After you connect a resource group to a data store, the resource group may fail to access data in the data store because the data store is configured with a whitelist to allow access only from specific IP addresses. In this case, you must add the IP addresses and classless inter-domain routing (CIDR) blocks of the resource group to the whitelist of the data store. This topic describes how to configure whitelists.

Prerequisites

The network connectivity is configured. For more information, see Test data store connectivity.

If the network connectivity is configured and resource groups still cannot access your data store, the data store may be configured with a whitelist to restrict access from these resource groups. In this case, you must add the IP addresses and CIDR blocks of the resource groups to the whitelist of the data store.

Background information

If a resource group for Data Integration is connected to the data store to be accessed as described in Test data store connectivity and the resource group still cannot access the data store, the data store may be configured with a whitelist. You must obtain and add the IP addresses and CIDR blocks of the resource group to the whitelist of the data store.

To ensure the security and stability of data stores, most data stores are configured with whitelists. In this case, you must add the relevant IP addresses and CIDR blocks to the whitelists of the data stores. For example, to allow a resource group to access data in an ApsaraDB RDS, ApsaraDB for MongoDB, or ApsaraDB for Redis instance, you must add the IP addresses or CIDR blocks of the resource group to the whitelist of the instance. When you add the IP addresses and CIDR blocks of a resource group to the whitelist of a data store, take note of the following items:

Obtain the IP address and CIDR block of an exclusive resource group for Data Integration

To allow an exclusive resource group for Data Integration to access data in a data store, you must add the EIP and CIDR block of the exclusive resource group and the CIDR block of the vSwitch to which the exclusive resource group is bound to the whitelist of the data store. To obtain and add the IP address and CIDR block of an exclusive resource group for Data Integration to the whitelist of a data store, perform the following steps:
  1. Log on to the DataWorks console.
  2. In the left-side navigation pane, click Resource Groups.
    • Obtain the CIDR block of the vSwitch to which the exclusive resource group is bound.

      To synchronize data to or from a data store in a virtual private cloud (VPC), you must obtain and add the CIDR block of the vSwitch to which the exclusive resource group is bound to the whitelist of the data store. To obtain the vSwitch CIDR block, perform the following steps:

      On the Exclusive Resource Groups tab, find the resource group whose information you want to view and click Network Settings in the Actions column. On the page that appears, obtain the value of the VSwitch CIDR Block parameter and add the value to the whitelist of the data store. vSwitch CIDR block
    • Obtain the EIP and CIDR block of the exclusive resource group.

      To synchronize data over the Internet, you must obtain and add the EIP of the exclusive resource group to the whitelist of the data store. To obtain the EIP, perform the following steps:

      On the Exclusive Resource Groups tab, find the resource group whose information you want to view and click View Information in the Actions column. In the Exclusive Resource Groups dialog box, click to copy the values of the EIPAddress and CIDR Blocks parameters. Then, add the values to the whitelist of the data store. EIP

Obtain the IP addresses and CIDR blocks of a public resource group for Data Integration

To allow a public resource group for Data Integration to access data in a data store, you must add the IP addresses and CIDR blocks of the servers in region where the DataWorks workspace resides to the whitelist of the data store. To view the IP addresses and CIDR blocks of the servers in a specific region, perform the following steps:

