After you create an ApsaraDB RDS for MySQL instance, you must add IP addresses to a whitelist. Only devices whose IP addresses are on the whitelist can access the RDS instance.
Prerequisites
You must have an ApsaraDB RDS for MySQL instance.
Procedure
ApsaraDB RDS has a default system whitelist that is not displayed in the console. This whitelist allows system accounts to perform maintenance operations on your database. For more information, see System account description.
1. Go to the RDS Instances page, select a region in the top navigation bar, and then click the ID of the target instance.
2. In the left-side navigation pane, click Whitelist and SecGroup.
3. Confirm the IP address whitelist mode.
   Note: Instances that run MySQL 5.5, 5.6, or 5.7 and use local SSDs can be switched to enhanced security mode. Other instances use standard mode.
4. Click Modify to the right of the default group. In the dialog box that appears, add IP addresses to the whitelist.
   Note:
   - If necessary, you can also click Create Whitelist to create a custom whitelist group.
   - Whitelist groups are used only to manage IP addresses and do not affect access permissions. All IP addresses in all whitelist groups have the same permissions to access the RDS instance.
   - Method 1: Add the IP address of the application server to the IP Addresses box. To find the IP address of your application server, see Appendix: Finding application server IP addresses. You can also click Load Local Public IP Address to directly add the public IP address of your computer (if your PC uses a network proxy, disable it first).
     Note:
     - Separate multiple IP addresses with commas (,). Do not add spaces before or after the commas.
     - You can add a maximum of 1,000 IP addresses or CIDR blocks to a single instance. If you have many individual IP addresses, we recommend that you consolidate them into CIDR blocks, such as 10.10.10.0/24.
     - If you use enhanced security mode, take note of the following:
       - Add public IP addresses to the Classic Network group.
       - Add the private IP addresses of ECS instances that are in a VPC to the VPC group.
   - Method 2: Click Add Internal IP Address of ECS Instance to display the IP addresses of all ECS instances that belong to your Alibaba Cloud account in the current region. This allows you to quickly add the private IP addresses of the ECS instances to the whitelist. In the IP addresses transfer box, move the target IP addresses to the Settings list on the right, and then click OK.
     Note: The IP address to add to the whitelist depends on the compute resource type. Select the method that matches your scenario:
     - Simple Application Server: Obtain the internal IP address of the Simple Application Server and add it to the RDS whitelist.
     - ACK Serverless cluster: Pods access the public network through a NAT gateway by default. Add the egress public IP address of the NAT gateway (shown in the SNAT entries of the NAT Gateway console) to the RDS whitelist, not the cluster's private network CIDR block.
     - EMR and other clusters with dynamic IP addresses: Because source IP addresses change dynamically, we recommend that you configure the whitelist by CIDR block (such as 10.0.0.0/16) to cover the possible IP range and prevent access failures caused by IP changes.
     - Cross-account ECS or VPC interconnection: Regardless of whether the accounts are the same, as long as internal network interconnection is established (for example, through Cloud Enterprise Network (CEN) or VPC peering), you must add the internal IP address of the application-side ECS instance to the RDS whitelist.
     After you add the IP addresses, the application server can access the RDS instance.
5. Click OK.
Best practices and security recommendations
- Public network access security: Enabling a public endpoint poses security risks. We recommend that you strictly restrict the whitelist to allow only the public IP addresses your business needs. Avoid using 0.0.0.0/0 to allow all IP addresses. If you detect connections from unknown IP addresses, check whether they belong to legitimate business hosts or result from unreleased long-running transactions. If they are not business hosts, immediately modify the whitelist policy.
- Brute-force attack prevention: We recommend that you use IP whitelists to restrict access to trusted IP addresses, which fundamentally reduces unauthorized connection attempts. You can also combine SSL encryption and password complexity policies to further enhance security.
- VPC CIDR block configuration: If you have added a large VPC CIDR block (such as 172.16.0.0/12) to the whitelist, all IP addresses within this range can access RDS. You do not need to separately add vSwitch subnets. To follow the principle of least privilege, you can remove the large CIDR block and specify the private IP addresses of specific ECS instances.
- Separate internal and external network configuration: To allow unrestricted internal network access while permitting only specific external IP addresses, add the VPC CIDR block to an internal network whitelist group and add the specified external IP addresses to a separate external network whitelist group.
Next steps
Related documents
- API operation: ModifySecurityIps
- API operation: DescribeDBInstanceIPArrayList
- For information about other database engines, see the following topics:
FAQ
Q: Why can an IP address that is not on the whitelist access my RDS instance?
A: Perform the following checks:
- Check all whitelist groups to see if they contain 0.0.0.0/0. The 0.0.0.0/0 entry allows access from all IP addresses, which poses a security risk. We recommend that you remove this entry and add only trusted IP addresses.
- Check all security groups associated with the instance. If a security group allows access from the IP address, the connection is permitted.

Q: How can my on-premises machine access an RDS instance if public access is not enabled for the instance?
A: You need to establish a private network connection. For more information, see Connecting a VPC to an on-premises data center or other clouds.

Q: The IP address of my application changes dynamically and is not fixed. How should I configure the IP address whitelist for my RDS instance?
A: If you do not have a static IP address, do not set 0.0.0.0/0. This configuration allows all IP addresses to access RDS and is not recommended for security reasons. We recommend that you use access control based on authentication instead of IP addresses. For example:
- Use a Dynamic DNS (DDNS) service: Use a DDNS service to assign a domain name to your dynamic IP address, and then add the domain name or its resolved IP address to the database whitelist.
- Use a reverse proxy or a Server Load Balancer (SLB) instance: Route requests through a reverse proxy or an SLB instance, and add only the static IP address of that server to the database whitelist.
- Update the whitelist regularly: If the IP address changes within a predictable range, such as IP addresses assigned by an Internet Service Provider (ISP) for home broadband services, you can periodically obtain the current IP address and update the whitelist.
Q: An error is reported when I add IP addresses to a whitelist in the RDS console: InvalidSecurityIPListLength.Malformed. What should I do?
Problem description
When you add IP addresses to a whitelist in the ApsaraDB RDS console, you may receive the following error message:
- Error code: InvalidSecurityIPListLength.Malformed
- Error message (Chinese): The security IP address is not in the available range or is already occupied.
- Error message (English): The security ip address is not in the available range or occupied.
Solution
- Cause 1: The number of entries exceeds the limit. A single whitelist group can contain a maximum of 1,000 IP addresses or CIDR blocks.
  Solution: Ensure that the number of IP addresses or IP address ranges in a single whitelist group does not exceed 1,000. We recommend that you merge scattered IP addresses into CIDR blocks (such as 192.168.1.0/24) to reduce the number of entries.
- Cause 2: The IP address whitelist contains invalid IP addresses.
  Solution: Ensure that each entered IP address is valid and in standard CIDR format, such as 10.23.12.0/24, with a prefix length from 1 to 32. To add multiple IP addresses, separate them with commas (,).
- Cause 3: The entry conflicts with an existing whitelist entry. For example, in ApsaraDB RDS for MySQL, 192.168.1.8 conflicts with 192.168.1.1/8.
  Solution: Plan and add whitelist entries based on your business requirements to prevent overlaps or conflicts with existing rules.
Note: Do not delete the default group default (which contains 127.0.0.1) or modify system groups such as ali_dms_group or hdm_security_ips, because doing so can affect system functionality or connection security.
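The script below is an added example, not part of this document or of the ApsaraDB RDS service: it applies the whitelist rules stated above (comma separation without spaces, the 1,000-entry limit, prefix length 1 to 32, no overlap with existing entries, and a warning for 0.0.0.0/0) to a candidate list before it is submitted, for example through ModifySecurityIps. The function names and the treatment of any overlap as a conflict are assumptions made for the example.

```python
import ipaddress

MAX_ENTRIES = 1000  # per-group limit given in this document
ALLOW_ALL = ipaddress.IPv4Network("0.0.0.0/0")


def parse_entry(entry):
    """Parse one whitelist entry (a plain IPv4 address or an IPv4 CIDR block).

    Mirrors the format rules above: no surrounding spaces, prefix length 1 to 32.
    Prefix 0 is parsed only so that 0.0.0.0/0 can be reported as a warning.
    Raises ValueError for anything else.
    """
    if not entry or entry != entry.strip():
        raise ValueError(f"empty entry or whitespace around entry: {entry!r}")
    if "/" not in entry:
        return ipaddress.IPv4Network(entry + "/32")
    addr, _, prefix = entry.partition("/")
    if not prefix.isdigit() or int(prefix) > 32:
        raise ValueError(f"prefix length must be 1 to 32: {entry!r}")
    # strict=False so that 192.168.1.1/8 covers 192.168.1.8, the conflict
    # example given in this document (assumed to match the service's view)
    return ipaddress.IPv4Network((addr, int(prefix)), strict=False)


def check_whitelist(new_ips, existing=()):
    """Check a comma-separated whitelist string before submitting it.

    `existing` holds entries already present in the instance's groups (assumed
    valid, because the service accepted them). Returns (errors, warnings).
    """
    errors, warnings = [], []
    raw = new_ips.split(",")
    if len(raw) + len(existing) > MAX_ENTRIES:
        errors.append(f"{len(raw) + len(existing)} entries exceed the limit of {MAX_ENTRIES}")
    parsed = []
    for text in raw:
        try:
            parsed.append((text, parse_entry(text)))
        except ValueError as exc:
            errors.append(f"invalid entry: {exc}")
    known = [(text, parse_entry(text)) for text in existing]
    for i, (text, net) in enumerate(parsed):
        if net == ALLOW_ALL:
            warnings.append(f"{text} allows every IP address; list only trusted hosts")
        # a conflict is any overlap with an existing entry or with another new entry
        for other_text, other in known + parsed[i + 1:]:
            if net.overlaps(other):
                errors.append(f"{text} conflicts with {other_text}")
    return errors, warnings
```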
Appendix: Check whether your application can connect to the RDS instance over an internal network
1. View the region and network type of the ECS instance on which your application is deployed. For more information, see Get ready to use ApsaraDB RDS.
2. View the region and network type of the RDS instance.
   Log on to the ApsaraDB RDS console and go to the Instances page. In the top navigation bar, select the region in which the RDS instance resides. Then, find the RDS instance and click the ID of the instance. On the page that appears, you can view the region, network type, and VPC ID of the RDS instance.
3. Check whether the ECS instance and the RDS instance meet the following conditions for communication over an internal network:
   - The ECS instance and the RDS instance reside in the same region.
   - The ECS instance and the RDS instance reside in the same type of network. If the ECS instance and the RDS instance both reside in VPCs, these instances reside in the same VPC.
   Note: If one of the preceding conditions is not met, the ECS instance cannot communicate with the RDS instance over an internal network.
Appendix: Finding application server IP addresses
Table 1. Finding application server IP addresses

| Scenario | IP address | Method |
| --- | --- | --- |
| If private network connectivity requirements are met | The IP address of the container in the ACK cluster | You can find the pod and node IP addresses on the Pods page of the target ACK cluster. |
| If private network connectivity requirements are met | Private IP address of the ECS instance | Go to the ECS Instances page, select a region, and then view the private and public IP addresses in the instance list. |
| If private network connectivity requirements are not met | Public IP address of the ECS instance | Go to the ECS Instances page, select a region, and then view the private and public IP addresses in the instance list. |
| To access the RDS instance from an on-premises device | Public IP address of the on-premises device | Use Note: The public IP address may change during database upgrades or modifications. If you have added your local IP address to the whitelist but still cannot connect, see Cannot connect to ApsaraDB RDS for MySQL or MariaDB over the internet: How to correctly enter the public IP address of your local device. |
Appendix: System-generated whitelists
When you use services such as DMS, DTS, and DAS with ApsaraDB RDS for MySQL, the system automatically adds the following whitelist groups to ensure proper access.
| Group name | Description |
| --- | --- |
| dms | Enables DMS to log on to ApsaraDB RDS for MySQL instances. |
| dts | Enables DTS to transfer data. |
| hdm_security_ips | Enables DAS to retrieve data for optimization, O&M, and security management. Important: For instances created after December 2020, the hdm_security_ips whitelist group is not visible in the console. This prevents accidental modification or deletion that could disrupt related services. |