Configure a whitelist - Data Integration| Alibaba Cloud Documentation Center

After you connect a resource group to a data source, the resource group may fail to access the data source because the data source is configured with a whitelist that allows access only from specific IP addresses. In this case, you must add the IP address or Classless Inter-Domain Routing (CIDR) block of the resource group to the whitelist of the data source. This topic provides instructions on configuring a whitelist.

Prerequisites

Your resource group for Data Integration is connected to your data source. The following situations may exist:

If you use an exclusive resource group for Data Integration and you want to use the resource group to access the data source over a virtual private cloud (VPC), you must configure network connectivity between the resource group and data source. In addition, you must associate the exclusive resource group with your workspace. For more information, see Create and use an exclusive resource group for Data Integration.
If you use a resource group rather than an exclusive resource group for Data Integration or you want to use the resource group to access the data source over the Internet or classic network, you must configure network connectivity between the resource group and data source based on the actual situations of the resource group and network. For more information, see Select a network connectivity solution.

If the network connectivity is configured but the resource group cannot access your data source, the data source may be configured with a whitelist that restricts access from the resource group. In this case, you must add the IP address or CIDR block of the resource group to the whitelist of the data source.

Background information

If a resource group for Data Integration is connected to the data source that you want to access as described in Select a network connectivity solution, but the resource group cannot access the data source, the data source may be configured with a whitelist. You must obtain and add the IP address or CIDR block of the resource group to the whitelist of the data source.

To ensure the security and stability of data sources, most data sources are configured with whitelists. In this case, you must add the required IP addresses or CIDR blocks to the whitelists of the data sources. For example, to allow a resource group to access the ApsaraDB RDS, ApsaraDB for MongoDB, or ApsaraDB for Redis data source, you must add the IP address or CIDR block of the resource group to the whitelists of these data sources. When you add the IP address or CIDR block, take note of the following items:

Exclusive resource group for Data Integration:
You must obtain and add the elastic IP address (EIP) and CIDR block of the exclusive resource group to the whitelist of the data source. You must also obtain and add the CIDR block of the vSwitch to which the exclusive resource group is bound to the whitelist of the data source. For more information, see Obtain the IP address and CIDR block of an exclusive resource group for Data Integration and Add the IP addresses or CIDR blocks of a resource group for Data Integration to the whitelist of the data source that you want to access.
Public resource group for Data Integration:
You must add the IP addresses or CIDR blocks of the servers in the region where the DataWorks workspace resides to the whitelist of the data source. For more information, see Obtain the IP addresses or CIDR blocks of a public resource group for Data Integration and Add the IP addresses or CIDR blocks of a resource group for Data Integration to the whitelist of the data source that you want to access.
Custom resource group for Data Integration:
You must add the private or public IP addresses of the servers in the custom resource group to the whitelist of the data source. For more information, see Obtain the IP addresses or CIDR blocks of a custom resource group for Data Integration and Add the IP addresses or CIDR blocks of a resource group for Data Integration to the whitelist of the data source that you want to access.

Obtain the IP address and CIDR block of an exclusive resource group for Data Integration

To obtain and add the IP address and CIDR block of an exclusive resource group for Data Integration to the whitelist of a data source, perform the following steps:

Log on to the DataWorks console.
In the left-side navigation pane, click Resource Groups.
- Obtain the CIDR block of the vSwitch to which the exclusive resource group is bound.
  To synchronize data to or from a data source in a VPC, you must obtain and add the CIDR block of the vSwitch to which the exclusive resource group is bound to the whitelist of the data source. To obtain the vSwitch CIDR block, perform the following steps:
  
  On the Exclusive Resource Groups tab, find your desired resource group and click Network Settings in the Actions column. On the page that appears, obtain the vSwitch CIDR block and add it to the whitelist of the data source.
- Obtain the EIP and CIDR block of the exclusive resource group.
  To synchronize data over the Internet, you must obtain and add the EIP and CIDR block of the exclusive resource group to the whitelist of the data source. To obtain the EIP and CIDR block, perform the following steps:
  
  On the Exclusive Resource Groups tab, find your desired resource group and click View Information in the Actions column. In the Exclusive Resource Groups dialog box, click to copy the values of the EIPAddress and CIDR Blocks parameters. Then, add the values to the whitelist of the data source.

