All Products
Search

This Product

    Tair (Redis® OSS-Compatible):Configure whitelists

    Document Center

    Tair (Redis® OSS-Compatible):Configure whitelists

    Last Updated:Mar 17, 2025

    By default, Tair (Redis OSS-compatible) blocks access from all IP addresses to Tair and Redis Open-Source Edition instances to ensure the security and stability of the instances. Before you use a Tair or Redis Open-Source Edition instance, you must add the IP addresses or CIDR blocks that you plan to use to access the instance to the whitelists of the instance. A properly configured whitelist can enhance the security of your instance. We recommend that you perform regular maintenance on your whitelists.

    Methods of configuring a whitelist

    Method

    Description

    Scenario

    Add IP addresses or CIDR blocks to a whitelist

    Manually add the IP address of a client to a whitelist of the instance to allow the client to access the instance.

    Add a security group

    A security group is used as a virtual firewall to control the inbound and outbound traffic for specific ECS instances.

    To authorize multiple Elastic Compute Service (ECS) instances to access a Tair or Redis Open-Source Edition instance, you can add the security groups to which the ECS instances belong as whitelists for the Tair or Redis Open-Source Edition instance. In this case, you do not need to manually add the IP addresses of the ECS instances to the whitelists of the Tair or Redis Open-Source Edition instance.

    Batch add the public and private IP addresses of ECS instances by using security groups

    Note

    You can configure IP address whitelists and add ECS security groups as whitelists for a Tair or Redis Open-Source Edition instance. The IP addresses in the IP address whitelists and the ECS instances that belong to the security groups are allowed to access the Tair or Redis Open-Source Edition instance.

    Add private IP addresses of ECS instances to a whitelist

    If your ECS instance belongs to the same virtual private cloud (VPC) as a Tair or Redis Open-Source Edition instance, we recommend that you connect the ECS instance to the Tair or Redis Open-Source Edition instance over the VPC.

    Note

    If your ECS instance and the Tair or Redis Open-Source Edition instance do not belong to the same VPC, you can change the VPC to which the ECS instance belongs. For more information, see Change the VPC of an ECS instance.

    1. Log on to the console and go to the Instances page. In the top navigation bar, select the region in which the instance that you want to manage resides. Then, find the instance and click the instance ID.

    2. In the left-side navigation pane, click Whitelist Settings.

    3. Find the default whitelist and click Modify in the Actions column.

      Note

      You can also click Add Whitelist to create a whitelist. The name of a whitelist must be 2 to 32 characters in length and can contain lowercase letters, digits, and underscores (_). It must start with a lowercase letter and end with a lowercase letter or digit.

    4. If you set Method to Add IP Address to Import ECS Internal IP Address, the panel displays the private IP addresses of ECS instances that are deployed in the same region as the Tair or Redis Open-Source Edition instance.

      Move the pointer over an IP address to view the ID and name of the ECS instance to which the IP address is assigned.

    5. Select the required IP addresses and move them to the section on the right.

    6. Click OK.

    7. (Optional) To remove all IP addresses from a whitelist and delete the whitelist, click Delete in the Actions column corresponding to the whitelist.

      Default whitelists generated by the system cannot be deleted, such as default and hdm_security_ips.

    Add public IP addresses to a whitelist

    If you want to access a Tair or Redis Open-Source Edition instance from an on-premises device or if your ECS instance is not in the same VPC as the Tair or Redis Open-Source Edition instance, perform the following steps to create a whitelist:

    1. Log on to the console and go to the Instances page. In the top navigation bar, select the region in which the instance that you want to manage resides. Then, find the instance and click the instance ID.

    2. In the left-side navigation pane, click Whitelist Settings.

    3. Find the default whitelist and click Modify in the Actions column.

      Note

      You can also click Add Whitelist to create a whitelist. The name of a whitelist must be 2 to 32 characters in length and can contain lowercase letters, digits, and underscores (_). It must start with a lowercase letter and end with a lowercase letter or digit.

    4. Set Method to Add IP Address to Add Manually.

    5. In the Whitelist field, enter IP addresses or CIDR blocks.

      Methods for querying the public IP addresses of on-premises devices and ECS instances

      Category

      Method for querying public IP addresses

      ECS instance

      Method for querying the IP address of an ECS instance

      On-premises device

      The method for querying the public IP address of an on-premises device may vary based on your network environment or operation. The following list provides reference methods for obtaining the public IP address of an on-premises device by using commands in different operating systems:

      • Linux: Open the CLI, enter the curl ifconfig.me command, and then press Enter.

      • Windows: Open Command Prompt, enter the curl ip.me command, and then press Enter.

      • macOS: Start Terminal, enter the curl ifconfig.me command, and then press Enter.

      Separate multiple IP addresses with commas (,). A maximum of 1,000 unique IP addresses can be added. You can enter IP addresses and CIDR blocks in the following formats:

      • Specific IP addresses such as 10.23.12.24.

      • CIDR blocks such as 10.23.12.0/24. /24 indicates the length of the IP address prefix. An IP address prefix can be 1 to 32 bits in length. 10.23.12.0/24 indicates an IP address range from 10.23.12.0 to 10.23.12.255. For more information about CIDR blocks, see FAQ about CIDR blocks.

      Warning

      If you add 0.0.0.0/0 to a whitelist of an instance, all IP addresses can connect to the instance. This operation poses security risks. Proceed with caution.

    6. Click OK.

    7. (Optional) To remove all IP addresses from a whitelist and delete the whitelist, click Delete in the Actions column corresponding to the whitelist.

      Default whitelists generated by the system cannot be deleted, such as default and hdm_security_ips.

