This topic describes how to add information about an exclusive resource group for Data Integration, the default resource group, or a custom resource group to the whitelist of a data store.

Background

Before you use a database as a data store in DataWorks, you must add the IP addresses or Classless Inter-Domain Routing (CIDR) blocks that you use to access the database to the whitelist of the database. This improves security and stability of the database.

Access to specific data stores is controlled based on whitelists. Therefore, to use Data Integration to import data from a data store to another, you must first authorize Data Integration to access the data stores. Specifically, you must add the relevant IP addresses or CIDR blocks to the whitelists of the data stores. For example, to use an ApsaraDB for RDS, ApsaraDB for MongoDB, or ApsaraDB for Redis instance as a data store, you must first add the relevant IP addresses or CIDR blocks to the whitelist of the instance. To allow specific sync nodes to access a data store, you must add IP addresses or CIDR blocks to the whitelist of the data store based on the type of the resource group on which the sync nodes run.
  • If the sync nodes run on an exclusive resource group for Data Integration, add the CIDR block or the Elastic Network Interface (ENI) IP address of the VSwitch to which the exclusive resource group is bound to the whitelist of the data store.
  • If the sync nodes run on the default resource group, add the IP addresses or CIDR blocks of the region where the workspace resides to the whitelist of the data store. For more information about the IP addresses and CIDR blocks of each region, see Add the information about the default resource group to the whitelist of a data store.
  • If the sync nodes run on a custom resource group, add the internal or public IP addresses of the servers in the custom resource group to the whitelist of the data store.

Add the information about an exclusive resource group for Data Integration to the whitelist of a data store

To access a data store, an exclusive resource group for Data Integration must meet the following conditions:
  • The exclusive resource group for Data Integration is in the same region as the data store to be accessed.
  • The exclusive resource group for Data Integration is bound to the same virtual private cloud (VPC) and VSwitch as the data store to be accessed.
Note If you have purchased an exclusive resource group for Data Integration in a different zone from the data store to be accessed, bind the resource group to the same VPC as the data store. Then, configure a route for the resource group to access the data store.

For more information about how to purchase an exclusive resource group for Data Integration and bind it to a VPC, see Add an exclusive resource group for data integration. .

An exclusive resource group for Data Integration may still fail to access a data store after you bind it to the same VPC and VSwitch as the data store and configure a route. This is because the resource group is not in the whitelist of the data store.

In this case, add the required information to the whitelist of the data store. The required information includes the elastic IP address (EIP) of the resource group and the Elastic Network Interface (ENI) IP address of the VPC to which the resource group is bound. To obtain and add the information to the whitelist, perform the following steps:
  1. Log on to the DataWorks console.
  2. In the left-side navigation pane, click Resource Groups.
  3. On the Exclusive Resource Groups tab, find the resource group whose information you want to view and click View Information in the Actions column.
  4. In the dialog box that appears, click the value of the EIPAddress parameter. The value is automatically copied. Add the value to the whitelist of the data store. Use the same method to add the value of CIDR Blocks to the whitelist.EIP
  5. On the Exclusive Resource Groups tab, find the resource group whose information you want to view and click Add VPC Binding in the Actions column. On the page that appears, obtain the ENI IP address and add it to the whitelist of the data store.Dialog box

Add the information about the default resource group to the whitelist of a data store

  1. Log on to the DataWorks console as a developer.
  2. In the left-side navigation pane, click Workspaces.
  3. In the top navigation bar, select a region.

    DataWorks supports multiple regions. Select the region where your MaxCompute project resides.

