By default, a newly created PolarDB for PostgreSQL cluster cannot be accessed from ECS instances. Adding a security group to the cluster grants access to all ECS instances in that group, without requiring you to add their IP addresses individually.
When to use a security group
Use a security group when you manage multiple ECS instances that need access to the same cluster. When you add a security group, the cluster's whitelist is updated to include the IP addresses of all ECS instances in that group.
If you only need to allow a small, fixed set of IP addresses, configure an IP whitelist instead. Both methods can be active simultaneously: a cluster accepts connections from addresses in its IP whitelist and from ECS instances in its configured security groups.
Prerequisites
Before you begin, ensure that you have:
A PolarDB for PostgreSQL cluster
An ECS security group with the same network type as the cluster (for example, a virtual private cloud (VPC)-type security group for a VPC-deployed cluster)
For instructions on creating an ECS security group, see Create a security group.
Limitations
The security group must match the network type of the cluster. A cluster deployed in a VPC accepts only VPC-type security groups.
Each PolarDB for PostgreSQL cluster supports up to 10 security groups.
Adding a security group copies the IP addresses of its ECS instances to the cluster's whitelist. The cluster does not enforce the security group's own inbound or outbound rules.
Add a security group to a cluster
Log on to the PolarDB console.
In the left-side navigation pane, click Clusters.
In the upper-left corner, select the region where the cluster is deployed.
Find the cluster and click its ID.
In the left-side navigation pane, choose Settings and Management > Cluster Whitelists.
On the Cluster Whitelists page:

To add a security group, click Select Security Group.
To change an existing security group, click Configure in the Actions column.
In the Select Security Group panel, select one or more security groups and click OK.

The IP addresses of all ECS instances in the selected security groups are added to the cluster's whitelist.
Troubleshooting
ECS instances still cannot connect after configuration
Check the following:
Confirm the security group's network type matches the cluster's network type. If the cluster is in a VPC, only VPC-type security groups are accepted.
Verify the ECS instance is in the security group you added to the cluster.
Make sure you are connecting to the correct cluster endpoint and using valid database credentials. Security group configuration controls network access — authentication is still required.
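The network-level checks above can be modeled offline, as in the following added example (not code from PolarDB or Alibaba Cloud), which reports which whitelist source admits a given address and flags security groups that violate the limitations. The dictionary layout, resource IDs, IP addresses, and the "Classic" network-type label are constructed assumptions, not API output.

```python
import ipaddress

MAX_GROUPS = 10  # per-cluster limit from the Limitations section

def config_problems(cluster, groups):
    """Return limitation violations for the groups attached to a cluster."""
    problems = []
    attached = cluster["security_groups"]
    if len(attached) > MAX_GROUPS:
        problems.append(f"{len(attached)} groups attached, limit is {MAX_GROUPS}")
    for gid in attached:
        if groups[gid]["network_type"] != cluster["network_type"]:
            problems.append(f"{gid}: network type {groups[gid]['network_type']} "
                            f"does not match cluster ({cluster['network_type']})")
    return problems

def admitted_by(cluster, groups, ip):
    """Return which whitelist sources admit `ip`; an empty list means blocked."""
    addr = ipaddress.ip_address(ip)
    sources = [f"ip-whitelist:{cidr}" for cidr in cluster["ip_whitelist"]
               if addr in ipaddress.ip_network(cidr, strict=False)]
    for gid in cluster["security_groups"]:
        g = groups[gid]
        # Only groups of the cluster's network type are accepted.
        if g["network_type"] != cluster["network_type"]:
            continue
        # Membership is all that counts: the group's own rules are not enforced.
        if ip in g["members"].values():
            sources.append(f"security-group:{gid}")
    return sources

# Constructed sample data (hypothetical IDs and addresses, not real resources).
GROUPS = {
    "sg-app":    {"network_type": "VPC",
                  "members": {"i-app1": "10.0.1.10", "i-app2": "10.0.1.11"}},
    "sg-legacy": {"network_type": "Classic",
                  "members": {"i-old1": "10.8.0.5"}},
}
CLUSTER = {"network_type": "VPC", "ip_whitelist": ["10.0.9.0/24"],
           "security_groups": ["sg-app", "sg-legacy"]}

if __name__ == "__main__":
    print(config_problems(CLUSTER, GROUPS))
    for ip in ("10.0.1.10", "10.0.9.7", "10.8.0.5", "10.0.2.20"):
        print(ip, admitted_by(CLUSTER, GROUPS, ip) or "blocked")
```

An address with an empty result is blocked at the network layer; a non-empty result only means the connection reaches the cluster, where database authentication still applies.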
API reference
| Operation | Description |
|---|---|
| DescribeDBClusterAccessWhitelist | Queries the IP addresses allowed to access a specified PolarDB cluster. |
| ModifyDBClusterAccessWhitelist | Modifies the IP addresses allowed to access a specified PolarDB cluster. |