This topic describes how to configure whitelists for DataWorks workspaces in different regions.

If you use ApsaraDB for RDS as a data store, you must configure a whitelist for the ApsaraDB for RDS instance to ensure that it is accessible.

Before using a data store, you must add the IP addresses or Classless Inter-Domain Routing (CIDR) blocks that you use to access the data store to a whitelist of the instance where the data store resides. This improves security and stability of the database.

Note: The configured whitelist is valid for data integration nodes only.

Determine the IP addresses or CIDR blocks to be added to a whitelist

  1. Log on to the DataWorks console. In the left-side navigation pane, click Workspaces.
  2. Move the pointer over the region in the top navigation bar and click the target region.

    Currently, DataWorks supports multiple regions. Select the region of the MaxCompute project that you have purchased.

  3. Determine the IP addresses or CIDR blocks to be added to a whitelist based on the region of the workspace.
    Currently, access to some data stores is restricted by whitelists. You must add the IP addresses or CIDR blocks used by Data Integration to these whitelists. Otherwise, Data Integration cannot access these data stores. For example, you must add IP addresses or CIDR blocks to a whitelist of an ApsaraDB for RDS, ApsaraDB for MongoDB, or ApsaraDB for Redis instance that serves as a data store. Add IP addresses or CIDR blocks to a whitelist based on the resource group type as follows:
    • If sync nodes run on a custom resource group, add internal and public IP addresses of Elastic Compute Service (ECS) instances on the custom resource group to a whitelist of the data store.
    • If sync nodes run on the default resource group, add the IP addresses or CIDR blocks of the region where the workspace resides to a whitelist of the data store. The following table lists the IP addresses or CIDR blocks used by each region.
      Region Whitelist
      China (Hangzhou) 100.64.0.0/10,11.193.102.0/24,11.193.215.0/24,11.194.110.0/24,11.194.73.0/24,118.31.157.0/24,47.97.53.0/24,11.196.23.0/24,47.99.12.0/24,47.99.13.0/24,114.55.197.0/24,11.197.246.0/24,11.197.247.0/24
      China (Shanghai) 11.193.109.0/24,11.193.252.0/24,47.101.107.0/24,47.100.129.0/24,106.15.14.0/24,10.117.28.203,10.143.32.0/24,10.152.69.0/24,10.153.136.0/24,10.27.63.15,10.27.63.38,10.27.63.41,10.27.63.60,10.46.64.81,10.46.67.156,11.192.97.0/24,11.192.98.0/24,11.193.102.0/24,11.218.89.0/24,11.218.96.0/24,11.219.217.0/24,11.219.218.0/24,11.219.219.0/24,11.219.233.0/24,11.219.234.0/24,118.178.142.154,118.178.56.228,118.178.59.233,118.178.84.74,120.27.160.26,120.27.160.81,121.43.110.160,121.43.112.137,100.64.0.0/10,10.117.39.238
      China (Shenzhen) 100.106.46.0/24,100.106.49.0/24,10.152.27.0/24,10.152.28.0/24,11.192.91.0/24,11.192.96.0/24,11.193.103.0/24,100.64.0.0/10,120.76.104.0/24,120.76.91.0/24,120.78.45.0/24
      China (Chengdu) 11.195.52.0/24,11.195.55.0/24,47.108.22.0/24,100.64.0.0/10
      China (Zhangjiakou) 11.193.235.0/24,47.92.22.0/24,100.64.0.0/10
      China (Hong Kong) 10.152.162.0/24,11.192.196.0/24,11.193.11.0/24,100.64.0.0/10,11.192.196.0/24,47.89.61.0/24,47.91.171.0/24,11.193.118.0/24,47.75.228.0/24
      Singapore 100.106.10.0/24,100.106.35.0/24,10.151.234.0/24,10.151.238.0/24,10.152.248.0/24,11.192.153.0/24,11.192.40.0/24,11.193.8.0/24,100.64.0.0/10,47.88.147.0/24,47.88.235.0/24,11.193.162.0/24,11.193.163.0/24,11.193.220.0/24,11.193.158.0/24,47.74.162.0/24,47.74.203.0/24,47.74.161.0/24,11.197.188.0/24
      Australia (Sydney) 11.192.100.0/24,11.192.134.0/24,11.192.135.0/24,11.192.184.0/24,11.192.99.0/24,100.64.0.0/10,47.91.49.0/24,47.91.50.0/24,11.193.165.0/24,47.91.60.0/24
      China (Beijing) 100.106.48.0/24,10.152.167.0/24,10.152.168.0/24,11.193.50.0/24,11.193.75.0/24,11.193.82.0/24,11.193.99.0/24,100.64.0.0/10,47.93.110.0/24,47.94.185.0/24,47.95.63.0/24,11.197.231.0/24,11.195.172.0/24,47.94.49.0/24,182.92.144.0/24
      US (Silicon Valley) 10.152.160.0/24,100.64.0.0/10,47.89.224.0/24,11.193.216.0/24,47.88.108.0/24
      US (Virginia) 11.193.203.0/24,11.194.68.0/24,11.194.69.0/24,100.64.0.0/10,47.252.55.0/24,47.252.88.0/24
      Malaysia (Kuala Lumpur) 11.193.188.0/24,11.221.205.0/24,11.221.206.0/24,11.221.207.0/24,100.64.0.0/10,11.214.81.0/24,47.254.212.0/24,11.193.189.0/24
      Germany (Frankfurt) 11.192.116.0/24,11.192.168.0/24,11.192.169.0/24,11.192.170.0/24,11.193.106.0/24,100.64.0.0/10,11.192.116.14,11.192.116.142,11.192.116.160,11.192.116.75,11.192.170.27,47.91.82.22,47.91.83.74,47.91.83.93,47.91.84.11,47.91.84.110,47.91.84.82,11.193.167.0/24,47.254.138.0/24
      Japan (Tokyo) 100.105.55.0/24,11.192.147.0/24,11.192.148.0/24,11.192.149.0/24,100.64.0.0/10,47.91.12.0/24,47.91.13.0/24,47.91.9.0/24,11.199.250.0/24,47.91.27.0/24
      UAE (Dubai) 11.192.107.0/24,11.192.127.0/24,11.192.88.0/24,11.193.246.0/24,47.91.116.0/24,100.64.0.0/10
      India (Mumbai) 11.194.10.0/24,11.246.70.0/24,11.246.71.0/24,11.246.73.0/24,11.246.74.0/24,100.64.0.0/10,149.129.164.0/24,11.194.11.0/24
      UK (London) 11.199.93.0/24,100.64.0.0/10
      Indonesia (Jakarta) 11.194.49.0/24,11.200.93.0/24,11.200.95.0/24,11.200.97.0/24,100.64.0.0/10,149.129.228.0/24,10.143.32.0/24,11.194.50.0/24
      China (Beijing) Alibaba GovCloud 11.194.116.0/24,100.64.0.0/10

      If the preceding CIDR blocks cannot be added, add the following IP addresses:

      11.194.116.160,11.194.116.161,11.194.116.162,11.194.116.163,11.194.116.164,11.194.116.165,11.194.116.167,11.194.116.169,11.194.116.170,11.194.116.171,11.194.116.172,11.194.116.173,11.194.116.174,11.194.116.175
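An added example, not part of the original documentation: a Python audit of a whitelist string before it is pasted into a data store's whitelist. It takes the Germany (Frankfurt) and China (Hong Kong) rows from the table above as input; the function names and the /16 review threshold are assumptions made for this illustration.

```python
import ipaddress

# Rows copied from the region table above (input data for the audit).
FRANKFURT = (
    "11.192.116.0/24,11.192.168.0/24,11.192.169.0/24,11.192.170.0/24,"
    "11.193.106.0/24,100.64.0.0/10,11.192.116.14,11.192.116.142,"
    "11.192.116.160,11.192.116.75,11.192.170.27,47.91.82.22,47.91.83.74,"
    "47.91.83.93,47.91.84.11,47.91.84.110,47.91.84.82,11.193.167.0/24,"
    "47.254.138.0/24"
)
HONG_KONG = (
    "10.152.162.0/24,11.192.196.0/24,11.193.11.0/24,100.64.0.0/10,"
    "11.192.196.0/24,47.89.61.0/24,47.91.171.0/24,11.193.118.0/24,"
    "47.75.228.0/24"
)
BROAD_PREFIX = 16  # assumption: IPv4 entries wider than /16 are flagged for review


def parse_whitelist(text):
    """Parse comma-separated entries; a bare IP becomes a /32 network."""
    # strict=True raises ValueError on typos such as 10.1.2.3/24 (host bits set)
    return [ipaddress.ip_network(e.strip(), strict=True)
            for e in text.split(",") if e.strip()]


def audit(text):
    """Report duplicate, already-covered and very broad entries."""
    nets = parse_whitelist(text)
    unique = list(dict.fromkeys(nets))  # keeps first occurrence, in order
    duplicates = [n for i, n in enumerate(nets) if n in nets[:i]]
    covered = [n for n in unique
               if any(n != o and n.version == o.version and n.subnet_of(o)
                      for o in unique)]
    return {
        "duplicates": [str(n) for n in duplicates],
        "covered": [str(n) for n in covered],
        "broad": [str(n) for n in unique if n.prefixlen < BROAD_PREFIX],
        "minimal": [str(n) for n in unique if n not in covered],
    }


def is_allowed(text, source_ip):
    """True if source_ip matches any whitelist entry."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in n for n in parse_whitelist(text))


if __name__ == "__main__":
    for name, row in (("Frankfurt", FRANKFURT), ("Hong Kong", HONG_KONG)):
        print(name, audit(row))
```

Both rows report 100.64.0.0/10 as broad: that single entry spans 4,194,304 addresses, so it is the one to look at first when reviewing what the whitelist actually admits.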

Configure a whitelist for an ApsaraDB for RDS instance

An RDS connection can be added in either of the following modes:
  • ApsaraDB for RDS instance mode

    You can add an RDS connection by specifying the corresponding ApsaraDB for RDS instance. Currently, connectivity testing is supported for RDS connections added in this mode, including RDS connections for ApsaraDB for RDS instances deployed in a VPC. If an RDS connection added in this mode fails the connectivity test, add the RDS connection in JDBC URL mode.

  • JDBC URL mode

    When adding an RDS connection in JDBC URL mode, specify the internal endpoint of the corresponding ApsaraDB for RDS instance as the JDBC URL. If no internal endpoint is available, enter the public endpoint as the JDBC URL. If an internal endpoint is used, data is transferred inside an Alibaba Cloud IDC, so data synchronization is fast. If a public endpoint is used, the data synchronization speed depends on your public network bandwidth.

Configure a whitelist for an ApsaraDB for RDS instance

To allow Data Integration to synchronize data from or to an ApsaraDB for RDS instance, you must connect Data Integration to the ApsaraDB for RDS instance through a standard database protocol. An ApsaraDB for RDS instance allows connections from all IP addresses by default. However, if you have specified a whitelist for the ApsaraDB for RDS instance, you must add the IP addresses or CIDR blocks used by Data Integration to the whitelist. This operation is unnecessary if you have not specified a whitelist for the ApsaraDB for RDS instance.

If you have specified an endpoint whitelist for the ApsaraDB for RDS instance, go to the Data Security page for the instance in the ApsaraDB for RDS console, and modify the whitelist to add the corresponding IP addresses or CIDR blocks.

Note: If you use a custom resource group to run sync nodes that synchronize data from or to the ApsaraDB for RDS instance, you must add the IP addresses of ECS instances on the custom resource group to the whitelist.