This topic describes how to configure an IP address whitelist for an ApsaraDB RDS for PostgreSQL instance. After an RDS instance is created, you must configure IP address whitelists or security groups for the RDS instance. Otherwise, the RDS instance is inaccessible.
Scenarios
An IP address whitelist consists of IP addresses and CIDR blocks that are granted access to the RDS instance. You can configure IP address whitelists for an RDS instance to provide high-level access control and security protection for the RDS instance. We recommend that you update the configured IP address whitelists on a regular basis.
You need to configure an IP address whitelist in the following scenarios:
Scenario 1
After an RDS instance is created, you must add the IP addresses of specific devices to an IP address whitelist of the instance. Then, these devices can access the RDS instance.
Scenario 2
An RDS instance cannot be connected. In this case, you need to check the IP address whitelists of the RDS instance. Then, you can modify the IP address whitelists that are improperly configured.
The following table provides the IP address whitelist configurations in various connection scenarios.
NoteA virtual private cloud (VPC) is an isolated network on Alibaba Cloud. It provides higher security than the classic network. For more information, see What is a VPC?
Connection scenario
Network type
IP address whitelist configuration
Connect an Elastic Compute Service (ECS) instance to the RDS instance
The ECS instance and the RDS instance reside in the same VPC. This is the recommended connection method.
Add the private IP address of the ECS instance to an IP address whitelist of your RDS instance.
The ECS and RDS instances reside in different VPCs.
Instances in different VPCs cannot communicate with each other over internal networks. In this case, perform the following operations:
Migrate the RDS instance to the VPC in which the ECS instance resides.
NoteThis operation is supported only when the ECS and RDS instances reside in the same region. If the ECS instance and the RDS instance reside in different regions, we recommend that you use DTS to migrate the RDS instance to the region in which the ECS instance resides. This way, you can ensure the stability of the database service. For more information, see Migrate data between ApsaraDB RDS for PostgreSQL instances.
Add the private IP address of the ECS instance to an IP address whitelist of your RDS instance.
The ECS and RDS instances reside in the classic network.
Add the private IP address of the ECS instance to an IP address whitelist of your RDS instance.
The ECS instance resides in the classic network.
Your RDS instance resides in a VPC.
Instances of different network types cannot communicate with each other over internal networks. In this case, perform the following operations:
Migrate the ECS instance from the classic network to the VPC in which the RDS instance resides. For more information, see Migrate an ECS instance from the classic network to a VPC.
NoteThis operation is supported only when the ECS and RDS instances reside in the same region. If the ECS instance and the RDS instance reside in different regions, we recommend that you use DTS to migrate the RDS instance to the region in which the ECS instance resides. This way, you can ensure the stability of the database service. For more information, see Migrate data between ApsaraDB RDS for PostgreSQL instances.
Add the private IP address of the ECS instance to an IP address whitelist of your RDS instance.
The ECS instance resides in a VPC.
Your RDS instance resides in the classic network.
Instances of different network types cannot communicate with each other over internal networks. In this case, perform the following operations:
Migrate the RDS instance from the classic network to the VPC in which the ECS instance resides.
NoteThis operation is supported only when the ECS and RDS instances reside in the same region. If the ECS instance and the RDS instance reside in different regions, we recommend that you use DTS to migrate the RDS instance to the region in which the ECS instance resides. This way, you can ensure the stability of the database service. For more information, see Migrate data between ApsaraDB RDS for PostgreSQL instances.
Add the private IP address of the ECS instance to an IP address whitelist of your RDS instance.
Connect a self-managed host outside the cloud to your RDS instance
None.
Add the public IP address of the self-managed host to an IP address whitelist of the RDS instance.
NoteThe applications that run on the self-managed host connect to the public endpoint of your RDS instance.
For more information about how to obtain the public IP address of the self-managed host, see Why am I unable to connect to my ApsaraDB RDS for MySQL or ApsaraDB RDS for MariaDB instance from a local server over the Internet?
Usage notes
A maximum of 50 IP address whitelists can be configured for each RDS instance.
When you configure IP address whitelists, the workloads on the RDS instance are not interrupted.
You can delete the entries in the IP address whitelist that is labeled default but you cannot delete the whitelist.
Do not modify or delete the IP address whitelists that are automatically generated for other Alibaba Cloud services. If you delete the IP address whitelist that is automatically generated for an Alibaba Cloud service, the Alibaba Cloud service cannot connect to the RDS instance. For example, the IP address whitelist labeled ali_dms_group is generated for Data Management (DMS), and the IP address whitelist labeled hdm_security_ips is generated for Database Autonomy Service (DAS).
