All Products
Search
Document Center

ApsaraDB for Redis:Configure whitelists

Last Updated:Sep 03, 2024

By default, Redis instances block access from all IP addresses to ensure the security and stability of Redis databases. Before you use a Redis instance, you must add IP addresses or CIDR blocks that you plan to use to access the Redis instance to the whitelists of the instance. A properly configured whitelist can enhance the security of your Redis instance. We recommend that you perform regular maintenance on your whitelists.

Methods of configuring a whitelist

Method

Description

Scenario

Add IP addresses or CIDR blocks to a whitelist

Manually add the IP address of a client to a whitelist of a Redis instance to allow the client to access the Redis instance.

Add a security group

A security group is a virtual firewall that is used to control the inbound and outbound traffic of Elastic Compute Service (ECS) instances in the security group. For more information, see Overview.

To authorize multiple ECS instances to access a Redis instance, you can add the security groups to which the ECS instances belong as whitelists for the Redis instance. In this case, you do not need to manually add the IP addresses of the ECS instances to the whitelists of the Redis instance.

Access a Redis instance from multiple ECS instances in the same region

Note

You can configure IP address whitelists and add ECS security groups as whitelists for a Redis instance. Both IP addresses in the IP address whitelists and ECS instances in the security groups are allowed to access the instance.

Add private IP addresses of ECS instances to a whitelist

If your ECS instance belongs to the same virtual private cloud (VPC) as a Redis instance, we recommend that you connect the ECS instance to the Redis instance over the VPC.

Note

If your ECS instance and the Redis instance do not belong to the same VPC, you can change the VPC to which the ECS instance belongs. For more information, see Change the VPC of an ECS instance.

  1. Log on to the ApsaraDB for Redis console and go to the Instances page. In the top navigation bar, select the region in which the instance that you want to manage resides. Then, find the instance and click the instance ID.

  2. In the left-side navigation pane, click Whitelist Settings.

  3. Find the default whitelist and click Modify in the Actions column.

    Note

    You can also click Add Whitelist to create a whitelist. The name of a whitelist must be 2 to 32 characters in length and can contain lowercase letters, digits, and underscores (_). It must start with a lowercase letter and end with a lowercase letter or digit.

  4. If you set Method to Add IP Address to Import ECS Internal IP Address, the panel displays the private IP addresses of ECS instances that are deployed in the same region as the Tair instance.

    Move the pointer over an IP address to view the ID and name of the ECS instance to which the IP address is assigned.

  5. Select the required IP addresses and move them to the section on the right.

  6. Click OK.

  7. (Optional) To remove all IP addresses from a whitelist and delete the whitelist, click Delete in the Actions column corresponding to the whitelist.

    Default whitelists generated by the system cannot be deleted, such as default and hdm_security_ips.

Add public IP addresses to a whitelist

If you want to access a Redis instance from an on-premises device or if your ECS instance is not in the same VPC as the Redis instance, perform the following steps to create a whitelist:

  1. Log on to the ApsaraDB for Redis console and go to the Instances page. In the top navigation bar, select the region in which the instance that you want to manage resides. Then, find the instance and click the instance ID.

  2. In the left-side navigation pane, click Whitelist Settings.

  3. Find the default whitelist and click Modify in the Actions column.

    Note

    You can also click Add Whitelist to create a whitelist. The name of a whitelist must be 2 to 32 characters in length and can contain lowercase letters, digits, and underscores (_). It must start with a lowercase letter and end with a lowercase letter or digit.

  4. Set Method to Add IP Address to Add Manually.

  5. In the Whitelist field, enter IP addresses or CIDR blocks.

    Methods for querying the public IP addresses of on-premises devices and ECS instances

    Category

    Method for querying public IP addresses

    ECS instance

    How do I query the IP addresses of ECS instances?

    On-premises device

    The method for querying the public IP address of an on-premises device may vary based on your network environment or operation. The following list provides reference methods for obtaining the public IP address of an on-premises device by using commands in different operating systems:

    • Linux: Open the CLI, enter the curl ifconfig.me command, and then press Enter.

    • Windows: Open Command Prompt, enter the curl ip.me command, and then press Enter.

    • macOS: Start Terminal, enter the curl ifconfig.me command, and then press Enter.

    Separate multiple IP addresses with commas (,). A maximum of 1,000 unique IP addresses can be added. You can enter IP addresses and CIDR blocks in the following formats:

    • Specific IP addresses such as 10.23.12.24.

    • CIDR blocks such as 10.23.12.0/24. /24 indicates the length of the IP address prefix. An IP address prefix can be 1 to 32 bits in length. 10.23.12.0/24 indicates an IP address range from 10.23.12.0 to 10.23.12.255. For more information about CIDR blocks, see FAQ about CIDR blocks.

    Warning

    If you add 0.0.0.0/0 to a whitelist of a Redis instance, all IP addresses can connect to the instance. This operation poses security risks. Proceed with caution.

