Configure an IP whitelist


To ensure the security and stability of Tair (Redis OSS-compatible) instances, access from all IP addresses to Tair (and open-source Redis) instances is blocked by default. Before you use a Tair (and open-source Redis) instance, you must add the IP address or IP address range of your client to the instance's whitelist. Maintain your whitelist regularly to keep access secure.

Whitelist configuration methods

  • Add to an IP whitelist
    Description: Add your client IP address to the instance whitelist.

  • Add a security group
    Description: A security group acts as a virtual firewall that controls inbound and outbound traffic for the ECS instances within it. Associate the ECS security group with your Tair instance to grant access to all ECS instances in the group without adding each IP individually.
    Use cases: Bulk add private and public IPs of ECS instances by using a security group

  • Configure an IP whitelist by using the Alibaba Cloud app (mobile)
    Description: The Alibaba Cloud app is the official mobile application from Alibaba Cloud that allows you to manage your cloud resources anytime, anywhere. You can use the Alibaba Cloud app to quickly configure an IP whitelist. You can also monitor cloud resources, stay updated on product news, and purchase cloud products.
    Use cases: Add VPC or public IPs via the mobile app

Note

Whitelist groups and ECS security groups can be used together. Both the IPs in whitelist groups and the ECS instances in added security groups can access the instance.

Add an ECS private IP to a whitelist

If your ECS and Tair instances are in the same VPC, connect over the VPC.

Note

If your ECS and Tair instances are in different VPCs, change the VPC of the ECS instance.

  1. Log on to the console and go to the Instances page. In the top navigation bar, select the region in which the instance that you want to manage resides. Then, find the instance and click the instance ID.

  2. In the left-side navigation pane, click Whitelist Settings.

  3. In the default whitelist group, click Modify.

    Note

    You can also click Add Whitelist to create a group. The name must be 2–32 characters: lowercase letters, digits, and underscores (_). It must start with a lowercase letter and end with a lowercase letter or a digit.

  4. For Add Method, select Import ECS Internal IP Address. This displays the private IPs of ECS instances in the same region.

    Hover over an IP address to view the ID and name of the associated ECS instance.

  5. Select the required IP addresses and move them to the box on the right.

  6. Click OK.

  7. Optional: To remove all IP addresses from a whitelist group, click Delete to the right of the target whitelist group.

    You cannot delete system-generated whitelist groups, such as default and hdm_security_ips.

Add a public IP to a whitelist

To connect from a local device or from an ECS instance in a different VPC, add the public IP address to a whitelist.

  1. Log on to the console and go to the Instances page. In the top navigation bar, select the region in which the instance that you want to manage resides. Then, find the instance and click the instance ID.

  2. In the navigation pane on the left, click Whitelist Settings.

  3. In the default whitelist group, click Modify.

    Note

    You can also click Add Whitelist to create a group. The name must be 2–32 characters: lowercase letters, digits, and underscores (_). It must start with a lowercase letter and end with a lowercase letter or a digit.

  4. For Add Method, select Add Manually.

  5. In the Whitelist text box, enter the IP addresses or CIDR blocks.

    How to find the public IP address of an ECS instance or a local device

    • ECS instance: See How do I find the IP address of an ECS instance?

    • Local device: Use the following commands to find your public IP:

      • Linux: Open a terminal and run the curl ifconfig.me command.

      • Windows: Open Command Prompt and run the curl ip.me command.

      • macOS: Open a terminal and run the curl ifconfig.me command.

    Separate multiple IP addresses with commas (,). Up to 1,000 unique addresses are supported. Formats:

    • A specific IP address, for example, 10.23.12.24.

    • A CIDR block in CIDR notation. For example, 10.23.12.0/24 represents the IP address range from 10.23.12.0 to 10.23.12.255. The prefix length must be an integer from 1 to 32.

    Warning

    Adding 0.0.0.0/0 allows access from any IP address, which poses a significant security risk. Use with caution.

  6. Click OK.

  7. Optional: To remove all IP addresses from a whitelist group, click Delete to the right of the target whitelist group.

    You cannot delete system-generated whitelist groups, such as default and hdm_security_ips.

Bulk add ECS IPs via security group

When multiple ECS instances need to access a Tair instance, you can add their ECS security group to the Tair instance's whitelist. Once added, the security group grants access to the Tair instance to all resources associated with it, through both their private and public IPs.

Note
  • This access control applies only to resources associated with the security group, such as ECS instances. It does not apply to CIDR blocks or IP addresses defined in security group rules.

  • The Tair instance must be compatible with Redis 4.0 (latest minor version) or a later major version. To upgrade the major version, see Upgrade the major version.

  1. Log on to the console and go to the Instances page. In the top navigation bar, select the region in which the instance that you want to manage resides. Then, find the instance and click the instance ID.

  2. In the navigation pane on the left, click Whitelist Settings.

  3. Click the Security Groups tab.

  4. On the Security Groups tab, click Add Security Group.

  5. In the dialog box that appears, select the security group that you want to add.

    You can perform a fuzzy search by Security Group Name or Security Group ID.

    Figure 3. Add Security Group

    Note

    You can add up to 10 security groups to each instance.

  6. Click OK.

  7. Optional: To remove all security groups, click Delete.

Configure a whitelist with the Alibaba Cloud app

  1. Download and install the Alibaba Cloud app by using one of the following methods:

  2. Log on to the Alibaba Cloud app.

  3. Open the Alibaba Cloud app. On the O&M page, in the My Resources section, find Tair (Redis OSS-compatible) and then tap Instance List.

  4. Tap the target instance. At the top of the page, tap Account & Whitelist.

  5. Perform one of the following operations based on your business needs:

    • To manually modify a whitelist, tap the more icon to the right of the target whitelist group, tap Modify, and then enter the IP whitelist.

    • To add a whitelist group, tap Add Whitelist Group at the bottom of the page and enter a group name and an IP whitelist.

    • To delete a whitelist group, tap the more icon to the right of the target whitelist group and select Delete.

API reference

  • DescribeSecurityIps: Queries the IP whitelist of an instance.

  • ModifySecurityIps: Modifies the IP whitelist of an instance.

  • DescribeSecurityGroupConfiguration: Queries the security groups that are configured in the whitelist of an instance.

  • ModifySecurityGroupConfiguration: Modifies the security groups in the whitelist of an instance.

FAQ

Why do I receive the error (error) ERR illegal address after connecting with redis-cli?

The client IP running redis-cli is not in the whitelist. Verify your whitelist configuration.

Missing security group settings

Security group settings are unavailable in the following cases:

  • The major version of the instance is earlier than Redis 4.0 (latest minor version). For more information, see Upgrade the major version.

  • The instance is a cloud-native cluster instance or a cloud-native read/write splitting instance. ECS security groups cannot be added as whitelists for these instances.

Security group rules ineffective

Symptom: You configured a security group rule to allow access from an IP address, such as 118.31.XX.XX, but requests from other IP addresses are still allowed.

Cause: The inbound and outbound traffic rules that you configure for a security group do not apply to Tair (and open-source Redis) instances. When you add a security group to a Tair (or open-source Redis) instance, you are granting access to all ECS instances within that security group over the VPC or the internet.

What do I do if I receive an error when I test a port by using telnet, such as Connection closed by foreign host?

The following error message is returned:

Escape character is '^]'.
Connection closed by foreign host.

This error occurs because the client's IP address is not in the instance's IP whitelist. To resolve this, add the IP address to the whitelist.

Auto-generated whitelist groups

Initially, an instance has only the default whitelist group. Other groups are added automatically when you perform certain operations.

  • default: This is the default whitelist group and cannot be deleted.

  • ali_dms_group: Automatically created when you log on through Data Management Service (DMS). Do not delete or modify this group, or DMS logon may fail.

  • hdm_security_ips: Automatically created by Database Autonomy Service (DAS) when you use CloudDBA features such as offline full key analysis. Do not delete or modify this group, or CloudDBA features may become unavailable.

Effect of 127.0.0.1

The 127.0.0.1 entry becomes invalid when you add any other client IP or security group to the whitelist. If 127.0.0.1 is the only entry in all whitelist groups, access from all IPs is denied.

Handling dynamic public IPs

If your local device has a dynamic public IP, add the corresponding CIDR block to the whitelist. For example, add 10.10.10.0/24 to cover all addresses from 10.10.10.0 to 10.10.10.255.

Warning

This approach reduces the security of your instance. Use it with caution.
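The whitelist format rules given in step 5 of "Add a public IP to a whitelist" (comma-separated IPv4 addresses or CIDR blocks, prefix length 1 to 32, at most 1,000 unique entries, 0.0.0.0/0 admitting everyone), the 127.0.0.1 rule above, and the /24 suggestion for dynamic public IPs can all be checked offline before a whitelist is submitted. The following script is an added example written for this page; it is not Alibaba Cloud's code and it does not call the Tair API. It models the rules exactly as the page states them; the function names, the "wide block" threshold and the sample group contents are assumptions made for the example, and the /0 handling accepts only the literal 0.0.0.0/0 the page warns about.

```python
"""Whitelist validation and client-IP coverage check for a Tair instance.

Added example for this page; not Alibaba Cloud's code and no API calls.
Rules modelled from the page:
  - entries are comma-separated IPv4 addresses or CIDR blocks, prefix 1-32
  - at most 1,000 unique entries
  - 0.0.0.0/0 admits every address (the page's warning case)
  - 127.0.0.1 stops counting once any other entry exists, and if it is the
    only entry across all groups no client is allowed
Function names, thresholds and sample group contents are assumptions.
"""
import ipaddress
from typing import Dict, List, Tuple

MAX_ENTRIES = 1000                               # limit stated on the page
ALLOW_ALL = ipaddress.IPv4Network("0.0.0.0/0")
LOOPBACK = ipaddress.IPv4Network("127.0.0.1/32")
WIDE_BLOCK_HOSTS = 256                           # assumed threshold for a "too broad" block


def parse_whitelist(text: str) -> List[ipaddress.IPv4Network]:
    """Parse one group's comma-separated whitelist string.

    Returns the unique networks in their original order and raises
    ValueError for any entry that violates the page's format rules.
    """
    nets: List[ipaddress.IPv4Network] = []
    for raw in text.split(","):
        entry = raw.strip()
        if not entry:
            continue                              # tolerate a trailing comma
        if "/" in entry:
            _, _, prefix = entry.partition("/")
            # prefix length must be 1-32; 0.0.0.0/0 is the one /0 the page mentions
            if entry != "0.0.0.0/0" and not (prefix.isdigit() and 1 <= int(prefix) <= 32):
                raise ValueError(f"prefix length must be an integer from 1 to 32: {entry!r}")
        # a bare address becomes a /32; strict=False normalises host bits (10.23.12.24/24)
        nets.append(ipaddress.IPv4Network(entry, strict=False))
    unique = list(dict.fromkeys(nets))
    if len(unique) > MAX_ENTRIES:
        raise ValueError(f"{len(unique)} unique entries exceed the limit of {MAX_ENTRIES}")
    return unique


def risk_findings(nets: List[ipaddress.IPv4Network]) -> List[str]:
    """Flag entries that grant far more access than a single client needs."""
    findings = []
    for net in nets:
        if net == ALLOW_ALL:
            findings.append(f"{net}: allows access from every IPv4 address")
        elif net.num_addresses > WIDE_BLOCK_HOSTS:
            findings.append(f"{net}: covers {net.num_addresses} addresses")
    return findings


def effective_entries(groups: Dict[str, str]) -> List[ipaddress.IPv4Network]:
    """Merge every whitelist group and apply the page's 127.0.0.1 rule.

    Dropping 127.0.0.1 covers both cases the page describes: with other
    entries present it is ignored, and on its own it admits nobody.
    """
    merged: List[ipaddress.IPv4Network] = []
    for text in groups.values():
        merged.extend(parse_whitelist(text))
    return [net for net in dict.fromkeys(merged) if net != LOOPBACK]


def is_allowed(client_ip: str, groups: Dict[str, str]) -> Tuple[bool, str]:
    """Return (allowed, matching entry) for a client address.

    A False result is the situation behind the page's
    '(error) ERR illegal address' and 'Connection closed by foreign host' FAQs.
    """
    addr = ipaddress.IPv4Address(client_ip)
    for net in effective_entries(groups):
        if addr in net:
            return True, str(net)
    return False, ""


def covering_block(client_ip: str, prefixlen: int = 24) -> str:
    """CIDR block to add for a client with a dynamic public IP (the page's /24 example)."""
    return str(ipaddress.IPv4Network(f"{client_ip}/{prefixlen}", strict=False))


if __name__ == "__main__":
    # Constructed sample: the two system groups named on the page plus a manual group.
    sample_groups = {
        "default": "127.0.0.1",
        "ali_dms_group": "10.23.12.0/24",
        "ops": "203.0.113.77, 10.0.0.0/8",
    }
    for name, text in sample_groups.items():
        for finding in risk_findings(parse_whitelist(text)):
            print(f"[{name}] {finding}")
    for ip in ("10.23.12.24", "127.0.0.1", "198.51.100.9"):
        print(ip, is_allowed(ip, sample_groups))
    print("covering block for 203.0.113.77:", covering_block("203.0.113.77"))
```

Run is_allowed with the client address you would connect from before troubleshooting the redis-cli or telnet errors in the FAQ; risk_findings is a useful pre-commit check on any whitelist string that is about to be pushed through the console or ModifySecurityIps, because a /0 or a very wide block is easy to miss inside a long comma-separated list.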

Ping or telnet succeeds

Tair (Redis OSS-compatible) validates connections during authentication, not at the network layer. A successful ping or telnet only confirms network reachability, not a successful connection.

Persistent connection after IP removal

  • Connection persistence: Whitelist changes apply only to new connections. Existing long-lived connections (connection pools, persistent sessions) remain active until disconnected. To block a client immediately, remove its IP from the whitelist and restart the client application.

  • VPC Password-free Access: If VPC Password-free Access is enabled, clients in the same VPC may connect without being in the whitelist. Enforce whitelist checks by setting the parameter #no_loose_check-whitelist-always to yes.

  • Conflicting security group policies: Check whether a security group still grants the IP address access to the instance.