
ApsaraDB for MongoDB: Configure a whitelist

Last Updated: Jun 05, 2025

To ensure the security and stability of databases, no devices can access ApsaraDB for MongoDB instances by default: the default whitelist of an instance contains only the IP address 127.0.0.1. Before you use an ApsaraDB for MongoDB instance, you must configure a whitelist to allow access from external devices. Proper whitelist configurations enhance the access security of ApsaraDB for MongoDB instances. We recommend that you maintain your whitelists regularly.

Prerequisites

  • You have created an instance by following the steps in Getting Started.

  • The instance status is Running.

Procedure

The following steps describe how to modify the default whitelist group of an instance. For more information about how to create another whitelist group or configure a security group, see Configure an IP address whitelist or an ECS security group for an instance.

  1. Go to the Replica Set Instances or Sharded Cluster Instances page. In the top navigation bar, select the resource group and region to which the desired instance belongs. Then, find the instance and click the instance ID.

  2. In the left-side navigation pane of the instance details page, choose Data Security > Whitelist Settings.

  3. In the Whitelist Settings section, select one of the following methods to modify the whitelist for the instance:

    Manually modify a whitelist

    1. Find the whitelist that you want to manage and click Modify in the Actions column.

    2. In the IP Whitelist field of the Manually Modify panel, enter an IP address or a CIDR block.

      • An IP address or a CIDR block can be specified in one of the following formats:

        • A single IP address. Example: 10.23.12.24.

        • 0.0.0.0/0

          Warning

          If you specify only 0.0.0.0/0 in a whitelist, the instance can be accessed by all IP addresses. This exposes instance databases to high security risks. Exercise caution when you specify only this IP address in a whitelist.

        • A CIDR block. For more information about CIDR blocks, see FAQ. Example: 10.23.12.24/24. 24 indicates that the prefix of the CIDR block is 24 bits in length. You can replace 24 with a value within the range of 1 to 32.

      • Separate multiple IP addresses with commas (,).

    3. Click OK.

    Load the internal IP addresses of ECS instances

    1. Find the whitelist that you want to manage and click Add Internal IP Addresses of ECS Instances in the Actions column.

    2. In IP Whitelist of the Import ECS Intranet IP panel, select the ECS internal IP address to be added.

    3. Click Add.

    4. Click OK.
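
The following Python check is an added example, not part of the original documentation or of any Alibaba Cloud tool. It audits a value intended for the IP Whitelist field against the formats listed in step 2 of "Manually modify a whitelist" before you save it. The function name audit_whitelist, the /16 threshold for reporting a range as broad, and the sample value are assumptions made for this example.

```python
import ipaddress

BROAD_PREFIX = 16  # assumption, not from the page: report prefixes shorter than /16


def audit_whitelist(value):
    """Audit a comma-separated IP Whitelist value before it is saved.

    Returns (normalized, findings): each accepted entry in canonical form, and
    (entry, issue) tuples for everything a reviewer should look at.
    """
    parsed, findings = [], []
    for item in (part.strip() for part in value.split(",")):
        addr, slash, prefix = item.partition("/")
        if slash and not prefix.isdigit():
            findings.append((item, "prefix is not a bit count"))
            continue
        try:
            # strict=False: the page's own example, 10.23.12.24/24, has host bits set
            net = ipaddress.IPv4Network(item, strict=False)
        except ValueError:
            findings.append((item, "not an IPv4 address or CIDR block"))
            continue
        if net.prefixlen == 0:
            findings.append((item, "open to all IP addresses"))
        elif net.prefixlen < BROAD_PREFIX:
            findings.append((item, f"broad range: {net.num_addresses} addresses"))
        elif slash and str(net.network_address) != addr:
            findings.append((item, f"host bits set: matches all of {net}"))
        parsed.append((item, net))
    # An entry inside another entry adds nothing and hides what is really allowed.
    for item, net in parsed:
        cover = next((o for _, o in parsed if o != net and net.subnet_of(o)), None)
        if cover is not None:
            findings.append((item, f"redundant: covered by {cover}"))
    normalized = [str(n.network_address) if n.prefixlen == 32 else str(n)
                  for _, n in parsed]
    return normalized, findings


if __name__ == "__main__":
    # Constructed sample value, not taken from a real instance.
    sample = "10.23.12.24, 10.23.12.24/24, 172.16.0.0/12, 192.168.1.300, 10.0.0.0/255.0.0.0"
    entries, issues = audit_whitelist(sample)
    print("entries:", ",".join(entries))
    for entry, issue in issues:
        print(f"{entry:>20}  {issue}")
```

An entry such as 10.23.12.24/24 is reported because it allows the whole 10.23.12.0/24 block, not only the host 10.23.12.24.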

Next steps

Connect to the instance

FAQ

What IP addresses must I add to a whitelist before connecting to my instance?

You can determine which IP addresses to add based on your network environment and connection method:

  • Connect to your instance from your local client (connection over a public network)

    You must first obtain the public IP address of your local client and add this IP address to an instance whitelist.

  • Connect to your ApsaraDB for MongoDB instance from your ECS client

    • If your ECS instance and ApsaraDB for MongoDB instance are in the same VPC: You can connect to your ApsaraDB for MongoDB instance over a private network. To add the private IP address of your ECS instance to a whitelist of your ApsaraDB for MongoDB instance, you can directly select Import ECS Internal IP.

    • If the ECS instance and ApsaraDB for MongoDB instance are not in the same VPC: You can connect to your ApsaraDB for MongoDB instance over a public network. You can view the public IP address of the ECS instance in the ECS console and add this public IP address to a whitelist of your ApsaraDB for MongoDB instance.

  • Connect to your ApsaraDB for MongoDB instance through DMS

    By default, when you connect to your ApsaraDB for MongoDB instance through DMS, the instance automatically adds the IP address of DMS to an instance whitelist. This way, manual configuration is not required. If the instance does not automatically add the IP address of DMS to the whitelist, you can manually add DMS IP addresses and CIDR blocks.