
ApsaraDB for MongoDB: Modify a whitelist for an instance

Last Updated: May 12, 2025

This topic describes how to modify an IP address whitelist for an ApsaraDB for MongoDB instance. Only devices whose IP addresses are in the IP address whitelists of the instance are allowed to access the instance. The default IP address whitelist contains only the IP address 127.0.0.1, which indicates that no devices can connect to the instance. Properly configured IP address whitelists improve the access security of ApsaraDB for MongoDB instances. We recommend that you maintain the IP address whitelists of your instance on a regular basis.

Prerequisites

When you add an Elastic Compute Service (ECS) security group, make sure that the ApsaraDB for MongoDB instance has the same network type as the ECS instances in the ECS security group. If both the ApsaraDB for MongoDB instance and ECS instances are of the virtual private cloud (VPC) type, make sure that the two instances reside in the same VPC.

Background information

  • Before using an ApsaraDB for MongoDB instance for the first time, add an IP address whitelist to the instance.

  • After the IP address whitelist is added, the instance endpoint is displayed on the Basic Information and Database Connections pages of the instance.

Procedure

  1. Log on to the ApsaraDB for MongoDB console.

  2. In the left-side navigation pane, click Replica Set Instances or Sharded Cluster Instances.

  3. In the upper-left corner of the page, select the resource group and region to which the desired instance belongs.

  4. Click the ID of the instance whose whitelist you want to modify or click Manage in the Actions column.

  5. In the left-side navigation pane of the page that appears, choose Data Security > Whitelist Settings.

  6. In the Whitelist Settings section, select one of the following methods to modify the whitelist for the instance:

    Manually modify a whitelist

    1. Find the whitelist that you want to manage and click Modify in the Actions column.

    2. In the IP Whitelist field of the Manually Modify panel, enter an IP address or a CIDR block.

      • An IP address or a CIDR block can be specified in one of the following formats:

        • A single IP address. Example: 10.23.12.24.

        • 0.0.0.0/0

          Warning

          If you specify only 0.0.0.0/0 in a whitelist, the instance can be accessed by all IP addresses. This exposes instance databases to high security risks. Exercise caution when you specify only this IP address in a whitelist.

        • A CIDR block. For more information about CIDR blocks, see FAQ. Example: 10.23.12.24/24. 24 indicates that the prefix of the CIDR block is 24 bits in length. You can replace 24 with a value within the range of 1 to 32.

      • Separate multiple IP addresses with commas (,).

    3. Click OK.

    Load the internal IP addresses of ECS instances

    1. Find the whitelist that you want to manage and click Add Internal IP Addresses of ECS Instances in the Actions column.

    2. In IP Whitelist of the Import ECS Intranet IP panel, select the ECS internal IP address to be added.

    3. Click Add.

    4. Click OK.
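The entry formats listed for the IP Whitelist field can be checked before a list is pasted into the console. The following JavaScript is an added example, not Alibaba Cloud code; the function names and the `BROAD_PREFIX` review threshold are assumptions, and the sample list is constructed from the example values on this page.

```javascript
// Added example, not vendor code. BROAD_PREFIX is an assumed review threshold.
const BROAD_PREFIX = 16;

// Dotted-quad IPv4 -> unsigned 32-bit integer, or null if malformed.
function ipToInt(ip) {
  const parts = ip.split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

function intToIp(n) {
  return [24, 16, 8, 0].map((s) => Math.floor(n / 2 ** s) % 256).join(".");
}

// Classify one whitelist entry: { entry, level, note }.
function auditEntry(entry) {
  const parts = entry.split("/");
  const addr = ipToInt(parts[0]);
  if (addr === null || parts.length > 2)
    return { entry, level: "error", note: "not an IPv4 address or CIDR block" };
  if (parts.length === 1)
    return entry === "127.0.0.1"
      ? { entry, level: "info", note: "default entry: no device can connect" }
      : { entry, level: "ok", note: "single address" };
  if (entry === "0.0.0.0/0")
    return { entry, level: "critical", note: "all IP addresses can access the instance" };
  const prefix = Number(parts[1]);
  if (!/^\d{1,2}$/.test(parts[1]) || prefix < 1 || prefix > 32)
    return { entry, level: "error", note: "prefix must be 1 to 32" };
  const size = 2 ** (32 - prefix);
  const first = addr - (addr % size);
  const range = `${intToIp(first)}-${intToIp(first + size - 1)}`;
  if (prefix < BROAD_PREFIX) return { entry, level: "warn", note: `broad block ${range}` };
  if (first !== addr) return { entry, level: "info", note: `host bits set; covers ${range}` };
  return { entry, level: "ok", note: `covers ${range}` };
}

// Entries are separated with commas, as the console expects.
function auditWhitelist(text) {
  return text.split(",").map((e) => auditEntry(e.trim()));
}

// Constructed sample list using the page's example values.
console.log(auditWhitelist("10.23.12.24, 10.23.12.24/24, 0.0.0.0/0, 10.0.0.0/8"));
```

The `info` result for 10.23.12.24/24 shows that the entry admits the whole range 10.23.12.0 to 10.23.12.255, not only the address written before the slash.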

FAQ

Why am I unable to connect to my ApsaraDB for MongoDB instance after I add the public IP address of my local machine to a whitelist of the instance?

The connection may fail because the public IP address that you added is incorrect. Perform the following steps to query the public IP address of your local machine:

  1. Add the IP address 0.0.0.0/0 to a whitelist of the ApsaraDB for MongoDB instance.

    Warning

    If you add 0.0.0.0/0 to the whitelist, all servers are granted access to the ApsaraDB for MongoDB instance. This may raise security risks. Exercise caution when you add 0.0.0.0/0 to a whitelist. If you use the IP address 0.0.0.0/0, remove the IP address from the whitelist at the earliest opportunity to ensure access security.

  2. Use the mongo shell to connect to the ApsaraDB for MongoDB instance.

    If you still cannot connect to the instance after you add the IP address 0.0.0.0/0 to the whitelist, you can use DMS to connect to the instance and check whether the account password and authentication database are correct.

  3. Run the following command to query information about the client from which you logged on by using the mongo shell:

    db.currentOp({"appName" : "MongoDB Shell","active" : true})

    The following figure shows an example. [Figure: client IP address query]

    Note

    If you use other methods to log on to the instance, you can run the following command to query information about all clients:

    db.runCommand({currentOp: 1, "active" : true})

  4. Add the IP address returned by the preceding command to the whitelist and then remove the IP address 0.0.0.0/0 from the whitelist.
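Steps 3 and 4 can be scripted once the `currentOp` output is saved. The following JavaScript is an added example, not part of the original procedure: the `currentOp` document is constructed sample data, the function names are assumptions, and the code reads the `client` field (`IP:port`) of each operation.

```javascript
// Added example; the currentOp document below is constructed sample data.
const sampleCurrentOp = {
  inprog: [
    { opid: 101, active: true, appName: "MongoDB Shell", client: "203.0.113.45:51234" },
    { opid: 102, active: true, appName: "MongoDB Shell", client: "203.0.113.45:51240" },
    { opid: 103, active: true, desc: "ReplBatcher" }, // internal op, no client field
    { opid: 104, active: true, appName: "app", client: "127.0.0.1:40022" },
  ],
  ok: 1,
};

// Distinct client IPs taken from the "client" field ("IP:port"), skipping
// internal operations and loopback connections.
function clientIps(currentOp) {
  const ips = new Set();
  for (const op of currentOp.inprog || []) {
    if (typeof op.client !== "string") continue;
    const i = op.client.lastIndexOf(":");
    const ip = i > 0 ? op.client.slice(0, i) : op.client;
    if (ip && !ip.startsWith("127.")) ips.add(ip);
  }
  return [...ips];
}

// Step 4: add the observed addresses and drop 0.0.0.0/0 in the same change.
// Refuses to run with no observed address so the list is never emptied by accident.
function tightenWhitelist(whitelistText, ips) {
  if (ips.length === 0) throw new Error("no client address observed; whitelist unchanged");
  const kept = whitelistText.split(",").map((e) => e.trim())
    .filter((e) => e && e !== "0.0.0.0/0");
  return [...new Set([...kept, ...ips])].join(",");
}

console.log(tightenWhitelist("0.0.0.0/0, 10.23.12.24", clientIps(sampleCurrentOp)));
```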

Why can't I connect to my instance even though the whitelist settings are correct?

Check whether the current network environment and instance endpoint are correct. ApsaraDB for MongoDB supports both private and public endpoints. The endpoint used for connections varies based on the current network environment.

For more information, see Connection and network.

How do I configure an instance whitelist if my client IP address dynamically changes?

If your client IP address is not fixed, you can connect to your instance by using an SSL-VPN tunnel, or add the CIDR block of your client to an instance whitelist.

Important

If you add the CIDR block of your client to an instance whitelist, you must minimize the range of the CIDR block based on your actual business requirements to reduce security risks.