ImportantIf an RDS instance is created after December 2020, the IP address whitelist that is labeled hdm_security_ips is invisible to users. This prevents the IP address whitelist from being unintentionally modified or deleted.
The IP address whitelist that is labeled default contains only the IP address 127.0.0.1. This indicates that no IP addresses can access the RDS instance.
Configure a standard IP address whitelist
In standard whitelist mode, ApsaraDB RDS does not distinguish between the classic network and VPCs. The IP addresses or CIDR blocks in a standard IP address whitelist can be used to access the RDS instance over both the classic network and VPCs.
- Go to the Instances page. In the top navigation bar, select the region in which the RDS instance resides. Then, find the RDS instance and click the ID of the instance.
In the left-side navigation pane of the page that appears, click Whitelist and SecGroup.
Click Create Whitelist. In the dialog box that appears, configure the Whitelist Name parameter. Alternatively, click Modify to the right of an IP address whitelist.
Enter the IP addresses or Classless Inter-Domain Routing (CIDR) blocks that require access to your RDS instance. Then, click OK.
NoteIf you enter more than one IP address or CIDR block, you must separate these IP addresses or CIDR blocks with commas (,). Do not add spaces preceding or following the commas. Example:
192.168.0.1,172.16.213.9
.A maximum of 1,000 IP addresses and CIDR blocks can be configured for each RDS instance. If you want to enter a large number of IP addresses, we recommend that you merge the IP addresses into CIDR blocks, such as
10.10.10.0/24
.
Optional. If a read-only RDS instance is attached to the RDS instance, configure the Synchronize Whitelist to Read-only Instance parameter to synchronize the IP address whitelists of the RDS instance to the read-only RDS instance. If multiple read-only RDS instances are attached to the RDS instance, you can select more than one read-only RDS instance for synchronization.
Optional. Click Add Internal IP Addresses of ECS Instances. In the dialog box that appears, view the IP addresses of all the ECS instances that are created within your Alibaba Cloud account. Then, add the IP addresses of the ECS instances that you want to connect to the IP address whitelist.
Configure an enhanced IP address whitelist
RDS instances that use cloud disks do not support the enhanced whitelist mode. Local disks are no longer available for purchase. For more information, see [EOS/Discontinuation] Local SSDs are no longer available for purchase for ApsaraDB RDS for PostgreSQL instances from September 01, 2023.
In enhanced whitelist mode, ApsaraDB RDS distinguishes between the classic network and VPCs. You must specify the network isolation mode of each enhanced IP address whitelist. For example, if the Network Isolation Mode parameter is set to Classic Network for an IP address whitelist, the IP addresses in the IP address whitelist are granted access to the RDS instance only over the classic network, and you cannot connect to the RDS instance over VPCs from these IP addresses.
The enhanced whitelist mode is supported only for RDS instances that use local SSDs. If your RDS instance runs in enhanced whitelist mode, you can perform the following procedure to configure an enhanced IP address whitelist. For more information about how to switch to the enhanced whitelist mode, see Switch an ApsaraDB RDS for PostgreSQL instance to the enhanced whitelist mode.
- Go to the Instances page. In the top navigation bar, select the region in which the RDS instance resides. Then, find the RDS instance and click the ID of the instance.
In the left-side navigation pane of the page that appears, click Whitelist and SecGroup.
Click Create Whitelist and select a network isolation mode.
Configure the Whitelist Name parameter.
Configure the IP Addresses parameter. You can enter the IP addresses or CIDR blocks that are used to access the RDS instance and click OK.
NoteIf you enter more than one IP address or CIDR block, you must separate these IP addresses or CIDR blocks with commas (,). Do not add spaces preceding or following the commas. Example:
192.168.0.1,172.16.213.9
.A maximum of 1,000 IP addresses and CIDR blocks can be configured for each RDS instance. If you want to enter a large number of IP addresses, we recommend that you merge the IP addresses into CIDR blocks, such as 10.10.10.0/24.
Optional. If a read-only RDS instance is attached to the RDS instance, configure the Synchronize Whitelist to Read-only Instance parameter to synchronize the IP address whitelists of the RDS instance to the read-only RDS instance. If multiple read-only RDS instances are attached to the RDS instance, you can select more than one read-only RDS instance for synchronization.
Optional. Click Add Internal IP Addresses of ECS Instances. In the dialog box that appears, view the IP addresses of all the ECS instances that are created within your Alibaba Cloud account. Then, add the IP addresses of the ECS instances that you want to connect to the IP address whitelist.
NoteIf the enhanced whitelist mode is enabled for the RDS instance, you must select a network isolation mode.
What to do next
Related operations
Operation | Description |
Queries the IP address whitelists of an instance. | |
Modifies an IP address whitelist of an instance. |