This topic describes common errors and FAQs about configuring whitelists.
Common error cases

| Error case | Description | Solution |
| --- | --- | --- |
| The whitelist is not configured and contains only | This configuration prevents any external IP address from accessing the RDS instance. | Add your clients' public IP addresses to the whitelist. |
| The IP address | The IP address format is invalid. | Important: The |
| An incorrect public IP address of a client is added to the whitelist. | | See How to find the correct public IP address of your client device. |
| In high-security mode, an IP address is added to a whitelist group for the wrong network type. | High-security mode distinguishes between the classic network and VPCs. | Add the IP address to the whitelist group that corresponds to the correct network type. For example, if you add an IP address to a whitelist group for a VPC, only clients within that VPC can use that IP address to access the RDS instance. In the Modify Whitelist Group dialog box, under Network Isolation Mode, select VPC or Classic Network and Public Address based on your network type. |
FAQ
- Q: Can I use a whitelist and a security group at the same time?
  A: Yes. The two are combined as a union: a client is admitted if its IP address is on the whitelist or if it is an ECS instance in the security group. When you audit who can reach the instance, review both.
- Q: Do changes to a whitelist take effect immediately?
  A: The changes take effect in about one minute and apply to new connections only; connections that are already established stay open until they are closed.
- Q: What are the ali_dms_group and hdm_security_ips whitelist groups?
  A: When you add an RDS instance to Data Management Service (DMS) or Database Autonomy Service (DAS), the system automatically creates the ali_dms_group and hdm_security_ips whitelist groups after you grant the required permissions. Do not modify or delete these groups, because doing so may disrupt the services. These services do not access any of your business data.
  Important: To prevent accidental modification or deletion, the hdm_security_ips whitelist group is hidden from the user interface for instances created after December 2020.
Do I need to add CDN node IP addresses to the RDS whitelist after enabling CDN for my website?
No. The RDS whitelist controls which client IP addresses can connect directly to the database. CDN nodes fetch content from your web server, not from the database; typically it is your application server (such as an ECS instance) that connects to RDS, so add the outbound IP address of that server to the whitelist, not the CDN node IP addresses.
If you experience intermittent connection failures that stop after adding 0.0.0.0/0, the whitelist is rejecting a source address you did not expect: usually the client's IP address changes dynamically (for example, the server's egress address is not fixed) or DNS resolution changes. Treat 0.0.0.0/0 as a short diagnostic step only, because it admits every address, and remove it as soon as the real source address is known. We recommend the following troubleshooting steps:
- Check the DNS configuration of your application server. We recommend using Alibaba Cloud public DNS (223.5.5.5 and 223.6.6.6).
- Use ping and telnet to verify the actual IP address being used to reach the instance, and compare it with the entries in your whitelist.
What is the difference between the DMS whitelist and the RDS database whitelist?
The DMS whitelist controls which IP addresses can log on to the DMS console. It is completely independent from the RDS database whitelist — the two have no association. Enabling or disabling the DMS whitelist does not affect the RDS whitelist configuration, and vice versa.
Do login failure entries in the error log mean my database has been compromised?
Not necessarily. A successful database login requires two independent checks to pass:
- The client IP address must be allowed by the RDS whitelist.
- The correct database username and password must be provided.
Login failure records alone do not indicate a successful intrusion; they record attempts that were rejected. If your credentials have not been compromised and your whitelist is strictly restricted, attackers cannot log on to your database directly. Failures from addresses you do not recognize are still worth a look: confirm that the whitelist is not broader than intended (for example, that it does not contain 0.0.0.0/0) and that the accounts being tried use strong, unique passwords.
Connection troubleshooting and system IP addresses
Telnet succeeds but database connection fails
Telnet only tests whether the TCP port is reachable (transport layer). The whitelist controls application-layer access, so a client that is not on the whitelist can still complete the TCP handshake and is rejected only when it tries to log on. If Telnet to the port succeeds but you still cannot connect to the database, check whether the whitelist includes your client's actual source IP address.
Unknown IP addresses in logs
If you see unknown IP addresses in your logs, check whether they belong to the Alibaba Cloud Database Autonomy Service (DAS). These IP addresses are in the hdm_security_ips group and are reserved by the system for data collection and security management. Do not delete them.
System-reserved IP addresses
RDS includes built-in system whitelists (not displayed in the console) for internal operations such as monitoring and backup. You do not need to manually add Alibaba Cloud internal IP addresses.
Verifying that whitelist changes have taken effect
In the console, open the whitelist settings page and confirm that the restricted IP configuration has been saved. Whitelist changes typically take about 1 minute to propagate. To verify the effect rather than the configuration, open a new connection from a host that is on the whitelist (it should succeed) and from one that is not (it should be rejected). Connections that were already open before the change are not affected, so do not use them as evidence either way.
Does RDS support blacklists or excluding specific IP addresses?
The RDS whitelist uses a "deny by default, allow explicitly" model. RDS does not support blacklists or directly excluding specific IP addresses.
Cannot block a specific IP when 0.0.0.0/0 is configured
If your current whitelist contains 0.0.0.0/0 (allowing all IP addresses), you cannot directly block a specific IP address. You must remove 0.0.0.0/0 from the whitelist and reconfigure it to include only the specific IP addresses or CIDR blocks that require access.
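The deny-by-default model and the 0.0.0.0/0 situation described above, as an added example in Python (not Alibaba Cloud's own code): it parses a whitelist group in the comma-separated form the console and API use, reports whether a given client address is covered and by which entries (the comparison step from the troubleshooting section earlier), flags an allow-all entry, and rewrites an allow-all group into an explicit list. The whitelist strings and client addresses are constructed samples, and the IPv4-only and no-host-bits rules are this audit's own assumptions, not documented RDS validation rules.

```python
"""Offline audit of an RDS-style IP whitelist group (added example, not
Alibaba Cloud code). Assumes the comma-separated "ip,ip/prefix,..." format;
the sample whitelists and client addresses below are constructed."""
import ipaddress
from typing import List

ALLOW_ALL = ipaddress.IPv4Network("0.0.0.0/0")


def fmt(net: ipaddress.IPv4Network) -> str:
    """Render a host entry as a bare address and anything else as CIDR."""
    return str(net.network_address) if net.prefixlen == 32 else str(net)


def parse_whitelist(raw: str) -> List[ipaddress.IPv4Network]:
    """Parse one whitelist group. A bare address becomes a /32.

    Assumption of this audit (not a documented RDS rule): entries must be
    IPv4 and must not have host bits set, e.g. "10.0.0.5/24" is rejected.
    A malformed entry raises ValueError naming the entry, mirroring the
    "IP address format is invalid" error case instead of dropping it.
    """
    networks = []
    for entry in (e.strip() for e in raw.split(",")):
        if not entry:
            continue
        try:
            networks.append(ipaddress.IPv4Network(entry))
        except ValueError as exc:
            raise ValueError(f"invalid whitelist entry {entry!r}: {exc}") from exc
    return networks


def allows_all(networks: List[ipaddress.IPv4Network]) -> bool:
    """True if the group contains 0.0.0.0/0, which admits every address and
    makes every other entry in the group irrelevant."""
    return ALLOW_ALL in networks


def matching_entries(client_ip: str, networks) -> List[str]:
    """Entries that cover client_ip. An empty list means deny (the default)."""
    ip = ipaddress.IPv4Address(client_ip)
    return [fmt(n) for n in networks if ip in n]


def is_allowed(client_ip: str, networks) -> bool:
    return bool(matching_entries(client_ip, networks))


def restrict_whitelist(raw: str, keep: List[str]) -> str:
    """Turn an allow-all group into an explicit one.

    RDS has no blacklist, so a single address cannot be "blocked" while
    0.0.0.0/0 is present. The only option is to drop 0.0.0.0/0 and list
    what must remain allowed. Returns the comma-separated form for the
    console or for the ModifySecurityIps API with ModifyMode=Cover.
    """
    networks = [n for n in parse_whitelist(raw) if n != ALLOW_ALL]
    for entry in keep:
        net = ipaddress.IPv4Network(entry)
        if net not in networks:
            networks.append(net)
    if not networks:
        raise ValueError("resulting whitelist would be empty and block everyone")
    return ",".join(fmt(n) for n in networks)


if __name__ == "__main__":
    group = "0.0.0.0/0,10.0.0.0/24"               # constructed sample group
    nets = parse_whitelist(group)
    print("allow-all:", allows_all(nets))
    for client in ("10.0.0.17", "203.0.113.7"):
        print(client, "->", matching_entries(client, nets))
    # Keep the app subnet plus one operator address; every other address is now denied.
    print("tightened:", restrict_whitelist(group, ["203.0.113.7"]))
```

Run it against the string shown in the console for the group you are auditing; if allows_all() is true, every other entry in that group is dead weight and the only effective change is the one restrict_whitelist() produces.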
How does the whitelist interact with other features?
Database proxy
The IP whitelist for the RDS database proxy is managed centrally in the primary instance. The proxy automatically inherits the whitelist configuration of the primary instance — no separate configuration is needed.
VPN
Adding entries to the database whitelist does not affect your existing VPN configuration. For private-network connections from SAE, ensure that SAE and RDS are in the same VPC and add the SAE private IP address to the whitelist.
Product isolation
The whitelist configuration of an RDS instance applies only to that instance. It does not affect access rules for other products such as PolarDB.
Impact of whitelist modifications
Modifying the whitelist (by calling the ModifySecurityIps API) is an access control policy change. It does not trigger an instance switchover and has no direct relationship with secondary instance replication latency.
API development and vulnerability scanning
Managing whitelists via SDK
To manage whitelists programmatically in bulk, refer to the ModifySecurityIps API in the API documentation. You can use the PHP SDK or SDKs in other languages to call this API to modify whitelist groups.
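Calling ModifySecurityIps from code, as an added example (not Alibaba Cloud's SDK sample): it validates and de-duplicates the entries before sending, so a typo fails locally instead of producing a partial update, and shows the documented ModifyMode values Cover, Append and Delete. It assumes the alibabacloud_rds20140815 and alibabacloud_tea_openapi packages, credentials in the ALIBABA_CLOUD_ACCESS_KEY_ID and ALIBABA_CLOUD_ACCESS_KEY_SECRET environment variables, and placeholder instance ID, group name and addresses; the request model's snake_case field names (DBInstanceId as dbinstance_id, and so on) follow the SDK's mapping of the API parameters, and the SDK is imported only inside apply_whitelist so the validation helpers run without it.

```python
"""Bulk whitelist management through the RDS ModifySecurityIps API (added
example, not Alibaba Cloud's own sample). Instance ID, group name and
addresses below are placeholders."""
import ipaddress
import os
from typing import Dict, Iterable

MODIFY_MODES = ("Cover", "Append", "Delete")   # documented ModifyMode values


def build_security_ips(entries: Iterable[str]) -> str:
    """Validate and de-duplicate entries into the comma-separated SecurityIps
    string. A malformed entry raises ValueError before anything is sent, so a
    typo cannot silently turn into a partial update."""
    seen = []
    for entry in entries:
        net = ipaddress.IPv4Network(entry.strip())       # raises on bad input
        text = str(net.network_address) if net.prefixlen == 32 else str(net)
        if text not in seen:
            seen.append(text)
    if not seen:
        raise ValueError("refusing to send an empty whitelist")
    return ",".join(seen)


def modify_security_ips_params(instance_id: str, group: str,
                               entries: Iterable[str], mode: str = "Cover") -> Dict[str, str]:
    """API parameters for one call. Cover replaces the group's contents,
    Append adds entries to it, Delete removes them."""
    if mode not in MODIFY_MODES:
        raise ValueError(f"unknown ModifyMode {mode!r}; expected one of {MODIFY_MODES}")
    return {
        "DBInstanceId": instance_id,
        "DBInstanceIPArrayName": group,
        "SecurityIps": build_security_ips(entries),
        "ModifyMode": mode,
    }


def apply_whitelist(params: Dict[str, str], region_id: str = "cn-hangzhou"):
    """Send the request with the official SDK. Imports live here so that the
    offline helpers above do not need the SDK installed."""
    from alibabacloud_tea_openapi import models as open_api_models
    from alibabacloud_rds20140815 import models as rds_models
    from alibabacloud_rds20140815.client import Client as RdsClient

    config = open_api_models.Config(
        access_key_id=os.environ["ALIBABA_CLOUD_ACCESS_KEY_ID"],
        access_key_secret=os.environ["ALIBABA_CLOUD_ACCESS_KEY_SECRET"],
        region_id=region_id,
        endpoint="rds.aliyuncs.com",
    )
    request = rds_models.ModifySecurityIpsRequest(
        dbinstance_id=params["DBInstanceId"],
        dbinstance_iparray_name=params["DBInstanceIPArrayName"],
        security_ips=params["SecurityIps"],
        modify_mode=params["ModifyMode"],
    )
    return RdsClient(config).modify_security_ips(request)


if __name__ == "__main__":
    # Placeholder instance, group and addresses; Append leaves other entries alone.
    params = modify_security_ips_params("rm-example", "app-servers",
                                        ["10.0.0.0/24", "203.0.113.7"], mode="Append")
    print(params)
    if os.environ.get("ALIBABA_CLOUD_ACCESS_KEY_ID"):
        print(apply_whitelist(params).body)
```

Prefer Append and Delete for routine changes and reserve Cover for rebuilding a group from a known-good list, because Cover replaces every entry in the group in one call.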
Vulnerability scanning false positives
Scanners often flag MySQL version vulnerabilities (such as CNVD-2026-18428) from the reported version string alone. Because RDS is deployed in a VPC and protected by an IP whitelist, access from outside the allowed sources is blocked at the network level, which removes the exposure the scanner assumes. Such findings typically have no practical impact. Note that this is a compensating control, not a fix: it holds only while the whitelist is strict. A group that contains 0.0.0.0/0, or a compromised client that is on the whitelist, would restore the reachability the finding assumes, so confirm the whitelist contents before closing a finding.
Expired instance restrictions
During the lock period after an instance expires, you cannot modify the whitelist to restrict public network access. To verify the business impact, we recommend that you first renew the instance to unlock it, modify the whitelist to restrict access, confirm that your applications are unaffected, and then evaluate whether to unsubscribe.
When do whitelist changes take effect? Are existing connections disconnected?
Scope of changes
Whitelist changes apply only to new connections.
Existing connections are not affected
Established database connections are not automatically disconnected when the whitelist is modified, whether IP addresses are added or removed. To enforce restrictions on all connections immediately, you must manually terminate existing database connections so that clients reconnect and are evaluated against the new whitelist.
This explains the following common scenarios:
- After removing an IP address from the whitelist, existing connections from that IP continue to work. This is expected behavior, because existing connections are not affected by whitelist changes.
- After deleting a whitelist configuration, existing connections remain active. Similarly, you must manually disconnect old connections for the change to take full effect.
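Enforcing a whitelist change on sessions that were already established, as an added example (not from the page): given rows from MySQL's information_schema.processlist and the new whitelist group, it selects the sessions whose source address is no longer allowed and issues KILL for them. The processlist rows, whitelist and account names below are constructed; terminate() assumes a DB-API connection such as pymysql and an account that is privileged to kill other users' threads on the instance.

```python
"""Find and terminate sessions that a whitelist change no longer permits
(added example, not Alibaba Cloud code). Sample rows are constructed."""
import ipaddress
from typing import Iterable, List, Optional, Tuple

# Constructed sample of: SELECT id, user, host FROM information_schema.processlist
SAMPLE_PROCESSLIST: List[Tuple[int, str, str]] = [
    (11, "app", "10.0.0.17:51200"),
    (12, "app", "203.0.113.7:40110"),     # address that was just removed
    (13, "event_scheduler", "localhost"), # server-internal, no remote client
    (14, "report", "198.51.100.9:33060"),
]


def _client_ip(host: str) -> Optional[ipaddress.IPv4Address]:
    """Strip the ':port' suffix MySQL appends; None for non-IP hosts."""
    addr = host.rsplit(":", 1)[0]
    try:
        return ipaddress.IPv4Address(addr)
    except ValueError:
        return None


def sessions_to_kill(rows: Iterable[Tuple[int, str, str]], whitelist: str,
                     protect_users: Tuple[str, ...] = ("event_scheduler",)) -> List[int]:
    """IDs of sessions whose source address is not covered by the new
    whitelist. Internal sessions (no IP in host) and protected accounts are
    left alone; a whitelist containing 0.0.0.0/0 naturally kills nothing."""
    nets = [ipaddress.IPv4Network(e.strip()) for e in whitelist.split(",") if e.strip()]
    victims = []
    for session_id, user, host in rows:
        if user in protect_users:
            continue
        ip = _client_ip(host)
        if ip is None:
            continue
        if not any(ip in n for n in nets):
            victims.append(session_id)
    return victims


def kill_statements(ids: Iterable[int]) -> List[str]:
    """The statements an operator would paste if running this by hand."""
    return [f"KILL {session_id}" for session_id in ids]


def terminate(conn, ids: Iterable[int]) -> int:
    """Run KILL for each id over a DB-API connection; returns the count.
    Assumes the account may kill other users' threads (not true of an
    unprivileged application account)."""
    count = 0
    with conn.cursor() as cur:
        for session_id in ids:
            cur.execute("KILL %s", (session_id,))
            count += 1
    return count


if __name__ == "__main__":
    new_group = "10.0.0.0/24,198.51.100.0/24"    # constructed: 203.0.113.7 removed
    stale = sessions_to_kill(SAMPLE_PROCESSLIST, new_group)
    print("\n".join(kill_statements(stale)))
```

Run sessions_to_kill() against a fresh processlist right after the console reports the change saved; anything it returns is a client that the new whitelist would reject but that is still connected because its session predates the change.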