---
Title: Configure security
URL Source: https://company-skill.com/p/rds/rds-configure-security
Language: en
Description: You want to secure your ApsaraDB RDS instance by configuring IP whitelists, enabling SSL/TLS encryption, managing security groups, or setting up data protection features like TDE or column-level…
---

# Configure security

Part of **ApsaraDB RDS**. Route queries via `POST https://company-skill.com/api/route`.

## What You Want to Do

You want to secure your ApsaraDB RDS instance by configuring IP whitelists, enabling SSL/TLS encryption, managing security groups, or setting up data protection features like TDE or column-level encryption.

**Typical User Questions**:
- How do I configure IP whitelists?
- Can I manage security groups for RDS?

## Decision Tree

Pick the best path for your situation:

- **If** you need to call `ModifySecurityIps` or `ModifyDBInstanceSSL` programmatically to manage **multiple instances** or integrate with CI/CD → Use API (go to *rds/rds-security*)
- **If** you are performing a **one-time configuration** using a graphical interface and prefer clicking through menus like **Whitelist and SecGroup** or **SSL Encryption** → Use (go to *rds/rds-security-general*)
- **If** your task involves **dynamic IP updates** (e.g., auto-scaling app servers adding/removing IPs) → Use API (go to *rds/rds-security*)
- **Otherwise (default)** → — it’s simpler for ad-hoc tasks and doesn’t require coding.

## Path Comparison

| Path | Best For | Complexity | Code Required | Automation | Key Fact | Detail Skill |
|------|----------|------------|---------------|------------|----------|-------------|
| API | medium | Yes | Yes | Billing: IP1000 | `rds/api/rds-security` |
| Console / Dashboard | low | No | No | Billing: SSLSQL | `rds/guide/rds-security-general` |

## Path Details

### Path 1: API

**Brief Description**: ApsaraDB RDSREST API management of security settings, including IP whitelists via `ModifySecurityIps`, SSL/TLS encryption via `ModifyDBInstanceSSL`, and network discovery via `DescribeVSwitches`. Key parameters include `SecurityIps`, `SSLEnabled`, `CAType`, `ServerCert`, `ServerKey`, and `ClientCAEnabled`.

**Key technical facts**:
- Billing: APIIP1000

- 1-65535
- MySQL5.78.020240731
- APIAPI100 QPS

### Path 2: Console / Dashboard
**Brief Description**: The ApsaraDB RDS console offers a graphical interface under sections like **Whitelist and SecGroup**, **SSL Encryption**, **Security Settings**, and **Data Security** to configure IP whitelists, enable **TDE**, define **Column Encryption Rules**, activate **SQL Audit**, and apply **Sensitive Data Protection** policies.

**Key technical facts**:
- Billing: SSLSQL0.008/(GB*)

## FAQ

Q: Which path should I start with?
A: Start with if you're configuring a single instance once. Use the API only if you need to automate across multiple instances or integrate with external systems.

Q: What if I need to update IP whitelists daily based on changing app server IPs but used the console?
A: You’ll have to manually re-enter IPs every time — there’s no way to script or auto-sync changes via the console, leading to operational overhead and potential security gaps.

Q: What if I try to enable disk encryption after creating an RDS instance using either path?
A: You’ll hit a hard limitation: ****, regardless of path. This must be configured at instance creation time.

Q: Can I use the API to switch to Enhanced Whitelist Mode?
A: Yes — via the `ModifyMode` parameter in `ModifySecurityIps`, but note that once switched, the change is irreversible (as noted in both paths’ limitations).

Q: If I need SQL Audit in Frankfurt but chose the console path, will it work?
A: No — **SQL**, so it won’t appear or function in unsupported regions like Frankfurt, even in the console.

Q: Does the API support all the same security features as the console?
A: Mostly, but some UI-only features (like guided **Sensitive Data Protection** setup) may not have direct API equivalents. Always check the detail skill for coverage.

## Related queries

configure database security, set up IP whitelist, enable SSL encryption, manage RDS security groups, switch to enhanced whitelist mode, RAM authorization for RDS, network access control, bulk configure IP whitelists, how to configure IP whitelist, can I manage security groups for RDS, how to enable

---
Part of [ApsaraDB RDS](https://company-skill.com/p/rds.md) · https://company-skill.com/llms.txt