In standard whitelist mode, an IP address whitelist can contain IP addresses from both the classic network and VPCs, with no network-type distinction. Enhanced whitelist mode binds each IP address whitelist to a specific network type (classic network or VPC). When creating an IP address whitelist in enhanced mode, specify the network type. This separates access control by network type.
Prerequisites
Before you begin, ensure that you have:
An ApsaraDB RDS for PostgreSQL instance that runs one of the following:
PostgreSQL 10 on RDS High-availability Edition with Premium Local SSDs
PostgreSQL 9.4 on RDS High-availability Edition with Premium Local SSDs
Usage notes
This operation is irreversible. After switching to enhanced whitelist mode, the instance cannot revert to standard whitelist mode.
In enhanced whitelist mode, a classic-network-type IP address whitelist also controls Internet access. To access the RDS instance from the Internet, add the host's public IP address to a classic-network-type whitelist.
The switch takes approximately 3 minutes. The application stays connected to the RDS instance during this period.
After you switch to enhanced whitelist mode, the Elastic Compute Service (ECS) security group configuration remains unchanged. For more information, see Configure an IP address whitelist for an ApsaraDB RDS for PostgreSQL instance.
What changes after switching
The switch automatically creates network-type-specific whitelists based on the instance's current network configuration:
| Network configuration | Result |
|---|---|
| VPC | A VPC-type IP address whitelist is created. All IP addresses and CIDR blocks from the original whitelists are copied to it. |
| Classic network | A classic-network-type IP address whitelist is created. All IP addresses and CIDR blocks from the original whitelists are copied to it. |
| Hybrid access mode | Two IP address whitelists are created: one VPC-type and one classic-network-type. Both contain all IP addresses and CIDR blocks from the original whitelists. For more information, see Configure the hybrid access solution for an ApsaraDB RDS for PostgreSQL instance. |
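Because every original entry is copied into each whitelist the switch creates, the resulting lists are worth reviewing afterwards. The following Python sketch is an added example, not part of the product or its documentation: it models the table above and flags copied entries for review. The function names, the sample entries, and the review heuristics (IPv4 only, a /24 threshold for "broad") are assumptions of this example.

```python
import ipaddress

VPC, CLASSIC = "vpc", "classic"
# Private and carrier-grade NAT ranges; anything else is treated as public here.
PRIVATE = [ipaddress.IPv4Network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]

def switch_to_enhanced(network_config, original_entries):
    """Model the table: each whitelist created by the switch receives a copy
    of every entry from the original (standard-mode) whitelists."""
    created = {"vpc": [VPC], "classic": [CLASSIC], "hybrid": [VPC, CLASSIC]}
    return {t: list(original_entries) for t in created[network_config]}

def audit(whitelists, min_public_prefix=24):
    """Return (network_type, entry, reason) tuples worth reviewing.
    The thresholds are this example's heuristics, not product rules."""
    findings = []
    for net_type, entries in whitelists.items():
        for entry in entries:
            net = ipaddress.IPv4Network(entry, strict=False)
            public = not any(net.subnet_of(p) for p in PRIVATE)
            if net.prefixlen == 0:
                findings.append((net_type, entry, "matches every address"))
            elif net_type == VPC and public:
                findings.append((net_type, entry, "public entry copied into VPC-type list"))
            elif net_type == CLASSIC and public and net.prefixlen < min_public_prefix:
                findings.append((net_type, entry, "broad public range on Internet-facing list"))
    return findings

# Constructed sample: entries of a standard-mode whitelist on a hybrid-access instance.
SAMPLE = ["10.10.0.0/16", "192.168.1.20", "203.0.113.10", "198.51.100.0/22", "0.0.0.0/0"]

if __name__ == "__main__":
    for finding in audit(switch_to_enhanced("hybrid", SAMPLE)):
        print(*finding, sep="\t")
```

Entries flagged in the VPC-type list are candidates for removal, since that list grants access only over the VPC; entries flagged in the classic-network-type list matter most because that list also controls Internet access.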
Procedure
Go to the Instances page. In the top navigation bar, select the region where the RDS instance resides. Find the instance and click its ID.
In the left-side navigation pane, click Whitelist and SecGroup.
On the Whitelist Settings tab, click Switch to Enhanced Whitelist (Recommended).
In the confirmation message, click Confirm.
FAQ
How do I allow Internet access to my RDS instance in enhanced whitelist mode?
Add the host's public IP address to a classic-network-type IP address whitelist. In enhanced whitelist mode, the classic-network-type whitelist controls both classic network access and Internet access.
What is the advantage of enhanced whitelist mode over standard whitelist mode?
In standard mode, a single whitelist applies to all connections regardless of network type. In enhanced mode, each whitelist is scoped to a specific network type. For example, an IP address in a VPC-type whitelist grants access only over that VPC, not over the Internet.