Configure a whitelist

Prerequisites

If you configured the network connection between the resource group for Data Integration and data source, but the resource group still cannot access the data source, the data source may be configured with a whitelist that denies access from some IP addresses. In this case, you must add the IP address or CIDR block of the resource group to the whitelist of the data source.

Background information

If a resource group for Data Integration is connected to the data source that you want to access as described in Select a network connectivity solution, but the resource group still cannot access the data source, the data source may be configured with a whitelist that denies access from some IP addresses. In this case, you must obtain and add the IP address or CIDR block of the resource group to the whitelist of the data source.

Add the EIP or CIDR block of an exclusive resource group for Data Integration to the whitelist of a data source

• If you want to use an exclusive resource group for Data Integration to run a node to synchronize data from a data source over a VPC, add the CIDR block of the vSwitch to which the exclusive resource group is bound to the whitelist of the data source. To obtain and add the CIDR block of the vSwitch to which the resource group is bound to the whitelist of the data source, perform the following operations:
  On the Exclusive Resource Groups tab of the DataWorks console, find the desired exclusive resource group for Data Integration and click Network Settings in the Actions column to view the CIDR block to which the resource group is bound. Then, add the CIDR block to the whitelist of the data source.
• If you want to use an exclusive resource group for Data Integration to run a node to synchronize data from a data source over the Internet, add the EIP of the exclusive resource group to the whitelist of the data source. To obtain and add the EIP of the exclusive resource group for Data Integration to the whitelist of the data source, perform the following operations:
  On the Exclusive Resource Groups tab of the DataWorks console, find the exclusive resource group for Data Integration whose EIP you want to view and click View Information in the Actions column. In the Exclusive Resource Groups dialog box, copy the EIP. Then, add the copied EIP to the whitelist of the data source.
  Note If you upgrade the configuration of the exclusive resource group for Data Integration, you must check whether the EIP of the resource group changes. If the EIP of the resource group changes, add the new EIP to the whitelist of the data source after the configuration upgrade. This ensures the normal running of your synchronization node.

Add the IP addresses or CIDR blocks of the servers in the region where the DataWorks workspace resides to the whitelist of a data source

To allow the shared resource group for Data Integration to access a data source, you must add the IP addresses or CIDR blocks of the servers in the region where the DataWorks workspace resides to the whitelist of the data source. To view and add the IP addresses or CIDR blocks of the servers in a region to the whitelist of the data source, perform the following steps:

1. Log on to the DataWorks console as a developer.
2. In the left-side navigation pane, click Workspaces.
3. In the top navigation bar, select the region where the desired workspace resides.
4. View the IP addresses or CIDR blocks based on the selected region and add them to the whitelist of the data source that you want to access.

