When an ApsaraMQ for Kafka instance is accessible over the Internet or shared across multiple vSwitches, you may need to control which clients can connect. Whitelists restrict access to specific IP addresses and CIDR blocks per endpoint. After you configure a whitelist, only the listed addresses can connect through that endpoint.
How whitelists work
Each ApsaraMQ for Kafka endpoint has its own whitelist. The default whitelist depends on the network type of your instance:
| Network type | Default whitelist | Default access behavior |
|---|---|---|
| Internet and VPC | 0.0.0.0/0 | All IP addresses can connect through the SSL endpoint. Configure a whitelist to restrict access to specific addresses. |
| VPC only | vSwitch CIDR block | Only devices in the same vSwitch CIDR block can connect through the default endpoint. Set the whitelist to 0.0.0.0/0 to allow connections from the entire VPC. |
If you remove the last entry from a whitelist, all access through the ports in that entry is blocked.
Limits
| Item | Limit |
|---|---|
| Maximum entries per whitelist | 200 |
| Entry format | IP addresses or CIDR blocks, separated by commas (,) |
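As an added example (not code from the ApsaraMQ for Kafka documentation or its SDK), the following Python checks a proposed entry string against the format and 200-entry limit above, and evaluates whether a given client address would be admitted, including the empty-whitelist case where all access is blocked. The addresses and CIDR blocks used are constructed sample values.

```python
import ipaddress

MAX_ENTRIES = 200  # per-whitelist limit stated in the table above


def split_entries(entries: str) -> list:
    """Split the comma-separated entry format into individual items."""
    return [item.strip() for item in entries.split(",") if item.strip()]


def check_whitelist(entries: str) -> list:
    """Pre-flight check of an entry string: returns a list of problems, empty if OK."""
    problems = []
    items = split_entries(entries)
    if len(items) > MAX_ENTRIES:
        problems.append(f"{len(items)} entries exceeds the limit of {MAX_ENTRIES}")
    for item in items:
        try:
            # strict=False accepts host bits set, e.g. 10.0.1.5/24 -> 10.0.1.0/24
            ipaddress.ip_network(item, strict=False)
        except ValueError:
            problems.append(f"invalid IP address or CIDR block: {item!r}")
    return problems


def parse_whitelist(entries: str) -> list:
    """Parse a valid entry string into network objects; raises ValueError otherwise."""
    problems = check_whitelist(entries)
    if problems:
        raise ValueError("; ".join(problems))
    return [ipaddress.ip_network(item, strict=False) for item in split_entries(entries)]


def is_allowed(client_ip: str, networks: list) -> bool:
    """True if the client falls inside any listed block.
    An empty whitelist admits nobody, matching the behaviour when the last entry is removed."""
    if not networks:
        return False
    addr = ipaddress.ip_address(client_ip)
    # Membership test is False across IP versions, so an IPv6 client never matches an IPv4 block.
    return any(addr in net for net in networks)


def clients_cut_off(old_entries: str, new_entries: str, client_ips: list) -> list:
    """Report which known clients would lose access if the whitelist changed from old to new.
    Use this before narrowing a default 0.0.0.0/0 whitelist on an Internet-facing endpoint."""
    old_nets, new_nets = parse_whitelist(old_entries), parse_whitelist(new_entries)
    return [ip for ip in client_ips if is_allowed(ip, old_nets) and not is_allowed(ip, new_nets)]
```

Run `clients_cut_off` with your known producer and consumer addresses before saving a narrowed whitelist so that a typo in a CIDR block does not silently disconnect a client.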
Security group behavior
The whitelist feature is implemented based on security groups:
If you specify a security group during instance deployment, all instances that use that security group share the same whitelist. A change to one instance's whitelist affects all instances in that group.
If you do not specify a security group, the system creates a dedicated security group. The whitelist applies only to that instance.
To avoid unintended changes across multiple instances, do not specify a security group during deployment.
Prerequisites
An ApsaraMQ for Kafka instance is purchased, deployed, and in the Running state.
Add IP addresses or CIDR blocks to a whitelist
Log on to the ApsaraMQ for Kafka console.
In the Resource Distribution section of the Overview page, select the region where your instance resides.
On the Instances page, click the name of the instance.
In the Endpoint Information section of the Instance Details page, find the target endpoint and click Manage Whitelist in the Actions column.
On the Whitelist Management page, click Create Whitelist.
Configure Name and IP Addresses, and then click OK.
Remove an IP address or CIDR block from a whitelist
In the left-side navigation pane of the Instance Details page, click Whitelist Management.
Find the target whitelist and click Modify in the Actions column.
In the Modify Whitelist panel, find the entry to remove, click Delete, and then click Modify at the bottom of the panel.
Related operations
To configure a whitelist programmatically, call the UpdateAllowedIp API operation.
To connect devices across different VPCs, use Express Connect, VPN Gateway, or Cloud Enterprise Network (CEN). For details, see Select a private network service.