  4. Determine the IP addresses or CIDR blocks to be added to the whitelist of the data store to be accessed based on the selected region.
    Region CIDR block or IP address
    China (Hangzhou) 100.64.0.0/10,11.193.102.0/24,11.193.215.0/24,11.194.110.0/24,11.194.73.0/24,118.31.157.0/24,47.97.53.0/24,11.196.23.0/24,47.99.12.0/24,47.99.13.0/24,114.55.197.0/24,11.197.246.0/24,11.197.247.0/24
    China (Shanghai) 11.193.109.0/24,11.193.252.0/24,47.101.107.0/24,47.100.129.0/24,106.15.14.0/24,10.117.28.203,10.143.32.0/24,10.152.69.0/24,10.153.136.0/24,10.27.63.15,10.27.63.38,10.27.63.41,10.27.63.60,10.46.64.81,10.46.67.156,11.192.97.0/24,11.192.98.0/24,11.193.102.0/24,11.218.89.0/24,11.218.96.0/24,11.219.217.0/24,11.219.218.0/24,11.219.219.0/24,11.219.233.0/24,11.219.234.0/24,118.178.142.154,118.178.56.228,118.178.59.233,118.178.84.74,120.27.160.26,120.27.160.81,121.43.110.160,121.43.112.137,100.64.0.0/10,10.117.39.238
    China (Shenzhen) 100.106.46.0/24,100.106.49.0/24,10.152.27.0/24,10.152.28.0/24,11.192.91.0/24,11.192.96.0/24,11.193.103.0/24,100.64.0.0/10,120.76.104.0/24,120.76.91.0/24,120.78.45.0/24,47.106.63.0/26,47.106.63.128/26,47.106.63.192/26,47.106.63.64/26
    China (Chengdu) 11.195.52.0/24,11.195.55.0/24,47.108.22.0/24,100.64.0.0/10
    China (Zhangjiakou-Beijing Winter Olympics) 11.193.235.0/24,47.92.22.0/24,100.64.0.0/10
    China (Hong Kong) 10.152.162.0/24,11.192.196.0/24,11.193.11.0/24,100.64.0.0/10,47.89.61.0/24,47.91.171.0/24,11.193.118.0/24,47.75.228.0/24,47.56.45.0/25,47.244.92.128/25,47.101.109.0/24
    Singapore (Singapore) 100.106.10.0/24,100.106.35.0/24,10.151.234.0/24,10.151.238.0/24,10.152.248.0/24,11.192.153.0/24,11.192.40.0/24,11.193.8.0/24,100.64.0.0/10,47.88.147.0/24,47.88.235.0/24,11.193.162.0/24,11.193.163.0/24,11.193.220.0/24,11.193.158.0/24,47.74.162.0/24,47.74.203.0/24,47.74.161.0/24,11.197.188.0/24
    Australia (Sydney) 11.192.100.0/24,11.192.134.0/24,11.192.135.0/24,11.192.184.0/24,11.192.99.0/24,100.64.0.0/10,47.91.49.0/24,47.91.50.0/24,11.193.165.0/24,47.91.60.0/24
    China (Beijing) 100.106.48.0/24,10.152.167.0/24,10.152.168.0/24,11.193.50.0/24,11.193.75.0/24,11.193.82.0/24,11.193.99.0/24,100.64.0.0/10,47.93.110.0/24,47.94.185.0/24,47.95.63.0/24,11.197.231.0/24,11.195.172.0/24,47.94.49.0/24,182.92.144.0/24
    US (Silicon Valley) 10.152.160.0/24,100.64.0.0/10,47.89.224.0/24,11.193.216.0/24,47.88.108.0/24
    US (Virginia) 47.88.98.0/26,47.88.98.64/26,47.88.98.128/26,47.88.98.192/26,47.252.91.0/26,47.252.91.64/26,47.252.91.128/26,47.252.91.192/26,10.128.134.0/24,11.193.203.0/24,11.194.68.0/24,11.194.69.0/24,100.64.0.0/10
    Malaysia (Kuala Lumpur) 11.193.188.0/24,11.221.205.0/24,11.221.206.0/24,11.221.207.0/24,100.64.0.0/10,11.214.81.0/24,47.254.212.0/24,11.193.189.0/24
    Germany (Frankfurt) 11.192.116.0/24,11.192.168.0/24,11.192.169.0/24,11.192.170.0/24,11.193.106.0/24,100.64.0.0/10,11.192.116.14,11.192.116.142,11.192.116.160,11.192.116.75,11.192.170.27,47.91.82.22,47.91.83.74,47.91.83.93,47.91.84.11,47.91.84.110,47.91.84.82,11.193.167.0/24,47.254.138.0/24
    Japan (Tokyo) 100.105.55.0/24,11.192.147.0/24,11.192.148.0/24,11.192.149.0/24,100.64.0.0/10,47.91.12.0/24,47.91.13.0/24,47.91.9.0/24,11.199.250.0/24,47.91.27.0/24,11.59.59.0/24,47.245.51.128/26,47.245.51.192/26,47.91.0.128/26,47.91.0.192/26
    UAE (Dubai) 11.192.107.0/24,11.192.127.0/24,11.192.88.0/24,11.193.246.0/24,47.91.116.0/24,100.64.0.0/10
    India (Mumbai) 11.194.10.0/24,11.246.70.0/24,11.246.71.0/24,11.246.73.0/24,11.246.74.0/24,100.64.0.0/10,149.129.164.0/24,11.194.11.0/24,11.59.62.0/24,147.139.23.0/26,147.139.23.128/26,147.139.23.64/26,149.129.165.192/26
    UK (London) 11.199.93.0/24,100.64.0.0/10
    Indonesia (Jakarta) 11.194.49.0/24,11.200.93.0/24,11.200.95.0/24,11.200.97.0/24,100.64.0.0/10,149.129.228.0/24,10.143.32.0/24,11.194.50.0/24,11.59.135.0/24,147.139.156.0/26,147.139.156.128/26,147.139.156.64/26,149.129.230.192/26
    China North 2 Ali Gov 11.194.116.0/24,100.64.0.0/10,39.107.188.202