Obtain the IP addresses or CIDR blocks of a public resource group for Data Integration

To allow a public resource group for Data Integration to access a data source, you must add the IP addresses or CIDR blocks of the servers in the region where the DataWorks workspace resides to the whitelist of the data source. To view the IP addresses or CIDR blocks of the servers in a specific region, perform the following steps:

Log on to the DataWorks console as a developer.
In the left-side navigation pane, click Workspaces.
In the top navigation bar, select a region.

View the IP addresses or CIDR blocks based on the selected region and add them to the whitelist of the data source that you want to access.


Region	CIDR block or IP address
China (Hangzhou)	100.64.0.0/10,11.193.102.0/24,11.193.215.0/24,11.194.110.0/24,11.194.73.0/24,118.31.157.0/24,47.97.53.0/24,11.196.23.0/24,47.99.12.0/24,47.99.13.0/24,114.55.197.0/24,11.197.246.0/24,11.197.247.0/24
China (Shanghai)	11.193.109.0/24,11.193.252.0/24,47.101.107.0/24,47.100.129.0/24,106.15.14.0/24,10.117.28.203,10.143.32.0/24,10.152.69.0/24,10.153.136.0/24,10.27.63.15,10.27.63.38,10.27.63.41,10.27.63.60,10.46.64.81,10.46.67.156,11.192.97.0/24,11.192.98.0/24,11.193.102.0/24,11.218.89.0/24,11.218.96.0/24,11.219.217.0/24,11.219.218.0/24,11.219.219.0/24,11.219.233.0/24,11.219.234.0/24,118.178.142.154,118.178.56.228,118.178.59.233,118.178.84.74,120.27.160.26,120.27.160.81,121.43.110.160,121.43.112.137,100.64.0.0/10,10.117.39.238
China (Shenzhen)	100.106.46.0/24,100.106.49.0/24,10.152.27.0/24,10.152.28.0/24,11.192.91.0/24,11.192.96.0/24,11.193.103.0/24,100.64.0.0/10,120.76.104.0/24,120.76.91.0/24,120.78.45.0/24,47.106.63.0/26,47.106.63.128/26,47.106.63.192/26,47.106.63.64/26
China (Chengdu)	11.195.52.0/24,11.195.55.0/24,47.108.22.0/24,100.64.0.0/10
China (Zhangjiakou)	11.193.235.0/24,47.92.22.0/24,100.64.0.0/10
China (Hong Kong)	10.152.162.0/24,11.192.196.0/24,11.193.11.0/24,100.64.0.0/10,47.89.61.0/24,47.91.171.0/24,11.193.118.0/24,47.75.228.0/24,47.56.45.0/25,47.244.92.128/25,47.101.109.0/24
Singapore (Singapore)	100.106.10.0/24,100.106.35.0/24,10.151.234.0/24,10.151.238.0/24,10.152.248.0/24,11.192.153.0/24,11.192.40.0/24,11.193.8.0/24,100.64.0.0/10,47.88.147.0/24,47.88.235.0/24,11.193.162.0/24,11.193.163.0/24,11.193.220.0/24,11.193.158.0/24,47.74.162.0/24,47.74.203.0/24,47.74.161.0/24,11.197.188.0/24
Australia (Sydney)	11.192.100.0/24,11.192.134.0/24,11.192.135.0/24,11.192.184.0/24,11.192.99.0/24,100.64.0.0/10,47.91.49.0/24,47.91.50.0/24,11.193.165.0/24,47.91.60.0/24
China (Beijing)	100.106.48.0/24,10.152.167.0/24,10.152.168.0/24,11.193.50.0/24,11.193.75.0/24,11.193.82.0/24,11.193.99.0/24,100.64.0.0/10,47.93.110.0/24,47.94.185.0/24,47.95.63.0/24,11.197.231.0/24,11.195.172.0/24,47.94.49.0/24,182.92.144.0/24
US (Silicon Valley)	10.152.160.0/24,100.64.0.0/10,47.89.224.0/24,11.193.216.0/24,47.88.108.0/24
US (Virginia)	47.88.98.0/26,47.88.98.64/26,47.88.98.128/26,47.88.98.192/26,47.252.91.0/26,47.252.91.64/26,47.252.91.128/26,47.252.91.192/26,10.128.134.0/24,11.193.203.0/24,11.194.68.0/24,11.194.69.0/24,100.64.0.0/10
Malaysia (Kuala Lumpur)	11.193.188.0/24,11.221.205.0/24,11.221.206.0/24,11.221.207.0/24,100.64.0.0/10,11.214.81.0/24,47.254.212.0/24,11.193.189.0/24
