
Tair (Redis® OSS-Compatible): Configure whitelists

Last Updated: Oct 24, 2024

By default, Tair instances block access from all IP addresses to ensure the security and stability of Tair databases. Before you use a Tair instance, you must add IP addresses or CIDR blocks that you plan to use to access the Tair instance to the whitelists of the instance. A properly configured whitelist can enhance the security of your Tair instance. We recommend that you perform regular maintenance on your whitelists.

Methods of configuring a whitelist

| Method | Description | Scenario |
| --- | --- | --- |
| Add IP addresses or CIDR blocks to a whitelist | Manually add the IP address of a client to a whitelist of a Tair instance to allow the client to access the Tair instance. | |
| Add a security group | A security group is a virtual firewall that is used to control the inbound and outbound traffic of Elastic Compute Service (ECS) instances in the security group. For more information, see Overview. To authorize multiple ECS instances to access a Tair instance, you can add the security groups to which the ECS instances belong as whitelists for the Tair instance. In this case, you do not need to manually add the IP addresses of the ECS instances to the whitelists of the Redis instance. | Access a Redis instance from multiple ECS instances in the same region |

Note

You can configure IP address whitelists and add ECS security groups as whitelists for a Tair instance. Both IP addresses in the IP address whitelists and ECS instances in the security groups are allowed to access the instance.

Add private IP addresses of ECS instances to a whitelist

If your ECS instance belongs to the same virtual private cloud (VPC) as a Tair instance, we recommend that you connect the ECS instance to the Redis instance over the VPC.

Note

If your ECS instance and the Tair instance do not belong to the same VPC, you can change the VPC to which the ECS instance belongs. For more information, see Change the VPC of an ECS instance.

  1. Log on to the ApsaraDB for Redis console and go to the Instances page. In the top navigation bar, select the region in which the instance that you want to manage resides. Then, find the instance and click the instance ID.

  2. In the left-side navigation pane, click Whitelist Settings.

  3. Find the default whitelist and click Modify in the Actions column.

    Note

    You can also click Add Whitelist to create a whitelist. The name of a whitelist must be 2 to 32 characters in length and can contain lowercase letters, digits, and underscores (_). It must start with a lowercase letter and end with a lowercase letter or digit.

  4. If you set Method to Add IP Address to Import ECS Internal IP Address, the panel displays the private IP addresses of ECS instances that are deployed in the same region as the Tair instance.

    Move the pointer over an IP address to view the ID and name of the ECS instance to which the IP address is assigned.

  5. Select the required IP addresses and move them to the section on the right.

  6. Click OK.

  7. (Optional) To remove all IP addresses from a whitelist and delete the whitelist, click Delete in the Actions column corresponding to the whitelist.

    Default whitelists generated by the system cannot be deleted, such as default and hdm_security_ips.

Add public IP addresses to a whitelist

If you want to access a Tair instance from an on-premises device or if your ECS instance is not in the same VPC as the Tair instance, perform the following steps to create a whitelist:

  1. Log on to the ApsaraDB for Redis console and go to the Instances page. In the top navigation bar, select the region in which the instance that you want to manage resides. Then, find the instance and click the instance ID.

  2. In the left-side navigation pane, click Whitelist Settings.

  3. Find the default whitelist and click Modify in the Actions column.

    Note

    You can also click Add Whitelist to create a whitelist. The name of a whitelist must be 2 to 32 characters in length and can contain lowercase letters, digits, and underscores (_). It must start with a lowercase letter and end with a lowercase letter or digit.

  4. Set Method to Add IP Address to Add Manually.

  5. In the Whitelist field, enter IP addresses or CIDR blocks.

    Methods for querying the public IP addresses of on-premises devices and ECS instances:

    • ECS instance: see How do I query the IP addresses of ECS instances?

    • On-premises device: The method for querying the public IP address of an on-premises device may vary based on your network environment or operation. The following list provides reference methods for obtaining the public IP address of an on-premises device by using commands in different operating systems:

        • Linux: Open the CLI, enter the curl ifconfig.me command, and then press Enter.

        • Windows: Open Command Prompt, enter the curl ip.me command, and then press Enter.

        • macOS: Start Terminal, enter the curl ifconfig.me command, and then press Enter.

    Separate multiple IP addresses with commas (,). A maximum of 1,000 unique IP addresses can be added. You can enter IP addresses and CIDR blocks in the following formats:

    • Specific IP addresses such as 10.23.12.24.

    • CIDR blocks such as 10.23.12.0/24. /24 indicates the length of the IP address prefix. An IP address prefix can be 1 to 32 bits in length. 10.23.12.0/24 indicates an IP address range from 10.23.12.0 to 10.23.12.255. For more information about CIDR blocks, see FAQ about CIDR blocks.

    Warning

    If you add 0.0.0.0/0 to a whitelist of a Redis instance, all IP addresses can connect to the instance. This operation poses security risks. Proceed with caution.

  6. Click OK.

  7. (Optional) To remove all IP addresses from a whitelist and delete the whitelist, click Delete in the Actions column corresponding to the whitelist.

    Default whitelists generated by the system cannot be deleted, such as default and hdm_security_ips.
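The following pre-submission check applies the rules stated in the steps above (entry format, the 0.0.0.0/0 warning, and the whitelist naming rule) to a comma-separated whitelist string. It is an added example, not Alibaba Cloud code. The function names, the per-entry reading of the 1,000 limit, the normalization of CIDR blocks that have host bits set, and the 127.0.0.1-only warning (taken from the FAQ on this page) are assumptions of this example.

```python
import ipaddress
import re

# Whitelist naming rule from the Note in step 3 of the procedure.
NAME_RE = re.compile(r"[a-z][a-z0-9_]{0,30}[a-z0-9]")
MAX_ENTRIES = 1000  # assumption: the 1,000 limit is counted per unique entry


def valid_whitelist_name(name):
    return NAME_RE.fullmatch(name) is not None


def check_whitelist(raw):
    """Return (entries, errors, warnings) for a comma-separated whitelist."""
    entries, errors, warnings = [], [], []
    for item in (part.strip() for part in raw.split(",")):
        if not item:
            continue
        prefix = item.partition("/")[2]
        try:
            if "/" in item and not prefix.isdigit():
                raise ValueError("prefix must be a number")
            net = ipaddress.IPv4Network(item, strict=False)
        except ValueError:
            errors.append(f"{item}: not an IPv4 address or CIDR block")
            continue
        if net.prefixlen == 0:
            warnings.append(f"{item}: every IP address can connect")
        elif "/" in item and str(net) != item:
            # Assumption: report the range the prefix really covers.
            warnings.append(f"{item}: host bits set, covers {net}")
        text = str(net.network_address) if net.prefixlen == 32 else str(net)
        if text not in entries:  # keep entries unique, preserve order
            entries.append(text)
    if len(entries) > MAX_ENTRIES:
        errors.append(f"{len(entries)} entries exceed the limit of {MAX_ENTRIES}")
    if entries == ["127.0.0.1"]:
        warnings.append("only 127.0.0.1 is listed: no client can connect")
    return entries, errors, warnings


# Constructed sample input, not taken from a real instance.
SAMPLE = "10.23.12.24, 10.23.12.0/24,10.23.12.24,192.0.2.77/24,0.0.0.0/0,300.1.1.1"

if __name__ == "__main__":
    print(valid_whitelist_name("office_vpn1"), check_whitelist(SAMPLE))
```

Treat any warning as a reason to review the list before you click OK, and any error as an entry to correct.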

Batch add public and private IP addresses of ECS instances by using security groups

If you want to connect multiple ECS instances to a Tair instance, you can add a security group as a whitelist for the Tair instance. After you add an ECS security group as a whitelist for a Tair instance, all ECS instances in the security group can access the instance over an internal network or the Internet.

Note
  • The instance version must be the latest minor version of Redis 4.0 or later. For more information, see Upgrade the major version.

  • ECS security groups are not supported in the China (Heyuan) region.

  • You cannot add ECS security groups as whitelists for cloud-native instances that use the cluster or read/write splitting architecture.

  1. Log on to the ApsaraDB for Redis console and go to the Instances page. In the top navigation bar, select the region in which the instance that you want to manage resides. Then, find the instance and click the instance ID.

  2. In the left-side navigation pane, click Whitelist Settings.

  3. Click the Security Groups tab.

  4. On the Security Groups tab, click Create Security Group.

  5. In the dialog box that appears, select the security groups that you want to add as whitelists.

    You can use a security group name or security group ID to perform a fuzzy search.

    Figure 3. Add security groups

    Note

    You can add up to 10 security groups as whitelists for each Redis instance.

  6. Click OK.

  7. (Optional) To remove all security groups, click Delete.

Related API operations

| API operation | Description |
| --- | --- |
| DescribeSecurityIps | Queries the IP address whitelists configured for a Tair instance. |
| ModifySecurityIps | Modifies the IP address whitelists of a Tair instance. |
| DescribeSecurityGroupConfiguration | Queries the security groups that are added as whitelists for a Tair instance. |
| ModifySecurityGroupConfiguration | Modifies the security groups that are added as whitelists for a Tair instance. |

FAQ

Why is the (error) ERR illegal address message returned after I use the redis-cli tool to connect to a Redis instance?

The IP address of the client on which the redis-cli tool is deployed is not added to a whitelist of the Redis instance. You must check the whitelists of the Redis instance.

Why am I unable to configure security groups for my Tair instance?

Limits are imposed on instances for which security groups can be added as whitelists.

  • The major version of the instance must be Redis 4.0 (latest minor version) or later. For more information, see Upgrade the major version.

  • You cannot add ECS security groups as whitelists for cloud-native cluster instances or cloud-native read/write splitting instances.

I have configured access rules in a security group for a Tair instance, but they do not take effect on the instance. Why?

Problem description: Access rules are configured for a security group to allow access only from an IP address such as 118.31.XX.XX to a Tair instance. However, other IP addresses can still access the instance.

Cause: The inbound and outbound traffic rules that you configured for the security group do not apply to the Tair instance. If you add a security group as a whitelist for a Tair instance, the ECS instances in the security group can access the Tair instance over a VPC or the Internet.

Why is the Connection closed by foreign host error message returned when I check port connectivity by running the telnet command?

The following error message is reported:

Escape character is '^]'.
Connection closed by foreign host.

The IP address of the client is not added to a whitelist of the Redis instance. Refer to the preceding method to add the IP address to a whitelist of the instance and try again.

Why are whitelists automatically created for a Tair instance? Can I delete these whitelists?

After you create a Tair instance, a default whitelist is automatically created. After you perform specific operations on the instance, more whitelists are automatically created, as described in the following table.

| Whitelist | Source |
| --- | --- |
| default | This whitelist is automatically created. You cannot delete this whitelist. |
| ali_dms_group | This whitelist is automatically created by Data Management (DMS) when you log on to a Tair instance from DMS. For more information, see Use DMS to connect to a Tair instance. Do not delete or modify this whitelist. Otherwise, you may be unable to log on to the Tair instance from DMS. |
| hdm_security_ips | This whitelist is automatically created by Database Autonomy Service (DAS) when you use CloudDBA features such as offline key analysis. For more information, see Use the offline key analysis feature. Do not delete or modify this whitelist. Otherwise, CloudDBA features may become unavailable. |

A whitelist contains the IP address 127.0.0.1 in addition to client IP addresses. In this case, can these clients connect to the Tair instance?

Yes, these clients can connect to the Tair instance. If the whitelist contains only the IP address 127.0.0.1, no IP addresses are allowed to connect to the instance.

The public IP address of my on-premises device is different each time I connect to a Redis instance. As a result, I need to add the new IP address to a whitelist of the Redis instance each time I connect to the instance. What do I do?

If the public IP address of your on-premises device is dynamic and changes frequently, you can add the relevant CIDR block to an IP address whitelist of the Redis instance. For example, if the IP address is always in the 10.10.10.* CIDR block, such as 10.10.10.15 or 10.10.10.155, you can add 10.10.10.0/24 to the whitelist. This indicates that all IP addresses from 10.10.10.0 to 10.10.10.255 are added to the whitelist.

Warning

This solution reduces the security of the instance. Exercise caution when you use this solution.
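To keep the exposure described in the preceding warning as small as possible, you can compute the narrowest CIDR block that covers the addresses you have actually observed instead of defaulting to a /24. The following is an added example, not Alibaba Cloud code. The function names and the min_prefix policy limit are assumptions of this example.

```python
import ipaddress


def covering_cidr(observed):
    """Smallest single IPv4 CIDR block that contains every observed address."""
    addrs = [ipaddress.IPv4Address(a) for a in observed]
    net = ipaddress.IPv4Network(f"{min(addrs)}/32")
    while max(addrs) not in net:
        net = net.supernet()  # widen by one bit until the highest address fits
    return net


def whitelist_entry(observed, min_prefix=24):
    """Return the covering block, refusing anything wider than min_prefix.

    min_prefix is a hypothetical local policy knob, not a Tair setting.
    """
    net = covering_cidr(observed)
    if net.prefixlen < min_prefix:
        raise ValueError(f"{net} exposes {net.num_addresses} addresses; "
                         f"policy allows at most a /{min_prefix}")
    return str(net) if net.prefixlen < 32 else str(net.network_address)


if __name__ == "__main__":
    # Addresses from the FAQ answer above: the covering block is the /24.
    print(whitelist_entry(["10.10.10.15", "10.10.10.155"]))
    # Constructed sample: two nearby addresses fit in a /27 (32 addresses).
    print(whitelist_entry(["10.10.10.15", "10.10.10.20"]))
```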