This topic describes how to configure security groups for DataWorks workspaces in different regions.

If you use a user-created data store deployed on Elastic Compute Service (ECS) instances, you must configure a security group to ensure that connections to the data store succeed.

Before using a data store, you must add the IP addresses or Classless Inter-Domain Routing (CIDR) blocks that you use to access the data store to a whitelist of the instance where the data store resides. This improves security and stability of the database. For more information, see Configure a whitelist.

Determine the security group rule to be configured

  • If sync nodes for a user-created data store deployed on your ECS instances run on a custom resource group, add internal or public IP addresses and ports of ECS instances on the custom resource group to your security group.
  • If sync nodes for a user-created data store deployed on your ECS instances run on the default resource group, you must authorize the default resource group to access your ECS instances. For example, if your ECS instances reside in the China (Beijing) region, you must add the authorization object sg-2ze3236e8pcbxw61o9y0 and account ID 1156529087455811 to your security group, as described in the following table. In addition, you can add connections for the data store only in the China (Beijing) region.
    Region                Security group             Account ID
    China (Hangzhou)      sg-bp13y8iuj33uqpqvgqw2    1156529087455811
    China (Shanghai)      sg-uf6ir5g3rlu7thymywza    1156529087455811
    China (Shenzhen)      sg-wz9ar9o9jgok5tajj7ll    1156529087455811
    Singapore             sg-t4n222njci99ik5y6dag    1156529087455811
    China (Hong Kong)     sg-j6c28uqpqb27yc3tjmb6    1156529087455811
    US (Silicon Valley)   sg-rj9bowpmdvhyl53lza2j    1156529087455811
    US (Virginia)         sg-0xienf2ak8gs0puz68i9    1156529087455811
    China (Beijing)       sg-2ze3236e8pcbxw61o9y0    1156529087455811
    Note: The default resource group uses IP addresses on classic networks. If your ECS instances reside in a Virtual Private Cloud (VPC), you cannot add the preceding information to your security group because the network types differ.

Configure a security group for ECS instances

  1. Log on to the ECS console.
  2. In the left-side navigation pane, choose Network & Security > Security Groups. Select the target region.
  3. Find the security group for which you want to add an authorization rule, and click Add Rules in the Actions column.
  4. On the Security Group Rules page, click the Inbound tab and then click Add Security Group Rule in the upper-right corner.
  5. In the Add Security Group Rule dialog box that appears, set the parameters.
  6. Click OK.
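
After the rule is added, the inbound rules of the security group can be checked against the table above. The following check is an added example, not part of the original documentation: it flags a missing rule, an authorization object from the wrong region, and a port range wider than the data store port. It assumes rules exported as dictionaries with the field names of the ECS DescribeSecurityGroupAttribute response (Direction, Policy, PortRange, SourceGroupId, SourceGroupOwnerAccount); the function names, the sample rules and port 3306 are constructed for illustration.

```python
# Added example. Authorization objects and account ID are copied from the table on this page.
DEFAULT_GROUP = {
    "China (Hangzhou)": "sg-bp13y8iuj33uqpqvgqw2",
    "China (Shanghai)": "sg-uf6ir5g3rlu7thymywza",
    "China (Shenzhen)": "sg-wz9ar9o9jgok5tajj7ll",
    "Singapore": "sg-t4n222njci99ik5y6dag",
    "China (Hong Kong)": "sg-j6c28uqpqb27yc3tjmb6",
    "US (Silicon Valley)": "sg-rj9bowpmdvhyl53lza2j",
    "US (Virginia)": "sg-0xienf2ak8gs0puz68i9",
    "China (Beijing)": "sg-2ze3236e8pcbxw61o9y0",
}
ACCOUNT_ID = "1156529087455811"

def port_span(port_range):
    """Parse 'start/end'; '-1/-1' means every port."""
    lo, hi = (int(p) for p in port_range.split("/"))
    return (1, 65535) if lo == -1 else (lo, hi)

def audit(region, in_vpc, port, rules):
    """Return findings for one security group; an empty list means it matches the page."""
    if region not in DEFAULT_GROUP:
        return [f"{region}: no default resource group entry in the table"]
    if in_vpc:
        return ["instance is in a VPC: the classic-network default resource group cannot be authorized"]
    expected, findings, ok = DEFAULT_GROUP[region], [], False
    for r in rules:
        src = r.get("SourceGroupId")
        if r.get("Direction") != "ingress" or r.get("Policy", "").lower() != "accept" or not src:
            continue  # only inbound accept rules that authorize a security group matter here
        if src == expected and r.get("SourceGroupOwnerAccount") == ACCOUNT_ID:
            lo, hi = port_span(r["PortRange"])
            if lo <= port <= hi:
                ok = True
                if (lo, hi) != (port, port):
                    findings.append(f"rule for {src} opens {lo}-{hi}, wider than port {port}")
        elif src in DEFAULT_GROUP.values():
            findings.append(f"{src} does not match the {region} entry ({expected}, account {ACCOUNT_ID})")
    if not ok:
        findings.append(f"missing inbound rule for {expected} (account {ACCOUNT_ID}) on port {port}")
    return findings

# Constructed sample: classic-network instance in China (Beijing), data store on port 3306.
SAMPLE = [
    {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "TCP", "PortRange": "1/65535",
     "SourceGroupId": "sg-2ze3236e8pcbxw61o9y0", "SourceGroupOwnerAccount": ACCOUNT_ID},
    {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "TCP", "PortRange": "3306/3306",
     "SourceGroupId": "sg-bp13y8iuj33uqpqvgqw2", "SourceGroupOwnerAccount": ACCOUNT_ID},
]
print("\n".join(audit("China (Beijing)", False, 3306, SAMPLE)))
```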