Why are clients still able to access an instance even when an instance whitelist does not include the client IP addresses? -

The clients are able to access the instance because the #no_loose_check-whitelist-always parameter of the instance is set to no and the instance has password-free access over a virtual private cloud (VPC) enabled.

By default, the #no_loose_check-whitelist-always parameter of an instance is set to no. This way, after password-free access over a VPC is enabled for the instance, clients within the same VPC can directly connect to the instance without adding their IP addresses to an instance whitelist. For more information about password-free access, see Enable password-free access.

If you do not want to allow clients to access an instance when their IP addresses are not included in an instance whitelist, set the #no_loose_check-whitelist-always parameter to yes on the Parameter Settings page. For more information, see Modify parameters of an instance.