Germany (Frankfurt)	11.192.116.0/24,11.192.168.0/24,11.192.169.0/24,11.192.170.0/24,11.193.106.0/24,100.64.0.0/10,11.192.116.14,11.192.116.142,11.192.116.160,11.192.116.75,11.192.170.27,47.91.82.22,47.91.83.74,47.91.83.93,47.91.84.11,47.91.84.110,47.91.84.82,11.193.167.0/24,47.254.138.0/24
Japan (Tokyo)	100.105.55.0/24,11.192.147.0/24,11.192.148.0/24,11.192.149.0/24,100.64.0.0/10,47.91.12.0/24,47.91.13.0/24,47.91.9.0/24,11.199.250.0/24,47.91.27.0/24,11.59.59.0/24,47.245.51.128/26,47.245.51.192/26,47.91.0.128/26,47.91.0.192/26
UAE (Dubai)	11.192.107.0/24,11.192.127.0/24,11.192.88.0/24,11.193.246.0/24,47.91.116.0/24,100.64.0.0/10
India (Mumbai)	11.194.10.0/24,11.246.70.0/24,11.246.71.0/24,11.246.73.0/24,11.246.74.0/24,100.64.0.0/10,149.129.164.0/24,11.194.11.0/24,11.59.62.0/24,147.139.23.0/26,147.139.23.128/26,147.139.23.64/26,149.129.165.192/26
UK (London)	11.199.93.0/24,100.64.0.0/10
Indonesia (Jakarta)	11.194.49.0/24,11.200.93.0/24,11.200.95.0/24,11.200.97.0/24,100.64.0.0/10,149.129.228.0/24,10.143.32.0/24,11.194.50.0/24,11.59.135.0/24,147.139.156.0/26,147.139.156.128/26,147.139.156.64/26,149.129.230.192/26
China North 2 Ali Gov 1	11.194.116.0/24,100.64.0.0/10,39.107.188.202 If access is still denied after the preceding IP addresses and CIDR blocks are added, add the following IP addresses and CIDR blocks: 11.194.116.160,11.194.116.161,11.194.116.162,11.194.116.163,11.194.116.164,11.194.116.165,11.194.116.167,11.194.116.169,11.194.116.170,11.194.116.171,11.194.116.172,11.194.116.173,11.194.116.174,11.194.116.175,39.107.188.0/24.
China East 2 Finance	140.205.46.128/25,140.205.48.0/25,140.205.48.128/25,140.205.49.0/25,140.205.49.128/25,11.192.156.0/25,11.192.157.0/25,11.192.164.0/25,11.192.165.0/25,11.192.166.0/25,11.192.167.0/25,106.11.245.0/26,106.11.245.128/26,106.11.245.192/26,106.11.245.64/26,140.205.39.0/24,106.11.225.0/24,106.11.226.0/24,106.11.227.0/24,106.11.242.0/24,100.104.8.0/24

Obtain the IP addresses or CIDR blocks of a custom resource group for Data Integration

To allow a synchronization node that is run on a custom resource group for Data Integration to access a data source, you must add the private or public IP addresses of the servers in the custom resource group to the whitelist of the data source.

Add the IP addresses or CIDR blocks of a resource group for Data Integration to the whitelist of the data source that you want to access

An ApsaraDB RDS instance is used in this example. If you have configured a whitelist for the ApsaraDB RDS instance, you must add the IP addresses or CIDR blocks of your resource group for Data Integration to the whitelist. For more information, see Configure an IP address whitelist for an ApsaraDB RDS for MySQL instance.

You can use a similar method to configure a whitelist for another type of data source. To configure whitelists for other types of data sources, see the related instructions.

Additional information

If you use a self-managed database that is deployed on an ECS instance, you must configure a security group to ensure that the resource group can read data from and write data to the database. For more information, see Configure a security group for an ECS instance where a self-managed data store resides.