ApsaraDB for Redis:Step 2: Configure whitelists

Last Updated:Sep 22, 2023

By default, ApsaraDB for Redis blocks access from all IP addresses to ensure the security and stability of databases. Before you use an ApsaraDB for Redis instance, you must add IP addresses or CIDR blocks that are used to access the ApsaraDB for Redis instance to the whitelists of the instance. Whitelists can be used to improve the access security of ApsaraDB for Redis instances. We recommend that you maintain whitelists on a regular basis.

Preparations

Before you configure a whitelist for an ApsaraDB for Redis instance, you must obtain the IP addresses of clients based on the client installation locations.

Client installation location: ECS instance (recommended)

  Network type: VPC

  How to obtain IP addresses: Query the IP address of an ECS instance.

  Note
  • Make sure that the ECS instance and the ApsaraDB for Redis instance are deployed in the same VPC. The basic information sections of the instances must display the same VPC ID. If the instances are deployed in different VPCs, you can change the VPC to which the ECS instance belongs. For more information, see Change the VPC of an ECS instance.

  • The network types of the ECS instance and the ApsaraDB for Redis instance may be different. For example, the ECS instance belongs to the classic network and the ApsaraDB for Redis instance belongs to a VPC. For information about how to connect to an ApsaraDB for Redis instance from an ECS instance when the instances are deployed in different types of networks, see Connect an ECS instance to an ApsaraDB for Redis instance in different types of networks.

Client installation location: On-premises device or third-party cloud

  Network type: Internet

  How to obtain IP addresses: The method used to obtain the public IP address of an on-premises device may vary based on your network environment or operation. The following list provides reference methods for obtaining the public IP address of an on-premises device by using commands in different operating systems:

  • Linux: Open the CLI, enter the curl ifconfig.me command, and then press Enter.

  • Windows: Open Command Prompt, enter the curl ip.me command, and then press Enter.

  • macOS: Open the CLI, enter the curl ifconfig.me command, and then press Enter.

Methods of configuring a whitelist

Method 1: Manually add a whitelist

  You can manually add the IP address of a client to a whitelist of the ApsaraDB for Redis instance to allow the client to access the instance.

Method 2: Add ECS security groups as whitelists

  A security group is a virtual firewall that controls the inbound and outbound traffic of the ECS instances in the group. To authorize multiple ECS instances to access an ApsaraDB for Redis instance, you can associate the security groups of these ECS instances with the ApsaraDB for Redis instance. This is more convenient than manually adding the IP addresses of the ECS instances to an instance whitelist.

  Note

  The engine version of the ApsaraDB for Redis instance must be Redis 4.0 or later. For more information about how to upgrade the engine version, see Upgrade the major version.

Note

You can configure both IP address whitelists and ECS security groups as whitelists for the same ApsaraDB for Redis instance. Both the IP addresses in the IP address whitelists and the ECS instances in the security groups are allowed to access the instance.

Method 1: Manually add a whitelist

  1. Log on to the ApsaraDB for Redis console and go to the Instances page. In the top navigation bar, select the region in which the instance that you want to manage resides. Then, find the instance and click the instance ID.

  2. In the left-side navigation pane, click Whitelist Settings.

  3. Find the default whitelist and click Modify.

    Note

    You can also click Add Whitelist to create a whitelist. The name of a whitelist must be 2 to 32 characters in length and can contain lowercase letters, digits, and underscores (_). It must start with a lowercase letter and end with a lowercase letter or digit.

  4. In the dialog box that appears, perform one of the following operations:

    • Manually add IP addresses or CIDR blocks to the whitelist.

      In the Whitelist text box, enter IP addresses or CIDR blocks.

      Separate multiple IP addresses with commas (,). A maximum of 1,000 unique IP addresses can be added. You can enter the following types of entries:

      • Specific IP addresses. Example: 10.23.12.24.

      • CIDR blocks. Example: 10.23.12.0/24. /24 indicates the length of the IP address prefix. An IP address prefix can be 1 to 32 bits in length. 10.23.12.0/24 indicates an IP address range from 10.23.12.0 to 10.23.12.255. For more information about CIDR blocks, see FAQ about CIDR blocks.

      Warning

      If you add 0.0.0.0/0 to a whitelist of a Tair instance, all IP addresses can connect to the instance. This operation poses security risks. Proceed with caution.

      Figure 1. Manually modify the whitelist

    • Add private IP addresses of ECS instances to the whitelist.

      1. Click Load ECS Internal Network IP.

        The private IP addresses of ECS instances that are deployed in the same region as the Tair instance are displayed.

      2. Select IP addresses based on your business requirements.

        Figure 2. Select private IP addresses of ECS instances

        Note

        To view the ECS instance that is assigned a specific IP address, you can move the pointer over the IP address. Then, the system displays the ID and name of the ECS instance to which the IP address is assigned.

  5. Click OK.

  6. (Optional) To remove all IP addresses from a whitelist and delete the whitelist, click Delete in the Actions column corresponding to the whitelist.

    System-generated whitelists, such as default and hdm_security_ips, cannot be deleted.

Method 2: Add ECS security groups as whitelists

You can add ECS security groups as whitelists for the ApsaraDB for Redis instance. Then, the ECS instances in the security groups can access the ApsaraDB for Redis instance over an internal network or the Internet. If you want to access the ApsaraDB for Redis instance over the Internet, you must apply for a public endpoint for the instance. For more information, see Use a public endpoint to connect to an ApsaraDB for Redis instance.

Note
  • Before you add a security group as a whitelist, make sure that the ECS instances in the security group are deployed in the same VPC as the ApsaraDB for Redis instance.

  • You cannot add ECS security groups as whitelists for Tair instances deployed in the following regions: China (Heyuan), China (Guangzhou), China (Nanjing), and China (Ulanqab).

  • You cannot add ECS security groups as whitelists for cloud-native (cloud disk-based) instances that use the cluster or read/write splitting architecture.

  1. Log on to the ApsaraDB for Redis console and go to the Instances page. In the top navigation bar, select the region in which the instance that you want to manage resides. Then, find the instance and click the instance ID.

  2. In the left-side navigation pane, click Whitelist Settings.

  3. Click Security Groups.

  4. On the Security Groups tab, click Add Security Group.

  5. In the dialog box that appears, select the security groups that you want to add as whitelists.

    You can perform a fuzzy search by security group name or security group ID.

    Figure 3. Add security groups

    Note

    You can add up to 10 security groups as whitelists for each Tair instance.

  6. Click OK.

  7. (Optional) To remove all security groups, click Delete.

References

Related API operations

  • DescribeSecurityIps: Queries the IP address whitelists of an ApsaraDB for Redis instance.

  • ModifySecurityIps: Modifies the IP address whitelists of an ApsaraDB for Redis instance.

  • DescribeSecurityGroupConfiguration: Queries the security groups that are added as whitelists for an ApsaraDB for Redis instance.

  • ModifySecurityGroupConfiguration: Modifies the security groups that are added as whitelists for an ApsaraDB for Redis instance.

FAQ

  • Why are whitelists automatically created for an ApsaraDB for Redis instance? Can I delete these whitelists?

    After you create an ApsaraDB for Redis instance, a default whitelist is automatically created. After you perform specific operations on the instance, more whitelists are automatically created, as follows:

    • default: The default whitelist. It cannot be deleted.

    • ali_dms_group: This whitelist is automatically created by Data Management (DMS) when you log on to an ApsaraDB for Redis instance from DMS. For more information, see Log on to an ApsaraDB for Redis instance by using DMS. Do not delete or modify this whitelist. Otherwise, you may be unable to log on to the ApsaraDB for Redis instance from DMS.

    • hdm_security_ips: This whitelist is automatically created by Database Autonomy Service (DAS) when you use CloudDBA-related features such as cache analysis. For more information, see Use the offline key analysis feature. Do not delete or modify this whitelist. Otherwise, the CloudDBA-related features may become unavailable.

  • A whitelist contains IP address 127.0.0.1 in addition to client IP addresses. In this case, can these clients connect to the ApsaraDB for Redis instance?

    Yes, these clients can connect to the ApsaraDB for Redis instance. If the whitelist contains only IP address 127.0.0.1, no IP addresses are allowed to connect to the instance.

  • Why is the (error) ERR illegal address message returned after I use the redis-cli tool to connect to an ApsaraDB for Redis instance?

    The IP address of the client where the redis-cli tool is deployed is not added to a whitelist of the ApsaraDB for Redis instance. You must check the whitelists of the ApsaraDB for Redis instance.

  • If the IP address of my client is not added to a whitelist of an ApsaraDB for Redis instance, can I check port connectivity by running the TELNET command?

    Yes, you can run the TELNET command to check port connectivity. The following output is returned after you run the TELNET command:

    Escape character is '^]'.
    Connection closed by foreign host.
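The whitelist rules given in Method 1 (comma-separated IP addresses or CIDR blocks, at most 1,000 unique entries, 10.23.12.0/24 covering 10.23.12.0 to 10.23.12.255, the 0.0.0.0/0 warning) and the FAQ answer about 127.0.0.1 can be checked offline before a value is pasted into the Whitelist text box. The following is an added example, not code from the ApsaraDB for Redis documentation, console or SDK; `parse_whitelist`, `cidr_range` and `client_allowed` are hypothetical helper names, and the whitelist strings used with them are constructed.

```python
"""Offline check of an ApsaraDB for Redis whitelist value (added example).
Hypothetical helpers, not part of the ApsaraDB for Redis console, API or SDK.
Rules mirrored from the documentation: comma-separated IPv4 addresses or CIDR
blocks, at most 1,000 unique entries, and 0.0.0.0/0 admits every address.
"""
import ipaddress

MAX_ENTRIES = 1000  # limit stated in the console documentation


def parse_whitelist(text):
    """Parse the Whitelist text box value; return (networks, findings).
    Single addresses become /32 networks so membership tests are uniform and
    duplicates are dropped. Host bits in a CIDR block are masked off here (an
    assumption; the console's own validation may be stricter).
    """
    networks, findings, seen = [], [], set()
    for raw in text.split(","):
        entry = raw.strip()
        if not entry:
            continue
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            findings.append(f"invalid entry: {entry!r}")
            continue
        if net.version != 4:  # documented prefix lengths are 1 to 32 bits
            findings.append(f"not an IPv4 entry: {entry!r}")
            continue
        if net.prefixlen == 0:  # 0.0.0.0/0 is accepted but exposes the instance
            findings.append("0.0.0.0/0 allows every IP address to connect")
        if net not in seen:
            seen.add(net)
            networks.append(net)
    if len(networks) > MAX_ENTRIES:
        findings.append(f"{len(networks)} entries exceed the limit of {MAX_ENTRIES}")
    return networks, findings


def cidr_range(net):
    """First and last address of a block: 10.23.12.0/24 -> 10.23.12.0, 10.23.12.255."""
    return str(net.network_address), str(net.broadcast_address)


def client_allowed(networks, client_ip):
    """True if client_ip lies inside any whitelisted address or block. A whitelist
    holding only 127.0.0.1 therefore admits no remote client, as the FAQ states."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in networks)
```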