An IP address whitelist controls which clients can connect to an ApsaraDB RDS for MariaDB instance. Only IP addresses and CIDR blocks listed in a whitelist are allowed to establish connections.
Prerequisites
Before you begin, make sure you have:
An ApsaraDB RDS for MariaDB instance
Access to the RDS console
How whitelists work
Each RDS instance has a default whitelist labeled default. Initially, it contains only 127.0.0.1, which means no external client can connect. To allow access, add the IP addresses or CIDR blocks of your clients to a whitelist.
Whitelists use standard mode, which accepts both classic network and Virtual Private Cloud (VPC) addresses. MariaDB instances run exclusively in VPCs.
Two whitelists are auto-generated by Alibaba Cloud services and must not be modified or deleted:
| Whitelist | Managed by |
|---|---|
| ali_dms_group | Data Management (DMS) |
| hdm_security_ips | Database Autonomy Service (DAS) |
Do not add your application IP addresses to ali_dms_group or hdm_security_ips. Service updates may overwrite these lists and cause connection failures.
The hdm_security_ips whitelist is hidden for instances created after December 2020.
Limits
Each RDS instance supports up to 50 IP address whitelists.
Each whitelist supports up to 1,000 entries (IP addresses or CIDR blocks). Merge discrete IPs into CIDR blocks (for example, 10.10.10.0/24) to stay within this limit. See CIDR mode for details. Keep in mind that a CIDR block admits every address in its range, not only the hosts you originally listed, so choose the smallest block that covers your clients.
You can modify or delete entries in the default whitelist, but you cannot delete the default whitelist itself.
Add IP addresses to a whitelist
Go to the Instances page. In the top navigation bar, select the region where your RDS instance resides, then click the instance ID.
In the left navigation pane, click Whitelist and SecGroup.
On the Whitelist Settings tab, click Modify next to the default whitelist. To use a separate whitelist, click Create Whitelist instead and configure it there.
In the Edit Whitelist dialog box, enter the IP addresses or CIDR blocks to allow, then click OK. The accepted formats are listed in the table below. Which address to add depends on where your application runs:
- ECS instance: Click Add Internal IP Address of ECS Instance to load the private IP addresses of ECS instances in your account and select from the list.
- Public IP address: Before adding it, verify that the IP matches the actual egress IP your client uses to reach the internet. IP lookup tools and websites may return a different address than the one your client actually uses. To confirm your real egress IP, search for "what is my IP" from the same network your application uses. If the IP changes dynamically, use a CIDR block that covers the assigned range, or switch to a static IP.
- ACK cluster: The IP to add depends on the container network plugin. Find both addresses on the pod management page of your ACK cluster.
  - Flannel: Add the IP address of the node where your pod runs.
  - Terway: Add the IP address of the pod itself.
After you save, the system removes the original 127.0.0.1 entry from the default whitelist automatically.
Important: Adding 0.0.0.0/0 allows any client to connect, leaving the database account password as the only remaining control. Use this only in controlled environments.
| Scenario | Format | Example |
|---|---|---|
| Single IP address | Standard IPv4 | 192.168.0.1 |
| Multiple IP addresses | Comma-separated, no spaces | 192.168.0.1,172.16.213.9 |
| IP range | CIDR notation (subnet mask 1–32) | 10.10.10.0/24 |
| Allow all connections | CIDR for all IPs | 0.0.0.0/0 |
A whitelist change takes about 1 minute to take effect.
Troubleshooting
Still can't connect after adding my IP
Check the following in order:
Wait for propagation. Whitelist changes take up to 1 minute to apply. Retry after waiting.
Verify the IP address. The IP visible to a lookup tool may not be the actual egress IP your client uses. This is common with dynamic IP assignments or NAT. To confirm your real egress IP, search for "what is my IP" from the same network your application uses.
Confirm the format is correct. A single entry 0.0.0.0 (without a mask) has no effect. The correct entry to allow all connections is 0.0.0.0/0.
Error: InvalidSecurityIPListLength.Malformed
This error has three causes:
Exceeds the 1,000-entry limit. Merge discrete IP addresses into CIDR blocks to reduce the count. For example, replace individual /32 entries with a /24 block like 192.168.1.0/24.
Invalid IP address format. Check that all entries use valid IPv4 CIDR notation with a subnet mask in the range 1–32. Separate multiple entries with commas and no spaces.
Conflicting entries. An individual IP that falls within an existing CIDR block in the same whitelist causes a conflict. For example, 192.168.1.8 conflicts with 192.168.1.1/8, because a /8 covers every address from 192.0.0.0 to 192.255.255.255. Plan your ranges to avoid overlaps.
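The format rules and the three causes of InvalidSecurityIPListLength.Malformed above are mechanical enough to check before you paste a list into the console. The following Python script is an added example written for this page, not Alibaba Cloud code, and it uses only the standard library ipaddress module. It parses a whitelist string, applies the page's rules (comma-separated with no spaces, IPv4 CIDR with a mask of 1–32, at most 1,000 entries), reports nested entries, shows why a bare 0.0.0.0 admits nobody, and offers two ways to shrink a long list: an exact collapse that never widens access, and the covering-block merge suggested above, which can. The sample list at the bottom is constructed for illustration.

```python
import ipaddress

MAX_ENTRIES = 1000          # per-whitelist limit stated on this page
MASK_MIN, MASK_MAX = 1, 32  # accepted mask range; /0 only as 0.0.0.0/0
ALLOW_ALL = ipaddress.IPv4Network("0.0.0.0/0")


def parse_whitelist(text):
    """Parse a comma-separated whitelist string into IPv4Network objects.

    Enforces the page's format rules: comma-separated with no spaces,
    valid IPv4, subnet mask 1-32 (0 only for 0.0.0.0/0), at most 1,000
    entries. A bare address is treated as a /32. A CIDR with host bits
    set (e.g. 192.168.1.1/8) is normalised to its network address.
    """
    if " " in text:
        raise ValueError("entries must be comma-separated with no spaces")
    entries = text.split(",")
    if len(entries) > MAX_ENTRIES:
        raise ValueError(f"{len(entries)} entries exceed the limit of {MAX_ENTRIES}")
    nets = []
    for entry in entries:
        if not entry:
            raise ValueError("empty entry (stray comma?)")
        if "/" in entry:
            _, _, mask = entry.partition("/")
            if not mask.isdigit():
                raise ValueError(f"{entry}: subnet mask must be numeric")
            if entry != "0.0.0.0/0" and not MASK_MIN <= int(mask) <= MASK_MAX:
                raise ValueError(f"{entry}: subnet mask must be in the range {MASK_MIN}-{MASK_MAX}")
        try:
            nets.append(ipaddress.IPv4Network(entry, strict=False))
        except ValueError as exc:
            raise ValueError(f"{entry}: not a valid IPv4 address or CIDR block") from exc
    return nets


def validation_error(text):
    """Return the rejection reason for a whitelist string, or None if it is valid."""
    try:
        parse_whitelist(text)
    except ValueError as exc:
        return str(exc)
    return None


def allows_all(nets):
    """True only if 0.0.0.0/0 is present. A bare 0.0.0.0 parses as the
    single host 0.0.0.0/32 and therefore admits nobody."""
    return any(n == ALLOW_ALL for n in nets)


def find_conflicts(nets):
    """Return (inner, outer) string pairs where one entry lies inside another.

    The page describes the host-inside-CIDR case; subnet_of() generalises it
    to any nested block, since a /28 nested inside a /24 is the same mistake.
    """
    return [(str(a), str(b)) for a in nets for b in nets
            if a != b and a.subnet_of(b)]


def collapse(nets):
    """Merge entries into the fewest CIDR blocks covering exactly the same
    addresses. Safe to apply blindly: it never widens what is allowed."""
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def covering_block(nets):
    """Smallest single CIDR block that contains every entry.

    This is the /32 -> /24 style merge the page suggests. It may admit
    addresses that were never listed, so review the result before saving it.
    """
    lo = min(int(n.network_address) for n in nets)
    hi = max(int(n.broadcast_address) for n in nets)
    prefix = 32
    while prefix > 0 and (lo >> (32 - prefix)) != (hi >> (32 - prefix)):
        prefix -= 1
    base = (lo >> (32 - prefix)) << (32 - prefix)
    return ipaddress.IPv4Network((base, prefix))


def check_whitelist(text):
    """One-shot review of a proposed whitelist string."""
    nets = parse_whitelist(text)
    return {
        "entries": len(nets),
        "allows_all": allows_all(nets),
        "conflicts": find_conflicts(nets),
        "collapsed": collapse(nets),
        "covering_block": str(covering_block(nets)),
    }


if __name__ == "__main__":
    # Constructed sample list, not taken from any real deployment.
    sample = "192.168.1.8,192.168.1.1/8,10.10.10.0/24,10.10.11.0/24"
    print(check_whitelist(sample))
```

For the constructed sample, check_whitelist reports the 192.168.1.8 inside 192.0.0.0/8 conflict, collapses the two /24 blocks into 10.10.10.0/23, and shows that the single covering block for such a spread-out list would be 0.0.0.0/0, which is exactly the over-authorization the covering merge can introduce.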
Do not delete the default whitelist or modify ali_dms_group and hdm_security_ips. Doing so may break RDS console features or DMS/DAS connectivity.
Whitelists I didn't create
If an unfamiliar whitelist contains only private IP addresses, it was created automatically by an Alibaba Cloud service such as DMS or Database Autonomy Service (DAS). These lists do not affect your data and require no action.
Connection fails even with internal network access only
Restricting access to the internal network reduces exposure but does not eliminate risk. For stronger isolation, make sure your instance uses the VPC network type. With VPC, only ECS instances in the same VPC can reach the instance, and the whitelist then limits which of those can connect.