  1. Log on to the DataWorks console as a developer.
  2. In the left-side navigation pane, click Workspaces.
  3. In the top navigation bar, select a region.
  4. View the IP addresses and CIDR blocks based on the selected region and add them to the whitelist of the data store to be accessed.
    Region CIDR block or IP address
    China (Hangzhou) 100.64.0.0/10,11.193.102.0/24,11.193.215.0/24,11.194.110.0/24,11.194.73.0/24,118.31.157.0/24,47.97.53.0/24,11.196.23.0/24,47.99.12.0/24,47.99.13.0/24,114.55.197.0/24,11.197.246.0/24,11.197.247.0/24
    China (Shanghai) 11.193.109.0/24,11.193.252.0/24,47.101.107.0/24,47.100.129.0/24,106.15.14.0/24,10.117.28.203,10.143.32.0/24,10.152.69.0/24,10.153.136.0/24,10.27.63.15,10.27.63.38,10.27.63.41,10.27.63.60,10.46.64.81,10.46.67.156,11.192.97.0/24,11.192.98.0/24,11.193.102.0/24,11.218.89.0/24,11.218.96.0/24,11.219.217.0/24,11.219.218.0/24,11.219.219.0/24,11.219.233.0/24,11.219.234.0/24,118.178.142.154,118.178.56.228,118.178.59.233,118.178.84.74,120.27.160.26,120.27.160.81,121.43.110.160,121.43.112.137,100.64.0.0/10,10.117.39.238
    China (Shenzhen) 100.106.46.0/24,100.106.49.0/24,10.152.27.0/24,10.152.28.0/24,11.192.91.0/24,11.192.96.0/24,11.193.103.0/24,100.64.0.0/10,120.76.104.0/24,120.76.91.0/24,120.78.45.0/24,47.106.63.0/26,47.106.63.128/26,47.106.63.192/26,47.106.63.64/26
    China (Chengdu) 11.195.52.0/24,11.195.55.0/24,47.108.22.0/24,100.64.0.0/10
    China (Zhangjiakou) 11.193.235.0/24,47.92.22.0/24,100.64.0.0/10
    China (Hong Kong) 10.152.162.0/24,11.192.196.0/24,11.193.11.0/24,100.64.0.0/10,47.89.61.0/24,47.91.171.0/24,11.193.118.0/24,47.75.228.0/24,47.56.45.0/25,47.244.92.128/25,47.101.109.0/24
    Singapore 100.106.10.0/24,100.106.35.0/24,10.151.234.0/24,10.151.238.0/24,10.152.248.0/24,11.192.153.0/24,11.192.40.0/24,11.193.8.0/24,100.64.0.0/10,47.88.147.0/24,47.88.235.0/24,11.193.162.0/24,11.193.163.0/24,11.193.220.0/24,11.193.158.0/24,47.74.162.0/24,47.74.203.0/24,47.74.161.0/24,11.197.188.0/24
    Australia (Sydney) 11.192.100.0/24,11.192.134.0/24,11.192.135.0/24,11.192.184.0/24,11.192.99.0/24,100.64.0.0/10,47.91.49.0/24,47.91.50.0/24,11.193.165.0/24,47.91.60.0/24
    China (Beijing) 100.106.48.0/24,10.152.167.0/24,10.152.168.0/24,11.193.50.0/24,11.193.75.0/24,11.193.82.0/24,11.193.99.0/24,100.64.0.0/10,47.93.110.0/24,47.94.185.0/24,47.95.63.0/24,11.197.231.0/24,11.195.172.0/24,47.94.49.0/24,182.92.144.0/24
    US (Silicon Valley) 10.152.160.0/24,100.64.0.0/10,47.89.224.0/24,11.193.216.0/24,47.88.108.0/24
    US (Virginia) 47.88.98.0/26,47.88.98.64/26,47.88.98.128/26,47.88.98.192/26,47.252.91.0/26,47.252.91.64/26,47.252.91.128/26,47.252.91.192/26,10.128.134.0/24,11.193.203.0/24,11.194.68.0/24,11.194.69.0/24,100.64.0.0/10
    Malaysia (Kuala Lumpur) 11.193.188.0/24,11.221.205.0/24,11.221.206.0/24,11.221.207.0/24,100.64.0.0/10,11.214.81.0/24,47.254.212.0/24,11.193.189.0/24
    Germany (Frankfurt) 11.192.116.0/24,11.192.168.0/24,11.192.169.0/24,11.192.170.0/24,11.193.106.0/24,100.64.0.0/10,11.192.116.14,11.192.116.142,11.192.116.160,11.192.116.75,11.192.170.27,47.91.82.22,47.91.83.74,47.91.83.93,47.91.84.11,47.91.84.110,47.91.84.82,11.193.167.0/24,47.254.138.0/24
    Japan (Tokyo) 100.105.55.0/24,11.192.147.0/24,11.192.148.0/24,11.192.149.0/24,100.64.0.0/10,47.91.12.0/24,47.91.13.0/24,47.91.9.0/24,11.199.250.0/24,47.91.27.0/24,11.59.59.0/24,47.245.51.128/26,47.245.51.192/26,47.91.0.128/26,47.91.0.192/26
    UAE (Dubai) 11.192.107.0/24,11.192.127.0/24,11.192.88.0/24,11.193.246.0/24,47.91.116.0/24,100.64.0.0/10
    India (Mumbai) 11.194.10.0/24,11.246.70.0/24,11.246.71.0/24,11.246.73.0/24,11.246.74.0/24,100.64.0.0/10,149.129.164.0/24,11.194.11.0/24,11.59.62.0/24,147.139.23.0/26,147.139.23.128/26,147.139.23.64/26,149.129.165.192/26
    UK (London) 11.199.93.0/24,100.64.0.0/10
    Indonesia (Jakarta) 11.194.49.0/24,11.200.93.0/24,11.200.95.0/24,11.200.97.0/24,100.64.0.0/10,149.129.228.0/24,10.143.32.0/24,11.194.50.0/24,11.59.135.0/24,147.139.156.0/26,147.139.156.128/26,147.139.156.64/26,149.129.230.192/26
    China North 2 Ali Gov 1 11.194.116.0/24,100.64.0.0/10,39.107.188.202

