
ApsaraDB RDS: Authorize an account to access its authorized databases from specified IP addresses

Last Updated: Mar 28, 2026

IP address whitelists on an RDS instance apply to all accounts on that instance. There is no built-in mechanism to restrict individual accounts to specific source IPs, which increases the attack surface. To address this, bind a MySQL account to a specific IP address by running SQL statements directly on the RDS instance. The bound account can then only connect from that address.

Prerequisites

Before you begin, ensure that you have:

Usage notes

Console and API management

After binding an account to an IP address, managing the account through the ApsaraDB RDS console or API operations may cause issues. Use Data Management (DMS) or SQL statements to manage the account instead.

Account name conflicts

MySQL identifies each account by both username and host address. If two accounts share the same username with overlapping host patterns (for example, user@192.168.% and user@192.168.%.%), the order in which MySQL matches them is not guaranteed, which may cause access exceptions. If the two accounts have different passwords or permissions, the logon may fail, or you may end up with unexpected permissions after you log on to the database. Use distinct usernames to avoid this ambiguity.

Bind an account to an IP address

  1. Connect to the RDS instance. For more information, see Use a client or the CLI to connect to an ApsaraDB RDS for MySQL instance.

  2. Run the following SQL statements to create an account and bind it to a specific IP address.

    The example below creates user test001, grants it access to the rds001 database, and restricts connections to the IP address 42.120.XX.XX.

    -- Create the user and bind it to the specified IP address
    CREATE USER `test001`@`42.120.XX.XX` IDENTIFIED BY 'passwd';
    
    -- Grant global privileges required for replication monitoring
    GRANT PROCESS, REPLICATION SLAVE, REPLICATION CLIENT ON *.* TO 'test001'@'42.120.XX.XX';
    
    -- Grant full access to the target database
    GRANT ALL PRIVILEGES ON `rds001`.* TO 'test001'@'42.120.XX.XX';
    
    -- Grant read access to MySQL system tables
    GRANT SELECT ON mysql.* TO 'test001'@'42.120.XX.XX';

    The host value in the account name (42.120.XX.XX) supports the following formats:

    Format           | Example    | Description
    Exact IP address | 42.120.1.1 | Restricts connections to a single IP address
    Wildcard pattern | 192.168.%  | Allows connections from any IP address in the 192.168.x.x range
    No restriction   | %          | Allows connections from any IP address

    The ApsaraDB RDS console only displays an account's authorized databases when the host is set to the wildcard %. If you bind the account to a specific IP address, its authorized databases will not be visible in the console.
  3. (Optional) To change the bound IP address, run RENAME USER:

    RENAME USER `test001`@`42.120.XX.XX` TO `test001`@`42.121.XX.XX`;
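As an added example (not part of this Alibaba Cloud page), the following Python script reproduces MySQL's host matching for the host formats listed above (literal IP, % and _ wildcards, not hostnames or netmask forms) so that the overlapping-pattern ambiguity described in the usage notes can be checked offline against a constructed dump of mysql.user rows. The (User, Host) pairs and IP addresses in it are placeholders, not values from a real instance.

```python
"""Audit helper for MySQL account host bindings (added example, not Alibaba Cloud code).

MySQL identifies an account as 'user'@'host'. The host part may be a literal
IP address or a LIKE-style pattern in which '%' matches any sequence of
characters and '_' matches exactly one. This script mimics that matching so
that overlapping patterns for the same username (the ambiguity described in
the usage notes) can be found offline from a dump of mysql.user.
"""
import re


def host_matches(pattern: str, client_ip: str) -> bool:
    """Return True if MySQL would match client_ip against the account's host pattern."""
    # Translate MySQL wildcards into an anchored regular expression.
    regex = "".join(".*" if ch == "%" else "." if ch == "_" else re.escape(ch) for ch in pattern)
    return re.fullmatch(regex, client_ip) is not None


def matching_accounts(user_rows, username: str, client_ip: str):
    """All (user, host) rows that would accept a connection as username from client_ip."""
    return [(u, h) for (u, h) in user_rows if u == username and host_matches(h, client_ip)]


def ambiguous_accounts(user_rows, client_ip: str):
    """Usernames with more than one matching host pattern for client_ip.

    Such a logon can authenticate against either row, so the effective password
    and privileges depend on an ordering that MySQL does not guarantee.
    """
    users = {u for (u, _) in user_rows}
    return {u: matching_accounts(user_rows, u, client_ip)
            for u in users if len(matching_accounts(user_rows, u, client_ip)) > 1}


# Constructed sample of mysql.user (User, Host) rows; all values are placeholders.
SAMPLE_USER_ROWS = [
    ("test001", "42.120.1.1"),   # bound to a single address, as created on this page
    ("user", "192.168.%"),       # the two overlapping patterns from the usage notes
    ("user", "192.168.%.%"),
    ("report", "%"),             # unrestricted: any source address
]

if __name__ == "__main__":
    print(matching_accounts(SAMPLE_USER_ROWS, "test001", "42.120.1.1"))  # bound host matches
    print(matching_accounts(SAMPLE_USER_ROWS, "test001", "10.0.0.5"))    # other source: no row
    print(ambiguous_accounts(SAMPLE_USER_ROWS, "192.168.7.9"))           # 'user' matches twice
```

To audit a real instance, replace SAMPLE_USER_ROWS with the output of SELECT User, Host FROM mysql.user.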