To connect to an ApsaraDB RDS for MySQL or ApsaraDB RDS for MariaDB instance from a local server over the Internet, the public IP address of the local server must be in the IP address whitelist of the instance. If you have already added the IP address but still cannot connect, the most common causes are:
- Invalid IP address: The IP address you added is not the actual egress IP of your local server.
- Dynamic IP address: Your local server uses a dynamic public IP address that changed after you added it to the whitelist.
This topic does not apply if you are connecting from an Alibaba Cloud Elastic Compute Service (ECS) instance. For ECS-to-RDS connections, get the public and private IP addresses of the ECS instance from the ECS console.
Production environment recommendations
If your local server uses a dynamic public IP address and the connection is used in a production environment, use one of the following approaches to keep the connection stable:
- Connect to the RDS instance over an internal network.
- Add an appropriate public CIDR block of the local server to the IP address whitelist instead of a single IP address.
Diagnose and fix the connection failure
Use the following steps to verify that the correct IP address is in the whitelist and update it if needed.
Step 1: Temporarily open access
Add your company's public CIDR block or the entry 0.0.0.0/0 to the IP address whitelist of the RDS instance.
The entry 0.0.0.0/0 allows all devices to access the RDS instance, which introduces security risks. Delete this entry as soon as it is no longer needed.
Step 2: Get the actual public IP address
Use one of the following methods to get the actual egress IP address of the local server.
Method 1 (recommended): Run a curl command
curl ipinfo.io/ip
If this command fails, run:
curl ifconfig.me
Method 2: Query via SQL
- Connect to the RDS instance from the local server using the database client or CLI:
mysql -h<Endpoint> -u<Username> -p<Password> -P3306
- Run the following statement:
SHOW PROCESSLIST;
The Host value in the row where SHOW PROCESSLIST appears is the actual egress IP address of the local server.
Step 3: Update the IP address whitelist
- Delete the 0.0.0.0/0 entry from the IP address whitelist.
- Add the IP address obtained in Step 2 to the IP address whitelist.
The whitelist update takes effect in about 1 minute. After it takes effect, retry the connection.
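The check behind Steps 2 and 3, as an added example that is not part of the original page: a POSIX shell script that tests whether the egress IP from Step 2 falls inside any whitelist entry and flags an allow-all entry that was left behind. The function names, the comma-separated whitelist string, and all addresses are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not vendor code. All addresses are constructed documentation values.

# ip_to_int A.B.C.D: print the IPv4 address as a 32-bit integer.
ip_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr IP ENTRY: succeed if IP is inside ENTRY (a bare address counts as /32).
in_cidr() {
    case $2 in
        */*) base=${2%/*}; bits=${2#*/} ;;
        *)   base=$2; bits=32 ;;
    esac
    mask=$(( (0xFFFFFFFF << (32 - $bits)) & 0xFFFFFFFF ))
    [ $(( $(ip_to_int "$1") & $mask )) -eq $(( $(ip_to_int "$base") & $mask )) ]
}

# audit_whitelist IP "entry,entry,...": return 0 if IP is covered by a specific
# entry, 1 if it is not covered, 2 if an allow-all (/0) entry is still present.
audit_whitelist() {
    egress=$1; covered=no; open=no
    old_ifs=$IFS; IFS=', '
    set -- $2
    IFS=$old_ifs
    for entry in "$@"; do
        case $entry in
            */0) open=yes; echo "REMOVE: $entry allows every address" ;;
            *)   if in_cidr "$egress" "$entry"; then
                     covered=yes; echo "MATCH: $egress is inside $entry"
                 fi ;;
        esac
    done
    [ "$open" = no ] || return 2
    [ "$covered" = yes ] && return 0
    echo "NO MATCH: add $egress (or its CIDR block) to the whitelist"
    return 1
}

# Demo on a constructed whitelist; in practice pass "$(curl -s ipinfo.io/ip)" as the IP.
audit_whitelist 203.0.113.25 "0.0.0.0/0, 198.51.100.7" || echo "exit status: $?"
```

Exit status 2 means the temporary entry from Step 1 is still in place. Exit status 1 means the whitelisted address no longer matches the current egress IP, which is the dynamic IP case.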
FAQ
How do I confirm that my connection failure is caused by a dynamic IP address?
Add 0.0.0.0/0 to the IP address whitelist and wait about 1 minute. Then attempt to connect from the local server.
- If the connection succeeds: delete 0.0.0.0/0 from the IP address whitelist, add the actual public IP address of your local server to the whitelist, and then attempt to connect again.
  - If the connection succeeds after adding the specific IP: the IP address in your whitelist was outdated but is now correct.
  - If the connection still fails after adding the specific IP: the public IP address that you added is not the current public IP address of the local server. This indicates that the public IP address of the local server dynamically changes. Get the current egress IP using Step 2 and update the whitelist.
- If the connection still fails with 0.0.0.0/0: the issue is not related to the IP address whitelist. See Troubleshoot failures in connecting to an ApsaraDB RDS for MySQL instance for other possible causes.
I added the correct IP address, but the connection still fails. What else should I check?
If the public IP address of the local server dynamically changes, add the current public IP address of the local server to the IP address whitelist. The whitelist takes about 1 minute to take effect — wait and retry. If the connection still fails after the whitelist updates, see Troubleshoot failures in connecting to an ApsaraDB RDS for MySQL instance for other possible causes.