This topic describes the common errors and provides answers to some commonly asked questions about the IP address whitelist settings of an ApsaraDB RDS for PostgreSQL instance.
Common errors
Error | Description | Solution |
No IP address whitelists are configured. | Your RDS instance has only one default IP address whitelist. The default IP address whitelist contains only the 127.0.0.1 IP address, which indicates that no devices can access your RDS instance. | Add the IP addresses of the specified devices to an IP address whitelist. |
The 0.0.0.0 entry is added to an IP address whitelist during a connectivity test. | The format of the entry is invalid. | Change the 0.0.0.0 entry to the 0.0.0.0/0 Classless Inter-Domain Routing (CIDR) block. Warning: The 0.0.0.0/0 CIDR block indicates that all IP addresses are granted access to your RDS instance. We recommend that you add this CIDR block only for a connectivity test. When you run online workloads, do not add this CIDR block to an IP address whitelist. |
The public IP addresses in a configured IP address whitelist are inaccessible. | | For more information, see How to view the local IP address of an RDS PostgreSQL instance. |
The IP addresses of the specified devices are added to an enhanced IP address whitelist, and the network type of this whitelist differs from the network types of these devices. | In enhanced whitelist mode, ApsaraDB RDS distinguishes between the classic network and virtual private clouds (VPCs). | Add the IP addresses to an IP address whitelist whose network type is the same as the network types of the devices. For example, if an IP address is added to an IP address whitelist of the VPC network type, you can connect to your RDS instance from the IP address only over a VPC. |
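The first two rows of the table, plus a check that a given client address is actually covered, can be audited offline with a short script. This is an added example, not Alibaba Cloud code: the function name `audit_whitelist` and the finding codes are assumptions made for illustration, and the script works on entries you paste in rather than calling any ApsaraDB RDS API.

```python
import ipaddress

def audit_whitelist(entries, client_ip=None):
    """Audit one IP address whitelist; return a list of (subject, finding_code)."""
    findings, networks = [], []
    for raw in entries:
        entry = raw.strip()
        if entry == "0.0.0.0":
            # Per the table: a bare 0.0.0.0 entry has an invalid format.
            findings.append((entry, "INVALID_FORMAT"))
            continue
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            findings.append((entry, "NOT_AN_IP_OR_CIDR"))
            continue
        if net.prefixlen == 0:
            # 0.0.0.0/0 grants every address access: connectivity tests only.
            findings.append((entry, "OPEN_TO_ALL"))
        networks.append(net)
    loopback = ipaddress.ip_network("127.0.0.1/32")
    if not networks or all(n == loopback for n in networks):
        # Only the default 127.0.0.1 entry is usable: no device can connect.
        findings.append(("whitelist", "NO_DEVICE_ALLOWED"))
    if client_ip is not None:
        addr = ipaddress.ip_address(client_ip)
        if not any(addr in n for n in networks):
            findings.append((client_ip, "CLIENT_NOT_COVERED"))
    return findings

if __name__ == "__main__":
    # Constructed sample whitelists and client addresses (not real deployments).
    samples = [
        (["127.0.0.1"], "203.0.113.7"),
        (["0.0.0.0"], None),
        (["0.0.0.0/0"], None),
        (["192.168.0.0/16", "203.0.113.0/24"], "192.168.10.5"),
    ]
    for entries, client in samples:
        print(entries, client, "->", audit_whitelist(entries, client) or "no findings")
```

An empty result means none of these checks fired; it says nothing about network type mismatches in enhanced whitelist mode, which this script does not model.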
FAQ
Can I configure both IP address whitelists and security groups for my RDS instance?
Yes, you can configure both IP address whitelists and security groups for your RDS instance. All IP addresses in the configured IP address whitelists and all ECS instances in the configured security groups are granted access to your RDS instance.
After I configure an IP address whitelist for my RDS instance, does the IP address whitelist immediately take effect?
After you configure an IP address whitelist for your RDS instance, the IP address whitelist requires about 1 minute to take effect.
What are the IP address whitelists labeled ali_dms_group and hdm_security_ips?
When you connect to your RDS instance from Data Management (DMS) and Database Autonomy Service (DAS), the system generates IP address whitelists for DMS and DAS upon your authorization. The IP address whitelist labeled ali_dms_group is generated for DMS. The IP address whitelist labeled hdm_security_ips is generated for DAS. Do not modify or delete the IP address whitelists. If you modify or delete the IP address whitelists, these services cannot access your RDS instance. These services do not perform operations on your business data.
Important: If an RDS instance is created after December 2020, the IP address whitelist that is labeled hdm_security_ips is invisible to users. This prevents the IP address whitelist from being unintentionally modified or deleted.
If no fixed IP address is allocated to the server of a user or the IP address of the server dynamically changes, how do I add the IP address of the server to an IP address whitelist of my RDS instance?
We recommend that you use identity authentication instead of IP address whitelists to implement access control.
Use the dynamic DNS service: You can use the dynamic DNS service to obtain the domain name that corresponds to the dynamic IP address and add the domain name or its resolved IP address to the IP address whitelist.
Configure a reverse proxy or load balancer: All application requests of a user are forwarded to the RDS instance by using the reverse proxy or load balancer. You need to add only the fixed IP address of the reverse proxy to the IP address whitelist.
Update the IP address whitelist regularly or use CIDR blocks: If IP addresses change within a certain range, such as IP addresses for home broadband allocated by Internet service providers (ISPs), you can obtain and add the IP addresses to the IP address whitelist on a regular basis. You can also add the CIDR blocks that cover these IP addresses to the IP address whitelist. For example, the CIDR block 192.168.0.0/16 indicates that all IP addresses that start with 192.168 (192.168.XXX.XXX) are allowed to access your RDS instance.