All Products
Search

This Product

    ApsaraDB RDS:Configure an IP address whitelist

    Document Center

    ApsaraDB RDS:Configure an IP address whitelist

    Last Updated:Mar 28, 2026

    By default, new ApsaraDB RDS for SQL Server instances block all external connections. Configure an IP address whitelist to allow only trusted IP addresses to access your instance. The instance continues running normally while you make changes.

    For other database engines, see:

    Which IP address to add

    The IP address to add depends on where your application is running.

    SourceNetwork requirementIP to add
    Elastic Compute Service (ECS) instance in the same virtual private cloud (VPC)Recommended setupPrivate IP address of the ECS instance
    ECS instance in a different VPCInstances in different VPCs cannot communicate over internal networks. Move the ECS instance to the same VPC first.Private IP address of the ECS instance
    Container Service for Kubernetes (ACK) cluster in the same VPC (Flannel plugin)Recommended setupNode IP address of the application
    ACK cluster in the same VPC (Terway plugin)Recommended setupPod IP address of the application
    ACK cluster in a different VPCMove the ACK cluster to the same VPC first.Node IP (Flannel) or Pod IP (Terway) of the application
    On-premises device or self-managed hostN/APublic IP address of the host
    Note

    Applications on on-premises hosts connect to the public endpoint of your RDS instance.

    To find the Pod IP address and node IP address of an ACK cluster, go to the pod details page of the target cluster.

    How to find your IP address

    If you are not sure which IP address to add, use the following methods.

    Private IP address of an ECS instance

    1. Log in to the ECS console.

    2. In the top navigation bar, select the region of the ECS instance.

    3. Copy the private IP address from the instance list.image

    Public IP address of an on-premises device

    On the device, search for "my IP address" in a browser.

    The IP address returned by a browser search may differ from what the device itself reports if network address translation (NAT) is in effect. NAT is common in corporate networks and home routers — the address visible to the internet (and to your RDS instance) is your router's external IP, not the device's local IP. For more reliable methods, see how SQL Server determines the public IP address of an external server or client.

    Usage notes

    • Each RDS instance supports a maximum of 50 IP address whitelists. Each whitelist supports a maximum of 1,000 IP addresses and CIDR blocks.

    • The default whitelist contains only 127.0.0.1, which means no external addresses are allowed. You can modify its entries but cannot delete the whitelist itself.

    • Do not modify or delete whitelists automatically created for other Alibaba Cloud services. Deleting them breaks those integrations:DAS

      • ali_dms_group — created for Data Management (DMS)

      • hdm_security_ips — created for Database Autonomy Service (DAS)

    Important

    The hdm_security_ips whitelist is hidden on instances created after December 2020 to prevent accidental changes.

    Add IP addresses to a whitelist

    Prerequisites

    Before you begin, ensure that you have:

    Steps

    1. Go to the Instances page. In the top navigation bar, select the region of your RDS instance, then click the instance ID.

    2. In the left-side navigation pane, click Whitelist and SecGroup. On the Whitelist Settings tab, check the whitelist mode for the instance.

      Note

      Existing instances may run in enhanced whitelist mode. All new instances use standard whitelist mode.

    3. Click Create Whitelist. In the dialog box, set Whitelist Name, add the IP address, then click OK.

      Follow these formatting rules:

      • You must separate multiple IP addresses and CIDR blocks with commas (,). Do not add spaces before and after each comma. Example: 192.XXX.XXX.1,172.XXX.XXX.9.

      • A maximum of 1,000 IP addresses and CIDR blocks can be configured for each RDS instance. If you want to add many IP addresses, we recommend that you merge the IP addresses into CIDR blocks, such as 10.10.10.0/24.

      Alternatively, click Modify to the right of the default group to update that group directly.

      If the instance uses enhanced whitelist mode, keep network types separate:

      • Classic network ECS: add the public IP address or private IP address of the classic network-type ECS instance to the classic network whitelist.

      • VPC-type ECS: add the private IP address of the VPC-type ECS instance to the VPC whitelist.

    4. (Optional) In the Create Whitelist dialog box, click Add Internal IP Address of ECS Instance to view and select from the private IP addresses of all ECS instances under your account.添加白名单分组

    What's next

    Connect to an ApsaraDB RDS for SQL Server instance

    FAQ

    Error InvalidSecurityIPListLength.Malformed when adding a whitelist entry. What does this mean?

    Issue description

    This error has three common causes:

    Solution

    • Too many entries in the group: A single whitelist group supports a maximum of 1,000 IP addresses and CIDR blocks. Merge scattered addresses into CIDR format (for example, 192.168.1.0/24) to reduce the count.

    • Invalid IP address format: Check that all addresses are valid. Use standard CIDR notation with a mask between 1 and 32, and separate multiple addresses with commas only — no spaces.

    • Conflict with an existing entry: Some formats overlap — for example, 192.168.1.8 conflicts with 192.168.1.1/8 in RDS MySQL. Review existing whitelist entries and resolve any overlaps.

    API reference