Before you add or back up a data source by using Database Backup (DBS), you must add the CIDR blocks of the DBS server to the security settings of the data source. If the type of the data source is User-Created Database with Public IP Address <IP Address:Port Number> and security settings such as firewall settings are specified on the self-managed database, you must manually add the CIDR blocks of the DBS server to the security settings of the self-managed database. This topic describes how to manually add the CIDR blocks of the DBS server to the security settings of self-managed databases.

Scenarios

  • Automatically add the CIDR blocks of the DBS server to the security settings of a data source

    If the data source that you want to add or back up is an ApsaraDB instance, such as an ApsaraDB RDS instance, a PolarDB instance, or an ApsaraDB for MongoDB instance, or a self-managed database hosted on an Elastic Compute Service (ECS) instance, DBS automatically adds the CIDR blocks of the DBS server to the IP whitelists of the ApsaraDB instance or the security groups of the ECS instance. You do not need to manually configure the security settings of the ApsaraDB instance or ECS instance.

    Note: If you log on as a RAM user, make sure that the AliyunDBSFullAccess and AliyunOSSFullAccess policies are attached to the RAM user. Otherwise, DBS cannot automatically add the CIDR blocks of the DBS server to the IP whitelists of ApsaraDB instances or the security groups of ECS instances due to insufficient permissions. For more information, see Grant permissions to a RAM user.

  • Manually add the CIDR blocks of the DBS server to the security settings of a data source

    If the type of the data source is User-Created Database with Public IP Address <IP Address:Port Number> and security settings such as firewall settings are specified on the self-managed database, you must manually add the CIDR blocks of the DBS server to the security settings of the self-managed database.

    If the type of the data source is Express Connect DB/VPN Gateway/Intelligent Gateway, you must add the CIDR blocks of the DBS server to the virtual private clouds (VPCs) that are used. For more information, see Back up a user-created database in an on-premises data center connected to Alibaba Cloud through Express Connect to OSS or DBS and Back up a user-created database in an on-premises data center connected to Alibaba Cloud through VPN Gateway or Smart Access Gateway to OSS or DBS.

Procedure

  1. When you add or back up a data source, click Set Whitelist.
  2. In the message that appears, copy all the CIDR blocks of the DBS server.

    The CIDR blocks of the DBS server that are displayed in the message vary with the region that you select.

  3. Add the CIDR blocks of the DBS server to the security settings of the data source. For example, add the CIDR blocks of the DBS server to the firewall settings of the on-premises server network, the database firewall settings, or a security group of the ECS instance on which the data source is hosted.

    After the CIDR blocks of the DBS server are added to the security settings of the data source, DBS can access the data source by using the username and password that you specify.

    Security settings may be configured to allow the username to access the data source only from specified IP addresses. For example, if 'username'@'localhost' is configured, the username can access the data source only from the local host. In such cases, DBS cannot connect to the data source by using the username. To resolve this issue, change the administrator permissions of the username or specify another username.

    To add the CIDR blocks of the DBS server to a security group of an ECS instance, perform the following steps:

    1. On the Instances page of the ECS console, find the ECS instance to which you want to add the CIDR blocks of the DBS server. Choose More > Network and Security Group > Configure Security Group in the Actions column.
    2. Click the security group that you want to configure.
    3. On the Inbound tab, click Quick Add.
    4. In the Quick Add dialog box, paste the copied CIDR blocks into the Authorization Object field. In the Port Range section, select All (1/65535) and click OK.
      The CIDR blocks of the DBS server are added to the security group of the ECS instance.
      Note: By default, outbound rules of a security group allow you to access ECS instances from all IP addresses. If you disable the outbound traffic for a security group, you must add the CIDR blocks of the DBS server to the outbound rules of the security group.
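
The following check is an added example, not part of the original DBS documentation. It validates the CIDR blocks copied in step 2 and reports which of them a MySQL-style account host value such as 'username'@'localhost' would still reject after the firewall is opened. The CIDR values are constructed placeholders from documentation ranges, the function names are hypothetical, and the host matching is a simplified IPv4-only model (%, octet wildcards, ip/netmask, single address).

```python
import ipaddress
import re

# Constructed sample: stands in for the text copied from the Set Whitelist message.
SAMPLE_PASTED = "198.51.100.0/24, 203.0.113.0/25"

def parse_cidr_blocks(pasted):
    """Split the copied text and return validated IPv4 networks."""
    nets = []
    for token in re.split(r"[,\s]+", pasted.strip()):
        if not token:
            continue
        # strict=True raises ValueError on typos and on blocks with host bits set.
        net = ipaddress.IPv4Network(token, strict=True)
        if net.prefixlen == 0:
            raise ValueError("refusing to allow 0.0.0.0/0")
        nets.append(net)
    return nets

def host_to_network(host):
    """Map an account host value to the network it admits.

    Returns None for values that admit no remote address (localhost) or
    that this simplified check cannot express as a single network.
    """
    if host == "%":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if "/" in host:  # ip/netmask form, e.g. 198.51.100.0/255.255.255.0
        return ipaddress.IPv4Network(host, strict=False)
    m = re.fullmatch(r"((?:\d{1,3}\.){1,3})%", host)  # e.g. 198.51.100.%
    if m:
        octets = m.group(1).rstrip(".").split(".")
        addr = ".".join(octets + ["0"] * (4 - len(octets)))
        return ipaddress.IPv4Network(f"{addr}/{8 * len(octets)}")
    try:
        return ipaddress.IPv4Network(host)  # single address becomes a /32
    except ValueError:
        return None  # hostname such as 'localhost'

def blocked_networks(host, dbs_networks):
    """Return the DBS networks from which this account host value rejects logins."""
    admitted = host_to_network(host)
    if admitted is None:
        return list(dbs_networks)
    return [n for n in dbs_networks if not n.subnet_of(admitted)]
```

An empty result from blocked_networks means the account host value admits every copied CIDR block; any network it returns still needs the account change described in step 3.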

FAQ

  • Q: What do I do if the CIDR blocks of the DBS server fail to be automatically added to a security group of an ECS instance?

    A: If you revoke the access permissions of DBS on ECS instances, the CIDR blocks of the DBS server fail to be automatically added to the security groups of the ECS instances. To resolve this issue, you must manually add the CIDR blocks of the DBS server to the security groups of the ECS instances.