All Products
Search
Document Center

ApsaraDB RDS:Configure an IP address whitelist

Last Updated:Apr 14, 2026

By default, newly created ApsaraDB RDS for SQL Server instances block all external access. To ensure security, you must configure an IP address whitelist to allow access only from trusted IP addresses. We recommend configuring and regularly maintaining the whitelist immediately after you create an instance to enhance access security. Configuring the IP address whitelist does not affect the normal operation of the RDS instance.

For information about how to configure an IP address whitelist for other database engines, see the following topics:

Use cases

Common scenarios for configuring an IP address whitelist include:

  • After you create an RDS instance, you must add the IP addresses of external devices to the whitelist to allow these devices to access the instance.

  • When a database connection fails, check whether the IP address whitelist is correctly configured.

The following table describes which IP addresses to add to the whitelist for different connection scenarios.

Connection scenario

Network type

Whitelist settings

Connecting from an Elastic Compute Service (ECS) instance to an RDS instance

In the same Virtual Private Cloud (VPC) (Recommended)

Add the private IP address of the ECS instance.

In different VPCs

Instances in different VPCs cannot communicate with each other over the internal network. To resolve this, move one of the instances to the same VPC as the other, and then add the private IP address of the ECS instance to the IP address whitelist.

Connecting from a pod in a Container Service for Kubernetes (ACK) cluster to an RDS instance

In the same Virtual Private Cloud (VPC) (Recommended)

  • If the ACK cluster uses the Flannel container network plugin, add the node IP of the node that runs your application.

  • If the ACK cluster uses the Terway container network plugin, add the pod IP of the pod that runs your application.

You can find the pod IP and node IP on the Pods page of the target ACK cluster.

In different VPCs

Instances in different VPCs cannot communicate with each other over the internal network. To resolve this, move one of the instances to the same VPC as the other. Then, add the required IP address from the ACK cluster to the IP address whitelist.

  • If the ACK cluster uses the Flannel container network plugin, add the node IP of the node that runs your application.

  • If the ACK cluster uses the Terway container network plugin, add the pod IP of the pod that runs your application.

Connecting from an on-premises host to an RDS instance

N/A

Add the public IP address of the on-premises host to the IP address whitelist.

Note

Applications on an on-premises host must use the public endpoint of the RDS instance to connect.

Precautions

  • An instance can have a maximum of 50 IP address whitelist groups.

  • The default IP address whitelist group cannot be deleted, but you can clear its entries. By default, this group contains only 127.0.0.1, which prevents access from any external IP address.

  • Do not modify or delete whitelist groups that are automatically generated by the system. Doing so may affect the functionality of related services such as Data Management (DMS) and . Examples of system-generated groups include ali_dms_group and hdm_security_ips.

    Important

    To prevent accidental modification or deletion, the hdm_security_ips whitelist group is hidden for instances created after December 2020.

Procedure

  1. Go to the Instances page. In the top navigation bar, select the region in which the RDS instance resides. Then, find the RDS instance and click the ID of the instance.

  2. In the left-side navigation pane, click Whitelist and SecGroup.

    The Whitelist Settings tab shows the instance's current IP address whitelist mode.

    Note

    Instances created before a specific date may use the enhanced whitelist mode. Newly created instances use the standard whitelist mode.

  3. Click Create Whitelist. In the dialog box that appears, enter a Group Name, add the IP addresses of your application servers, and then click OK.

    Note
    • You can also click Modify to the right of the default group to change its whitelist entries.

    • Separate multiple IP addresses with a comma (,), with no spaces around the comma. For example: 192.XXX.XXX.1,172.XXX.XXX.9.

    • You can add a maximum of 1,000 IP addresses or IP address ranges to a whitelist group. If you need to add many IP addresses, consolidate them into CIDR blocks, such as 10.10.10.0/24.

    • If the instance uses the standard whitelist mode, no extra steps are required. If it uses the enhanced whitelist mode, note the following:

      • Add the public IP address or the private IP address of an ECS instance in the classic network to a classic network whitelist group.

      • Add the private IP address of an ECS instance in a VPC to a VPC whitelist group.

  4. (Optional) In the Create Whitelist dialog box, click Add Internal IP Address of ECS Instance. This quickly adds the private IP addresses of all ECS instances under your Alibaba Cloud account to the whitelist.添加白名单分组

Next step

Connect to an ApsaraDB RDS for SQL Server instance

Appendix: Finding the application server IP

Identify your scenario to find the correct IP address to add to the whitelist.

Scenario

Required IP address

Method

Connecting over the internal network

IP address of the pod in an ACK cluster

  • If the ACK cluster uses the Flannel container network plugin, add the node IP of the node that hosts your application.

  • If the ACK cluster uses the Terway container network plugin, add the pod IP of the pod that runs your application.

You can find the pod IP and node IP on the Pods page of your cluster.

Private IP address of an ECS instance

  1. Go to the ECS console.

  2. In the top navigation bar, select the region where the instance is located.

  3. You can find the private and public IP addresses in the instance list.

    image

Connecting from an ECS instance over the public network

Public IP address of an ECS instance

Connecting from a local device.

Public IP address of the local device

On your local device, search for "what is my IP" in a search engine.

Note

If the IP address returned by the search engine is not accurate, use other methods to find your public IP address.

FAQ

Error adding to a whitelist in the RDS console: InvalidSecurityIPListLength.Malformed?

Problem description

Solution

  • Solution: Ensure that the number of IP addresses or IP ranges in a single whitelist group does not exceed 1,000. Consolidate individual IP addresses into CIDR blocks, such as 192.168.1.0/24, to reduce the count.

  • Solution: Ensure that the entered IP address is valid and in standard CIDR format (such as 10.23.12.0/24), with a mask range of 1 to 32. If you need to add multiple IP addresses, use a comma (,) to separate them.

  • Reason 3: A conflict exists with an existing allowlist. For example, in RDS for MySQL, 192.168.1.8 conflicts with 192.168.1.1/8.

Note

Do not delete the default group default, which contains 127.0.0.1, and do not modify system groups such as ali_dms_group or hdm_security_ips, to avoid affecting system functionality or connection security.

Related APIs