have a public endpoint if you want to access the instance over the Internet. For more information, see Use a public endpoint to connect to an ApsaraDB for Redis instance.
- Before you add a security group as a whitelist, make sure that the network types of the ApsaraDB for Redis instance and the ECS instances in the security group are the same. If the network types of the ApsaraDB for Redis instance and ECS instances are VPC, make sure that they are deployed in the same VPC.
- You cannot add ECS security groups as whitelists for ApsaraDB for Redis instances deployed in the following regions: China (Heyuan), China (Guangzhou), China (Nanjing), and China (Ulanqab).
References
Related API operations
API | Description |
---|---|
DescribeSecurityIps | Queries the IP address whitelists of an ApsaraDB for Redis instance. |
ModifySecurityIps | Modifies the IP address whitelists of an ApsaraDB for Redis instance. |
DescribeSecurityGroupConfiguration | Queries the security groups that are added as whitelists to an ApsaraDB for Redis instance. |
ModifySecurityGroupConfiguration | Modifies the security groups that are added as whitelists to an ApsaraDB for Redis instance. |
FAQ
- Q: Why are whitelists automatically created for an ApsaraDB for Redis instance? Can I delete these whitelists?
  A: After you create an ApsaraDB for Redis instance, a default whitelist is automatically created. After you perform specific operations on the instance, more whitelists are automatically created, as described in the following table.
  Whitelist name | Source |
  ---|---|
  default | The default whitelist. It cannot be deleted. |
  ali_dms_group | Automatically created by Data Management (DMS) when you log on to an ApsaraDB for Redis instance from DMS. For more information, see Log on to an ApsaraDB for Redis instance by using DMS. Do not delete or modify this whitelist. Otherwise, you may be unable to log on to the ApsaraDB for Redis instance from DMS. |
  hdm_security_ips | Automatically created by Database Autonomy Service (DAS) when you use CloudDBA-related features such as cache analysis. For more information, see Offline key analysis. Do not delete or modify this whitelist. Otherwise, the CloudDBA-related features may become unavailable. |
- Q: A whitelist contains IP address 127.0.0.1 in addition to client IP addresses. In this case, can these clients connect to the ApsaraDB for Redis instance?
  A: Yes, these clients can connect to the ApsaraDB for Redis instance. If 127.0.0.1 is the only entry in the whitelist, no IP address is allowed to connect to the ApsaraDB for Redis instance.
- Q: Why does the `(error) ERR illegal address` message appear after I use the redis-cli tool to connect to an ApsaraDB for Redis instance?
  A: The IP address of the client on which you run redis-cli is not added to a whitelist of the ApsaraDB for Redis instance. Check the whitelists of the ApsaraDB for Redis instance and add the client IP address.
- Q: If the IP address of my client is not added to a whitelist of an ApsaraDB for Redis instance, can I check port connectivity by running the telnet command?
  A: Yes, you can run the telnet command to check port connectivity. The following output is returned after you run the telnet command:
  Escape character is '^]'.
  Connection closed by foreign host.
  The TCP connection is established, which shows that the port is reachable, and is then closed by the instance because the client IP address is not in a whitelist.
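The recommendation above to maintain whitelists on a regular basis, and the FAQ point that a whitelist holding only 127.0.0.1 admits no client, can both be turned into a check that runs before a whitelist is pushed through ModifySecurityIps. The following is an added example, not Alibaba Cloud's tooling or code from this page. It assumes the whitelist is held as a mapping from group name to a comma-separated string of IP addresses or CIDR blocks (the shape this example takes DescribeSecurityIps to return; treat that as an assumption), the `SAMPLE_GROUPS` data is constructed, and the severity thresholds in `audit` are this example's own choices.

```python
"""Audit an ApsaraDB for Redis whitelist before applying it.

Added example; not Alibaba Cloud's own tooling. It assumes the whitelist is
held in the shape this example takes DescribeSecurityIps to return (group
name -> comma-separated IP addresses or CIDR blocks). SAMPLE_GROUPS is
constructed, not captured from a real instance.
"""
import ipaddress
from dataclasses import dataclass

LOOPBACK = ipaddress.ip_network("127.0.0.1/32")

# Constructed sample: the default entry is still present, an application
# group lists real clients, and a "temporary" group was opened to every IP.
SAMPLE_GROUPS = {
    "default": "127.0.0.1",
    "app_servers": "10.0.1.0/24,10.0.2.15",
    "temporary": "0.0.0.0/0",
}


@dataclass
class Finding:
    group: str
    entry: str
    severity: str  # "info", "medium" or "high"
    message: str


def parse_group(name, ip_list):
    """Parse a comma-separated whitelist string into ip_network objects.

    Raises ValueError on a malformed entry so a typo never reaches
    ModifySecurityIps silently.
    """
    networks = []
    for raw in (s.strip() for s in ip_list.split(",")):
        if not raw:
            continue
        try:
            networks.append(ipaddress.ip_network(raw, strict=False))
        except ValueError as exc:
            raise ValueError(f"group {name!r}: invalid entry {raw!r}") from exc
    return networks


def audit(groups, max_prefix_gap=8):
    """Flag entries that are ineffective or too broad.

    max_prefix_gap is the largest (max_prefixlen - prefixlen) tolerated
    without a finding; 8 admits an IPv4 /24 but flags anything wider.
    """
    findings = []
    for name, ip_list in groups.items():
        networks = parse_group(name, ip_list)
        # A group that contains only 127.0.0.1 admits no client at all.
        if networks and all(n == LOOPBACK for n in networks):
            findings.append(Finding(name, ip_list, "info",
                                    "contains only 127.0.0.1, so it allows no client"))
            continue
        for n in networks:
            if n.prefixlen == 0:
                findings.append(Finding(name, str(n), "high",
                                        "opens the instance to every IP address"))
            elif n.max_prefixlen - n.prefixlen > max_prefix_gap:
                findings.append(Finding(name, str(n), "medium",
                                        f"broad block covering {n.num_addresses} addresses"))
    return findings


def is_allowed(groups, client_ip):
    """True if client_ip falls inside any whitelist entry.

    127.0.0.1 is skipped on purpose: a managed instance is never reached
    from its own loopback, so that entry admits nobody.
    """
    ip = ipaddress.ip_address(client_ip)
    for name, ip_list in groups.items():
        for n in parse_group(name, ip_list):
            if n != LOOPBACK and ip in n:
                return True
    return False


def to_security_ips(networks):
    """Render networks as the comma-separated string ModifySecurityIps takes.

    Single hosts are written without a /32 suffix; duplicates are dropped.
    """
    seen = []
    for n in networks:
        text = str(n.network_address) if n.prefixlen == n.max_prefixlen else str(n)
        if text not in seen:
            seen.append(text)
    return ",".join(seen)


if __name__ == "__main__":
    for f in audit(SAMPLE_GROUPS):
        print(f"[{f.severity}] {f.group}: {f.entry}: {f.message}")
    print("10.0.1.7 allowed:", is_allowed(SAMPLE_GROUPS, "10.0.1.7"))
```

Run it as a pre-flight step in whatever pipeline calls ModifySecurityIps: a "high" finding should block the change, and `is_allowed` answers the FAQ question of whether a given client would get through before anyone sees `ERR illegal address` in redis-cli.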