  6. Click OK.

  7. (Optional) To remove all IP addresses from a whitelist and delete the whitelist, click Delete in the Actions column corresponding to the whitelist.

    Default whitelists generated by the system cannot be deleted, such as default and hdm_security_ips.

Batch add public and private IP addresses of ECS instances by using security groups

If you want to connect multiple ECS instances to a Redis instance, you can add a security group as a whitelist for the Redis instance. After you add an ECS security group as a whitelist for a Redis instance, all ECS instances in the security group can access the instance over an internal network or the Internet.

Note
  • The instance version must be the latest minor version of Redis 4.0 or later. For more information, see Upgrade the major version.

  • ECS security groups are not supported in the China (Heyuan) region.

  • You cannot add ECS security groups as whitelists for cloud-native instances that use the cluster or read/write splitting architecture.

  1. Log on to the ApsaraDB for Redis console and go to the Instances page. In the top navigation bar, select the region in which the instance that you want to manage resides. Then, find the instance and click the instance ID.

  2. In the left-side navigation pane, click Whitelist Settings.

  3. Click the Security Groups tab.

  4. On the Security Groups tab, click Create Security Group.

  5. In the dialog box that appears, select the security groups that you want to add as whitelists.

    You can use a security group name or security group ID to perform fuzzy search.

    Figure 3. Add security groups添加安全组

    Note

    You can add up to 10 security groups as whitelists for each Redis instance.

  6. Click OK.

  7. (Optional) To remove all security groups, click Delete.

Related API operations

API operation

Description

DescribeSecurityIps

Queries the IP address whitelists configured for a Redis instance.

ModifySecurityIps

Modifies the IP address whitelists of a Redis instance.

DescribeSecurityGroupConfiguration

Queries the security groups that are added as whitelists for a Redis instance.

ModifySecurityGroupConfiguration

Modifies the security groups that are added as whitelists for a Redis instance.

FAQ

Why is the (error) ERR illegal address message returned after I use the redis-cli tool to connect to a Redis instance?

The IP address of the client on which the redis-cli tool is deployed is not added to a whitelist of the Redis instance. You must check the whitelists of the Redis instance.

Why am I unable to configure security groups for my Redis instance?

Limits are imposed on instances for which security groups can be added as whitelists.

  • The major version of the instance must be Redis 4.0 (latest minor version) or later. For more information, see Upgrade the major version.

  • You cannot add ECS security groups as whitelists for cloud disk-based cluster instances or cloud disk-based read/write splitting instances.

I have configured access rules in a security group for a Redis instance, but they do not take effect on the instance. Why?

Problem description: Access rules are configured for a security group to allow access only from an IP address such as 118.31.XX.XX to a Redis instance. However, other IP addresses can still access the instance.

Cause: The inbound and outbound traffic rules that you configured for the security group do not apply to the Redis instance. If you add a security group as a whitelist for a Redis instance, the ECS instances in the security group can access the Redis instance over a VPC or the Internet.

Why is the Connection closed by foreign host error message returned when I check port connectivity by running the telnet command?

The following error message is reported:

Escape character is '^]'.
Connection closed by foreign host.

The IP address of the client is not added to a whitelist of the Redis instance. Refer to the preceding method to add the IP address to a whitelist of the instance and try again.

Why are whitelists automatically created for a Redis instance? Can I delete these whitelists?

After you create a Redis instance, a default whitelist is automatically created. After you perform specific operations on the instance, more whitelists are automatically created, as described in the following table.

Whitelist

Source

default

This whitelist is automatically created. You cannot delete this whitelist.

ali_dms_group

This whitelist is automatically created by Data Management (DMS) when you log on to a Redis instance from DMS. For more information, see Use DMS to connect to a Tair instance. Do not delete or modify this whitelist. Otherwise, you may be unable to log on to the Redis instance from DMS.

hdm_security_ips

This whitelist is automatically created by Database Autonomy Service (DAS) when you use CloudDBA features such as offline key analysis. For more information, see Use the offline key analysis feature. Do not delete or modify this whitelist. Otherwise, CloudDBA features may become unavailable.

A whitelist contains the IP address 127.0.0.1 in addition to client IP addresses. In this case, can these clients connect to the Redis instance?

Yes, these clients can connect to the Redis instance. If the whitelist contains only the IP address 127.0.0.1, no IP addresses are allowed to connect to the instance.

The public IP address of my on-premises device is different each time I connect to a Redis instance. As a result, I need to add the new IP address to a whitelist of the Redis instance each time I connect to the instance. What do I do?

If the public IP address of your on-premises device is dynamic and changes frequently, you can add the relevant CIDR block to an IP address whitelist of the Redis instance. For example, if the IP address is always in the 10.10.10.* CIDR block, such as 10.10.10.15 or 10.10.10.155, you can add 10.10.10.0/24 to the whitelist. This indicates that all IP addresses from 10.10.10.0 to 10.10.10.255 are added to the whitelist.

Warning

This solution reduces the security of the instance. Exercise caution when you use this solution.