
ApsaraDB RDS: Configure an IP address whitelist

Last Updated: Mar 28, 2026

By default, no external devices can connect to an ApsaraDB RDS for MariaDB instance. Configure an IP address whitelist to specify which IP addresses or CIDR blocks are allowed to connect.

Prerequisites

Before you begin, ensure that you have:

  • A running ApsaraDB RDS for MariaDB instance

  • The IP addresses or CIDR blocks of the clients that need database access

How it works

Every RDS for MariaDB instance has a default whitelist labeled default, pre-populated with 127.0.0.1. This entry blocks all external connections. Add your client IP addresses to a whitelist to open access.

RDS for MariaDB instances run in virtual private clouds (VPCs) only. The standard whitelist mode accepts IP addresses from both VPCs and classic networks.

We recommend that you update the configured IP address whitelists on a regular basis.

Limits

| Limit | Details |
| --- | --- |
| Maximum whitelists per instance | 50 |
| Maximum IP addresses and CIDR blocks per instance | 1,000 |
| CIDR block prefix range | 1–32 (for example, 10.10.10.0/24) |

If you need to add many addresses, consolidate them into CIDR blocks. For details, see CIDR block FAQ.

System-managed whitelists

When you use an Alibaba Cloud service to connect to your instance, that service automatically creates its own whitelist:

Do not modify or delete these system-managed whitelists.

Important

Do not add your own service IP addresses to system-managed whitelists. Those entries can be overwritten when the service updates, which may interrupt your connection. For instances created after December 2020, hdm_security_ips is hidden from the console to prevent accidental changes.

Default whitelist behavior

The default whitelist can be modified or cleared, but not deleted.

Add IP addresses to a whitelist

  1. Go to the Instances page. In the top navigation bar, select the region where your instance resides, then click the instance ID.

  2. In the left-side navigation pane, click Whitelist and SecGroup.

  3. On the Whitelist Settings tab, click Modify next to the default whitelist.

    To create a separate whitelist instead of modifying the default one, click Create Whitelist.

  4. In the Edit Whitelist dialog box, enter the IP addresses or CIDR blocks to allow, then click OK.

    • Separate multiple entries with commas and no spaces. Example: 192.168.0.1,172.16.213.9

    • After you save, the placeholder 127.0.0.1 is automatically removed from the default whitelist.

    • To add ECS instance IP addresses, click Add Internal IP Addresses of ECS Instances to browse and select them from your account.

Changes take approximately 1 minute to take effect.

Troubleshooting

The Whitelist Settings tab shows only 127.0.0.1

The instance is not accepting any connections. Add the IP addresses of your client machines to the default whitelist or create a new whitelist.

A whitelist contains only 0.0.0.0

The entry 0.0.0.0 (without /0) does not grant access to all devices. To open the instance to all IP addresses, add 0.0.0.0/0.

Important

If you want to allow all devices to access the RDS instance, you must add the 0.0.0.0/0 entry to an IP address whitelist of the RDS instance. Proceed with caution.
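
As an added example (not part of the original page and not Alibaba Cloud tooling), the following Python function checks a comma-separated whitelist string against the rules stated on this page before you paste it into the console, and consolidates the entries into CIDR blocks. The function name, the sample string and the IPv4-only handling are assumptions of the example.

```python
import ipaddress

MAX_ENTRIES = 1000  # per-instance limit from the Limits table on this page

# Constructed sample input, not taken from a real instance.
SAMPLE = ("192.168.0.1,172.16.213.9,172.16.213.8,10.10.10.0/25,"
          "10.10.10.128/25,10.10.10.7,0.0.0.0,10.1.1.1/33")

def audit_whitelist(raw):
    """Return (consolidated_entries, findings) for a comma-separated whitelist.

    Assumption of this example: IPv4 only, as in every entry the page shows.
    """
    findings, networks = [], []
    if " " in raw:
        findings.append("spaces found: separate entries with commas and no spaces")
    for entry in (e.strip() for e in raw.split(",") if e.strip()):
        if entry == "0.0.0.0":
            findings.append("0.0.0.0 without /0 does not grant access to all devices")
            continue
        if entry == "127.0.0.1":
            findings.append("127.0.0.1 is the default placeholder, not a client address")
            continue
        addr, _, prefix = entry.partition("/")
        try:
            if prefix and not prefix.isdigit():
                raise ValueError("prefix must be a number")
            net = ipaddress.IPv4Network(entry, strict=False)
        except ValueError:
            findings.append(f"invalid entry: {entry}")
            continue
        if net.prefixlen == 0:
            findings.append(f"{entry} opens the instance to all IP addresses")
        elif str(net.network_address) != addr:
            findings.append(f"{entry} has host bits set; normalized to {net}")
        networks.append(net)
    # Merge adjacent blocks and drop entries already covered by a wider block.
    merged = list(ipaddress.collapse_addresses(networks))
    if len(merged) > MAX_ENTRIES:
        findings.append(f"{len(merged)} entries exceed the limit of {MAX_ENTRIES}")
    entries = [str(n.network_address) if n.prefixlen == 32 else str(n) for n in merged]
    return entries, findings

if __name__ == "__main__":
    entries, findings = audit_whitelist(SAMPLE)
    print(",".join(entries))  # comma-separated, no spaces, as the console expects
    for finding in findings:
        print("WARN:", finding)
```

The 1,000-entry limit applies to the whole instance, so run the check on the combined entries of all whitelists when you are close to it.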

Connection still fails after adding the correct IP address

The IP address you added may not match your actual egress IP. Two common causes:

  • Your ISP assigns a dynamic public IP that changes over time.

  • The tool or website you used to look up your IP returned an inaccurate result.

For more information, see Why am I unable to connect to my RDS instance from a local server over the Internet?

FAQ

Does the whitelist take effect immediately after I save it?

No. Changes take approximately 1 minute to propagate.

I see whitelists that I didn't create. Is that normal?

Yes. If those whitelists contain private IP addresses, they were created automatically by Alibaba Cloud services such as DMS and DAS. They don't affect your data and require no action.

Is my instance at risk if I disable Internet access and use only internal network access?

Yes. Internal network access alone does not fully isolate your instance. For stronger security, keep your instance in a VPC. Only Elastic Compute Service (ECS) instances in the same VPC can connect, and only if their IP addresses are included in a whitelist.