Connect an on-premises database to DTS by using CEN

Last Updated: Nov 02, 2023

This topic describes how to connect an on-premises database to Data Transmission Service (DTS) by using Cloud Enterprise Network (CEN). To establish the connection, you must connect the database to Alibaba Cloud over Express Connect or Smart Access Gateway and deploy DTS in a virtual private cloud (VPC).

Background information

The cloud services discussed in this topic refer to the Alibaba Cloud services that use the 100.64.0.0/10 CIDR block to provide services, such as Object Storage Service (OSS), Log Service, and Data Transmission Service (DTS). If an on-premises network needs to access a cloud service, you must attach the VBR or CCN instance associated with the on-premises network to a CEN instance, and then attach a virtual private cloud (VPC) to the CEN instance. The VPC and the cloud resource must belong to the same region. This way, your on-premises network can access the VPC and access the cloud service through the VPC.

Figure: Access cloud services

Prerequisites

  • The on-premises network to which a self-managed database belongs is connected to Alibaba Cloud over Express Connect or Smart Access Gateway. For more information, see Connect a VPC to a data center in single-tunnel mode.

  • A CEN instance is created. For more information, see Create a CEN instance.

  • A VPC that belongs to the region in which DTS is deployed is attached to the CEN instance.

    Note

    For example, you have three VPCs in a region: VPC 1, VPC 2, and VPC 3. All of the VPCs are attached to the CEN instance. VPC 1 is used to access other cloud services such as OSS and Server Load Balancer (SLB). When you configure a DTS task, you must set the Connected VPC parameter to VPC 1.

  • A VPC that belongs to the region in which the cloud services are deployed is connected to a transit router. For more information, see Connect VPCs.

Procedure

  1. Log on to the CEN console.

  2. On the Instances page, click the ID of the CEN instance that you want to manage.

  3. On the Basic Settings > Transit Router tab, click the ID of the transit router that resides in the region in which DTS is deployed.

  4. Configure the transit router based on your business requirements.

    • Enterprise Edition transit router

      1. On the details page of the transit router, click the Route Table tab.

      2. On the Route Table tab, click the ID of the route table that you want to manage. On the Route Table Details page, click the Route Entry tab and click Add Route Entry.

      3. In the Add Route Entry dialog box, configure the following parameters and click OK.

        • Route Table: The route table to which you want to add a route entry. By default, the current route table is selected.

        • Transit Router: The transit router for which you want to add a route entry. By default, the current transit router is selected.

        • Name: The name of the route entry.

        • Destination CIDR: Enter the IP addresses or CIDR blocks that correspond to the region in which DTS is deployed. The IP addresses or CIDR blocks must belong to 100.64.0.0/10. For example, if you deploy DTS in the China (Hangzhou) region, you can enter the following CIDR blocks: 100.104.52.0/24, 100.104.61.128/26, 100.104.244.64/26, 100.104.216.192/26, 100.104.85.0/26, and 100.104.221.128/26. For more information about IP addresses or CIDR blocks in other regions, see Add the CIDR blocks of DTS servers to the security settings of on-premises databases.

          Note

          • You can enter only one IP address or CIDR block at a time. To add multiple IP addresses or CIDR blocks, you must repeat the preceding steps.

          • If you do not update the whitelist of the self-managed database at the earliest opportunity when new DTS servers are added, DTS may fail to connect to the database. To resolve this issue, we recommend that you directly add 100.104.0.0/16 to the value of this parameter.

        • Blackhole Route: Specifies whether the route is a blackhole route. In this example, No is selected.

        • Next Hop: The ID of the VPC that is attached to the transit router.

        • Description: The description of the route entry.

        Note

        For more information, see the Enable access to a cloud service from an Enterprise Edition transit router section of the "Access to cloud services" topic.

    • Basic Edition transit router

      1. On the details page of the transit router, click the Cloud Services tab.

      2. On the Cloud Services tab, click Configure AnyTunnel.

      3. In the Configure AnyTunnel dialog box, configure the following parameters and click OK.

        • Service IP Address: Enter the IP addresses or CIDR blocks that correspond to the region in which DTS is deployed. The IP addresses or CIDR blocks must belong to 100.64.0.0/10. For example, if you deploy DTS in the China (Hangzhou) region, you can enter the following CIDR blocks: 100.104.52.0/24, 100.104.61.128/26, 100.104.244.64/26, 100.104.216.192/26, 100.104.85.0/26, and 100.104.221.128/26. For more information about IP addresses or CIDR blocks in other regions, see Add the CIDR blocks of DTS servers to the security settings of on-premises databases.

          Note

          • You can enter only one IP address or CIDR block at a time. To add multiple IP addresses or CIDR blocks, you must repeat the preceding steps.

          • If you do not update the whitelist of the self-managed database at the earliest opportunity when new DTS servers are added, DTS may fail to connect to the database. To resolve this issue, we recommend that you directly add 100.104.0.0/16 to the value of this parameter.

        • Service Region: Select the region in which the DTS instance resides.

          Important

          You must set the Service Region parameter to the destination region regardless of whether you migrate or synchronize data within the same region or across different regions. For example, if you use DTS to migrate or synchronize data from a self-managed database in the China (Hangzhou) or China (Beijing) region to an ApsaraDB RDS for MySQL instance in the China (Hangzhou) region, you must set the Service Region parameter to China (Hangzhou). In addition, you must set the Service VPC parameter to a VPC that belongs to the China (Hangzhou) region.

        • Service VPC: Select the VPC that is attached to the CEN instance. After you configure all the parameters described in this table, the on-premises network that is connected to the VBR or CCN instance can access DTS over the VPC.

          Note

          • If you use DTS to synchronize data across regions, you must set the Service VPC parameter to a VPC that belongs to the destination region. For example, if you synchronize data from a self-managed database in the China (Beijing) region to an ApsaraDB RDS for MySQL instance in the China (Hangzhou) region, you must set the Service VPC parameter to a VPC that belongs to the China (Hangzhou) region. The VPC must be attached to the CEN instance to ensure that the self-managed database can access DTS over the VPC.

          • For example, you have three VPCs in a region: VPC 1, VPC 2, and VPC 3. All of the VPCs are attached to the CEN instance. VPC 1 is used to access other cloud services such as OSS and SLB. When you configure a DTS task, you must set the Connected VPC parameter to VPC 1.

        • Access Region: Select the region in which the VBR or CCN instance that is used to access DTS resides.

          Important

          If the self-managed database is connected to Alibaba Cloud by using a VBR instance, you can use CEN to access DTS only in the region in which the VBR instance resides.

        • Description: Enter the description of DTS.

          The description can be empty or 2 to 256 characters in length. It must start with a letter, and can contain letters, digits, hyphens (-), periods (.), and underscores (_). It cannot start with http:// or https://.

Connect databases to DTS across Alibaba Cloud accounts or regions

You can connect databases to DTS across Alibaba Cloud accounts or regions by using CEN. This way, you can configure DTS tasks to migrate or synchronize data or track data changes across Alibaba Cloud accounts or regions. For more information, see Use Enterprise Edition transit routers to connect VPCs across regions and accounts.

Note

You can configure connections across Alibaba Cloud accounts or regions based on your business requirements.

What to do next

When you configure a data migration, data synchronization, or change tracking task, select Cloud Enterprise Network (CEN) for the Access Method parameter and configure the following parameters. You can then use the on-premises database as the source or destination database. For more information, see Overview of data migration scenarios or Overview of data synchronization scenarios.

  • CEN Instance ID: The ID of the CEN instance.

  • Connected VPC: The VPC that is configured for the Service VPC parameter.

  • Database Type: The type of the self-managed database.

  • IP address (domain name is not supported): The IP address of the server on which the self-managed database is deployed.

  • Port Number: The port number of the server on which the self-managed database is deployed.

  • Database Account: The database account of the self-managed database.

  • Database Password: The password of the database account.

FAQ

Q: Why am I unable to connect an on-premises database to DTS over Express Connect even after I have configured an access control list (ACL) in the firewall settings of the VPC to allow all access?

A: You can perform the following operations to troubleshoot the issue:

  • Check whether all the CIDR blocks of DTS servers are added when you set the Service IP Address parameter in the CEN console. Add a route to allow the on-premises database to access DTS, and then configure the DTS task again. For more information, see the Procedure section of this topic.

  • Check whether the routes to all the required CIDR blocks of DTS servers are configured on your on-premises network. Point the CIDR blocks of DTS servers to the customer-premises equipment (CPE) on the on-premises network.

  • Check whether an ACL is configured in the firewall settings of the VPC to allow access from DTS. DTS fails to establish a connection with the on-premises database if the packets of DTS servers are blocked. When you configure the ACL, you must set the source IP addresses to the CIDR blocks of DTS servers and the destination IP addresses to the CIDR blocks of the on-premises database. Then, the DTS servers can connect to the on-premises database as expected at Layer 4.

Q: What do I do when I receive a notification indicating that the new CIDR blocks of DTS servers need to be added to the whitelist?

A: You must perform the following operations:

  • Add the new CIDR blocks of DTS servers by configuring the Service IP Address parameter in the CEN console. For more information, see the Procedure section of this topic.

  • Point the new CIDR blocks of DTS servers to the CPE on the on-premises network.

  • Add the new CIDR blocks of DTS servers to the ACL of the on-premises database. If other ACLs apply to the network connection, configure the ACLs by setting the source IP addresses to the CIDR blocks of DTS servers and the destination IP addresses to the CIDR blocks of the on-premises database.
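
The coverage checks in the two FAQ answers above can be scripted and run against each layer in turn (CEN entries, on-premises routes, ACLs). The following Python code is an added example, not Alibaba Cloud code: it uses the China (Hangzhou) CIDR blocks quoted in this topic, and the helper name audit and the sample ACL entries are constructed for illustration.

```python
import ipaddress

# DTS CIDR blocks for China (Hangzhou), as quoted in this topic.
DTS_HANGZHOU = ["100.104.52.0/24", "100.104.61.128/26", "100.104.244.64/26",
                "100.104.216.192/26", "100.104.85.0/26", "100.104.221.128/26"]
SERVICE_RANGE = ipaddress.ip_network("100.64.0.0/10")


def audit(required, configured):
    """Audit one layer (CEN entries, on-premises routes, or an ACL) against
    the DTS blocks that must be reachable. Hypothetical helper."""
    # ip_network raises ValueError on malformed input or set host bits.
    req = [ipaddress.ip_network(c) for c in required]
    cfg = [ipaddress.ip_network(c) for c in configured]
    # Merge adjacent entries so that two /25s count as covering a /24.
    merged = list(ipaddress.collapse_addresses(cfg))
    report = {
        # Entries that break the rule "must belong to 100.64.0.0/10".
        "outside_service_range": [str(n) for n in cfg
                                  if not n.subnet_of(SERVICE_RANGE)],
        # DTS blocks with no covering entry at this layer.
        "missing": [str(r) for r in req
                    if not any(r.subnet_of(m) for m in merged)],
        # Entries that admit more addresses than the DTS blocks they cover,
        # mapped to the number of extra addresses they allow.
        "broader_than_required": {},
    }
    for n in cfg:
        covered = sum(r.num_addresses for r in req if r.subnet_of(n))
        if covered and n.num_addresses > covered:
            report["broader_than_required"][str(n)] = n.num_addresses - covered
    return report


# Constructed sample: an on-premises ACL that was only partly updated.
SAMPLE_ACL = ["100.104.52.0/25", "100.104.52.128/25", "100.104.61.128/26",
              "100.104.244.64/26", "100.104.85.0/26", "10.0.0.0/8"]

if __name__ == "__main__":
    for name, entries in [("sample ACL", SAMPLE_ACL),
                          ("catch-all", ["100.104.0.0/16"])]:
        print(name, audit(DTS_HANGZHOU, entries))
```

A non-empty missing list at any layer corresponds to the connection failures described in the FAQ. The broader_than_required count shows how many non-DTS addresses an entry such as 100.104.0.0/16 also admits when it is reused as an ACL source.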