If you want to collect the metadata of a data source or use the category management feature in Data Map, you must configure an IP address whitelist for your MaxCompute project or the data source. Then, add the CIDR blocks of the region in which your DataWorks workspace resides to the whitelist. Before you manage categories in Data Map, you must also grant the related permissions to the account that you use. This topic describes how to configure IP address whitelists for metadata collection.

Background information

The metadata collection feature allows you to collect metadata from different data sources. This way, you can manage the metadata in a centralized manner. After the metadata of a data source is collected, you can view the metadata in Data Map. Before you collect metadata from the data source, check whether an IP address whitelist is configured for the data source. If a whitelist is configured, make sure that the CIDR blocks of the region where your DataWorks workspace resides are in the whitelist.

If the connectivity test fails when you collect metadata from a data source, check the configuration of the data source on the Data Source page. If you selected Connection string mode for the Data source type parameter when you added the data source, you cannot enter the address of the VPC in which the data source resides in the JDBC URL field. For more information, see Supported data sources, readers, and writers.

Configure an IP address whitelist for metadata collection from a data source

  1. Check whether the whitelist feature is enabled for the data source.
    Data Map allows you to collect metadata from the following types of data sources:
    The method used to check whether the whitelist feature is enabled varies based on the data source type. You can submit a ticket to consult technical support.
    If the whitelist feature is not enabled for the data source, you can directly use Data Map to collect metadata from the data source. If the whitelist feature is enabled, go to the next step.
  2. Configure a whitelist.
    Add the CIDR blocks of the region in which your DataWorks workspace resides to a whitelist. The following table lists the CIDR blocks of each region. The location where you add the CIDR blocks varies based on the data source type. You can submit a ticket to consult technical support.
    | Region | CIDR blocks |
    | --- | --- |
    | China (Shanghai) | 100.104.189.64/26,11.115.110.10/24,11.115.109.9/24,47.102.181.128/26,47.102.181.192/26,47.102.234.0/26,47.102.234.64/26,100.104.38.192/26 |
    | China (Hangzhou) | 100.104.135.128/26,11.193.215.233/24,11.194.73.32/24,118.31.243.0/26,118.31.243.64/26,118.31.243.128/26,118.31.243.192/26,100.104.242.0/26 |
    | China (Shenzhen) | 100.104.46.128/26,11.192.91.119/24,120.77.195.128/26,120.77.195.192/26,120.77.195.64/26,47.112.86.0/26,100.104.138.128/26 |
    | China (Beijing) | 100.104.37.128/26,11.193.82.20/24,11.197.254.171/24,39.107.223.0/26,39.107.223.64/26,39.107.223.128/26,39.107.223.192/26,100.104.152.128/26 |
    | China (Chengdu) | 100.104.88.64/26,11.195.57.28/24,47.108.46.0/26,47.108.46.64/26,47.108.46.128/26,47.108.46.192/26,100.104.248.128/26 |
    | China (Zhangjiakou) | 100.104.197.0/26,11.193.236.121/24,47.92.185.0/26,47.92.185.64/26,47.92.185.128/26,47.92.185.192/26,100.104.75.64/26 |
    | UK (London) | 8.208.84.22,100.104.161.0/26 |
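
Several entries in the table above are written with host bits set (for example 11.115.110.10/24), and 8.208.84.22 is a bare address. The following added example (not part of the original documentation) normalizes such entries and audits a data source's whitelist against the blocks required for a region. The function names, the sample whitelist, and the /16 "too broad" threshold are assumptions made for illustration.

```python
import ipaddress

# Two rows copied from the table above; add the row for your own region.
REGION_CIDRS = {
    "China (Shanghai)": "100.104.189.64/26,11.115.110.10/24,11.115.109.9/24,"
                        "47.102.181.128/26,47.102.181.192/26,47.102.234.0/26,"
                        "47.102.234.64/26,100.104.38.192/26",
    "UK (London)": "8.208.84.22, 100.104.161.0/26",
}

def parse_blocks(csv):
    """Parse a comma-separated whitelist into normalized IPv4 networks.

    strict=False accepts entries with host bits set (11.115.110.10/24 becomes
    11.115.110.0/24); a bare address such as 8.208.84.22 becomes a /32.
    """
    return [ipaddress.ip_network(item.strip(), strict=False)
            for item in csv.split(",") if item.strip()]

def audit_whitelist(region, configured_csv, min_prefixlen=16):
    """Compare a configured whitelist with the blocks required for a region.

    Returns (missing, too_broad). too_broad lists configured entries wider
    than /min_prefixlen (assumed threshold). missing lists required blocks
    that no remaining entry covers, so an over-broad entry such as 0.0.0.0/0
    does not hide a gap that would appear once it is removed.
    """
    required = parse_blocks(REGION_CIDRS[region])
    configured = parse_blocks(configured_csv)
    too_broad = [c for c in configured if c.prefixlen < min_prefixlen]
    usable = [c for c in configured if c.prefixlen >= min_prefixlen]
    missing = [r for r in required
               if not any(r.subnet_of(c) for c in usable)]
    return [str(n) for n in missing], [str(n) for n in too_broad]

# Constructed sample: a whitelist as an administrator might have entered it.
SAMPLE_CONFIGURED = ("100.104.189.64/26,11.115.110.0/24,11.115.109.0/24,"
                     "47.102.181.128/25,47.102.234.0/26,0.0.0.0/0")

if __name__ == "__main__":
    missing, too_broad = audit_whitelist("China (Shanghai)", SAMPLE_CONFIGURED)
    print("missing:", missing)
    print("too broad:", too_broad)
```

A required block counts as covered when it is equal to, or contained in, a configured entry, so the two 47.102.181.x/26 blocks are satisfied by the single /25 in the sample.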

Precautions for configuring an IP address whitelist

In this section, ApsaraDB RDS is used in the example to describe the precautions for configuring a whitelist. When you add CIDR blocks to a whitelist of an ApsaraDB RDS instance for metadata collection, take note of the following items:

ApsaraDB RDS supports standard whitelists and enhanced whitelists. The IP address whitelist that you configured for the RDS instance may affect the connection to the instance.

  • If you configure a standard whitelist for the RDS instance, the following situations occur:
    • You can add CIDR blocks from both the classic network and VPCs to the same whitelist.
    • Shared resource groups and exclusive resource groups for scheduling use the same whitelist.
      Note: The CIDR blocks in a standard whitelist are granted access to your RDS instance over both the classic network and VPCs.
  • If you configure an enhanced whitelist for the RDS instance, the following situations occur:
    • You must add CIDR blocks from the classic network and VPCs to different whitelists.
      Note: You must specify the network isolation mode of each enhanced whitelist. For example, if the Network Type Allowed for Instance Access parameter is set to Classic Network/Public IP for a whitelist, the CIDR blocks in the whitelist are granted access to your RDS instance only over the classic network. In this case, you cannot connect to your RDS instance over VPCs from these CIDR blocks.
    • If you use an exclusive resource group for scheduling to access the RDS database over a VPC, the whitelist of the VPC type is used.
    • If you use the shared resource group to access an ApsaraDB RDS for MySQL instance that resides in a VPC, the whitelist of the VPC type is used.
    • If you access the RDS database over the Internet or the classic network, the whitelist of the classic network type is used.
  • If you switch the network isolation mode of an RDS instance from the standard whitelist mode to the enhanced whitelist mode, the following situations occur:
    • The standard whitelist is replicated into two enhanced whitelists that contain the same CIDR blocks. The two enhanced whitelists have different network isolation modes.

Other notes about whitelist configuration:

  • When you configure whitelists, the workloads on your RDS instance are not interrupted.
  • The whitelist labeled default can be cleared, but cannot be deleted.
  • Do not modify or delete the whitelists that are generated by other Alibaba Cloud services. If you delete these whitelists, the related Alibaba Cloud services cannot connect to your RDS instance. For example, if you delete a whitelist ali_dms_group that is generated for Data Management (DMS) or a whitelist hdm_security_ips that is generated for Database Autonomy Service (DAS), DMS and DAS cannot access your RDS instance.
    Note: We recommend that you create a separate whitelist for DataWorks in your RDS instance.
  • The whitelist labeled default contains only the 127.0.0.1 IP address. This indicates that no IP addresses can access your RDS instance.

For more information about how to configure a whitelist in your RDS instance, see Configure an IP address whitelist for an ApsaraDB RDS for MySQL instance. You can use a similar method to configure whitelists for other types of data sources. For details, see the related instructions for each data source type.

What to do next

After the whitelists are configured and category management permissions are granted, you can view MaxCompute table data, collect metadata, or manage categories in Data Map. For more information, see Collect metadata or Manage table categories and visibility.