   Region	CIDR block or IP address
   China (Hangzhou)	100.64.0.0/10,11.193.102.0/24,11.193.215.0/24,11.194.110.0/24,11.194.73.0/24,118.31.157.0/24,47.97.53.0/24,11.196.23.0/24,47.99.12.0/24,47.99.13.0/24,114.55.197.0/24,11.197.246.0/24,11.197.247.0/24
   China (Shanghai)	11.193.109.0/24,11.193.252.0/24,47.101.107.0/24,47.100.129.0/24,106.15.14.0/24,10.117.28.203,10.143.32.0/24,10.152.69.0/24,10.153.136.0/24,10.27.63.15,10.27.63.38,10.27.63.41,10.27.63.60,10.46.64.81,10.46.67.156,11.192.97.0/24,11.192.98.0/24,11.193.102.0/24,11.218.89.0/24,11.218.96.0/24,11.219.217.0/24,11.219.218.0/24,11.219.219.0/24,11.219.233.0/24,11.219.234.0/24,118.178.142.154,118.178.56.228,118.178.59.233,118.178.84.74,120.27.160.26,120.27.160.81,121.43.110.160,121.43.112.137,100.64.0.0/10,10.117.39.238
   China (Shenzhen)	100.106.46.0/24,100.106.49.0/24,10.152.27.0/24,10.152.28.0/24,11.192.91.0/24,11.192.96.0/24,11.193.103.0/24,100.64.0.0/10,120.76.104.0/24,120.76.91.0/24,120.78.45.0/24,47.106.63.0/26,47.106.63.128/26,47.106.63.192/26,47.106.63.64/26
   China (Chengdu)	11.195.52.0/24,11.195.55.0/24,47.108.22.0/24,100.64.0.0/10
   China (Zhangjiakou)	11.193.235.0/24,47.92.22.0/24,100.64.0.0/10
   China (Hong Kong)	10.152.162.0/24,11.192.196.0/24,11.193.11.0/24,100.64.0.0/10,47.89.61.0/24,47.91.171.0/24,11.193.118.0/24,47.75.228.0/24,47.56.45.0/25,47.244.92.128/25,47.101.109.0/24
   Singapore (Singapore)	100.106.10.0/24,100.106.35.0/24,10.151.234.0/24,10.151.238.0/24,10.152.248.0/24,11.192.153.0/24,11.192.40.0/24,11.193.8.0/24,100.64.0.0/10,47.88.147.0/24,47.88.235.0/24,11.193.162.0/24,11.193.163.0/24,11.193.220.0/24,11.193.158.0/24,47.74.162.0/24,47.74.203.0/24,47.74.161.0/24,11.197.188.0/24
   Australia (Sydney)	11.192.100.0/24,11.192.134.0/24,11.192.135.0/24,11.192.184.0/24,11.192.99.0/24,100.64.0.0/10,47.91.49.0/24,47.91.50.0/24,11.193.165.0/24,47.91.60.0/24
   China (Beijing)	100.106.48.0/24,10.152.167.0/24,10.152.168.0/24,11.193.50.0/24,11.193.75.0/24,11.193.82.0/24,11.193.99.0/24,100.64.0.0/10,47.93.110.0/24,47.94.185.0/24,47.95.63.0/24,11.197.231.0/24,11.195.172.0/24,47.94.49.0/24,182.92.144.0/24
   US (Silicon Valley)	10.152.160.0/24,100.64.0.0/10,47.89.224.0/24,11.193.216.0/24,47.88.108.0/24
   US (Virginia)	47.88.98.0/26,47.88.98.64/26,47.88.98.128/26,47.88.98.192/26,47.252.91.0/26,47.252.91.64/26,47.252.91.128/26,47.252.91.192/26,10.128.134.0/24,11.193.203.0/24,11.194.68.0/24,11.194.69.0/24,100.64.0.0/10
   Malaysia (Kuala Lumpur)	11.193.188.0/24,11.221.205.0/24,11.221.206.0/24,11.221.207.0/24,100.64.0.0/10,11.214.81.0/24,47.254.212.0/24,11.193.189.0/24
   Germany (Frankfurt)	11.192.116.0/24,11.192.168.0/24,11.192.169.0/24,11.192.170.0/24,11.193.106.0/24,100.64.0.0/10,11.192.116.14,11.192.116.142,11.192.116.160,11.192.116.75,11.192.170.27,47.91.82.22,47.91.83.74,47.91.83.93,47.91.84.11,47.91.84.110,47.91.84.82,11.193.167.0/24,47.254.138.0/24
   Japan (Tokyo)	100.105.55.0/24,11.192.147.0/24,11.192.148.0/24,11.192.149.0/24,100.64.0.0/10,47.91.12.0/24,47.91.13.0/24,47.91.9.0/24,11.199.250.0/24,47.91.27.0/24,11.59.59.0/24,47.245.51.128/26,47.245.51.192/26,47.91.0.128/26,47.91.0.192/26
   UAE (Dubai)	11.192.107.0/24,11.192.127.0/24,11.192.88.0/24,11.193.246.0/24,47.91.116.0/24,100.64.0.0/10
   India (Mumbai)	11.194.10.0/24,11.246.70.0/24,11.246.71.0/24,11.246.73.0/24,11.246.74.0/24,100.64.0.0/10,149.129.164.0/24,11.194.11.0/24,11.59.62.0/24,147.139.23.0/26,147.139.23.128/26,147.139.23.64/26,149.129.165.192/26
   UK (London)	11.199.93.0/24,100.64.0.0/10
   Indonesia (Jakarta)	11.194.49.0/24,11.200.93.0/24,11.200.95.0/24,11.200.97.0/24,100.64.0.0/10,149.129.228.0/24,10.143.32.0/24,11.194.50.0/24,11.59.135.0/24,147.139.156.0/26,147.139.156.128/26,147.139.156.64/26,149.129.230.192/26
   China North 2 Ali Gov 1	11.194.116.0/24,100.64.0.0/10,39.107.188.202 If access is still denied after the preceding IP addresses and CIDR blocks are added, add the following IP addresses and CIDR blocks: 11.194.116.160,11.194.116.161,11.194.116.162,11.194.116.163,11.194.116.164,11.194.116.165,11.194.116.167,11.194.116.169,11.194.116.170,11.194.116.171,11.194.116.172,11.194.116.173,11.194.116.174,11.194.116.175,39.107.188.0/24.
   China East 2 Finance	140.205.46.128/25,140.205.48.0/25,140.205.48.128/25,140.205.49.0/25,140.205.49.128/25,11.192.156.0/25,11.192.157.0/25,11.192.164.0/25,11.192.165.0/25,11.192.166.0/25,11.192.167.0/25,106.11.245.0/26,106.11.245.128/26,106.11.245.192/26,106.11.245.64/26,140.205.39.0/24,106.11.225.0/24,106.11.226.0/24,106.11.227.0/24,106.11.242.0/24,100.104.8.0/24

