
ApsaraDB RDS:Configure an IP address whitelist

Last Updated:Jul 18, 2025

This topic describes how to configure an IP address whitelist for an ApsaraDB RDS for PostgreSQL instance. After you create an RDS instance, you must configure IP address whitelists or security groups for the RDS instance. Otherwise, the RDS instance is inaccessible.

Scenarios

An IP address whitelist consists of the IP addresses and CIDR blocks that are allowed to connect to the RDS instance; connections from any other address are rejected. Configure IP address whitelists to restrict network access to the RDS instance to known clients. We recommend that you review the configured IP address whitelists regularly and remove entries that are no longer needed.

You need to configure an IP address whitelist in the following scenarios:

  • Scenario 1: After you create an RDS instance, you must add the IP addresses of the clients that need to connect to an IP address whitelist. Otherwise, these clients cannot access the RDS instance.

  • Scenario 2: When a database connection exception occurs, you can check whether the IP address whitelist is correctly configured.

The following list describes the IP address whitelist configuration for each connection scenario.

Connect an Elastic Compute Service (ECS) instance to an RDS instance

  • Network type: The ECS instance and the RDS instance reside in the same virtual private cloud (VPC). (Recommended)

    IP address whitelist configuration: Add the private IP address of the ECS instance to an IP address whitelist of the RDS instance.

  • Network type: The ECS instance and the RDS instance reside in different VPCs.

    IP address whitelist configuration: Instances in different VPCs cannot communicate with each other over internal networks. In this case, perform the following operations:

    1. Migrate the RDS instance to the VPC in which the ECS instance resides.

       Note

       This operation is supported only when the ECS instance and the RDS instance reside in the same region. If the ECS instance and the RDS instance reside in different regions, we recommend that you use Data Transmission Service (DTS) to migrate the data to an RDS instance in the region in which the ECS instance resides. This way, you can ensure the stability of your database service. For more information, see Migrate data between ApsaraDB RDS for PostgreSQL instances.

    2. Add the private IP address of the ECS instance to an IP address whitelist of the RDS instance.

Connect a container in a Container Service for Kubernetes (ACK) cluster to an RDS instance

  • Network type: The ACK cluster and the RDS instance reside in the same VPC. (Recommended)

    IP address whitelist configuration: The address to add depends on the container network plugin of the ACK cluster, because the plugin determines the source IP address that the RDS instance sees:

    • If the container network plugin is Flannel, pod traffic leaves the node with the node IP address. Add the IP address of the node on which the application runs. Note that this admits every pod on that node, and that a pod rescheduled to another node needs that node's IP address to be whitelisted as well.

    • If the container network plugin is Terway, pods use VPC IP addresses. Add the IP address of the pod in which the application runs.

    You can view the pod IP address and node IP address on the pod page of the ACK cluster.

  • Network type: The ACK cluster and the RDS instance reside in different VPCs.

    IP address whitelist configuration: Instances in different VPCs cannot communicate with each other over internal networks. In this case, perform the following operations:

    1. Migrate the RDS instance to the VPC in which the ACK cluster resides.

       Note

       This operation is supported only when the ACK cluster and the RDS instance reside in the same region. If the ACK cluster and the RDS instance reside in different regions, we recommend that you use Data Transmission Service (DTS) to migrate the data to an RDS instance in the region in which the ACK cluster resides. This way, you can ensure the stability of your database service. For more information, see Migrate data between ApsaraDB RDS for PostgreSQL instances.

    2. Add the IP address of the node or pod on which the application runs, depending on the container network plugin of the ACK cluster:

       • If the container network plugin is Flannel, add the IP address of the node on which the application runs.

       • If the container network plugin is Terway, add the IP address of the pod in which the application runs.

Connect a self-managed host outside the cloud to an RDS instance

  • Network type: None

    IP address whitelist configuration: Add the public IP address of the self-managed host to an IP address whitelist of the RDS instance.

    • The applications that run on the self-managed host connect to the public endpoint of the RDS instance.

    • You can run the curl ipinfo.io/ip command on the self-managed host to query its public IP address as seen from the Internet. If the host is behind NAT, this is the address that the RDS instance sees, so it is the address to whitelist.

      Note

      If the self-managed host does not have a fixed IP address or the IP address frequently changes, see FAQ for solutions.

Limits

  • A maximum of 50 IP address whitelists can be configured for an RDS instance.

  • If you configure IP address whitelists for your RDS instance, the workloads on the instance are not affected.

  • IP address whitelist groups exist only to organize entries. They do not scope access: any IP address that appears in any whitelist group is granted the same network access to the RDS instance, regardless of the group it is in.

  • The whitelist labeled default can be cleared, but cannot be deleted.

  • Do not modify or delete the IP address whitelists that are generated for other Alibaba Cloud services. If you delete these IP address whitelists, the related Alibaba Cloud services cannot connect to your ApsaraDB RDS instance. For example, do not modify or delete ali_dms_group (the IP address whitelist group for DMS) or hdm_security_ips (the IP address whitelist group for DAS).

    Important

    To prevent accidental modifications or deletions of IP address whitelist groups, the hdm_security_ips IP address whitelist group is invisible to users for instances that are created after December 2020.

  • The default IP address whitelist contains only 127.0.0.1. This entry is a placeholder that admits no client: until you add an address, no IP address can access the RDS instance.

Configure a standard IP address whitelist

  1. Visit the RDS Instances page, select a region at the top of the page, and then click the ID of the target instance.

  2. In the navigation pane on the left, click Whitelists and Security Groups.

  3. Click Create Whitelist, enter a Group Name, or click Modify for an existing IP address whitelist group.

  4. Enter the IP addresses or CIDR blocks that need to access the RDS instance, and then click OK.

    Important
    • Separate multiple IP addresses or CIDR blocks with commas (,). Do not add spaces before or after the commas. Example: 192.168.0.1,172.16.213.9.

    • A maximum of 1,000 IP addresses and CIDR blocks can be configured for each RDS instance. To specify many IP addresses, we recommend that you combine the IP addresses into CIDR blocks, such as 10.10.10.0/24.

  5. (Optional) If the current instance has read-only instances, you can configure the Synchronize Whitelist to Read-only Instances parameter to synchronize the IP address whitelist of the primary instance to the specified read-only instances. If multiple read-only RDS instances are attached to the RDS instance, you can select more than one read-only RDS instance for synchronization.

  6. (Optional) Click Load ECS Internal IP Addresses to display the IP addresses of all ECS instances that belong to your Alibaba Cloud account. You can quickly add the private IP addresses of the ECS instances to the IP address whitelist.


Configure an enhanced IP address whitelist

Note

Cloud disk instances do not support the enhanced whitelist mode. High-performance local disk storage is no longer available for purchase.

The enhanced whitelist mode distinguishes between the classic network and VPCs. You must specify a network isolation mode for each IP address whitelist group. For example, IP addresses in an IP address whitelist for the classic network cannot be used to access the RDS instance over VPCs, and vice versa.

If your high-performance local disk instance is already in enhanced whitelist mode, follow the instructions in this section. To switch to enhanced whitelist mode, see Switch to enhanced whitelist mode.

  1. Visit the RDS Instances page, select a region at the top of the page, and then click the ID of the target instance.

  2. In the navigation pane on the left, click Whitelists and Security Groups.

  3. Click Create Whitelist and select a Network Isolation Mode.

  4. Enter a Group Name.

  5. In the IP Addresses field, enter the IP addresses or CIDR blocks that need to access the RDS instance, and then click OK.

    Important
    • Separate multiple IP addresses or CIDR blocks with commas (,). Do not add spaces before or after the commas. Example: 192.168.0.1,172.16.213.9.

    • A maximum of 1,000 IP addresses and CIDR blocks can be configured for each RDS instance. To specify many IP addresses, we recommend that you combine the IP addresses into CIDR blocks, such as 10.10.10.0/24.

  6. (Optional) If the current instance has read-only instances, you can configure the Synchronize Whitelist to Read-only Instances parameter to synchronize the IP address whitelist of the primary instance to the specified read-only instances. If multiple read-only RDS instances are attached to the RDS instance, you can select more than one read-only RDS instance for synchronization.

  7. (Optional) Click Load ECS Internal IP Addresses to display the IP addresses of all ECS instances that belong to your Alibaba Cloud account. You can quickly add the private IP addresses of the ECS instances to the IP address whitelist.

    Note

    If the enhanced whitelist mode is enabled for the RDS instance, you must select a network isolation mode.


What to do next

Create an account and a database

FAQ

Why do I receive the error InvalidSecurityIPListLength.Malformed when I add an IP address whitelist in the RDS console?

Problem description

You may receive the following error when you add an IP address whitelist in the RDS console:

Error code: InvalidSecurityIPListLength.Malformed

Error message: The security IP address is not in the available range or is occupied.

Solution

  • Cause 1: A maximum of 1,000 IP addresses or CIDR blocks can be added to a single IP address whitelist group. The number of IP addresses that you want to add exceeds this limit.

    Solution: Make sure that the number of IP addresses or CIDR blocks in a single IP address whitelist group does not exceed 1,000. We recommend that you combine individual IP addresses into CIDR blocks (such as 192.168.1.0/24) to reduce the number of entries.

  • Cause 2: The IP address whitelist that you want to add contains invalid IP addresses.

    Solution: Make sure that each entry is a valid IPv4 address or CIDR block. We recommend that you use the standard CIDR format (such as 10.23.12.0/24); the prefix length after the slash must be 1 to 32. To add multiple entries, separate them with commas (,) and do not add spaces.

  • Cause 3: The IP address whitelist overlaps with an existing entry. For example, in RDS MySQL, 192.168.1.8 conflicts with 192.168.1.1/8, because 192.168.1.1/8 denotes the block 192.0.0.0/8, which already contains 192.168.1.8.

    Solution: Plan IP address whitelists based on your actual requirements so that new entries do not overlap with or duplicate existing rules. Avoid broad blocks such as /8 that admit far more addresses than the clients you intend to allow.

Note

Do not delete the default group default (which contains 127.0.0.1), and do not modify system groups (such as ali_dms_group or hdm_security_ips) to avoid affecting system functions or connection security.
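The whitelist format rules given in the configuration steps (comma-separated entries, no spaces, valid IPv4 addresses or CIDR blocks, the entry limit) and the three FAQ causes above can be checked locally before you paste a list into the console. The following script is an added example, not code from the Alibaba Cloud documentation or an RDS API: the function names, the report layout and the use of the page's 1,000-entry figure as the limit are this example's own choices, and the sample inputs are constructed from the page's own examples.

```python
"""Check an RDS IP address whitelist string before pasting it into the console.

Added example, not code from the Alibaba Cloud documentation. It applies the
rules stated on this page (comma-separated entries with no spaces, valid IPv4
addresses or CIDR blocks, prefix length 1 to 32, the 1,000-entry limit) and
reports overlapping entries as the FAQ's cause 3 describes. Function names and
the report layout are this example's own assumptions, not an RDS API.
"""
import ipaddress
from typing import Dict, List, Tuple

MAX_ENTRIES = 1000  # limit stated on the page


def parse_whitelist(text: str) -> List[ipaddress.IPv4Network]:
    """Split a whitelist string into networks; raise ValueError on any rule violation."""
    if text == "":
        raise ValueError("whitelist is empty")
    if text != text.strip() or " " in text:
        raise ValueError("spaces are not allowed before or after commas")
    entries = text.split(",")
    if len(entries) > MAX_ENTRIES:
        raise ValueError(f"{len(entries)} entries exceed the limit of {MAX_ENTRIES}")
    nets = []
    for entry in entries:
        if entry == "":
            raise ValueError("empty entry (stray comma)")
        try:
            if "/" in entry:
                prefix = int(entry.split("/", 1)[1])
                if not 1 <= prefix <= 32:
                    raise ValueError("prefix length must be 1 to 32")
            # strict=False tolerates host bits, so 192.168.1.1/8 parses as
            # 192.0.0.0/8, the block the FAQ example says it conflicts with
            nets.append(ipaddress.IPv4Network(entry, strict=False))
        except ValueError as exc:
            raise ValueError(f"{entry}: {exc}") from exc
    return nets


def find_conflicts(nets: List[ipaddress.IPv4Network]) -> List[Tuple[str, str]]:
    """Pairs of entries where one already covers the other (the FAQ's cause 3)."""
    conflicts = []
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.subnet_of(b) or b.subnet_of(a):
                conflicts.append((str(a), str(b)))
    return conflicts


def compact(nets: List[ipaddress.IPv4Network]) -> List[ipaddress.IPv4Network]:
    """Merge entries into the fewest CIDR blocks covering exactly the same addresses.

    This is lossless: it never admits an address that was not already listed,
    unlike rounding a handful of hosts up to a /24 by hand.
    """
    return list(ipaddress.collapse_addresses(nets))


def format_whitelist(nets: List[ipaddress.IPv4Network]) -> str:
    """Render in console syntax: hosts without /32, blocks as CIDR, comma-separated."""
    return ",".join(
        str(n.network_address) if n.prefixlen == 32 else str(n) for n in nets
    )


def lint_whitelist(text: str) -> Dict[str, object]:
    """Full report for one whitelist string, without raising."""
    try:
        nets = parse_whitelist(text)
    except ValueError as exc:
        return {"ok": False, "error": str(exc)}
    return {
        "ok": True,
        "entries": len(nets),
        "conflicts": find_conflicts(nets),
        "compact": format_whitelist(compact(nets)),
        # the default group's 127.0.0.1 admits no remote client at all
        "admits_remote_clients": any(not n.is_loopback for n in nets),
    }


if __name__ == "__main__":
    # constructed inputs: the page's own examples plus mistakes the FAQ describes
    for sample in (
        "192.168.0.1,172.16.213.9",
        "192.168.1.8,192.168.1.1/8",
        "192.168.0.1, 172.16.213.9",
        "0.0.0.0/0",
        "127.0.0.1",
    ):
        print(f"{sample!r}: {lint_whitelist(sample)}")
```

Run the script and paste only a list that reports ok with no conflicts. The compact form it prints is safe to use as-is because collapse_addresses merges only exact halves and subsumed entries; if you instead widen a list of hosts to a larger block by hand, confirm that every address in that block belongs to a client you trust, since every one of them gains network access to the instance.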

Related API operations