By default, newly created ApsaraDB RDS for SQL Server instances block all external access. To ensure security, you must configure an IP address whitelist to allow access only from trusted IP addresses. We recommend configuring and regularly maintaining the whitelist immediately after you create an instance to enhance access security. Configuring the IP address whitelist does not affect the normal operation of the RDS instance.
For information about how to configure an IP address whitelist for other database engines, see the following topics:
Use cases
Common scenarios for configuring an IP address whitelist include:
After you create an RDS instance, you must add the IP addresses of external devices to the whitelist to allow these devices to access the instance.
When a database connection fails, check whether the IP address whitelist is correctly configured.
The following table describes which IP addresses to add to the whitelist for different connection scenarios.
Connection scenario | Network type | Whitelist settings |
Connecting from an Elastic Compute Service (ECS) instance to an RDS instance | In the same Virtual Private Cloud (VPC) (Recommended) | Add the private IP address of the ECS instance. |
In different VPCs | Instances in different VPCs cannot communicate with each other over the internal network. To resolve this, move one of the instances to the same VPC as the other, and then add the private IP address of the ECS instance to the IP address whitelist. | |
Connecting from a pod in a Container Service for Kubernetes (ACK) cluster to an RDS instance | In the same Virtual Private Cloud (VPC) (Recommended) |
You can find the pod IP and node IP on the Pods page of the target ACK cluster. |
In different VPCs | Instances in different VPCs cannot communicate with each other over the internal network. To resolve this, move one of the instances to the same VPC as the other. Then, add the required IP address from the ACK cluster to the IP address whitelist.
| |
Connecting from an on-premises host to an RDS instance | N/A | Add the public IP address of the on-premises host to the IP address whitelist. Note Applications on an on-premises host must use the public endpoint of the RDS instance to connect. |
Precautions
An instance can have a maximum of 50 IP address whitelist groups.
The
defaultIP address whitelist group cannot be deleted, but you can clear its entries. By default, this group contains only127.0.0.1, which prevents access from any external IP address.Do not modify or delete whitelist groups that are automatically generated by the system. Doing so may affect the functionality of related services such as Data Management (DMS) and . Examples of system-generated groups include ali_dms_group and hdm_security_ips.
ImportantTo prevent accidental modification or deletion, the hdm_security_ips whitelist group is hidden for instances created after December 2020.
Procedure
Go to the Instances page. In the top navigation bar, select the region in which the RDS instance resides. Then, find the RDS instance and click the ID of the instance.
In the left-side navigation pane, click Whitelist and SecGroup.
The Whitelist Settings tab shows the instance's current IP address whitelist mode.
NoteInstances created before a specific date may use the enhanced whitelist mode. Newly created instances use the standard whitelist mode.
Click Create Whitelist. In the dialog box that appears, enter a Group Name, add the IP addresses of your application servers, and then click OK.
NoteYou can also click Modify to the right of the default group to change its whitelist entries.
Separate multiple IP addresses with a comma (,), with no spaces around the comma. For example:
192.XXX.XXX.1,172.XXX.XXX.9.You can add a maximum of 1,000 IP addresses or IP address ranges to a whitelist group. If you need to add many IP addresses, consolidate them into CIDR blocks, such as 10.10.10.0/24.
If the instance uses the standard whitelist mode, no extra steps are required. If it uses the enhanced whitelist mode, note the following:
Add the public IP address or the private IP address of an ECS instance in the classic network to a classic network whitelist group.
Add the private IP address of an ECS instance in a VPC to a VPC whitelist group.
(Optional) In the Create Whitelist dialog box, click Add Internal IP Address of ECS Instance. This quickly adds the private IP addresses of all ECS instances under your Alibaba Cloud account to the whitelist.

Next step
Appendix: Finding the application server IP
Identify your scenario to find the correct IP address to add to the whitelist.
Scenario | Required IP address | Method |
Connecting over the internal network | IP address of the pod in an ACK cluster |
You can find the pod IP and node IP on the Pods page of your cluster. |
Private IP address of an ECS instance |
| |
Connecting from an ECS instance over the public network | Public IP address of an ECS instance | |
Connecting from a local device. | Public IP address of the local device | On your local device, search for "what is my IP" in a search engine. Note If the IP address returned by the search engine is not accurate, use other methods to find your public IP address. |