Add the private or public IP addresses of the servers in the custom resource group for Data Integration to the whitelist of a data source

To allow a custom resource group for Data Integration to access a data source, you must add the private or public IP addresses of the servers in the custom resource group to the whitelist of the data source.

Precautions for configuring a whitelist

In this section, ApsaraDB RDS is used to demonstrate the precautions for configuring a whitelist. Before you add the IP address or CIDR block of a resource group for Data Integration to a whitelist of an ApsaraDB RDS instance, you must take note of the following items:

ApsaraDB RDS supports standard whitelists and enhanced whitelists. The IP address whitelist that you configured for the RDS instance may affect the connectivity between the resource group for Data Integration and an RDS database.

• If you configure a standard IP address whitelist for the RDS instance, the following situations occur:
  • You can add IP addresses from both the classic network and VPCs to the same IP address whitelist.
  • You can use the same IP address whitelist regardless of whether you use the shared resource group for Data Integration, an exclusive resource group for Data Integration, or a custom resource group for Data Integration.
    Note The IP addresses in a standard IP address whitelist are granted access to your RDS instance over both the classic network and VPCs.
• If you configure an enhanced IP address whitelist for the RDS instance, the following situations occur:
  • You must add IP addresses from the classic network and VPCs to different IP address whitelists.
    Note You must specify the network isolation mode of each enhanced IP address whitelist. For example, if the Network Type Allowed for Instance Access parameter is set to Classic Network/Public IP for an IP address whitelist, the IP addresses in the IP address whitelist are granted access to your RDS instance only over the classic network. In this case, you cannot connect to your RDS instance over VPCs from these IP addresses.
  • If you use an exclusive resource group for Data Integration to access the RDS database over a VPC, the IP address whitelist of the VPC type is used.
  • If you use the shared resource group for Data Integration to access an ApsaraDB RDS for MySQL instance that resides in a VPC, the IP address whitelist of the VPC type is used.
  • If you access the RDS database over a public endpoint, the IP address whitelist of the classic network type is used.
• If you switch the network isolation mode of an ApsaraDB RDS instance from the standard whitelist mode to the enhanced whitelist mode, the following situations occur:

  The system generates two copies of the standard IP address whitelist and uses one copy as the enhanced IP address whitelist of the VPC type and the other copy as the enhanced IP address whitelist of the classic network type.

Other precautions for configuring a whitelist:

• IP address whitelists do not interrupt the workloads on your RDS instance.
• The IP address whitelist labeled default can be cleared, but cannot be deleted.
• Do not modify or delete the IP address whitelists that are automatically generated for other Alibaba Cloud services. If you delete these IP address whitelists, the related Alibaba Cloud services cannot connect to your RDS instance. For example, if you delete an IP address whitelist ali_dms_group that is generated for Data Management (DMS) or an IP address whitelist hdm_security_ips that is generated for Database Autonomy Service (DAS), DMS and DAS cannot access your RDS instance.
  Note We recommend that you create an IP address whitelist that is independent of other whitelists for DataWorks.
• The IP address whitelist labeled default contains only 127.0.0.1. This indicates that no IP addresses can access your RDS instance.

For more information about how to configure an IP address whitelist for an RDS instance, see Configure an IP address whitelist for an ApsaraDB RDS for MySQL instance. You can use a similar method to configure a whitelist for another type of data source. For more information about how to configure whitelists for other types of data sources, see the related topics.

What to do next

If you use a self-managed database that is deployed on an Elastic Compute Service (ECS) instance, you must configure a security group to ensure that the resource group can read data from and write data to the database. For more information, see Configure a security group for an ECS instance where a self-managed data store resides.