ApsaraDB RDS: Find your public IP for ApsaraDB RDS connections

Last Updated: Jun 11, 2026

Before you connect to an ApsaraDB RDS for MySQL or ApsaraDB RDS for MariaDB instance from the internet, you must add the public IP address of your client to the instance's IP address whitelist. This topic describes how to find the correct public IP address.

Problem description

You have added your client's IP address to the IP address whitelist, but you still cannot connect to the instance.

This issue often occurs because the public IP address you added is incorrect, or your client's public IP address has changed.

Note

This topic applies only when you connect to an ApsaraDB RDS instance from a non-ECS client. If you connect from an ECS instance, you can find its public and private IP addresses on the instance details page in the ECS console.

Prerequisites

Before connecting to an RDS instance over the internet, ensure the following:

  1. Public endpoint enabled: Your RDS instance must have a public endpoint enabled (for example, rm-bp1xxxxx.mysql.rds.aliyuncs.com). You cannot use a private endpoint for internet connections. If you do not have a public endpoint, you can request one on the Database Connection page in the ApsaraDB RDS console.

  2. Correct IP for the whitelist: The IP address whitelist must contain the public egress IP address of your client, not the endpoint or IP address of the RDS instance.

Recommendations

For production environments in which the client's public IP address changes dynamically, use an internal connection or add a range of IP addresses to the IP address whitelist to prevent disconnections.

Find your client's public IP address

  1. Temporarily add a permissive whitelist entry.

    Add your company's public CIDR block or 0.0.0.0/0 to your instance's IP address whitelist.

    Warning

    The entry 0.0.0.0/0 allows any device to access the RDS instance, which poses a security risk. Use this entry with caution and remove it immediately after testing.

  2. Get the public IP address. (Choose one method)

    • Method 1 (Recommended): Use a curl command. Run the curl ipinfo.io/ip command to get your client's public IP address.

      Note

      If the issue persists, run the curl ifconfig.me command instead.

    • Method 2: Use a web browser. This method is ideal for GUI-based operating systems like Windows.

      In a web browser, visit one of the following websites. They will display your client's public egress IP address:

      Add the displayed IP address to the IP address whitelist of your RDS instance.

    • Method 3: Use a SQL query. This is the most reliable method for finding the egress IP address as seen by the database server.

      Follow these steps:

      1. Temporarily set the IP address whitelist to 0.0.0.0/0, and wait for about 1 minute for the setting to take effect.

      2. Use a MySQL client to connect to the RDS instance from your local device:

        mysql -h<endpoint> -u<username> -p<password> -P3306

      3. After you connect, run the following command:

        SHOW FULL PROCESSLIST;

      4. In the results, find the current connection session (the row where the Info column shows show full processlist or the row that corresponds to the User). The value in the Host column is the client's real public IP address, in the format IP:Port, such as 120.xx.xx.xx:52861.

      5. Extract the IP address, add it to the IP address whitelist of the RDS instance, and remove the 0.0.0.0/0 entry.

      6. Disconnect and then reconnect to verify that the IP address whitelist is correctly configured.

  3. Finalize the IP address whitelist.

    1. Remove the temporary 0.0.0.0/0 entry.

    2. Add and verify the correct public IP address you obtained.
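The following Python sketch is an added example, not part of the original documentation. It extracts the current session's IP address from tab-separated SHOW FULL PROCESSLIST output (Method 3) and checks a whitelist for a leftover 0.0.0.0/0 entry and for coverage of that IP address. The sample rows, user names, and function names are constructed for illustration, and the addresses come from documentation-reserved ranges.

```python
import ipaddress

# Constructed sample: tab-separated SHOW FULL PROCESSLIST rows, as printed by
# a MySQL client in batch mode. All values are made up for this example.
SAMPLE_PROCESSLIST = (
    "Id\tUser\tHost\tdb\tCommand\tTime\tState\tInfo\n"
    "41\tapp_user\t198.51.100.7:40112\tappdb\tSleep\t12\t\tNULL\n"
    "57\tdba_user\t203.0.113.24:52861\tNULL\tQuery\t0\tstarting\t"
    "SHOW FULL PROCESSLIST\n"
)


def current_session_ip(processlist_text):
    """Return the client IP of the row whose Info is SHOW FULL PROCESSLIST."""
    lines = processlist_text.strip("\n").split("\n")
    header = lines[0].split("\t")
    # Look columns up by name so an extra column in the output does not
    # shift the indexes.
    host_col, info_col = header.index("Host"), header.index("Info")
    for line in lines[1:]:
        cols = line.split("\t")
        info = cols[info_col].strip().rstrip(";").upper()
        if info == "SHOW FULL PROCESSLIST":
            host = cols[host_col].rsplit(":", 1)[0]  # drop the :Port suffix
            return ipaddress.ip_address(host)  # raises ValueError if not an IP
    raise ValueError("current session not found in process list")


def audit_whitelist(entries, client_ip):
    """Compare whitelist entries with the IP address the server sees."""
    nets = [ipaddress.ip_network(e, strict=False) for e in entries]
    return {
        # Entries such as 0.0.0.0/0 that must be removed after testing.
        "open_to_all": [str(n) for n in nets if n.prefixlen == 0],
        # True only if a specific (non-open) entry already covers the client.
        "covers_client": any(client_ip in n for n in nets if n.prefixlen != 0),
        "entry_to_add": str(client_ip),
    }


if __name__ == "__main__":
    ip = current_session_ip(SAMPLE_PROCESSLIST)
    # Constructed whitelist: the temporary open entry plus a stale address.
    print(audit_whitelist(["0.0.0.0/0", "198.51.100.7"], ip))
```

A result with a non-empty open_to_all list means the temporary entry from step 1 is still in place. A covers_client value of False means the address the database sees is not yet whitelisted.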

FAQ

  • How can I determine if a connection failure is caused by a change in my client's public IP address?

    Add 0.0.0.0/0 to the IP address whitelist of your ApsaraDB RDS for MySQL or ApsaraDB RDS for MariaDB instance and wait for about one minute for the setting to take effect. This allows any device to access the instance. If you can now connect to the database, the issue is likely the IP address whitelist. To confirm, remove the 0.0.0.0/0 entry, add what you believe is your current IP address, and test again. If the connection fails, it confirms that your client's public IP address is different from the one you added.

  • Why does the connection still fail after I configured the IP address whitelist?

    After updating the whitelist, remember that changes take about one minute to apply. Wait before you retry the connection.

    Many factors other than the IP address whitelist can cause connection failures. For more information, see Troubleshoot connection failures to an instance.

  • I can ping the RDS endpoint and telnet to the port successfully, but my database client (like Navicat) still cannot connect. Why?

    • A successful ping does not mean database authorization. ApsaraDB RDS does not block ping requests by default. A successful ping only indicates network-level reachability, not that the database has authorized your IP address.

    • A successful telnet only indicates TCP port connectivity. Connecting to port 3306 successfully only confirms that the network path and port are open. The database-level verification of the IP address whitelist is a separate, required step.

    • Root cause: The client's IP address is not in the IP address whitelist, or the IP address in the whitelist is not the client's actual public egress IP address.

    • Solution:

      1. Run SHOW PROCESSLIST to retrieve the actual connection IP address that the database sees (see "Method 3" above).

      2. Add this IP address to the IP address whitelist.

      3. Verify that the connection parameters in your database client (such as Navicat) are correct, including the public endpoint, port (default is 3306), username, and password.

  • The IP address shown in the ApsaraDB RDS connection logs or PROCESSLIST is different from the one I see when I check my local IP. Why?

    Reason: If your local network traffic goes through a corporate gateway (NAT), the database server sees the public IP address of the gateway, not your individual machine's IP address.

    Solution: Always use the Host IP address shown in the output of the SHOW PROCESSLIST command in your IP address whitelist. Do not rely on the IP address from a query on your local machine.

Cross-border and cross-region access

  • You can connect to an ApsaraDB RDS instance from anywhere in the world by using its public endpoint and a correctly configured IP address whitelist.

  • For low-latency, high-security connections, or for sharing data across regions, use the following solutions:

  • Public internet access is subject to cross-border network fluctuations. For production environments, use an internal network solution.