This page covers common whitelist configuration errors and frequently asked questions for ApsaraDB RDS for PostgreSQL.
Whitelist changes take about 1 minute to take effect. If you updated your whitelist and the connection still fails, wait a moment and try again before investigating further.
Troubleshooting
Check the following common causes:
| Symptom | Cause | Fix |
|---|---|---|
| No devices can connect and the only whitelist is the default one | The default IP address whitelist contains only 127.0.0.1, which blocks all external access | Add the IP addresses of the devices that need access to an IP address whitelist |
You added 0.0.0.0 during a connectivity test, but the entry is rejected | 0.0.0.0 is an invalid format | Change it to the CIDR block 0.0.0.0/0Warning
|
| Public IP addresses in the whitelist are not reachable | Public IP addresses may change dynamically, or the tool you used to look up the IP returned an inaccurate result | See How to view the local IP address of an RDS PostgreSQL instance |
| IP addresses are in an enhanced whitelist but connections still fail | In enhanced whitelist mode, ApsaraDB RDS separates classic network and VPC (Virtual Private Cloud) whitelists. An IP added to a VPC-type whitelist can only connect over a VPC. | Add the IP address to the whitelist whose network type matches the network used by the connecting device  |
FAQ
Can I use both IP address whitelists and security groups at the same time?
Yes. All IP addresses in the configured whitelists and all ECS instances in the configured security groups are granted access. The two mechanisms work together.
How long does it take for a whitelist change to take effect?
About 1 minute.
What are the ali_dms_group and hdm_security_ips whitelists?
When you connect to your RDS instance from Data Management (DMS) or Database Autonomy Service (DAS), the system automatically creates IP address whitelists for these services upon your authorization. ali_dms_group is created for DMS and hdm_security_ips is created for DAS.
Do not modify or delete either whitelist — doing so prevents DMS or DAS from connecting to your instance. Neither service reads or modifies your business data.
For RDS instances created after December 2020, hdm_security_ips is hidden from the console to prevent accidental changes.
The server I need to allowlist has a dynamic IP address. What should I do?
For dynamic IP scenarios, use identity authentication instead of IP address whitelists where possible. If you must use whitelists, choose one of the following approaches:
Dynamic DNS: Use a dynamic DNS service to map your dynamic IP address to a domain name, then add the domain name or its resolved IP address to the whitelist.
Reverse proxy or load balancer: Route all application requests through a reverse proxy or load balancer with a fixed IP address, and add only that fixed IP to the whitelist.
CIDR blocks or scheduled updates: If IP addresses change within a known range — for example, home broadband addresses assigned by an Internet service provider (ISP) — add the CIDR block covering that range (for example,
192.168.0.0/16covers all addresses in the192.168.x.xrange). Alternatively, update the whitelist regularly as addresses change.