PolarDB for MySQL protects data through multiple security layers: network access control (IP whitelists), transport encryption (SSL), data-at-rest encryption (TDE), and query-level firewalls.
IP whitelists
How do I restrict access to a specific node in a cluster?
Use a custom cluster endpoint. Connections through this endpoint reach only the specified node.
How many IP addresses can I add to IP whitelists?
Up to 1,000 IP addresses or CIDR blocks across all IP whitelists. Security groups do not have this limit.
Why can't my ECS instance connect to the cluster?
Check these items in order:
Region. The ECS instance and the PolarDB for MySQL cluster must be in the same region.
IP whitelist entry type. If connecting through the internal endpoint, add the private IP address of the Elastic Compute Service (ECS) instance. If connecting through the public endpoint, add the public IP address. For more information, see Configure an IP whitelist.
Network type. The ECS instance and the PolarDB for MySQL cluster must use the same network type. If the ECS instance runs in a classic network, migrate it to the virtual private cloud (VPC) where the PolarDB cluster is deployed. For more information, see Overview of migration solutions.
Note: Migrating the ECS instance to a VPC disconnects it from classic network resources. To maintain connectivity to both networks, use the ClassicLink feature instead.
VPC match. The ECS instance and PolarDB cluster must be in the same VPC. If they are in different VPCs, either create a new PolarDB cluster in the same VPC as the ECS instance or connect the two VPCs through Cloud Enterprise Network (CEN).
Why can't I connect to the public endpoint?
Two common causes:
Wrong IP type in the whitelist. Add the public IP address of the ECS instance, not the private IP address.
Incorrect endpoint. Temporarily set the whitelist to 0.0.0.0/0 and retry. If the connection now succeeds, the whitelist entry was the problem, not the endpoint. If it still fails, the endpoint is likely wrong: verify the public endpoint under Manage the endpoints of a cluster. Remove the 0.0.0.0/0 entry as soon as the test is finished.
How do I restrict a database account to a specific IP address?
Create a privileged account and use it to create standard accounts whose host part (the host in the user@host pair) names the permitted address or range. MySQL matches an account on both the user name and the client's source host, so the same user name arriving from another address is a different account and is refused unless an entry for that host exists. This account-level restriction applies in addition to the cluster IP whitelist, not instead of it.
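The following is an added example and is not from the PolarDB documentation: it creates an account bound to a source network with standard MySQL user@host syntax, grants it only the privileges it needs, and then shows how `user()` and `current_user()` reveal which address the cluster actually saw and which account entry matched. The account name, password, schema name and the 198.51.100.0/24 range are assumptions.

```sql
-- Added example, not PolarDB's own code. Run as the cluster's privileged account.
-- Account name, password, schema and the 198.51.100.0/24 range are assumptions.

-- Only clients whose source address is in 198.51.100.0/24 can authenticate as
-- this account. MySQL host patterns accept '%' wildcards or the netmask form
-- '198.51.100.0/255.255.255.0'; CIDR prefix notation (/24) is NOT valid here.
CREATE USER 'app_rw'@'198.51.100.%' IDENTIFIED BY 'use-a-long-random-password';
GRANT SELECT, INSERT, UPDATE, DELETE ON appdb.* TO 'app_rw'@'198.51.100.%';

-- A catch-all entry for the same user name would let the same credentials work
-- from anywhere; make sure none exists.
DROP USER IF EXISTS 'app_rw'@'%';

-- Confirm the privileges are scoped to appdb and to the restricted host.
SHOW GRANTS FOR 'app_rw'@'198.51.100.%';

-- From the client under test (whitelist temporarily 0.0.0.0/0), connect as app_rw:
--   user()         -> 'app_rw@198.51.100.23'   the address the cluster observed
--   current_user() -> 'app_rw@198.51.100.%'    the account entry that matched
-- If user() shows an address outside the expected range (NAT egress, a second
-- egress IP), that is the address to add to the cluster IP whitelist.
SELECT user(), current_user();

-- A client outside the range is rejected before any query runs; the error
-- itself names the host MySQL saw:
--   ERROR 1045 (28000): Access denied for user 'app_rw'@'203.0.113.9' (using password: YES)
```

When several account entries could match a client, MySQL picks the most specific host pattern, so a leftover `'app_rw'@'%'` entry silently widens access even if a narrower entry exists. Check with `SELECT user, host FROM mysql.user WHERE user = 'app_rw';` if your cluster permits reading that table.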

Why can't I access the database after configuring an IP whitelist?
First, check the entry itself. If you intended to allow access from any address (for testing only), the entry must be 0.0.0.0/0. The entry 0.0.0.0 denotes a single address and does not allow all sources.
If a whitelist is already configured but access still fails:
Check the format. A single IP address does not need a prefix length: enter `1.1.1.1`, not `1.1.1.1/2` (a short prefix such as /2 covers a far larger range than the one address you meant). A CIDR block must follow the `x.x.x.x/x` format.
Check for multiple egress IPs. Refresh your public IP lookup several times. If the egress IP changes, add all of the public IP addresses to the whitelist.
Find your actual IP. Temporarily set the whitelist to 0.0.0.0/0, connect, and run `SELECT user(), current_user();`. The host part of the value returned by `user()` is the address the cluster saw. Add that address to the whitelist, then remove the 0.0.0.0/0 entry.
What should I do if my database is attacked?
Check whether the whitelist is set to 0.0.0.0/0. This setting allows connections from any IP address and is a common cause of unauthorized access. Replace it with the specific IP addresses or CIDR blocks that need access. Because any account reachable while the whitelist was open may have been guessed or brute-forced, also reset the passwords of those accounts.
Secure Sockets Layer (SSL) encryption
What is SSL encryption?
SSL encrypts connections at the transport layer between clients and the database, protecting the confidentiality and integrity of data in transit. To use SSL, enable SSL encryption for the cluster and install the SSL certificate issued by a certificate authority (CA) in your application. Configure the client to verify the server certificate against that CA (for the mysql command-line client, --ssl-mode=VERIFY_CA or VERIFY_IDENTITY); the client default PREFERRED encrypts when the server offers it but does not verify the certificate and falls back to plaintext when it does not.
SSL encryption increases network round-trip time. Evaluate the performance impact for latency-sensitive applications.
For more information, see Configure SSL encryption.
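The following is an added example, not part of the PolarDB documentation: it shows how to confirm from inside a session that the connection is actually encrypted, and how to make an account refuse plaintext logins. The statements are standard MySQL; the account name is an assumption, and whether every variable is exposed on your cluster version is also an assumption.

```sql
-- Added example, not PolarDB's own code. Standard MySQL statements; the account
-- name 'app_rw'@'198.51.100.%' is assumed to exist.

-- Cluster side: is TLS available, and is it enforced for every connection?
SHOW GLOBAL VARIABLES LIKE 'have_ssl';                  -- YES once SSL is enabled
SHOW GLOBAL VARIABLES LIKE 'require_secure_transport';  -- ON = plaintext refused

-- Session side: an empty Ssl_cipher means THIS connection is plaintext even if
-- SSL is enabled on the cluster (typical of a client left at ssl-mode=PREFERRED
-- that connected before SSL was enabled, or that ignores the CA certificate).
SHOW SESSION STATUS LIKE 'Ssl_cipher';   -- e.g. TLS_AES_256_GCM_SHA384
SHOW SESSION STATUS LIKE 'Ssl_version';  -- e.g. TLSv1.3

-- Per-account enforcement: this account can no longer log in without TLS,
-- whatever the client's ssl-mode setting is.
ALTER USER 'app_rw'@'198.51.100.%' REQUIRE SSL;

-- Verify: the output now contains REQUIRE SSL.
SHOW CREATE USER 'app_rw'@'198.51.100.%';

-- Revert if a legacy client must connect in plaintext (not recommended):
-- ALTER USER 'app_rw'@'198.51.100.%' REQUIRE NONE;
```

`REQUIRE SSL` forces encryption but does not make the client verify the server certificate; certificate verification is a client-side setting and must be configured in the application as described above.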
What happens if my SSL certificate expires?
The cluster continues to run and data security is not affected. However, applications that use encrypted connections are disconnected until you renew the certificate.
Transparent Data Encryption (TDE)
What is TDE?
TDE performs real-time I/O encryption and decryption on data files. Data is encrypted before it is written to disk and decrypted when it is read into memory. PolarDB for MySQL uses the Advanced Encryption Standard (AES) algorithm with a 256-bit key length. Keys are generated and managed by Key Management Service (KMS) -- PolarDB does not provide keys or certificates.
For more information, see Configure TDE for a PolarDB cluster.
What is the difference between TDE and SSL?
| Feature | TDE | SSL |
|---|---|---|
| Protects | Data at rest (files stored on disk) | Data in transit (connections between clients and the database) |
| When to enable | Protect stored data from unauthorized physical access | Protect network traffic between clients and the cluster |
Can I still use database tools like Navicat after enabling TDE?
Yes. TDE is transparent to applications. Database tools, drivers, and client applications work without modification.
Why is data displayed in plaintext after TDE is enabled?
TDE encrypts data on disk, not in memory. When a query reads encrypted data from disk, TDE decrypts it and loads it into memory. Query results are returned in plaintext to any client that has authenticated and holds the required privileges. The data remains encrypted at rest on the storage media. TDE therefore protects against someone reading the raw data files or storage volumes; it does not replace account privileges, IP whitelists, or SSL.
Do I need to encrypt existing tables after enabling TDE?
It depends. When TDE is enabled on an empty cluster, all newly created tables are automatically encrypted. For existing tables, run DDL statements to encrypt or decrypt them. The specific DDL syntax varies by MySQL version. For details, see Configure TDE for a PolarDB cluster.
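The following is an added example and is not from the PolarDB documentation: it encrypts an existing table, creates a new one with explicit encryption, and queries information_schema to list tables that are still unencrypted. It uses the MySQL 8.0 table-level syntax; the documentation notes that the DDL differs by version, so confirm the statement for your cluster version before running it. The schema and table names are assumptions.

```sql
-- Added example, not PolarDB's own code. MySQL 8.0 syntax; the PolarDB doc says
-- the DDL varies by version, so check Configure TDE for your version first.
-- Schema 'appdb' and table names are assumptions.

-- Encrypt one existing table. This rebuilds the tablespace, so run it inside a
-- maintenance window for large tables.
ALTER TABLE appdb.orders ENCRYPTION = 'Y';

-- Reverse it (decrypt) the same way:
-- ALTER TABLE appdb.orders ENCRYPTION = 'N';

-- Tables created after TDE is enabled are encrypted automatically; stating it
-- in the DDL keeps the intent visible in schema migrations.
CREATE TABLE appdb.audit_log (
  id    BIGINT UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY,
  ts    DATETIME(6)     NOT NULL,
  event JSON            NOT NULL
) ENGINE = InnoDB ENCRYPTION = 'Y';

-- Audit: InnoDB tables in the schema whose options do not include
-- ENCRYPTION='Y' (the '_' wildcards match either quoting style).
SELECT table_schema, table_name, create_options
FROM information_schema.tables
WHERE table_schema = 'appdb'
  AND engine = 'InnoDB'
  AND create_options NOT LIKE '%ENCRYPTION=_Y_%';

-- Tablespace-level view (MySQL 8.0.13 and later): encryption = 'Y' or 'N'.
SELECT name, encryption
FROM information_schema.innodb_tablespaces
WHERE name LIKE 'appdb/%';
```

Run the audit query after enabling TDE on a cluster that already holds data; an empty result for the first query means every InnoDB table in the schema is encrypted.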
Can I use a custom key for TDE?
Yes. Two options:
Create a new key. Create a customer master key (CMK) in the KMS console and import your own key material. For more information, see Create a CMK.
Use an existing key. Keep these requirements and risks in mind:
Disabling the key, scheduling its deletion, or deleting its key material makes the key unavailable.
Revoking the PolarDB cluster's authorization makes the cluster unavailable after a restart.
The account must be an Alibaba Cloud account or have the AliyunSTSAssumeRoleAccess permission.
How are TDE keys managed?
By default, KMS generates and manages encryption keys automatically. If you use a custom key, it is also managed through KMS. For more information, see Configure TDE for a PolarDB cluster.
SQL firewall
How do I configure a SQL firewall?
PolarProxy, the proxy layer of PolarDB for MySQL, provides the SQL firewall feature. Define blacklist and whitelist rules to block or allow specific SQL statements before they reach the database nodes. For more information, see Configure a blacklist rule.