
Tair (Redis® OSS-Compatible): Configure an IP address whitelist

Last Updated: Nov 24, 2025

To ensure the security and stability of your Tair (Redis OSS-compatible) instance, access from all IP addresses to Tair (and Redis Open-Source Edition) instances is denied by default. Before you can use a Tair (or Redis Open-Source Edition) instance, you must add the IP address or IP address range of the client to the instance's whitelist. A properly configured whitelist enhances the security of your instance. We recommend that you perform regular maintenance on your whitelists.

Whitelist configuration methods

| Method | Description | Scenarios |
| --- | --- | --- |
| Add a whitelist | Manually add the IP address of a client to the instance's whitelist to grant access to the client. | |
| Add a security group | A security group is a virtual firewall that controls the inbound and outbound traffic of ECS instances in the security group. To grant access to multiple ECS instances, you can bind their security group to the Tair instance. After the security group is bound, all ECS instances in the group can access the Tair instance without you having to manually enter their IP addresses. | Add the private and public IP addresses of multiple ECS instances using a security group |

Note

You can configure whitelist groups and ECS security groups at the same time. In this case, the IP addresses in the whitelist groups and the ECS instances in the security groups can access the instance.

Add the private IP address of an ECS instance to a whitelist

If your ECS instance and Tair instance are in the same virtual private cloud (VPC), you can use the VPC for access.

Note

If your ECS instance and Tair instance are not in the same VPC, you can change the VPC of the ECS instance. For more information, see Change the VPC of an ECS instance.

  1. Log on to the console and go to the Instances page. In the top navigation bar, select the region in which the instance that you want to manage resides. Then, find the instance and click the instance ID.

  2. In the left-side navigation pane, click Whitelist Settings.

  3. Find the default whitelist and click Modify in the Actions column.

    Note

    You can also click Add Whitelist to create a whitelist. The name of a whitelist must be 2 to 32 characters in length and can contain lowercase letters, digits, and underscores (_). It must start with a lowercase letter and end with a lowercase letter or digit.

  4. Set Add Method to Import ECS Internal IP Address. The private IP addresses of the ECS instances that are in the same region as the Tair instance are displayed.

    You can hover your mouse pointer over an IP address to view the ID and name of the ECS instance to which the IP address belongs.

  5. Select the required IP addresses and move them to the right pane.

  6. Click OK.

  7. Optional: To remove all IP addresses from a whitelist group, click Delete on the right of the target whitelist group.

    System-generated whitelist groups, such as default and hdm_security_ips, cannot be deleted.

Add a public IP address to a whitelist

If you want to remotely access an instance from an on-premises device, or if your ECS instance and Tair instance are not in the same VPC, you can follow these steps to add a public IP address to a whitelist.

  1. Log on to the console and go to the Instances page. In the top navigation bar, select the region in which the instance that you want to manage resides. Then, find the instance and click the instance ID.

  2. In the navigation pane on the left, click Whitelist Settings.

  3. In the default security group, click Modify.

    Note

    You can also click Add Whitelist to create a new group. The group name must be 2 to 32 characters in length and can contain lowercase letters, digits, and underscores (_). It must start with a lowercase letter and end with a lowercase letter or a digit.

  4. Set Add Method to Add Manually.

  5. In the Whitelist text box, enter an IP address or a CIDR block.

    How to query the public IP addresses of on-premises devices and ECS instances

    • ECS instance: Query the IP address of an ECS instance?

    • On-premises: The method to query the public IP address of an on-premises device may vary based on your network environment or operations. The following commands show how to obtain the public IP address of an on-premises device on different operating systems:

        • Linux operating system: Open the terminal and run the curl ifconfig.me command.

        • Windows operating system: Open the command prompt and run the curl ip.me command.

        • macOS operating system: Open the terminal and run the curl ifconfig.me command.

    Separate multiple IP addresses with commas (,). The IP addresses cannot be the same. You can add up to 1,000 IP addresses. The following formats are supported:

    • A specific IP address, such as 10.23.12.24.

    • Classless Inter-Domain Routing (CIDR) block. For example, /24 indicates that the prefix is 24 bits in length. The prefix can be 1 to 32 bits in length. 10.23.12.0/24 indicates the IP address range from 10.23.12.0 to 10.23.12.255.

    Warning

    Adding 0.0.0.0/0 to the whitelist allows access from all IP addresses. This poses high security risks. Configure this setting with caution.

  6. Click OK.

  7. Optional: To remove all IP addresses from a whitelist group, click Delete on the right of the target whitelist group.

    System-generated whitelist groups, such as default and hdm_security_ips, cannot be deleted.
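The whitelist format and group-name rules from the steps above can be checked before a value is pasted into the console. The following Python sketch is an added example, not Alibaba Cloud code; the function names and the /24 review threshold are assumptions, and the sample input is constructed.

```python
import ipaddress
import re

MAX_ENTRIES = 1000      # per-whitelist limit stated on this page
REVIEW_PREFIX = 24      # assumed local policy: flag anything broader than /24
# Group-name rule from this page: 2-32 chars of [a-z0-9_], starts with a
# lowercase letter, ends with a lowercase letter or digit.
GROUP_NAME_RE = re.compile(r"[a-z][a-z0-9_]{0,30}[a-z0-9]")


def valid_group_name(name):
    return GROUP_NAME_RE.fullmatch(name) is not None


def check_whitelist(value):
    """Validate a comma-separated whitelist; return (entries, errors, warnings)."""
    entries, errors, warnings = [], [], []
    for item in (part.strip() for part in value.split(",")):
        prefix = item.partition("/")[2]
        try:
            if "/" in item and not prefix.isdigit():
                raise ValueError("prefix must be a bit count such as /24")
            net = ipaddress.IPv4Network(item, strict=False)
        except ValueError as exc:
            errors.append(f"{item!r}: {exc}")
            continue
        if net in entries:
            errors.append(f"{item!r}: duplicate entry")
            continue
        entries.append(net)
        if net.prefixlen == 0:
            warnings.append(f"{net}: allows access from all IP addresses")
        elif net.prefixlen < REVIEW_PREFIX:
            warnings.append(f"{net}: admits {net.num_addresses} addresses")
    if len(entries) > MAX_ENTRIES:
        errors.append(f"{len(entries)} entries exceeds the limit of {MAX_ENTRIES}")
    return [str(n) for n in entries], errors, warnings


if __name__ == "__main__":
    # Constructed sample input, not taken from a real instance.
    sample = "10.23.12.24, 10.23.12.0/24, 10.23.12.24, 10.23.0.0/16, 0.0.0.0/0, 10.23.12.256"
    for label, rows in zip(("entries", "errors", "warnings"), check_whitelist(sample)):
        print(label, rows)
    print(valid_group_name("app_servers1"), valid_group_name("_tmp"))
```

Single addresses are returned in normalised /32 form, and an entry with host bits set (for example 10.23.12.5/24) is normalised to its network address before the duplicate check.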

Add the private and public IP addresses of ECS instances in batches using a security group

If multiple ECS instances need to access a Tair instance, you can add a security group to the Tair whitelist. After you add the security group, the Tair instance allows all associated instances in the security group, such as ECS instances and Elastic Container Instances, to access it using their private and public IP addresses.

Note
  • The IP access control takes effect only for instances, such as ECS instances, that are associated with the security group. It is not related to the custom CIDR blocks or IP addresses that are configured in the security group.

  • The Tair instance must be compatible with Redis 4.0 (latest minor version) or later. For more information about how to upgrade the major version, see Major version upgrade.

  1. Log on to the console and go to the Instances page. In the top navigation bar, select the region in which the instance that you want to manage resides. Then, find the instance and click the instance ID.

  2. In the navigation pane on the left, click Whitelist Settings.

  3. Click the Security Groups tab.

  4. On the Security Groups tab, click Add Security Group.

  5. In the dialog box that appears, select the security group that you want to add.

    You can perform a fuzzy search by Security Group Name or Security Group ID.

    Figure 3. Add a security group

    Note

    You can add up to 10 security groups for each instance.

  6. Click OK.

  7. Optional: To remove all security groups, click Delete.

Related API operations

| API operation | Description |
| --- | --- |
| DescribeSecurityIps | Queries the IP address whitelist of an instance. |
| ModifySecurityIps | Configures the IP address whitelist of an instance. |
| DescribeSecurityGroupConfiguration | Queries the security groups that are configured in the whitelist of an instance. |
| ModifySecurityGroupConfiguration | Resets the security groups in the whitelist of an instance. |

FAQ

Why do I receive the (error) ERR illegal address message after I connect to an instance using redis-cli?

This error occurs because the IP address of the device where redis-cli is located is not added to the whitelist. You can check your whitelist configuration.

Why can't I find the security group settings for my instance?

Adding whitelists using security groups is subject to the following limits. Instances outside these limits do not support it.

  • The major version of the instance must be Redis 4.0 (latest minor version) or later. For more information, see Upgrade the major version.

  • You cannot add ECS security groups as whitelists for cloud-native cluster instances or cloud-native read/write splitting instances.

I configured access rules for a security group. Why don't they take effect for my instance?

Symptom: You configure an access rule for a security group to allow access from an IP address such as 118.31.XX.XX, but other IP addresses can still access the instance.

Cause: The inbound and outbound traffic rules that you configure for the security group do not apply to Tair (or Redis Open-Source Edition) instances. Adding a security group to a Tair (or Redis Open-Source Edition) instance only indicates that the ECS instances within the security group can access the instance over a VPC or the Internet.

Why does the Connection closed by foreign host error occur when I test a port using telnet commands?

The following error message appears.

Escape character is '^]'.
Connection closed by foreign host.

This error occurs because the IP address of the current device is not added to the whitelist of the target instance. You can add the IP address to the whitelist as described in this topic and then retry the connection.

What are the sources of the automatically generated whitelist groups in an instance? Can I delete them?

Initially, an instance has only the default whitelist group. As you perform operations on the instance, more whitelist groups are added. For more information, see the following table.

| Whitelist group name | Source description |
| --- | --- |
| default | The default whitelist group of the system. It cannot be deleted. |
| ali_dms_group | When you log on to an instance using DMS, DMS automatically creates this whitelist group. For more information, see Connect to an instance using DMS. Do not delete or modify this whitelist group. Otherwise, you may fail to log on to the instance using DMS. |
| hdm_security_ips | When you use DAS-related features (such as Offline Full Key Analysis), DAS automatically creates this whitelist group. Do not delete or modify this whitelist group. Otherwise, DAS features may become abnormal. |

If a whitelist group contains 127.0.0.1, can clients with other IP addresses in the whitelist connect to the instance?

Yes, they can. When you add any client IP address or a security group to the whitelist, 127.0.0.1 automatically becomes invalid, and clients can connect to the instance as expected. If only 127.0.0.1 is left in all whitelist groups, access from all IP addresses is denied.

The public IP address of my on-premises device changes every time. Do I need to add the new IP address every time? What is the solution?

If your on-premises device has a dynamic public IP address that changes frequently, you can add the relevant CIDR block to the instance's IP address whitelist. For example, if the IP address is always in the 10.10.10.* CIDR block (such as 10.10.10.15 or 10.10.10.155), you can add 10.10.10.0/24 to the whitelist. This adds all IP addresses in the range of 10.10.10.0 to 10.10.10.255 to the whitelist.

Warning

This solution reduces the security of the instance. Use it with caution.

After I enable Internet access, why can a device that is not in the whitelist connect to the public endpoint using the ping or telnet command?

Tair (Redis OSS-compatible) uses a whitelist mode that is based on access authentication. It authenticates logon requests. Connecting to an instance using the ping and telnet commands only indicates that the network is connected. It does not mean that you can access the instance.

After I delete an IP address from the whitelist, why can a client with this IP address still connect to the instance?

  • Persistent connections: The whitelist policy applies only to new connections. Established persistent connections, such as connection pools and persistent sessions, can continue to communicate until they are actively disconnected. If you want to deny access from a client to an instance, you must delete the IP address from the whitelist and then restart the client service.

  • Password-free access within a VPC: If password-free access is enabled for the instance, clients within the same VPC may be able to access the instance without being added to the whitelist. You can enforce whitelist checks by setting the parameter #no_loose_check-whitelist-always to yes.

  • Security group policy conflict: If security group rules are configured, you must check whether the security group still allows the IP address to access the instance.
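The FAQ answers on 127.0.0.1, CIDR ranges for dynamic addresses and removed entries can be modelled offline to review a planned whitelist change. This Python sketch is an added example, not Alibaba Cloud code; it assumes whitelist groups are supplied as a dict of entry lists, ignores security groups and password-free VPC access, and uses constructed data.

```python
import ipaddress

LOOPBACK = ipaddress.IPv4Network("127.0.0.1/32")


def effective_networks(groups):
    """Merge every whitelist group. 127.0.0.1 is dropped because the page
    states it becomes invalid once a client address is added."""
    nets = {ipaddress.IPv4Network(entry, strict=False)
            for entries in groups.values() for entry in entries}
    nets.discard(LOOPBACK)
    return nets


def is_allowed(groups, client_ip):
    """Decision for a NEW connection; an empty effective set denies everyone."""
    ip = ipaddress.IPv4Address(client_ip)
    return any(ip in net for net in effective_networks(groups))


def exposure(groups):
    """Number of distinct addresses admitted, with overlaps collapsed."""
    merged = ipaddress.collapse_addresses(effective_networks(groups))
    return sum(net.num_addresses for net in merged)


def stale_clients(groups, connected_ips):
    """Connected clients that are no longer whitelisted. Their established
    connections keep working until the client disconnects or restarts."""
    return [ip for ip in connected_ips if not is_allowed(groups, ip)]


if __name__ == "__main__":
    # Constructed data: group contents and connected client addresses.
    locked = {"default": ["127.0.0.1"]}
    single = {"default": ["127.0.0.1"], "office": ["10.10.10.15"]}
    ranged = {"default": ["127.0.0.1"], "office": ["10.10.10.0/24"]}
    print(is_allowed(locked, "10.10.10.15"), exposure(locked))
    print(is_allowed(single, "10.10.10.155"), exposure(single))
    print(is_allowed(ranged, "10.10.10.155"), exposure(ranged))
    print(stale_clients(single, ["10.10.10.15", "10.10.10.155"]))
```

Comparing `exposure` before and after a change shows how much a CIDR entry widens access, and `stale_clients` lists the clients whose services need a restart for a removal to take effect.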