Switch an ApsaraDB RDS for MySQL instance from the standard whitelist mode to the enhanced whitelist mode to enforce network-type isolation. In enhanced whitelist mode, each IP address whitelist applies to only one network type — classic network or virtual private cloud (VPC) — so an IP address granted access over a VPC cannot be used to connect over the Internet.
This switch is permanent. After you switch to the enhanced whitelist mode, you cannot revert to the standard whitelist mode.
Prerequisites
Before you begin, make sure that:
- Your RDS instance uses Premium Local SSDs.
- Your RDS instance runs MySQL 5.1, MySQL 5.5, MySQL 5.6, or MySQL 5.7.
How the two modes differ
| Mode | Whitelist behavior |
|---|---|
| Standard whitelist mode | A whitelist can contain IP addresses from both the classic network and VPCs. No network-type isolation is enforced. |
| Enhanced whitelist mode | A whitelist can contain IP addresses from only the classic network or only a VPC, not both. You specify the network type when you create the whitelist. |
What changes after you switch
The switch takes approximately 3 minutes. Your application stays connected throughout.
Existing IP addresses are automatically migrated to new whitelists based on your instance's network configuration:
| Instance network type | Result |
|---|---|
| VPC | A VPC-type whitelist is created. All IP addresses from your original whitelists are copied into it. |
| Classic network | A classic network-type whitelist is created. All IP addresses and CIDR blocks from your original whitelists are copied into it. |
| Hybrid access mode | Both a VPC-type and a classic network-type whitelist are created. All IP addresses and CIDR blocks from your original whitelists are copied into each. For details, see Configure the hybrid access solution. |
The Elastic Compute Service (ECS) security group of your instance is not affected by the switch. For information about whitelist and security group configuration, see Configure an IP address whitelist for an ApsaraDB RDS for PostgreSQL instance.
Switch to the enhanced whitelist mode
1. Go to the Instances page. In the top navigation bar, select the region where your RDS instance resides. Find the instance and click its ID.
2. In the left-side navigation pane, click Whitelist and SecGroup.
3. On the Whitelist Settings tab, click Switch to Enhanced Whitelist (Recommended).
4. In the dialog that appears, click Confirm.
FAQ
How do I allow Internet access in enhanced whitelist mode?
In enhanced whitelist mode, the classic network-type whitelist handles both classic network connections and Internet connections. To allow a host to connect over the Internet, add its public IP address to a classic network-type whitelist.
Why switch to enhanced whitelist mode?
Enhanced whitelist mode lets you control access by network path. For example, adding an IP address to a VPC-type whitelist grants access only over that VPC — the same IP address cannot connect over the Internet. Standard whitelist mode applies no network-type isolation, so any whitelisted IP address can connect from any network path.
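The migration rules in the table above and the network-path isolation described in this FAQ, modelled as an added example; this is illustrative code, not the ApsaraDB RDS API or console logic. The whitelist names, the `"Hybrid"` label for hybrid access mode, the path labels (`vpc`, `classic`, `internet`) and the sample IP entries are all constructed for the example.

```python
import ipaddress

# Network types a whitelist can have in enhanced whitelist mode.
VPC, CLASSIC = "VPC", "Classic"
# Which whitelist type each client path is checked against (assumed labels):
# Internet connections are checked against classic network-type whitelists.
PATH_TO_TYPE = {"vpc": VPC, "classic": CLASSIC, "internet": CLASSIC}

# Constructed standard-mode whitelists: entries of any network type mixed together.
STANDARD = {"default": ["10.0.1.0/24", "203.0.113.7"], "app": ["192.168.5.12"]}


def allowed_standard(whitelists, client_ip, path):
    """Standard mode: any whitelisted entry matches regardless of network path."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(e, strict=False)
               for ips in whitelists.values() for e in ips)


def migrate_to_enhanced(instance_network, whitelists):
    """Model the one-way switch: every IP address and CIDR block from every
    standard-mode whitelist is copied into one new whitelist per network type
    the instance uses ("VPC", "Classic", or both for "Hybrid")."""
    targets = {"VPC": [VPC], "Classic": [CLASSIC], "Hybrid": [VPC, CLASSIC]}
    entries = sorted({e for ips in whitelists.values() for e in ips})
    return {f"migrated_{t.lower()}": {"network_type": t, "ips": list(entries)}
            for t in targets[instance_network]}


def allowed_enhanced(whitelists, client_ip, path):
    """Enhanced mode: the entry only counts if it sits in a whitelist whose
    network type matches the path the client arrives over."""
    needed = PATH_TO_TYPE[path]
    ip = ipaddress.ip_address(client_ip)
    for wl in whitelists.values():
        if wl["network_type"] != needed:
            continue
        if any(ip in ipaddress.ip_network(e, strict=False) for e in wl["ips"]):
            return True
    return False


if __name__ == "__main__":
    vpc_only = migrate_to_enhanced("VPC", STANDARD)
    # Same address: reachable over the VPC, but not over the Internet.
    print(allowed_enhanced(vpc_only, "10.0.1.25", "vpc"))       # True
    print(allowed_enhanced(vpc_only, "10.0.1.25", "internet"))  # False
    print(allowed_standard(STANDARD, "10.0.1.25", "internet"))  # True
```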