By default, Redis instances block access from all IP addresses to ensure the security and stability of Redis databases. Before you use a Redis instance, you must add IP addresses or CIDR blocks that you plan to use to access the Redis instance to the whitelists of the instance. A properly configured whitelist can enhance the security of your Redis instance. We recommend that you perform regular maintenance on your whitelists.
Methods of configuring a whitelist
Method | Description | Scenario |
Add IP addresses or CIDR blocks to a whitelist | Manually add the IP address of a client to a whitelist of a Redis instance to allow the client to access the Redis instance. | |
Add a security group | A security group is a virtual firewall that is used to control the inbound and outbound traffic of Elastic Compute Service (ECS) instances in the security group. For more information, see Overview. To authorize multiple ECS instances to access a Redis instance, you can add the security groups to which the ECS instances belong as whitelists for the Redis instance. In this case, you do not need to manually add the IP addresses of the ECS instances to the whitelists of the Redis instance. | Access a Redis instance from multiple ECS instances in the same region |
You can configure IP address whitelists and add ECS security groups as whitelists for a Redis instance. Both IP addresses in the IP address whitelists and ECS instances in the security groups are allowed to access the instance.
Add private IP addresses of ECS instances to a whitelist
If your ECS instance belongs to the same virtual private cloud (VPC) as a Redis instance, we recommend that you connect the ECS instance to the Redis instance over the VPC.
If your ECS instance and the Redis instance do not belong to the same VPC, you can change the VPC to which the ECS instance belongs. For more information, see Change the VPC of an ECS instance.
Log on to the ApsaraDB for Redis console and go to the Instances page. In the top navigation bar, select the region in which the instance that you want to manage resides. Then, find the instance and click the instance ID.
In the left-side navigation pane, click Whitelist Settings.
Find the default whitelist and click Modify in the Actions column.
NoteYou can also click Add Whitelist to create a whitelist. The name of a whitelist must be 2 to 32 characters in length and can contain lowercase letters, digits, and underscores (_). It must start with a lowercase letter and end with a lowercase letter or digit.
If you set Method to Add IP Address to Import ECS Internal IP Address, the panel displays the private IP addresses of ECS instances that are deployed in the same region as the Tair instance.
Move the pointer over an IP address to view the ID and name of the ECS instance to which the IP address is assigned.
Select the required IP addresses and move them to the section on the right.
Click OK.
(Optional) To remove all IP addresses from a whitelist and delete the whitelist, click Delete in the Actions column corresponding to the whitelist.
Default whitelists generated by the system cannot be deleted, such as default and hdm_security_ips.
Add public IP addresses to a whitelist
If you want to access a Redis instance from an on-premises device or if your ECS instance is not in the same VPC as the Redis instance, perform the following steps to create a whitelist:
Log on to the ApsaraDB for Redis console and go to the Instances page. In the top navigation bar, select the region in which the instance that you want to manage resides. Then, find the instance and click the instance ID.
In the left-side navigation pane, click Whitelist Settings.
Find the default whitelist and click Modify in the Actions column.
NoteYou can also click Add Whitelist to create a whitelist. The name of a whitelist must be 2 to 32 characters in length and can contain lowercase letters, digits, and underscores (_). It must start with a lowercase letter and end with a lowercase letter or digit.
Set Method to Add IP Address to Add Manually.
In the Whitelist field, enter IP addresses or CIDR blocks.
Separate multiple IP addresses with commas (,). A maximum of 1,000 unique IP addresses can be added. You can enter IP addresses and CIDR blocks in the following formats:
Specific IP addresses such as 10.23.12.24.
CIDR blocks such as 10.23.12.0/24. /24 indicates the length of the IP address prefix. An IP address prefix can be 1 to 32 bits in length. 10.23.12.0/24 indicates an IP address range from 10.23.12.0 to 10.23.12.255. For more information about CIDR blocks, see FAQ about CIDR blocks.
WarningIf you add 0.0.0.0/0 to a whitelist of a Redis instance, all IP addresses can connect to the instance. This operation poses security risks. Proceed with caution.
Click OK.
(Optional) To remove all IP addresses from a whitelist and delete the whitelist, click Delete in the Actions column corresponding to the whitelist.
Default whitelists generated by the system cannot be deleted, such as default and hdm_security_ips.
Batch add public and private IP addresses of ECS instances by using security groups
If you want to connect multiple ECS instances to a Redis instance, you can add a security group as a whitelist for the Redis instance. After you add an ECS security group as a whitelist for a Redis instance, all ECS instances in the security group can access the instance over an internal network or the Internet.
The instance version must be the latest minor version of Redis 4.0 or later. For more information, see Upgrade the major version.
ECS security groups are not supported in the China (Heyuan) region.
You cannot add ECS security groups as whitelists for cloud-native instances that use the cluster or read/write splitting architecture.
Log on to the ApsaraDB for Redis console and go to the Instances page. In the top navigation bar, select the region in which the instance that you want to manage resides. Then, find the instance and click the instance ID.
In the left-side navigation pane, click Whitelist Settings.
Click the Security Groups tab.
On the Security Groups tab, click Create Security Group.
In the dialog box that appears, select the security groups that you want to add as whitelists.
You can use a security group name or security group ID to perform fuzzy search.
NoteYou can add up to 10 security groups as whitelists for each Redis instance.
Click OK.
(Optional) To remove all security groups, click Delete.
Related API operations
API operation | Description |
Queries the IP address whitelists configured for a Redis instance. | |
Modifies the IP address whitelists of a Redis instance. | |
Queries the security groups that are added as whitelists for a Redis instance. | |
Modifies the security groups that are added as whitelists for a Redis instance. |