    If access is still denied after the preceding IP addresses and CIDR blocks are added, add the following IP addresses and CIDR blocks: 11.194.116.160,11.194.116.161,11.194.116.162,11.194.116.163,11.194.116.164,11.194.116.165,11.194.116.167,11.194.116.169,11.194.116.170,11.194.116.171,11.194.116.172,11.194.116.173,11.194.116.174,11.194.116.175,39.107.188.0/24.

    China East 2 Finance 140.205.46.128/25,140.205.48.0/25,140.205.48.128/25,140.205.49.0/25,140.205.49.128/25,11.192.156.0/25,11.192.157.0/25,11.192.164.0/25,11.192.165.0/25,11.192.166.0/25,11.192.167.0/25,106.11.245.0/26,106.11.245.128/26,106.11.245.192/26,106.11.245.64/26,140.205.39.0/24,106.11.225.0/24,106.11.226.0/24,106.11.227.0/24,106.11.242.0/24,100.104.8.0/24

Obtain the IP addresses and CIDR blocks of a custom resource group for Data Integration

To allow a sync node that is run on a custom resource group for Data Integration to access a data store, you must add the required information to the whitelist of the data store. If the data store is deployed on an Elastic Compute Service (ECS) instance, you must also add the information to the security group of the ECS instance. The required information includes the internal or public IP addresses of the servers in the custom resource group.

Add the IP addresses and CIDR blocks of a resource group for Data Integration to the whitelist of the data store to be accessed

An ApsaraDB RDS instance is used in this example. If you have configured a whitelist for the ApsaraDB RDS instance, you must add the IP addresses and CIDR blocks used by Data Integration to the whitelist. For more information, see Configure an IP address whitelist for an ApsaraDB RDS for MySQL instance.

The methods for configuring a whitelist for other types of data stores are similar. To configure a whitelist for other types of data stores, refer to the corresponding instructions.

What to do next

If you use a self-managed data store that is deployed on an ECS instance, you must configure a security group to ensure that the resource group can read data from and write data to the data store. For more information, see Configure a security group for an ECS instance where a self-managed data store resides.