
ApsaraMQ for Kafka: Configure whitelists

Last Updated: Jul 04, 2024

You can configure whitelists for ApsaraMQ for Kafka instances. After a whitelist is configured for an ApsaraMQ for Kafka instance, only the IP addresses and ports in the whitelist can access the instance.

Prerequisites

An ApsaraMQ for Kafka instance is purchased and deployed. Make sure that the instance is in the Running state.

Usage notes

  • The default whitelist of an Internet- and virtual private cloud (VPC)-connected instance is 0.0.0.0/0. You can access an Internet- and VPC-connected instance by using the Secure Sockets Layer (SSL) endpoint. We recommend that you configure a whitelist for an Internet- and VPC-connected instance to control the IP addresses that are allowed to access the instance.

  • The default whitelist of a VPC-connected instance is the CIDR block of the vSwitch that is specified when the instance is deployed. This means that devices in the same vSwitch CIDR block of a VPC can access the instance by using the default endpoint. In this case, you can specify the whitelist as 0.0.0.0/0 to enable connection within the VPC.

  • When you configure a whitelist, you can add multiple IP addresses and CIDR blocks to each whitelist. Separate multiple IP addresses and CIDR blocks with commas (,). You can specify up to 200 entries for a whitelist.

  • You can remove an entry from or add an entry to a whitelist.

  • You can remove the last entry from a whitelist. Proceed with caution because you can no longer access the ApsaraMQ for Kafka instance by using ports within the port range specified in the last entry after you remove the entry.

    Note

    The whitelist feature of ApsaraMQ for Kafka is implemented based on security groups. If you specify a security group when you deploy an ApsaraMQ for Kafka instance, all instances that use the security group share the whitelist. If you do not specify a security group when you deploy an ApsaraMQ for Kafka instance, the system automatically creates a security group for the instance. In this case, the whitelist is used only by the instance that you deploy. In most cases, we recommend that you do not specify a security group when you deploy an ApsaraMQ for Kafka instance. If you use a shared whitelist, the impacts of misoperations increase. Proceed with caution.
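A pre-submission check for the comma-separated value described in the usage notes, given here as an added example (not Alibaba Cloud code). The function name `check_whitelist` and the `internet_facing` flag are hypothetical, and the sketch assumes IPv4 entries and reports them in normalized CIDR form.

```python
import ipaddress

MAX_ENTRIES = 200  # per-whitelist limit from the usage notes


def check_whitelist(value, internet_facing=True):
    """Check a comma-separated whitelist string before it is submitted.

    Returns (entries, errors, warnings); entries are normalized CIDR strings.
    """
    entries, errors, warnings = [], [], []
    parts = [p.strip() for p in value.split(",")] if value.strip() else []
    for raw in parts:
        try:
            # Assumption: IPv4 entries, as in the page's 0.0.0.0/0.
            net = ipaddress.IPv4Network(raw, strict=False)
        except ValueError:
            errors.append(f"not an IP address or CIDR block: {raw!r}")
            continue
        cidr = str(net)
        if cidr in entries:
            warnings.append(f"duplicate entry: {raw}")
            continue
        # 10.0.0.5/24 is read as the whole 10.0.0.0/24 block, not one host.
        if ipaddress.IPv4Address(raw.split("/")[0]) != net.network_address:
            warnings.append(f"{raw} has host bits set; it covers all of {cidr}")
        if net.prefixlen == 0 and internet_facing:
            warnings.append(f"{cidr} allows every source address")
        entries.append(cidr)
    if len(entries) > MAX_ENTRIES:
        errors.append(f"{len(entries)} entries exceeds the limit of {MAX_ENTRIES}")
    if not entries:
        # An empty whitelist leaves the endpoint's ports unreachable.
        errors.append("no valid entries")
    return entries, errors, warnings


if __name__ == "__main__":
    # Constructed input using documentation address ranges.
    sample = "203.0.113.10, 198.51.100.0/24,10.0.0.5/24, 0.0.0.0/0, bogus,203.0.113.10"
    entries, errors, warnings = check_whitelist(sample)
    print("submit:", ",".join(entries))
    for msg in errors + warnings:
        print("-", msg)
```

Run the check on the value you plan to paste into the IP Addresses field and resolve every error and warning before you click OK, especially when the whitelist is shared through a security group.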

Add IP addresses or CIDR blocks to a whitelist

To add IP addresses or CIDR blocks to a whitelist, perform the following steps:

  1. Log on to the ApsaraMQ for Kafka console. In the Resource Distribution section of the Overview page, select the region where the ApsaraMQ for Kafka instance that you want to manage resides.

  2. On the Instances page, click the name of the instance that you want to manage.

  3. In the Endpoint Information section of the Instance Details page, find the endpoint for which you want to configure a whitelist and click Manage Whitelist in the Actions column.

  4. On the Whitelist Management page, click Create Whitelist, configure the Name and IP Addresses parameters, and then click OK.

Delete an IP address or a CIDR block from a whitelist

  1. In the left-side navigation pane of the Instance Details page, click Whitelist Management.

  2. Find the whitelist to which the IP address or CIDR block that you want to delete belongs and click Modify in the Actions column.

  3. In the Modify Whitelist panel, find the IP address or CIDR block that you want to delete and click Delete. In the lower part of the panel, click Modify.

References

  • You can also configure a whitelist by calling the corresponding API operation. For more information, see UpdateAllowedIp.

  • If your device and ApsaraMQ for Kafka instance reside in different VPCs, you can connect the device and ApsaraMQ for Kafka instance by using Express Connect, VPN Gateway, or Cloud Enterprise Network (CEN). For more information, see Select a private network service.