
ApsaraDB for SelectDB: Configure a whitelist

Last Updated: Mar 28, 2026

ApsaraDB for SelectDB blocks all incoming connections by default. To allow your application servers, workstations, or other clients to connect, add their IP addresses or Classless Inter-Domain Routing (CIDR) blocks to an instance whitelist.

Before you begin

Collect all IP addresses that need access before you start. Consider:

  • Application servers and backend services

  • Developer workstations

  • VPN exit nodes and remote access points

  • On-call or rotating access locations

If a client is behind a corporate NAT gateway, its outbound IP may differ from its local address. Use an IP lookup service such as whatsmyip to find the actual originating IP.

Usage notes

  • The default whitelist group (default) cannot be deleted. It initially contains only 127.0.0.1. You can modify or remove IP addresses within it, but the group itself is permanent.

  • An instance supports up to 200 IP addresses and CIDR blocks across all whitelist groups combined.

  • A single whitelist group supports up to 50 IP addresses and CIDR blocks.

  • Changes take about one minute to propagate. If a connection attempt fails immediately after an update, wait one minute and retry before further troubleshooting.

  • Configuring a whitelist does not affect the normal operation of an ApsaraDB for SelectDB instance.

  • After you configure a whitelist, IP addresses in the whitelist can also access related APIs for the instance. For more information, see Open API Overview.

Important

Do not add 0.0.0.0/0 unless absolutely necessary. Adding this entry allows all IP addresses to access the instance, which creates a high security risk and can lead to unauthorized access. Use this setting with caution and remove it as soon as it is no longer needed.
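
A pre-flight check for a planned whitelist, added here as an example and not Alibaba Cloud code: it applies the 50-per-group and 200-per-instance limits from the usage notes and flags 0.0.0.0/0. It goes slightly beyond the page by also reporting malformed entries, CIDR blocks with host bits set, and entries already covered by a broader block in the same group. The function name, group names and sample addresses are assumptions, and the script does not call any SelectDB API.

```python
import ipaddress

# Limits taken from the usage notes above.
MAX_PER_GROUP = 50
MAX_PER_INSTANCE = 200


def check_whitelist_plan(groups):
    """Check a {group_name: [entry, ...]} plan; return a list of findings."""
    findings = []
    # Assumption: every entry in every group counts once toward the instance limit.
    total = sum(len(entries) for entries in groups.values())
    if total > MAX_PER_INSTANCE:
        findings.append(f"instance: {total} entries exceed the limit of {MAX_PER_INSTANCE}")
    for name, entries in groups.items():
        if len(entries) > MAX_PER_GROUP:
            findings.append(f"{name}: {len(entries)} entries exceed the limit of {MAX_PER_GROUP}")
        parsed = []
        for entry in entries:
            try:
                iface = ipaddress.ip_interface(entry.strip())
            except ValueError:
                findings.append(f"{name}: {entry!r} is not an IP address or CIDR block")
                continue
            net = iface.network
            if net.prefixlen == 0:
                findings.append(f"{name}: {entry!r} allows every IP address")
            elif iface.ip != net.network_address:
                findings.append(f"{name}: {entry!r} has host bits set; did you mean {net}?")
            parsed.append((entry, net))
        # Entries already covered by a broader block in the same group waste quota.
        for entry, net in parsed:
            for other_entry, other in parsed:
                if (other is not net and net.version == other.version
                        and net != other and net.subnet_of(other)):
                    findings.append(f"{name}: {entry!r} is already covered by {other_entry!r}")
    return findings


# Constructed sample plan (group names and addresses are made up for illustration).
SAMPLE_PLAN = {
    "default": ["127.0.0.1"],
    "app_servers": ["10.20.0.0/24", "10.20.0.15", "10.20.1.7/24"],
    "temporary": ["0.0.0.0/0", "203.0.113.300"],
}

if __name__ == "__main__":
    for finding in check_whitelist_plan(SAMPLE_PLAN):
        print(finding)
```

An empty result means the plan passed these checks; it does not confirm which address formats the console itself accepts.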

Add IP addresses to the whitelist

  1. Log on to the ApsaraDB for SelectDB console.

  2. In the upper-left corner, select the region where the instance is located.

  3. On the Instance List page, click the instance ID in the Instance ID column.

  4. On the Instance Details page, click Data Security in the left navigation pane.

  5. On the whitelist group page, click Modify in the Actions column for the default group.

     To create a separate group instead, click Create Whitelist Group and set the Group Name and Whitelist fields. Use separate groups to organize access by team or environment.

  6. In the Modify Whitelist Group panel, enter the IP addresses or CIDR blocks to allow.

  7. Click OK.

The updated addresses appear on the whitelist group page. Allow about one minute for the changes to take effect before testing connectivity.

What's next