After you create an ApsaraDB RDS for MySQL instance, you must add IP addresses to a whitelist. A device can access the RDS instance only after you add the IP address of the device to a whitelist.
Prerequisites
An ApsaraDB RDS for MySQL instance is created.
Procedure
A system whitelist is configured for your RDS instance by default. The system whitelist is invisible and is used to allow system accounts to perform maintenance operations on the databases. For more information, see System accounts.
Visit the RDS instance list, select a region at the top, and then click the target instance ID.
In the navigation pane on the left, click Whitelist And SecGroup.
Confirm the IP whitelist mode.
Note: Instances running MySQL 5.5, 5.6, or 5.7 with the Premium Local SSD storage type can be switched to enhanced whitelist mode. Instances with other versions or storage types use standard whitelist mode.
Click Modify to the right of the default group, and add IP addresses to the whitelist in the dialog box that appears.
Note: If needed, you can also click Create Whitelist and specify a custom group name.
Groups are only used for IP address management and do not affect actual access permissions. All IP addresses across all groups have the same access permissions to the RDS instance.
Method 1: Add the IP address of the application server to the IP Addresses field. To view the application server IP, see Appendix: Methods to obtain IP addresses. You can also click Load Local Public IP Address (If There Is A Network Proxy On Your PC, Please Turn It Off First) to directly add your local public IP.
Note: If you add multiple IP addresses and CIDR blocks to an IP address whitelist, you must separate these IP addresses or CIDR blocks with commas (,). Do not add spaces preceding or following the commas.
You can add a maximum of 1,000 IP addresses and CIDR blocks in total for each RDS instance. If you want to add many IP addresses, we recommend that you merge the IP addresses into CIDR blocks, such as 10.10.10.0/24.
If the whitelist mode is enhanced whitelist mode, note the following:
Add public IP addresses to the classic network group.
Add private IP addresses of VPC-type ECS instances to the VPC group.
Method 2: Click Add Internal IP Address Of ECS Instance to display the IP addresses of all ECS instances under your current Alibaba Cloud account and in the current region, and quickly add ECS internal IP addresses to the whitelist.
The application server can access the RDS instance only after you add its IP address to the whitelist.
Click OK.
What to do next
Use a client or the CLI to connect to an ApsaraDB RDS for MySQL instance
References
API: ModifySecurityIps
For other engines, see:
FAQ
Q: Why can an IP address access my RDS instance when it is not added to the whitelist?
A: You can troubleshoot using the following methods:
Check all whitelist groups to confirm whether they contain 0.0.0.0/0. This entry allows all IP addresses to access the RDS instance, which poses a security risk. We recommend that you delete it and only add trusted IP addresses.
Check all security groups to confirm whether they contain the IP address. If a security group includes the IP address, it can access the RDS instance.
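The whitelist format rules above (comma-separated entries, no spaces, at most 1,000 entries per instance, CIDR blocks preferred over long lists of hosts) and the FAQ check for 0.0.0.0/0 across all groups can both be automated before a value is pasted into the console. The following Python script is an added example, not code from the ApsaraDB RDS documentation or console; the sample whitelist strings and group names are constructed, and the check relies only on the standard `ipaddress` module.

```python
import ipaddress
from collections import defaultdict

MAX_ENTRIES = 1000  # per-instance limit stated on the page (all groups combined)


def parse_whitelist(text):
    """Parse one whitelist group as the console expects it: entries separated
    by commas with no surrounding spaces. Returns a list of ip_network objects
    (a bare address becomes a /32 or /128) and raises ValueError on any defect."""
    if not text:
        raise ValueError("empty whitelist")
    if text != text.strip() or " " in text:
        raise ValueError("whitelist must not contain spaces")
    nets = []
    for entry in text.split(","):
        if not entry:
            raise ValueError("empty entry (stray comma)")
        # strict=True rejects host bits set outside the mask, e.g. 10.10.10.5/24
        nets.append(ipaddress.ip_network(entry, strict=True))
    return nets


def whitelist_error(text):
    """Return None if text is a valid whitelist string, otherwise the reason."""
    try:
        parse_whitelist(text)
    except ValueError as exc:
        return str(exc)
    return None


def merge_whitelist(nets):
    """Collapse adjacent and overlapping networks into the fewest CIDR blocks,
    keeping IPv4 and IPv6 apart because collapse_addresses needs one family."""
    by_version = defaultdict(list)
    for n in nets:
        by_version[n.version].append(n)
    merged = []
    for version in sorted(by_version):
        merged.extend(ipaddress.collapse_addresses(by_version[version]))
    return merged


def render_whitelist(nets):
    """Render networks back into the comma-separated console format;
    single hosts are written without a prefix length."""
    return ",".join(
        str(n.network_address) if n.prefixlen == n.max_prefixlen else str(n)
        for n in nets
    )


def audit_groups(groups):
    """groups maps group name -> whitelist string. Every group grants the same
    access to the instance, so all of them are checked. Returns (group, finding)
    tuples for malformed strings, any-address entries and the entry limit."""
    findings = []
    total = 0
    for name, text in groups.items():
        try:
            nets = parse_whitelist(text)
        except ValueError as exc:
            findings.append((name, f"malformed whitelist: {exc}"))
            continue
        total += len(nets)
        for n in nets:
            if n.prefixlen == 0:  # 0.0.0.0/0 or ::/0: every address may connect
                findings.append((name, f"{n} allows access from all IP addresses"))
    if total > MAX_ENTRIES:
        findings.append(("*", f"{total} entries exceed the limit of {MAX_ENTRIES}"))
    return findings


if __name__ == "__main__":
    # Constructed sample: two /25 blocks and one host that collapse to one /24
    raw = "192.0.2.0/25,192.0.2.128/25,192.0.2.7"
    print(render_whitelist(merge_whitelist(parse_whitelist(raw))))
    # Constructed sample groups: the second one is the risky entry from the FAQ
    print(audit_groups({"default": "10.10.10.0/24", "vpc": "0.0.0.0/0"}))
```

Run `audit_groups` over every group returned for the instance (for example from the output of the DescribeDBInstanceIPArrayList API, if you export it), not just the default group, because the page notes that all groups carry identical permissions.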
Q: What do I do if I want to connect an on-premises host to my RDS instance without a public endpoint?
A: You need to establish an internal network connection. For more information, see Connect a VPC to an on-premises data center/office terminal/other cloud.
Q: How do I view the operator who added the IP address of a device to an IP address whitelist of my RDS instance?
A: In the navigation pane on the left of the instance details page, click Operation Audit and enter ModifySecurityIps in the Event field to view the operator who added the IP address and the operation details.
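Because ModifySecurityIps events record the resulting whitelist rather than the single entry that changed, finding the operator who introduced one address means replaying the events for a group in time order and diffing consecutive states. The script below is an added example, not part of the ApsaraDB RDS documentation; the event records are constructed in a simplified shape (field names `eventTime`, `eventName`, `userName`, `group`, `securityIps` are assumptions for this example, not the Operation Audit export schema), and each event is assumed to carry the group's full whitelist after the change.

```python
# Constructed sample events in a simplified shape; not real Operation Audit output.
EVENTS = [
    {"eventTime": "2024-05-01T08:00:00Z", "eventName": "ModifySecurityIps",
     "userName": "alice", "group": "default", "securityIps": "10.10.10.0/24"},
    {"eventTime": "2024-05-02T09:30:00Z", "eventName": "ModifySecurityIps",
     "userName": "bob", "group": "default",
     "securityIps": "10.10.10.0/24,203.0.113.9"},
    {"eventTime": "2024-05-02T10:00:00Z", "eventName": "DescribeDBInstances",
     "userName": "carol", "group": None, "securityIps": None},
    {"eventTime": "2024-05-03T11:15:00Z", "eventName": "ModifySecurityIps",
     "userName": "dave", "group": "vpc", "securityIps": "0.0.0.0/0"},
]


def whitelist_changes(events):
    """Replay ModifySecurityIps events in time order and return, for each one,
    the entries added or removed relative to the previous state of that group.
    Events for other API actions are ignored."""
    state = {}  # group name -> set of whitelist entries after the last change
    changes = []
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        if ev["eventName"] != "ModifySecurityIps":
            continue
        new = set(filter(None, ev["securityIps"].split(",")))
        old = state.get(ev["group"], set())
        changes.append({
            "time": ev["eventTime"],
            "operator": ev["userName"],
            "group": ev["group"],
            "added": sorted(new - old),
            "removed": sorted(old - new),
        })
        state[ev["group"]] = new
    return changes


def who_added(events, entry):
    """Return (operator, time, group) for the earliest event that introduced
    `entry` into any whitelist group, or None if no event added it."""
    for change in whitelist_changes(events):
        if entry in change["added"]:
            return change["operator"], change["time"], change["group"]
    return None


if __name__ == "__main__":
    for change in whitelist_changes(EVENTS):
        print(change)
    print(who_added(EVENTS, "0.0.0.0/0"))
```

The same replay doubles as a detection rule: any change whose `added` list contains 0.0.0.0/0 is the FAQ's risky configuration and can be alerted on together with the operator name.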
Q: If no fixed IP address is allocated to my application, how do I add the IP address of the application to an IP address whitelist of my RDS instance?
A: If you do not have a fixed IP address and cannot set 0.0.0.0/0 (which allows access from all IP addresses and is not recommended for security reasons), we recommend that you use identity authentication instead of IP-based access control. For example, you can use the following methods:
Use dynamic Domain Name System (DNS) resolution: You can use dynamic DNS resolution to obtain the domain name that corresponds to the dynamic IP address and add the domain name or its resolved IP address to the IP address whitelist.
Configure a reverse proxy or load balancer: All user application requests are forwarded to the database through a reverse proxy server or load balancer. Only the fixed IP address of the proxy server needs to be added to the database whitelist.
Update the IP address whitelist at regular intervals: For IP addresses that change within a specific range (such as home broadband IP addresses assigned by ISPs), regularly obtain these IP addresses and update them in the whitelist.
Appendix: Check whether your application can connect to the RDS instance over an internal network
View the region and network type of the ECS instance on which your application is deployed. For more information, see Get ready to use ApsaraDB RDS.
View the region and network type of the RDS instance.
Log on to the ApsaraDB RDS console and go to the Instances page. In the top navigation bar, select the region in which the RDS instance resides. Then, find the RDS instance and click the ID of the instance. On the page that appears, you can view the region, network type, and VPC ID of the RDS instance.
Check whether the ECS instance and the RDS instance meet the following conditions for communication over an internal network:
The ECS instance and the RDS instance reside in the same region.
The ECS instance and the RDS instance reside in the same type of network. If the ECS instance and the RDS instance both reside in VPCs, these instances reside in the same VPC.
Note: If one of the preceding conditions is not met, the ECS instance cannot communicate with the RDS instance over an internal network.
Appendix: Methods to obtain IP addresses
Table 1. Methods to obtain IP addresses
Connection scenario | IP address to be obtained | Method to obtain the IP address |
Prerequisites for Private Network Access | IP address of the container in an ACK cluster | You can view the Pod IP and node IP on the pod page of the target ACK cluster. |
Prerequisites for Private Network Access | Private IP address of the ECS instance | Click here to open the ECS instance list, select a region, and view the private IP and public IP addresses in the instance list. |
The requirements for internal network access are not satisfied. | Public IP address of the ECS instance | |
You want to connect to the RDS instance from an on-premises device. | Public IP address of the on-premises device | Run the |
Note: The IP address may change when the database is upgraded or modified. If you have added the local IP address to the whitelist but still cannot connect, see Why am I unable to connect to my ApsaraDB RDS for MySQL instance or ApsaraDB RDS for MariaDB instance from a local server over the Internet?
Appendix: System whitelists
When Data Management (DMS), Data Transmission Service (DTS), and Database Autonomy Service (DAS) interact with an ApsaraDB RDS for MySQL instance, the system automatically adds the following whitelist groups to ensure normal access.
Group Name | Note |
dms | Used for DMS to log on to the ApsaraDB RDS for MySQL instance. |
dts | Used for DTS to transmit data. |
hdm_security_ips | Used for DAS to obtain data and perform optimization, maintenance, and security management. |
Important: For instances created after December 2020, the hdm_security_ips whitelist group is invisible to users to prevent accidental modification or deletion of the group, which would affect the use of related services.