After creating an ApsaraDB RDS for PostgreSQL instance, configure an IP address whitelist or security group to control which IP addresses can connect. By default, only 127.0.0.1 is in the whitelist, which blocks all external access.
Never set the whitelist to 0.0.0.0/0 in production. This opens the instance to all IP addresses on the internet and creates a serious security risk. Always use the most restrictive whitelist possible.
Prerequisites
Before you begin, make sure that you have:
An ApsaraDB RDS for PostgreSQL instance
The IP addresses or CIDR blocks of the clients that need to connect
Limits
| Limit | Value |
|---|---|
| Maximum whitelist groups per instance | 50 |
| Maximum IP addresses or CIDR blocks per whitelist group | 1,000 |
| CIDR mask range | 1 to 32 |
Configuring IP address whitelists does not affect running workloads on the instance.
All IP addresses across all whitelist groups have the same access permissions. Whitelist groups are for organization purposes only.
The default whitelist group can be cleared but cannot be deleted.
Do not modify or delete whitelist groups generated by other Alibaba Cloud services. For example, ali_dms_group is used by DMS and hdm_security_ips is used by Database Autonomy Service (DAS). Deleting these groups prevents the corresponding services from connecting to your RDS instance.
For instances created after December 2020, the hdm_security_ips whitelist group is hidden to prevent accidental changes.
Determine which IP address to add
The IP address to add depends on how your client connects to the RDS instance.
| Scenario | What to add |
|---|---|
| ECS and RDS in the same VPC (recommended) | Private IP address of the ECS instance |
| ECS and RDS in different VPCs | Migrate the RDS instance to the ECS VPC first, then add the ECS private IP address |
| ACK cluster and RDS in the same VPC (recommended) | Flannel plugin: node IP address. Terway plugin: pod IP address |
| ACK cluster and RDS in different VPCs | Migrate the RDS instance to the ACK VPC first, then add the node or pod IP address |
| Self-managed host outside the cloud | Public IP address of the host |
Connect from an Elastic Compute Service (ECS) instance
Same VPC (recommended): Add the private IP address of the ECS instance to the whitelist.
Different VPCs: Instances in different VPCs cannot communicate over internal networks. To connect:
Migrate the RDS instance to the VPC where the ECS instance resides.
VPC migration is supported only when both instances are in the same region. If they are in different regions, use Data Transmission Service (DTS) to migrate the RDS instance. For details, see Migrate data between ApsaraDB RDS for PostgreSQL instances.
Add the private IP address of the ECS instance to the whitelist.
Connect from a Container Service for Kubernetes (ACK) cluster
Same VPC (recommended):
Flannel container network plugin: Add the IP address of the node where the application runs.
Terway container network plugin: Add the IP address of the pod where the application runs.
View pod and node IP addresses on the pod page of the ACK cluster. For more information about network plugins, see Comparison between Terway and Flannel.
Different VPCs: Instances in different VPCs cannot communicate over internal networks. To connect:
Migrate the RDS instance to the VPC where the ACK cluster resides.
VPC migration is supported only when the ACK cluster and the RDS instance are in the same region. If they are in different regions, use DTS to migrate the RDS instance. For details, see Migrate data between ApsaraDB RDS for PostgreSQL instances.
Add the IP address based on the container network plugin:
Flannel: Add the node IP address.
Terway: Add the pod IP address.
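Collecting the right addresses by hand is error-prone, so here is an added example (not part of the original page or of any Alibaba Cloud tooling) that pulls the whitelist entries for an ACK cluster straight from the Kubernetes API according to the plugin in use: node InternalIP addresses for Flannel, pod IPs for Terway. It assumes kubectl is already configured for the cluster and uses only standard Kubernetes fields; the namespace and the label selector app=myapp are placeholders. The fake_kubectl function at the bottom returns constructed addresses so the logic can be exercised without a cluster. One caveat the page only implies: Terway pod IPs change whenever pods are rescheduled, so a Terway whitelist has to be refreshed after deployments or rebuilt as a CIDR block that covers the pod address range.

```shell
#!/bin/sh
# Added example, not from the original page: collect whitelist entries for an
# ACK cluster according to the CNI plugin. Assumes kubectl is configured.
KUBECTL=${KUBECTL:-kubectl}

# Flannel: traffic leaves each node with the node's own (InternalIP) address.
node_ips() {
  "$KUBECTL" get nodes -o jsonpath='{range .items[*]}{.status.addresses[?(@.type=="InternalIP")].address}{"\n"}{end}'
}

# Terway: pods hold VPC addresses, so RDS sees the pod IP itself.
# $1 = namespace, $2 = label selector matching the application's pods.
pod_ips() {
  "$KUBECTL" get pods -n "$1" -l "$2" -o jsonpath='{range .items[*]}{.status.podIP}{"\n"}{end}'
}

# ack_whitelist_entries <flannel|terway> [namespace] [selector]
# Prints one comma-separated string with no spaces, deduplicated and sorted,
# in the exact format the whitelist group expects.
ack_whitelist_entries() {
  case "$1" in
    flannel) list=$(node_ips) ;;
    terway)  list=$(pod_ips "${2:-default}" "${3:-app=myapp}") ;;
    *) echo "unknown plugin: $1 (expected flannel or terway)" >&2; return 1 ;;
  esac
  [ -n "$list" ] || { echo "no addresses found" >&2; return 1; }
  printf '%s\n' "$list" | grep -v '^$' | sort -u | paste -s -d ',' -
}

# Offline demo: a stand-in for kubectl that returns constructed addresses
# (placeholders, not from any real cluster). Note the duplicate node address,
# which the function collapses.
fake_kubectl() {
  case "$2" in
    nodes) printf '192.168.1.10\n192.168.1.11\n192.168.1.10\n' ;;
    pods)  printf '10.0.3.21\n10.0.3.22\n' ;;
  esac
}
KUBECTL=fake_kubectl
echo "Flannel entries: $(ack_whitelist_entries flannel)"
echo "Terway entries:  $(ack_whitelist_entries terway default app=myapp)"
```

Against a real cluster, leave KUBECTL unset and run `ack_whitelist_entries terway <namespace> <selector>`; the output can be pasted into the whitelist group as-is.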
Connect from a self-managed host outside the cloud
Add the public IP address of the host to the whitelist. The host connects through the public endpoint of the RDS instance.
To find the public IP address as seen from the internet (the address RDS matches against, which is the NAT or proxy egress address if the host sits behind one), run:
curl ipinfo.io/ip
Configure a standard IP address whitelist
Most RDS for PostgreSQL instances use the standard whitelist mode. Cloud disk instances only support this mode.
Go to the RDS Instances page, select a region, and then click the instance ID.
In the left-side navigation pane, click Whitelists and SecGroups.
Click Create Whitelist and enter a Whitelist Name, or click Modify for an existing IP address whitelist group.
Enter the IP addresses or CIDR blocks, and then click OK.
Important: Separate multiple entries with commas (,). Do not add spaces before or after commas. Example: 192.168.0.1,172.16.213.9. Each whitelist group supports up to 1,000 entries. To reduce the number of entries, combine individual IP addresses into CIDR blocks, such as 10.10.10.0/24. The CIDR mask range must be 1 to 32. Keep each block as narrow as possible: a /24 admits 256 addresses, not only the hosts you intend.
(Optional) To sync the whitelist to read-only instances, configure Synchronize Whitelist to Read-only Instances. If multiple read-only instances are attached, select the instances to sync.
(Optional) Click Add Internal IP Address of ECS Instance to display and add private IP addresses of ECS instances under your account.
Tip: You can also add ECS security groups on the Security Group tab of the Whitelists and SecGroups page. Adding a security group allows all ECS instances in that group to access the RDS instance without configuring individual IP addresses.
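The format rules above (comma-separated, no spaces, valid IPv4 or CIDR with a mask of 1 to 32, at most 1,000 entries, never 0.0.0.0/0) are easy to get wrong in a script. The following is an added example, not code from the original page or from Alibaba Cloud, that validates a set of entries and assembles the string before it is submitted, and then shows how the same string feeds the ModifySecurityIps operation listed under Related API operations. The CLI invocation is an assumption: the Alibaba Cloud CLI maps API parameters onto flags of the same name, but confirm with `aliyun rds ModifySecurityIps --help` before relying on it. The instance ID pgm-bp1example and the group name app_servers are placeholders.

```shell
#!/bin/sh
# Added example, not from the original page: assemble and validate the
# comma-separated IP list for a whitelist group before submitting it.

# valid_ipv4 <addr>: four dotted decimal octets, each 0-255.
valid_ipv4() {
  case "$1" in
    *[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  set -- $(printf '%s' "$1" | tr '.' ' ')
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    [ "$o" -le 255 ] || return 1
  done
}

# valid_entry <entry>: a single address or a CIDR block whose mask is 1-32,
# the range the console accepts.
valid_entry() {
  case "$1" in
    */*)
      mask=${1#*/}
      case "$mask" in ''|*[!0-9]*) return 1 ;; esac
      [ "$mask" -ge 1 ] && [ "$mask" -le 32 ] || return 1
      valid_ipv4 "${1%%/*}" ;;
    *) valid_ipv4 "$1" ;;
  esac
}

# build_security_ips <entry>...: prints the joined list or fails with the
# reason on stderr. Rejects whitespace (none is allowed around commas),
# 0.0.0.0/0 (every address on the internet), malformed entries, and more
# than 1,000 entries in one group.
build_security_ips() {
  out=""; n=0; tab=$(printf '\t')
  for e in "$@"; do
    case "$e" in
      *" "*|*"$tab"*) echo "error: whitespace in '$e'" >&2; return 1 ;;
      0.0.0.0/0|0.0.0.0) echo "error: refusing $e, it opens the instance to the internet" >&2; return 1 ;;
    esac
    valid_entry "$e" || { echo "error: invalid entry '$e'" >&2; return 1; }
    n=$((n + 1))
    [ "$n" -le 1000 ] || { echo "error: more than 1000 entries in one group" >&2; return 1; }
    out="${out:+$out,}$e"
  done
  [ -n "$out" ] || { echo "error: empty list" >&2; return 1; }
  printf '%s\n' "$out"
}

# apply_whitelist <DBInstanceId> <group-name> <entry>...
# Prints the Alibaba Cloud CLI call for ModifySecurityIps and runs it only
# when APPLY=1. Flag names mirror the API parameters (assumed; confirm with
# `aliyun rds ModifySecurityIps --help`).
apply_whitelist() {
  id=$1; group=$2; shift 2
  ips=$(build_security_ips "$@") || return 1
  set -- aliyun rds ModifySecurityIps --DBInstanceId "$id" --DBInstanceIPArrayName "$group" --SecurityIps "$ips"
  printf '%s\n' "$*"
  if [ "${APPLY:-0}" = 1 ]; then "$@"; fi
}

# Demo on constructed entries (placeholders, not real hosts or instances).
build_security_ips 192.168.0.1 172.16.213.9 10.10.10.0/24
build_security_ips 192.168.0.1 " 172.16.213.9" || echo "-> rejected, as intended"
build_security_ips 0.0.0.0/0 || echo "-> rejected, as intended"
build_security_ips 10.10.10.0/33 || echo "-> rejected, as intended"
apply_whitelist pgm-bp1example app_servers 192.168.0.1 10.10.10.0/24
```

The dry-run default is deliberate: printing the exact ModifySecurityIps call lets a reviewer see the full list that is about to replace the group's contents before APPLY=1 sends it.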
Configure an enhanced IP address whitelist
Cloud disk instances do not support the enhanced whitelist mode. This mode is available only on high-performance local disk instances, which are no longer available for purchase.
The enhanced whitelist mode separates the classic network and VPCs. Each whitelist group requires a Network Isolation Mode setting. IP addresses in a classic network whitelist cannot access the RDS instance over a VPC, and vice versa.
If your high-performance local disk instance already uses the enhanced whitelist mode, follow these steps. To switch to enhanced whitelist mode, see Switch to enhanced whitelist mode.
Go to the RDS Instances page, select a region, and then click the instance ID.
In the left-side navigation pane, click Whitelists and SecGroups.
Click Create Whitelist and select a Network Isolation Mode.
Enter a Whitelist Name.
In the IP Addresses field, enter the IP addresses or CIDR blocks, and then click OK.
Important: Separate multiple entries with commas (,). Do not add spaces before or after commas. Example: 192.168.0.1,172.16.213.9. Each whitelist group supports up to 1,000 entries. To reduce the number of entries, combine individual IP addresses into CIDR blocks, such as 10.10.10.0/24.
(Optional) To sync the whitelist to read-only instances, configure Synchronize Whitelist to Read-only Instance. If multiple read-only instances are attached, select the instances to sync.
(Optional) Click Add Internal IP Address of ECS Instance to display and add private IP addresses of ECS instances under your account.
In enhanced whitelist mode, select a network isolation mode when adding ECS IP addresses.
Verify the whitelist configuration
After configuring the whitelist, verify that the client can connect to the RDS instance:
psql -h <endpoint> -U <username> -p <port> [-d <database>]
Replace <endpoint>, <username>, and <port> with the actual connection details of your RDS instance. The -d flag specifies the database name and is optional.
A successful connection returns the PostgreSQL command prompt. If the connection fails, see FAQ.
FAQ
Why can't I connect after adding my IP to the whitelist?
The machine may reach the internet through a NAT gateway, proxy, or VPN, so the outbound address that RDS sees can differ from the address configured on the machine itself. Run curl ipinfo.io/ip from the machine that needs to connect, and verify that the returned IP address is in the whitelist. If the outbound address changes frequently, add a CIDR block that covers the range instead of a single IP address, keeping the block as narrow as possible, since every address in it gains access. For more solutions, see FAQ about IP address whitelist settings.
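Checking "is my address in the whitelist" by eye fails as soon as the group contains CIDR blocks. The following is an added example, not code from the original page or from Alibaba Cloud, that serves both the verification step above and this FAQ: it tests a client address against a whitelist string with proper CIDR matching, and the diagnose function then combines that with the curl and psql checks from the page. diagnose needs network access, curl and psql, and is not called by the offline demo; the whitelist and client addresses in the demo are constructed placeholders. PGCONNECT_TIMEOUT is a standard libpq environment variable.

```shell
#!/bin/sh
# Added example, not from the original page: check whether a client address
# is actually covered by a whitelist string, then test the connection.

# ip2int <a.b.c.d>: dotted quad to a 32-bit integer.
ip2int() {
  set -- $(printf '%s' "$1" | tr '.' ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# cidr_contains <entry> <ip>: entry is a.b.c.d (treated as /32) or a.b.c.d/n.
cidr_contains() {
  case "$1" in
    */*) net=${1%%/*}; bits=${1#*/} ;;
    *)   net=$1; bits=32 ;;
  esac
  mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
  [ $(( $(ip2int "$net") & mask )) -eq $(( $(ip2int "$2") & mask )) ]
}

# ip_in_whitelist <client-ip> <comma-separated-whitelist>
# Reports the first entry that covers the address, or fails.
ip_in_whitelist() {
  ip=$1
  old_ifs=$IFS; IFS=,; set -- $2; IFS=$old_ifs
  for entry in "$@"; do
    [ -n "$entry" ] || continue
    if cidr_contains "$entry" "$ip"; then
      echo "$ip is covered by whitelist entry $entry"
      return 0
    fi
  done
  echo "$ip is not covered by any whitelist entry" >&2
  return 1
}

# diagnose <endpoint> <port> <user> <db> <whitelist-string>
# Live check (needs network; not called by the demo below). Uses the public
# egress address as the internet sees it, which is what RDS matches against.
diagnose() {
  me=$(curl -s ipinfo.io/ip) || { echo "could not determine egress IP" >&2; return 2; }
  ip_in_whitelist "$me" "$5" || return 1
  # With the address confirmed, a short connect timeout separates the two
  # common failures: a blocked address usually times out, while a wrong
  # password fails fast with an authentication error.
  PGCONNECT_TIMEOUT=5 psql -h "$1" -p "$2" -U "$3" -d "$4" -c 'select 1'
}

# Offline demo on a constructed whitelist and client addresses.
WL="192.168.0.1,172.16.213.9,10.10.10.0/24"
ip_in_whitelist 10.10.10.77 "$WL"
ip_in_whitelist 10.10.11.77 "$WL" || echo "-> would be blocked; fix the egress address or extend the block carefully"
```

When diagnose reports the address as covered but psql still times out, the whitelist is not the problem: look at the security group, the network type of the endpoint you are using (public versus private), or an enhanced-mode group bound to the wrong network isolation mode.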
Related API operations
| API | Description |
|---|---|
| DescribeDBInstanceIPArrayList | Query the IP address whitelists of an RDS instance |
| ModifySecurityIps | Modify the IP address whitelists of an RDS instance |