Before connecting to a PolarDB for PostgreSQL (Compatible with Oracle) cluster, configure an IP address whitelist to specify which IP addresses can access the cluster. By default, only 127.0.0.1 is allowed, which blocks all external connections.
Usage notes
The default whitelist default contains only 127.0.0.1 and blocks all external connections. Add your client or application IP addresses to grant access.
Setting a whitelist to % or 0.0.0.0/0 allows connections from any IP address on the internet, including those from other users. Avoid this setting unless absolutely necessary, as it exposes the cluster to unauthorized access.
PolarDB cannot automatically detect the internal IP addresses of Elastic Compute Service (ECS) instances in a Virtual Private Cloud (VPC). Add these addresses to a whitelist manually.
The following whitelists are created automatically by Alibaba Cloud services. Do not modify or delete them, or the associated services will lose access to the cluster:
Whitelist name | Created by
ali_dms_group | Data Management Service (DMS)
hdm_security_ips | Database Autonomy Service (DAS)
dtspolardb | Data Transmission Service (DTS)
Do not add your own service IP addresses to these whitelists. If the associated services are updated, these whitelists may be overwritten, causing service interruptions.
Use IP whitelist templates to manage whitelist configurations across clusters. For more information, see .
Prerequisites
Before you begin, ensure that you have:
A PolarDB for PostgreSQL (Compatible with Oracle) cluster
Access to the PolarDB console
Set IP address whitelists
Each cluster supports up to 50 IP whitelists with a combined total of 1,000 IP addresses or CIDR blocks.
Log on to the PolarDB console.
In the upper-left corner, select the region where the cluster is deployed.
Find the cluster and click its ID.
In the left-side navigation pane, choose Settings and Management > Whitelists.
On the Whitelists page, add or modify a whitelist:
Add a whitelist: Click Add IP Whitelist. In the Add IP Whitelist panel, enter a whitelist name and the IP addresses allowed to access the cluster. The whitelist name must meet the following requirements:
Contains only lowercase letters, digits, and underscores (_)
Starts with a letter and ends with a letter or digit
Is 2–120 characters long
Modify a whitelist: Click Modify next to the whitelist name. In the Modify Whitelist panel, update the IP addresses.
Click OK.
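A pre-change check for the rules above (name format, the 50-whitelist and 1,000-entry limits, the open-to-all settings, and the service-managed whitelists), as an added example that is not Alibaba Cloud code. The input shape, the function and variable names, and the sample addresses are assumptions made for this example; the entry syntax check is generic IP/CIDR parsing.

```python
import ipaddress
import re

# Rules below come from this page; the input shape ({name: [entries]}) and all
# function and variable names are assumptions made for this example.
NAME_RE = re.compile(r"[a-z][a-z0-9_]{0,118}[a-z0-9]")  # 2-120 characters
MAX_GROUPS, MAX_ENTRIES = 50, 1000
SERVICE_GROUPS = {"ali_dms_group", "hdm_security_ips", "dtspolardb"}


def audit(current, additions):
    """Check planned additions [(whitelist, entry), ...] against the rules.

    Returns a sorted list of (whitelist, entry, finding) tuples.
    """
    findings = []
    planned = {name: list(entries) for name, entries in current.items()}
    for name, entry in additions:
        if name in SERVICE_GROUPS:
            # Service-managed lists may be overwritten; never put own IPs there.
            findings.append((name, entry, "service-managed whitelist"))
            continue
        planned.setdefault(name, []).append(entry)
    if len(planned) > MAX_GROUPS:
        findings.append(("*", "", "more than 50 whitelists"))
    if sum(len(e) for e in planned.values()) > MAX_ENTRIES:
        findings.append(("*", "", "more than 1,000 addresses or CIDR blocks"))
    for name, entries in planned.items():
        if not NAME_RE.fullmatch(name):
            findings.append((name, "", "invalid whitelist name"))
        for entry in entries:
            try:
                wide_open = entry == "%" or \
                    ipaddress.ip_network(entry, strict=False).prefixlen == 0
            except ValueError:
                findings.append((name, entry, "not an IP address or CIDR block"))
                continue
            if wide_open:
                findings.append((name, entry, "open to any IP address"))
    return sorted(findings)


# Constructed sample data (documentation address ranges, not a real cluster).
CURRENT = {"default": ["127.0.0.1"], "ali_dms_group": ["198.51.100.7"]}
ADDITIONS = [("app_servers", "192.168.10.0/24"), ("Temp-Debug", "0.0.0.0/0"),
             ("Temp-Debug", "10.0.0.300"), ("dtspolardb", "203.0.113.9")]

if __name__ == "__main__":
    for finding in audit(CURRENT, ADDITIONS):
        print(finding)
```

An empty result means the planned additions pass every rule checked here; it does not confirm that the addresses are the right ones for your clients.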
What's next
After configuring whitelists, create a database account and then connect to the cluster:
FAQ
I added the ECS instance's IP address to the whitelist, but I still can't connect to the cluster.
Check the following:
Verify the correct IP address type. If connecting through an internal endpoint, add the internal IP address of the ECS instance. If connecting through a public endpoint, add the public IP address instead.
Verify that both instances are on the same network type. If the ECS instance runs in a classic network, migrate it to the VPC where the cluster is located. See Overview of migration solutions.
Note: If the ECS instance needs to stay connected to other resources in the classic network, do not migrate it. Instead, use the ClassicLink feature to connect the classic network to the VPC.
Verify that both instances are in the same VPC. If they are in different VPCs, either purchase a new PolarDB cluster in the same VPC, or use Cloud Enterprise Network (CEN) to connect the VPCs.
I can't connect to the cluster through a public endpoint.
Check the following:
If you connect to the cluster from an ECS instance through a public endpoint, make sure that you have added the public IP address of the ECS instance to an IP address whitelist of the cluster.
If you're still unable to connect, temporarily set a whitelist to 0.0.0.0/0 and retry. If the connection succeeds, the IP address you originally added was incorrect. Remove the 0.0.0.0/0 entry after the test, because it allows connections from any IP address on the internet. Check the public endpoint configuration. For more information, see View or apply for an endpoint.
What are the requirements for connecting through an internal endpoint?
To connect from an ECS instance through an internal endpoint, all three conditions must be met:
The ECS instance and the cluster are in the same region.
Both instances must run in the same type of network. If the network is a VPC, they must be in the same VPC.
The internal IP address of the ECS instance is added to a whitelist of the cluster.