This topic describes how to switch the network isolation mode of an ApsaraDB RDS for MySQL instance from the standard whitelist mode to the enhanced whitelist mode. An enhanced IP address whitelist can contain IP addresses from only one network type: either the classic network or virtual private clouds (VPCs).

Prerequisites

Your RDS instance is equipped with local SSDs.
Note: The enhanced whitelist mode is no longer supported by new RDS instances. New RDS instances support only the standard whitelist mode.

Background information

RDS instances support the following two network isolation modes:

  • Standard whitelist mode

    A standard IP address whitelist can contain IP addresses from both the classic network and VPCs.

  • Enhanced whitelist mode

    An enhanced IP address whitelist can contain IP addresses from only one network type: either the classic network or VPCs. When you create an enhanced IP address whitelist, you must specify its network type.

Changes incurred

  • If your RDS instance resides in a VPC, an IP address whitelist of the VPC network type is automatically created. The new IP address whitelist contains all IP addresses that are replicated from the original IP address whitelists.
  • If your RDS instance resides in the classic network, an IP address whitelist of the classic network type is automatically created. The new IP address whitelist contains all IP addresses that are replicated from the original IP address whitelists.
  • If your RDS instance runs in hybrid access mode, two identical IP address whitelists are created: an IP address whitelist of the VPC network type and an IP address whitelist of the classic network type. Both the new IP address whitelists contain all IP addresses that are replicated from the original IP address whitelists. For more information, see Configure the hybrid access solution for an ApsaraDB RDS for MySQL instance.
Note: After you switch the network isolation mode of your RDS instance to the enhanced whitelist mode, the Elastic Compute Service (ECS) instance groups that you configured remain unchanged. For more information, see Configure an IP address whitelist for an ApsaraDB RDS for MySQL instance.

Precautions

  • After you switch the network isolation mode of your RDS instance to the enhanced whitelist mode, you cannot roll the instance back to the standard whitelist mode.
  • In enhanced whitelist mode, an IP address whitelist of the classic network type can also be used to allow access over the Internet. If you want to access your RDS instance from an on-premises host over the Internet, you must add the public IP address of the host to an IP address whitelist of the classic network type.

Procedure

  1. Go to the RDS instance list, select a region at the top of the page, and click the ID of the target instance.
  2. In the left-side navigation pane, click Data Security.
  3. On the Whitelist Settings tab, click Switch to Enhanced Whitelist (Recommended).
  4. In the dialog box that appears, click Confirm.

FAQ

  • My RDS instance runs in enhanced whitelist mode. If I want to access my RDS instance from an on-premises host over the Internet, how do I identify the IP address whitelist to which I need to add the public IP address of the host?

    If you want to access your RDS instance from an on-premises host over the Internet, you must add the public IP address of the host to an IP address whitelist of the classic network type.

  • What are the benefits of the enhanced whitelist mode compared with the standard whitelist mode?

    The enhanced whitelist mode allows you to distinguish between IP addresses from the classic network and IP addresses from VPCs. If you add an IP address to an IP address whitelist of the VPC network type, the IP address is granted access to your RDS instance only within the specified VPC. However, the IP address is not granted access to your RDS instance over the Internet. This increases the security of your RDS instance.
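
Because the switch cannot be rolled back, it helps to check beforehand which whitelist entries change meaning. The following Python sketch is an added example, not ApsaraDB RDS code: it models the replication rules under "Changes incurred" and the access rules in the FAQ, then lists public entries that would end up only in a VPC-type whitelist. All function names, the network labels, the sample addresses and the "outside RFC 1918 means Internet source" rule are assumptions made for illustration.

```python
import ipaddress

# Whitelist types the switch creates for each instance network, per the
# "Changes incurred" list. The keys and type labels are hypothetical names.
CREATED_TYPES = {"vpc": ["VPC"], "classic": ["Classic"], "hybrid": ["VPC", "Classic"]}
# Assumption: entries outside RFC 1918 space are treated as Internet sources.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def plan_switch(instance_network, standard_whitelists):
    """Return {whitelist_type: entries} as created by the switch.

    Every entry of every original whitelist is replicated into each new one.
    """
    entries = sorted({e for ips in standard_whitelists.values() for e in ips})
    return {wl_type: list(entries) for wl_type in CREATED_TYPES[instance_network]}


def allowed(enhanced, source_ip, path):
    """Decide access in enhanced mode; path is 'vpc', 'classic' or 'internet'.

    VPC traffic is matched against the VPC-type whitelist only; classic-network
    and Internet traffic are matched against the Classic-type whitelist only.
    """
    wl_type = "VPC" if path == "vpc" else "Classic"
    addr = ipaddress.ip_address(source_ip)
    return any(addr in ipaddress.ip_network(e, strict=False)
               for e in enhanced.get(wl_type, []))


def is_public(entry):
    """True if the entry is not fully inside an RFC 1918 range."""
    net = ipaddress.ip_network(entry, strict=False)
    return not any(net.network_address in p and net.broadcast_address in p
                   for p in RFC1918)


def internet_entries_to_review(instance_network, standard_whitelists):
    """Public entries that end up in no Classic-type whitelist after the switch."""
    enhanced = plan_switch(instance_network, standard_whitelists)
    if "Classic" in enhanced:
        return []
    return [e for e in enhanced["VPC"] if is_public(e)]


# Constructed sample data (203.0.113.10 is a documentation address).
SAMPLE = {"default": ["10.0.1.0/24", "203.0.113.10"], "app": ["192.168.5.20"]}

if __name__ == "__main__":
    print(plan_switch("vpc", SAMPLE))
    print(internet_entries_to_review("vpc", SAMPLE))
```

Entries returned by `internet_entries_to_review` are the ones to compare against the precaution about on-premises hosts before you confirm the switch.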