PolarDB: Security capabilities

Last Updated: Mar 28, 2026

PolarDB for MySQL protects your data across five layers: access control, data transmission encryption, data encryption at rest, data masking, and security audit. Each layer addresses a distinct attack surface — from who can reach the cluster, to how data is stored and observed.

Access control

PolarDB for MySQL uses IP whitelists and security groups to restrict cluster access. Only IP addresses or Elastic Compute Service (ECS) instances that you explicitly allow can connect to the cluster.

IP whitelists

An IP whitelist specifies the IP addresses or CIDR blocks allowed to connect to a cluster. We recommend that you update the IP whitelist on a regular basis.

| Scenario | Action |
| --- | --- |
| ECS instance in the same region as the cluster | Add the private IP address of the ECS instance. Find it in the Configuration Information section on the Instance Details page. |
| ECS instance in a different region | Add the public IP address of the ECS instance, or migrate the instance to the cluster's region and use its private IP address. |
| On-premises servers or other cloud instances | Add the relevant IP addresses to the whitelist. |

For setup instructions, see Configure an IP whitelist.
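
A periodic review of whitelist entries can be scripted. The following is an added example, not part of the original page or of Alibaba Cloud's tooling: it flags malformed entries, an allow-all block, blocks wider than an assumed /24 threshold, addresses outside the RFC 1918 private ranges, and entries already covered by a broader one. The sample entries, the threshold, the function name `review_whitelist`, and the IPv4-only scope are assumptions for illustration.

```python
import ipaddress

# RFC 1918 ranges; assumes ECS private IPs are drawn from these VPC ranges.
RFC1918 = [ipaddress.IPv4Network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample whitelist (illustrative, not from a real cluster).
SAMPLE_WHITELIST = [
    "192.168.10.15",    # private IP of a same-region ECS instance
    "192.168.10.0/24",  # block that already covers the entry above
    "203.0.113.7",      # non-private address (other region or on-premises)
    "10.0.0.0/8",       # very wide private block
    "0.0.0.0/0",        # matches every IPv4 address
    "172.16.5.300",     # malformed entry
]


def review_whitelist(entries, min_prefix=24):
    """Return (entry, finding) pairs for IPv4 whitelist entries needing review."""
    findings, parsed = [], []
    for raw in entries:
        try:
            net = ipaddress.IPv4Network(raw.strip(), strict=False)
        except ValueError:
            findings.append((raw, "invalid"))
            continue
        parsed.append((raw, net))
        if net.prefixlen == 0:
            findings.append((raw, "open-to-all"))
            continue
        if net.prefixlen < min_prefix:
            findings.append((raw, "wide-block"))
        if not any(net.subnet_of(r) for r in RFC1918):
            findings.append((raw, "public-address"))
    # Entries fully contained in another, broader entry are redundant.
    for raw, net in parsed:
        for other_raw, other in parsed:
            if 0 < other.prefixlen < net.prefixlen and net.subnet_of(other):
                findings.append((raw, f"covered-by {other_raw}"))
                break
    return findings


if __name__ == "__main__":
    for entry, finding in review_whitelist(SAMPLE_WHITELIST):
        print(f"{entry:18} {finding}")
```

A "public-address" finding is not necessarily a problem, since the table above calls for public IP addresses in the cross-region case; it marks entries whose owner should be confirmed during each review.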

Security groups

A security group grants all ECS instances it contains access to a cluster. Associate the ECS instances with a security group, then add that security group to the cluster's whitelist.

For setup instructions, see Configure a security group.

Data transmission encryption

PolarDB for MySQL supports SSL encryption to protect data in transit. SSL encrypts network connections at the transport layer, protecting the confidentiality and integrity of transmitted data.

To enable SSL encryption, install SSL certificates issued by a certificate authority (CA) on applications that require encrypted connections. For instructions, see Configure SSL encryption.

Data encryption at rest

PolarDB for MySQL uses Transparent Data Encryption (TDE) to encrypt and decrypt data files in real time. Data is encrypted before being written to disk and decrypted when read from disk into memory.

For instructions, see Configure TDE for a PolarDB for MySQL cluster.

Data masking

PolarDB for MySQL provides dynamic data masking to protect sensitive data when shared with third parties for reporting, analysis, or development and testing.

PolarProxy intercepts query results and masks sensitive fields before returning data to the application. To enable masking, specify the database account, database name, and the table or column to protect.

For instructions, see Dynamic data masking.

Security audit

SQL Explorer and Audit collects and analyzes raw SQL logs to detect security risks and performance issues in your database.