This topic describes how to configure an IP address whitelist for an ApsaraDB RDS for MariaDB instance. Only devices with IP addresses included in an IP address whitelist can access your RDS instance.
Background information
IP address whitelists help secure your RDS instance. The following points describe how IP address whitelists of an RDS instance work:
An IP address whitelist contains the IP addresses allowed to access your RDS instance. The IP address whitelist labeled default contains only the 127.0.0.1 entry, indicating that no external IP addresses can access your RDS instance.
The IP address whitelist supports the standard whitelist mode. A standard IP address whitelist can contain IP addresses from both classic network and virtual private clouds (VPCs). RDS instances running MariaDB can only be deployed in VPCs.
IP address whitelists provide strong, low-overhead protection for your RDS instance. We recommend that you review and update your configured IP address whitelists regularly.
Limits
You can modify the IP address whitelist labeled default or delete entries from it. However, you cannot delete the whitelist itself.
You can configure a maximum of 50 IP address whitelists for an RDS instance.
You can add a maximum of 1,000 IP addresses and CIDR blocks to an IP address whitelist of an RDS instance. We recommend merging discrete IP addresses into CIDR blocks, such as 10.10.10.0/24 (CIDR mode).
ali_dms_group (IP address whitelist for DMS) and hdm_security_ips (IP address whitelist for DAS) are automatically generated by the system. Do not modify or delete these IP address whitelists. Otherwise, the related services may be affected.
Important: Do not add your service IP addresses to these IP address whitelists. Otherwise, your service IP addresses may be overwritten when the related services are updated, potentially causing service interruptions.
To prevent accidental modifications or deletions of IP address whitelists, the hdm_security_ips IP address whitelist is invisible to users for instances created after December 2020.
Configure an IP whitelist
Go to the Instances page. In the top navigation bar, select the region in which the RDS instance resides. Then, find the RDS instance and click the ID of the instance.
In the navigation pane on the left, click Whitelist and SecGroup.
On the Whitelist Settings tab, click Modify for the default IP address whitelist.
Note: You can also click Create Whitelist to create a custom IP address whitelist.
In the Edit Whitelist dialog box, enter the IP addresses or CIDR blocks that require access to the instance, and then click OK.
Note: After you add new IP addresses or CIDR blocks to the default IP address whitelist, the system automatically deletes the default entry 127.0.0.1.
If you want to add multiple IP addresses or CIDR blocks, separate them with commas (,) without spaces, such as 192.168.0.1,172.16.213.9.
After you click Add Internal IP Address of ECS Instance, the IP addresses of all ECS instances that belong to your Alibaba Cloud account are displayed. You can quickly add these IP addresses to the IP address whitelist.
When your application is deployed in a container of an ACK cluster, you need to add different IP addresses based on the container network plugin.
If the container network plugin of the ACK cluster is Flannel, add the IP address of the node where your application is deployed.
If the container network plugin of the ACK cluster is Terway, add the IP address of the pod where your application is deployed.
You can view the pod IP address and node IP address on the pod page of the target ACK cluster.
Common errors
The Whitelist and SecGroup > Whitelist Settings tab contains only the default entry 127.0.0.1.
The IP address 127.0.0.1 indicates that no devices are allowed to access the RDS instance. You must add the IP addresses of devices that require access to your RDS instance to an IP address whitelist.
An IP address whitelist contains only one entry, 0.0.0.0.
The correct format is 0.0.0.0/0.
Important: If you want to allow all devices to access the RDS instance, you must add the 0.0.0.0/0 entry to an IP address whitelist of the RDS instance. Proceed with caution when you add this entry.
The public IP addresses that you add to an IP address whitelist are not the actual egress IP addresses of the devices from which you want to connect.
Possible causes:
The public IP address dynamically changes.
The tool or website used to query public IP addresses returns inaccurate results.
For more information, see Cannot connect to an ApsaraDB RDS for MySQL or MariaDB instance from an external network: How to correctly configure the public IP address of an on-premises device.
FAQ
Q: Does an IP address whitelist take effect immediately after I configure it?
A: No. After you configure an IP address whitelist, it takes approximately 1 minute to take effect.
Q: Why do I find IP address whitelists that I did not create?
A: If the entries in the IP address whitelists are private IP addresses, the IP address whitelists are automatically created by other Alibaba Cloud services, such as DMS and DAS. In this case, the IP address whitelists do not affect your service data, and no further actions are required.
Q: If I disable Internet access and enable only internal network access, is my RDS instance exposed to security risks?
A: Yes, if you disable Internet access and enable only internal network access, your RDS instance is still exposed to security risks. We recommend changing the network type of your RDS instance to VPC. In this case, only an ECS instance in the same VPC can access your RDS instance.
Q: Why do I receive the error message InvalidSecurityIPListLength.Malformed when I add an IP address whitelist in the RDS console?
Issue description
When you add an IP address whitelist in the RDS console, you may receive the following error message:
Error code: InvalidSecurityIPListLength.Malformed
Error message (Chinese): The security IP address is not in the available range or is occupied.
Error message (English): The security IP address is not in the available range or is occupied.
Solutions
Cause 1: A maximum of 1,000 IP addresses or CIDR blocks can be added to an IP address whitelist. The number of IP addresses or CIDR blocks that you want to add exceeds this limit.
Solution: Make sure that the number of IP addresses or CIDR blocks in an IP address whitelist does not exceed 1,000. We recommend that you merge discrete IP addresses into CIDR blocks, such as 192.168.1.0/24, to reduce the number of entries.
Cause 2: The IP address whitelist contains invalid IP addresses.
Solution: Make sure that the IP addresses that you enter are valid. We recommend that you use the standard CIDR format, such as 10.23.12.0/24. The subnet mask must be in the range of 1 to 32. If you want to add multiple IP addresses, separate them with commas (,).
Cause 3: The IP address whitelist conflicts with an existing IP address whitelist. For example, in an ApsaraDB RDS for MySQL instance, 192.168.1.8 conflicts with 192.168.1.1/8.
Solution: Plan and add IP address whitelists as needed to avoid overlaps or conflicts with existing rules.
Note: Do not delete the default IP address whitelist (default, which contains 127.0.0.1). Do not modify system IP address whitelists, such as ali_dms_group or hdm_security_ips. Otherwise, system features or connection security may be affected.
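The entry format, the 1,000-entry limit, the bare 0.0.0.0 error and the three causes of InvalidSecurityIPListLength.Malformed described above can be checked before a whitelist string is pasted into the console. The following Python script is an added example, not part of Alibaba Cloud's documentation or tooling; it uses only the standard ipaddress module, the sample whitelist strings are constructed, and the overlap rule is a simplification (one entry contained in another counts as a conflict).

```python
import ipaddress
from itertools import combinations

MAX_ENTRIES = 1000  # limit stated on this page: 1,000 entries per whitelist

def parse_whitelist(text):
    """Split a console-style whitelist string (comma-separated, no spaces) into entries."""
    return [e.strip() for e in text.split(",") if e.strip()]

def check_whitelist(text):
    """Return the problems found in a whitelist string; an empty list means it is acceptable."""
    entries = parse_whitelist(text)
    problems = []
    # Cause 1: more than 1,000 entries in one whitelist.
    if len(entries) > MAX_ENTRIES:
        problems.append(f"{len(entries)} entries exceed the limit of {MAX_ENTRIES}")
    networks = {}
    for entry in entries:
        # Common error: a bare 0.0.0.0 is not the allow-all entry.
        if entry == "0.0.0.0":
            problems.append("0.0.0.0 allows nothing; the allow-all form is 0.0.0.0/0")
            continue
        # Cause 2: malformed entries. strict=False accepts host bits under the mask,
        # e.g. 192.168.1.1/8, and normalizes it to 192.0.0.0/8 for the overlap check.
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:  # bad octet, prefix above 32, and so on
            problems.append(f"invalid entry: {entry!r}")
            continue
        if net.prefixlen == 0 and entry != "0.0.0.0/0":
            problems.append(f"prefix length must be 1 to 32: {entry!r}")
            continue
        networks[entry] = net
    # Cause 3: an entry contained in another entry is reported as a conflict.
    for (a, na), (b, nb) in combinations(networks.items(), 2):
        if na.version == nb.version and (na.subnet_of(nb) or nb.subnet_of(na)):
            problems.append(f"{a} conflicts with {b}")
    return problems

def merge_entries(entries):
    """Merge discrete IP addresses and CIDR blocks into the fewest covering CIDR blocks."""
    nets = [ipaddress.ip_network(e, strict=False) for e in entries]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]

if __name__ == "__main__":
    # Constructed sample inputs for demonstration.
    print(check_whitelist("192.168.1.8,192.168.1.1/8"))  # reports a conflict
    print(merge_entries(f"192.168.1.{i}" for i in range(256)))  # ['192.168.1.0/24']
```

merge_entries is the "merge discrete IP addresses into CIDR blocks" advice from the page applied mechanically; review its output, because a covering block can admit addresses that were not in the original list.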