    If the CIDR blocks cannot be added, add the following IP addresses: 11.194.116.160,11.194.116.161,11.194.116.162,11.194.116.163,11.194.116.164,11.194.116.165,11.194.116.167,11.194.116.169,11.194.116.170,11.194.116.171,11.194.116.172,11.194.116.173,11.194.116.174,11.194.116.175,39.107.188.0/24
    China East 2 Finance 140.205.46.128/25,140.205.48.0/25,140.205.48.128/25,140.205.49.0/25,140.205.49.128/25,11.192.156.0/25,11.192.157.0/25,11.192.164.0/25,11.192.165.0/25,11.192.166.0/25,11.192.167.0/25,106.11.245.0/26,106.11.245.128/26,106.11.245.192/26,106.11.245.64/26,140.205.39.0/24,106.11.225.0/24,106.11.226.0/24,106.11.227.0/24,106.11.242.0/24,100.104.8.0/24

Add the information about a custom resource group to the whitelist of a data store

To allow a sync node that runs on a custom resource group to access a data store, you must add the required information to the whitelist of the data store. If the data store is hosted on an Elastic Compute Service (ECS) instance, you must also add the information to the security group of the ECS instance. The required information includes the internal or public IP addresses of the servers in the custom resource group.

Configure a whitelist for an ApsaraDB for RDS instance

You can add a Relational Database Service (RDS) connection in one of the following modes:
  • ApsaraDB for RDS instance mode

    You can add an RDS connection by specifying the corresponding ApsaraDB for RDS instance. Connectivity testing is supported for RDS connections added in this mode, including RDS connections for ApsaraDB for RDS instances deployed in a VPC. If an RDS connection added in this mode fails the connectivity test, add the RDS connection in JDBC URL mode.

  • JDBC URL mode

    When you add an RDS connection in JDBC URL mode, specify the internal endpoint of the corresponding ApsaraDB for RDS instance as the JDBC URL. If no internal endpoint is available, enter the public endpoint as the JDBC URL. The internal endpoint is used to transfer data inside a data center of Alibaba Cloud. If you use the internal endpoint, data can be synchronized in a faster manner. If you use the public endpoint, the data synchronization speed is limited by the Internet bandwidth package that you purchased.

Configure a whitelist for an ApsaraDB for RDS instance

To allow Data Integration to synchronize data from or to an ApsaraDB for RDS instance, you must connect Data Integration to the ApsaraDB for RDS instance by using a standard database protocol. By default, an ApsaraDB for RDS instance allows connections from all IP addresses. However, if you have configured a whitelist for the ApsaraDB for RDS instance, you must add the IP addresses or CIDR blocks used by Data Integration to the whitelist. If you have not configured a whitelist for the ApsaraDB for RDS instance, you do not need to perform this operation.

If you have configured a whitelist for the ApsaraDB for RDS instance, log on to the ApsaraDB for RDS console and add the corresponding IP addresses or CIDR blocks to the whitelist. For more information, see Control access to an ApsaraDB RDS for MySQL instance.