After you connect a resource group to a data source, the resource group may fail to access the data source because a whitelist that allows access only from specific IP addresses is configured for the data source. In this case, you must add the IP address or Classless Inter-Domain Routing (CIDR) block of the resource group to the whitelist of the data source. This topic provides instructions on configuring a whitelist.

Prerequisites

Your resource group for Data Integration is connected to your data source. The following situations may exist:
  • If the data source that you want to connect and your resource group for Data Integration reside in different regions and belong to different Alibaba Cloud accounts, you must select an appropriate network connectivity solution based on the network environment of the resource group for Data Integration. For more information, see Select a network connectivity solution.
  • If you use an exclusive resource group for Data Integration to connect to a data source that resides in a virtual private cloud (VPC), resides in the same region, and belongs to the same Alibaba Cloud account as the resource group, you must configure the network environment for the resource group and associate the resource group with the desired workspace. For more information, see Create and use an exclusive resource group for Data Integration.

If you configured the network connection between the resource group for Data Integration and the data source, but the resource group still cannot access the data source, the data source may be configured with a whitelist that denies access from some IP addresses. In this case, you must add the IP address or CIDR block of the resource group to the whitelist of the data source.

Background information

If a resource group for Data Integration is connected to the data source that you want to access as described in Select a network connectivity solution, but the resource group still cannot access the data source, the data source may be configured with a whitelist that denies access from some IP addresses. In this case, you must obtain and add the IP address or CIDR block of the resource group to the whitelist of the data source.

To ensure the security and stability of data sources, most data sources are configured with whitelists. You must add the required IP addresses or CIDR blocks to the whitelists of the data sources. For example, if you want a resource group to access an ApsaraDB RDS, ApsaraDB for MongoDB, or ApsaraDB for Redis data source, you must add the IP address or CIDR block of the resource group to the whitelists of these data sources. When you add the IP address or CIDR block of a resource group to a whitelist, take note of the following items:

Add the EIP or CIDR block of an exclusive resource group for Data Integration to the whitelist of a data source

  • If you want to use an exclusive resource group for Data Integration to run a node to synchronize data from a data source over a VPC, add the CIDR block of the vSwitch to which the exclusive resource group is bound to the whitelist of the data source. To obtain and add the CIDR block of the vSwitch to which the resource group is bound to the whitelist of the data source, perform the following operations:
    On the Exclusive Resource Groups tab of the DataWorks console, find the desired exclusive resource group for Data Integration and click Network Settings in the Actions column to view the CIDR block to which the resource group is bound. Then, add the CIDR block to the whitelist of the data source.
  • If you want to use an exclusive resource group for Data Integration to run a node to synchronize data from a data source over the Internet, add the EIP of the exclusive resource group to the whitelist of the data source. To obtain and add the EIP of the exclusive resource group for Data Integration to the whitelist of the data source, perform the following operations:
    On the Exclusive Resource Groups tab of the DataWorks console, find the exclusive resource group for Data Integration whose EIP you want to view and click View Information in the Actions column. In the Exclusive Resource Groups dialog box, copy the EIP. Then, add the copied EIP to the whitelist of the data source.
    Note: If you upgrade the configuration of the exclusive resource group for Data Integration, you must check whether the EIP of the resource group changes. If the EIP of the resource group changes, add the new EIP to the whitelist of the data source after the configuration upgrade. This ensures the normal running of your synchronization node.

Add the IP addresses or CIDR blocks of the servers in the region where the DataWorks workspace resides to the whitelist of a data source

To allow the shared resource group for Data Integration to access a data source, you must add the IP addresses or CIDR blocks of the servers in the region where the DataWorks workspace resides to the whitelist of the data source. To view and add the IP addresses or CIDR blocks of the servers in a region to the whitelist of the data source, perform the following steps:

  1. Log on to the DataWorks console as a developer.
  2. In the left-side navigation pane, click Workspaces.
  3. In the top navigation bar, select the region where the desired workspace resides.
  4. View the IP addresses or CIDR blocks based on the selected region and add them to the whitelist of the data source that you want to access.
    Region CIDR block or IP address
    China (Hangzhou) 100.64.0.0/10,11.193.102.0/24,11.193.215.0/24,11.194.110.0/24,11.194.73.0/24,118.31.157.0/24,47.97.53.0/24,11.196.23.0/24,47.99.12.0/24,47.99.13.0/24,114.55.197.0/24,11.197.246.0/24,11.197.247.0/24
    China (Shanghai) 11.193.109.0/24,11.193.252.0/24,47.101.107.0/24,47.100.129.0/24,106.15.14.0/24,10.117.28.203,10.143.32.0/24,10.152.69.0/24,10.153.136.0/24,10.27.63.15,10.27.63.38,10.27.63.41,10.27.63.60,10.46.64.81,10.46.67.156,11.192.97.0/24,11.192.98.0/24,11.193.102.0/24,11.218.89.0/24,11.218.96.0/24,11.219.217.0/24,11.219.218.0/24,11.219.219.0/24,11.219.233.0/24,11.219.234.0/24,118.178.142.154,118.178.56.228,118.178.59.233,118.178.84.74,120.27.160.26,120.27.160.81,121.43.110.160,121.43.112.137,100.64.0.0/10,10.117.39.238
    China (Shenzhen) 100.106.46.0/24,100.106.49.0/24,10.152.27.0/24,10.152.28.0/24,11.192.91.0/24,11.192.96.0/24,11.193.103.0/24,100.64.0.0/10,120.76.104.0/24,120.76.91.0/24,120.78.45.0/24,47.106.63.0/26,47.106.63.128/26,47.106.63.192/26,47.106.63.64/26
    China (Chengdu) 11.195.52.0/24,11.195.55.0/24,47.108.22.0/24,100.64.0.0/10
    China (Zhangjiakou) 11.193.235.0/24,47.92.22.0/24,100.64.0.0/10
    China (Hong Kong) 10.152.162.0/24,11.192.196.0/24,11.193.11.0/24,100.64.0.0/10,47.89.61.0/24,47.91.171.0/24,11.193.118.0/24,47.75.228.0/24,47.56.45.0/25,47.244.92.128/25,47.101.109.0/24
    Singapore (Singapore) 100.106.10.0/24,100.106.35.0/24,10.151.234.0/24,10.151.238.0/24,10.152.248.0/24,11.192.153.0/24,11.192.40.0/24,11.193.8.0/24,100.64.0.0/10,47.88.147.0/24,47.88.235.0/24,11.193.162.0/24,11.193.163.0/24,11.193.220.0/24,11.193.158.0/24,47.74.162.0/24,47.74.203.0/24,47.74.161.0/24,11.197.188.0/24
    Australia (Sydney) 11.192.100.0/24,11.192.134.0/24,11.192.135.0/24,11.192.184.0/24,11.192.99.0/24,100.64.0.0/10,47.91.49.0/24,47.91.50.0/24,11.193.165.0/24,47.91.60.0/24
    China (Beijing) 100.106.48.0/24,10.152.167.0/24,10.152.168.0/24,11.193.50.0/24,11.193.75.0/24,11.193.82.0/24,11.193.99.0/24,100.64.0.0/10,47.93.110.0/24,47.94.185.0/24,47.95.63.0/24,11.197.231.0/24,11.195.172.0/24,47.94.49.0/24,182.92.144.0/24
    US (Silicon Valley) 10.152.160.0/24,100.64.0.0/10,47.89.224.0/24,11.193.216.0/24,47.88.108.0/24
    US (Virginia) 47.88.98.0/26,47.88.98.64/26,47.88.98.128/26,47.88.98.192/26,47.252.91.0/26,47.252.91.64/26,47.252.91.128/26,47.252.91.192/26,10.128.134.0/24,11.193.203.0/24,11.194.68.0/24,11.194.69.0/24,100.64.0.0/10
    Malaysia (Kuala Lumpur) 11.193.188.0/24,11.221.205.0/24,11.221.206.0/24,11.221.207.0/24,100.64.0.0/10,11.214.81.0/24,47.254.212.0/24,11.193.189.0/24
    Germany (Frankfurt) 11.192.116.0/24,11.192.168.0/24,11.192.169.0/24,11.192.170.0/24,11.193.106.0/24,100.64.0.0/10,11.192.116.14,11.192.116.142,11.192.116.160,11.192.116.75,11.192.170.27,47.91.82.22,47.91.83.74,47.91.83.93,47.91.84.11,47.91.84.110,47.91.84.82,11.193.167.0/24,47.254.138.0/24
    Japan (Tokyo) 100.105.55.0/24,11.192.147.0/24,11.192.148.0/24,11.192.149.0/24,100.64.0.0/10,47.91.12.0/24,47.91.13.0/24,47.91.9.0/24,11.199.250.0/24,47.91.27.0/24,11.59.59.0/24,47.245.51.128/26,47.245.51.192/26,47.91.0.128/26,47.91.0.192/26
    UAE (Dubai) 11.192.107.0/24,11.192.127.0/24,11.192.88.0/24,11.193.246.0/24,47.91.116.0/24,100.64.0.0/10
    India (Mumbai) 11.194.10.0/24,11.246.70.0/24,11.246.71.0/24,11.246.73.0/24,11.246.74.0/24,100.64.0.0/10,149.129.164.0/24,11.194.11.0/24,11.59.62.0/24,147.139.23.0/26,147.139.23.128/26,147.139.23.64/26,149.129.165.192/26
    UK (London) 11.199.93.0/24,100.64.0.0/10
    Indonesia (Jakarta) 11.194.49.0/24,11.200.93.0/24,11.200.95.0/24,11.200.97.0/24,100.64.0.0/10,149.129.228.0/24,10.143.32.0/24,11.194.50.0/24,11.59.135.0/24,147.139.156.0/26,147.139.156.128/26,147.139.156.64/26,149.129.230.192/26
    China North 2 Ali Gov 1 11.194.116.0/24,100.64.0.0/10,39.107.188.202

    If access is still denied after the preceding IP addresses and CIDR blocks are added, add the following IP addresses and CIDR blocks: 11.194.116.160,11.194.116.161,11.194.116.162,11.194.116.163,11.194.116.164,11.194.116.165,11.194.116.167,11.194.116.169,11.194.116.170,11.194.116.171,11.194.116.172,11.194.116.173,11.194.116.174,11.194.116.175,39.107.188.0/24.

    China East 2 Finance 140.205.46.128/25,140.205.48.0/25,140.205.48.128/25,140.205.49.0/25,140.205.49.128/25,11.192.156.0/25,11.192.157.0/25,11.192.164.0/25,11.192.165.0/25,11.192.166.0/25,11.192.167.0/25,106.11.245.0/26,106.11.245.128/26,106.11.245.192/26,106.11.245.64/26,140.205.39.0/24,106.11.225.0/24,106.11.226.0/24,106.11.227.0/24,106.11.242.0/24,100.104.8.0/24

Add the private or public IP addresses of the servers in the custom resource group for Data Integration to the whitelist of a data source

To allow a custom resource group for Data Integration to access a data source, you must add the private or public IP addresses of the servers in the custom resource group to the whitelist of the data source.

Note: If you upgrade the configuration of the custom resource group for Data Integration, you must add the new private or public IP addresses of the servers in the resource group to the whitelist of the data source after the configuration upgrade. This ensures the normal running of your synchronization node.

Precautions for configuring a whitelist

In this section, ApsaraDB RDS is used to demonstrate the precautions for configuring a whitelist. Before you add the IP address or CIDR block of a resource group for Data Integration to a whitelist of an ApsaraDB RDS instance, you must take note of the following items:

ApsaraDB RDS supports standard whitelists and enhanced whitelists. The IP address whitelist that you configured for the RDS instance may affect the connectivity between the resource group for Data Integration and an RDS database.

  • If you configure a standard IP address whitelist for the RDS instance, the following situations occur:
    • You can add IP addresses from both the classic network and VPCs to the same IP address whitelist.
    • You can use the same IP address whitelist regardless of whether you use the shared resource group for Data Integration, an exclusive resource group for Data Integration, or a custom resource group for Data Integration.
      Note: The IP addresses in a standard IP address whitelist are granted access to your RDS instance over both the classic network and VPCs.
  • If you configure an enhanced IP address whitelist for the RDS instance, the following situations occur:
    • You must add IP addresses from the classic network and VPCs to different IP address whitelists.
      Note: You must specify the network isolation mode of each enhanced IP address whitelist. For example, if the Network Type Allowed for Instance Access parameter is set to Classic Network/Public IP for an IP address whitelist, the IP addresses in the IP address whitelist are granted access to your RDS instance only over the classic network. In this case, you cannot connect to your RDS instance over VPCs from these IP addresses.
    • If you use an exclusive resource group for Data Integration to access the RDS database over a VPC, the IP address whitelist of the VPC type is used.
    • If you use the shared resource group for Data Integration to access an ApsaraDB RDS for MySQL instance that resides in a VPC, the IP address whitelist of the VPC type is used.
    • If you access the RDS database over a public endpoint, the IP address whitelist of the classic network type is used.
  • If you switch the network isolation mode of an ApsaraDB RDS instance from the standard whitelist mode to the enhanced whitelist mode, the following situations occur:

    The system generates two copies of the standard IP address whitelist and uses one copy as the enhanced IP address whitelist of the VPC type and the other copy as the enhanced IP address whitelist of the classic network type.

Other precautions for configuring a whitelist:

  • IP address whitelists do not interrupt the workloads on your RDS instance.
  • The IP address whitelist labeled default can be cleared, but cannot be deleted.
  • Do not modify or delete the IP address whitelists that are automatically generated for other Alibaba Cloud services. If you delete these IP address whitelists, the related Alibaba Cloud services cannot connect to your RDS instance. For example, if you delete an IP address whitelist ali_dms_group that is generated for Data Management (DMS) or an IP address whitelist hdm_security_ips that is generated for Database Autonomy Service (DAS), DMS and DAS cannot access your RDS instance.
    Note: We recommend that you create an IP address whitelist that is independent of other whitelists for DataWorks.
  • The IP address whitelist labeled default contains only 127.0.0.1. This indicates that no IP addresses can access your RDS instance.
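
The matching rules in this section (standard versus enhanced whitelists, and a default whitelist that contains only 127.0.0.1) can be checked offline before a synchronization node is run. The following Python code is an added example, not Alibaba Cloud code: the network type labels (vpc, classic, both), the result strings, the whitelist names other than default, and all addresses are constructed for illustration.

```python
import ipaddress

def parse_entries(text):
    """Parse a comma-separated whitelist string; a bare IP becomes a /32 network."""
    return [ipaddress.ip_network(e.strip(), strict=False)
            for e in text.split(",") if e.strip()]

def covers(nets, source):
    """True if the whole source (IP or CIDR) lies inside the union of nets."""
    src = ipaddress.ip_network(source, strict=False)
    same = [n for n in nets if n.version == src.version]
    # Merging adjacent entries first lets two /25 entries cover a /24 vSwitch.
    return any(src.subnet_of(m) for m in ipaddress.collapse_addresses(same))

def diagnose(groups, source, path):
    """groups: (name, network_type, entries) tuples; path: 'vpc' or 'public'.

    network_type is a label used only in this example: 'vpc' or 'classic' for
    enhanced whitelists, 'both' for a standard whitelist.
    """
    wanted = "vpc" if path == "vpc" else "classic"
    usable, other = [], []
    for _name, ntype, entries in groups:
        target = usable if ntype in (wanted, "both") else other
        target.extend(parse_entries(entries))
    if covers(usable, source):
        return "allowed"
    if covers(other, source):
        return "wrong-network-type"  # listed, but not for this access path
    return "not-whitelisted"

# Constructed sample: an RDS instance in enhanced whitelist mode.
ENHANCED = [
    ("default", "classic", "127.0.0.1"),
    ("dataworks_vpc", "vpc", "192.168.10.0/25,192.168.10.128/25"),
    ("dataworks_public", "classic", "203.0.113.17"),
]

if __name__ == "__main__":
    for src, path in [("192.168.10.0/24", "vpc"), ("203.0.113.17", "public"),
                      ("203.0.113.17", "vpc"), ("198.51.100.9", "public")]:
        print(src, path, diagnose(ENHANCED, src, path))
```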

For more information about how to configure an IP address whitelist for an RDS instance, see Configure an IP address whitelist for an ApsaraDB RDS for MySQL instance. You can use a similar method to configure a whitelist for another type of data source. For more information about how to configure whitelists for other types of data sources, see the related topics.

What to do next

If you use a self-managed database that is deployed on an Elastic Compute Service (ECS) instance, you must configure a security group to ensure that the resource group can read data from and write data to the database. For more information, see Configure a security group for an ECS instance where a self-managed data store resides.