    Batch add the public and private IP addresses of ECS instances by using security groups

    If you want to connect multiple ECS instances to a Tair or Redis Open-Source Edition instance, you can add an ECS security group as a whitelist for the Tair or Redis Open-Source Edition instance. After you add an ECS security group as a whitelist for a Tair or Redis Open-Source Edition instance, all ECS instances that belong to the security group can access the instance.

    Note

    The instance version must be the latest minor version of Redis 4.0 or later. For more information, see Upgrade the major version.

    1. Log on to the console and go to the Instances page. In the top navigation bar, select the region in which the instance that you want to manage resides. Then, find the instance and click the instance ID.

    2. In the left-side navigation pane, click Whitelist Settings.

    3. Click the Security Groups tab.

    4. On the Security Groups tab, click Create Security Group.

    5. In the dialog box that appears, select the security groups that you want to add as whitelists.

      You can use a security group name or security group ID to perform fuzzy search.

      Figure 3. Add security groups添加安全组

      Note

      You can add up to 10 security groups as whitelists for each instance.

    6. Click OK.

    7. (Optional) To remove all security groups, click Delete.

    Related API operations

    API operation

    Description

    DescribeSecurityIps

    Queries the IP address whitelists configured for an instance.

    ModifySecurityIps

    Modifies the IP address whitelists of an instance.

    DescribeSecurityGroupConfiguration

    Queries the security groups that are added as whitelists for an instance.

    ModifySecurityGroupConfiguration

    Modifies the security groups that are added as whitelists for an instance.

    FAQ

    Why is the (error) ERR illegal address message returned after I use the redis-cli tool to connect to an instance?

    The IP address of the client on which the redis-cli tool is deployed is not added to a whitelist of the instance. You must check the whitelists of the instance.

    Why am I unable to configure security groups for my instance?

    Limits are imposed on instances for which security groups can be added as whitelists.

    • The major version of the instance must be Redis 4.0 (latest minor version) or later. For more information, see Upgrade the major version.

    • You cannot add ECS security groups as whitelists for cloud-native cluster instances or cloud-native read/write splitting instances.

    I have configured access rules in a security group for an instance, but they do not take effect on the instance. Why?

    Problem description: Access rules are configured for a security group to allow access only from an IP address such as 118.31.XX.XX to an instance. However, other IP addresses can still access the instance.

    Cause: The inbound and outbound traffic rules that you configured for the security group do not apply to Tair or Redis Open-Source Edition instances. If you add an ECS security group as a whitelist for a Tair or Redis Open-Source Edition instance, the ECS instances that belong to the security group can access the instance over a VPC or the Internet.

    Why is the Connection closed by foreign host error message returned when I check port connectivity by running the telnet command?

    The following error message is reported: 

    Escape character is '^]'.
Connection closed by foreign host.

    The IP address of the client is not added to a whitelist of the instance. Refer to the preceding method to add the IP address to a whitelist of the instance and try again.

    Why are whitelists automatically created for an instance? Can I delete these whitelists?

    After you create an instance, a default whitelist is automatically created. After you perform specific operations on the instance, more whitelists are automatically created, as described in the following table.

    Whitelist

    Source

    default

    This whitelist is automatically created. You cannot delete this whitelist.

    ali_dms_group

    This whitelist is automatically created by Data Management (DMS) when you log on to an instance from DMS. For more information, see Use DMS to connect to an instance. Do not delete or modify this whitelist. Otherwise, you may be unable to log on to the instance from DMS.

    hdm_security_ips

    This whitelist is automatically created by Database Autonomy Service (DAS) when you use CloudDBA features such as offline key analysis. For more information, see Use the offline key analysis feature. Do not delete or modify this whitelist. Otherwise, CloudDBA features may become unavailable.

    A whitelist contains the IP address 127.0.0.1 in addition to client IP addresses. In this case, can these clients connect to the instance?

    Yes, these clients can connect to the instance. If the whitelist contains only IP address 127.0.0.1, no IP addresses are allowed to connect to the instance.

    The public IP address of my on-premises device is different each time I connect to an instance. As a result, I need to add the new IP address to a whitelist of the instance each time I connect to the instance. What do I do?

    If the public IP address of your on-premises device is dynamic and changes frequently, you can add the relevant CIDR block to an IP address whitelist of the instance. For example, if the IP address is always in the 10.10.10.* CIDR block, such as 10.10.10.15 or 10.10.10.155, you can add 10.10.10.0/24 to the whitelist. This indicates that all IP addresses from 10.10.10.0 to 10.10.10.255 are added to the whitelist.

    Warning

    This solution reduces the security of the instance. Exercise caution when you use this solution.

    After Internet access is enabled for an instance, why can devices that are not included in the instance whitelist still connect to the public endpoint of the instance by using the ping or telnet command?

    Tair (Redis OSS-compatible) uses whitelists for access authentication. Logon requests are validated against the whitelists. However, being able to connect to the instance by using the ping or telnet command only indicates that the network is reachable and does not mean that a connection to the instance is established.

    Why am I able to connect to an instance from a client whose IP address is removed from the instance whitelist?

    • Connection persistence mechanism: The whitelisting policy applies only to new connections. Established persistent connections (such as connection pools or persistent sessions) can continue to communicate until they are actively closed. If you want to prevent a client from accessing the instance, you can remove the IP address of the client from the whitelist and then restart the client.

    • Password-free access over Virtual Private Cloud (VPC): If the password-free access feature is enabled for the instance, clients in the same VPC as the instance may be able to access the instance without being included in the whitelist.

    • Conflicts with a security group rule: If a security group rule is configured, you must check whether the security group allows the IP address to access the instance.