17.5.1 IP Address Whitelisting

The Group Replication plugin has a configuration option that determines from which hosts an incoming Group Communication connection can be accepted. This option is called group_replication_ip_whitelist. If you set this option on a server s1, then when server s2 establishes a connection to s1 to engage in group communication, s1 first checks the whitelist before accepting the connection from s2. If s2 is in the whitelist, s1 accepts the connection; otherwise s1 rejects the connection attempt by s2.


If you do not configure a whitelist explicitly, the server automatically sets the whitelist to the private networks that the server has a network interface on. This means that a server, even if it has interfaces on public IPs, does not by default allow connections from external hosts.

Whenever the IP whitelist is set to AUTOMATIC, an entry similar to the following can be emitted in the error log:

2016-07-07T06:40:49.320686Z 4 [Note] Plugin group_replication reported: 'Added automatically \\ IP ranges,, to the whitelist'

You can improve the security of the group further by manually setting the list of IP addresses from which group communication connections are permitted. The list can be specified in CIDR notation or as simple IP addresses. A comma must separate each entry. For example:

mysql> SET GLOBAL group_replication_ip_whitelist=",,";

The localhost IP address is always added to the whitelist. If it is not added explicitly, it is added implicitly and automatically.
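The following is an added example, not code from the MySQL documentation or the plugin: a small model of the acceptance rule described in this section, useful for checking a proposed whitelist value against the group's member addresses before setting it. The function names are hypothetical, all addresses are constructed, and the model assumes IPv4 only and treats "private" as the RFC 1918 ranges plus loopback.

```python
import ipaddress

# Assumption of this model: "private" means RFC 1918 ranges plus loopback.
PRIVATE = [ipaddress.IPv4Network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
LOCALHOST = ipaddress.IPv4Network("127.0.0.1/32")


def parse_whitelist(value):
    """Parse a comma-separated list of CIDR ranges or simple IPv4 addresses."""
    nets = []
    for entry in value.split(","):
        entry = entry.strip()
        if not entry:
            raise ValueError("empty entry in whitelist")
        # strict=False tolerates host bits in a CIDR entry (model choice).
        nets.append(ipaddress.IPv4Network(entry, strict=False))
    # The section states that localhost is always added, explicitly or not.
    if not any(LOCALHOST.subnet_of(n) for n in nets):
        nets.append(LOCALHOST)
    return nets


def is_accepted(peer, nets):
    """True if a connection from `peer` matches any whitelist entry."""
    addr = ipaddress.IPv4Address(peer)
    return any(addr in n for n in nets)


def audit(value, members):
    """Report members that would be rejected and entries outside PRIVATE."""
    nets = parse_whitelist(value)
    return {
        "rejected_members": [m for m in members if not is_accepted(m, nets)],
        "non_private_entries": [str(n) for n in nets
                                if not any(n.subnet_of(p) for p in PRIVATE)],
    }


if __name__ == "__main__":
    # Constructed sample values, not taken from the page.
    members = ["192.168.1.10", "10.0.0.5", "10.0.0.6"]
    print(audit("192.168.1.0/24,10.0.0.5", members))
    print(audit("203.0.113.0/24,192.168.1.17", members))
```

A non-empty rejected_members list means at least one group member would be refused by a server using that value; a non-empty non_private_entries list marks entries that widen the whitelist beyond what the automatic default would allow.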

