Add the CIDR blocks of DTS servers to the security settings of on-premises databases -

If your self-managed databases are not deployed on Alibaba Cloud, they may accept connections only from specific IP addresses. In this case, you must configure the security settings of your self-managed databases to allow access from Data Transmission Service (DTS) servers. For example, if you deploy a firewall for a database, you must add the CIDR blocks of DTS servers to the IP whitelist of the firewall. For more information about the CIDR blocks of DTS servers in different regions, see Whitelist DTS IP ranges for your user-created database.

Data migration and change tracking

Data migration
If the source and destination databases of a data migration task are of the self-managed database with a public IP address, self-managed database without a public IP address or port number (connected over Database Gateway), self-managed database connected over Cloud Enterprise Network (CEN), or self-managed database connected over Express Connect, VPN Gateway, or Smart Access Gateway database type, you must modify the database security settings. You must add the CIDR blocks of DTS servers that reside in the same region as the source or destination database to the security settings.

For example, the source database is deployed in the China (Shenzhen) region and the destination database is deployed in the China (Hangzhou) region. In this case, you must add the CIDR blocks of DTS servers in the China (Hangzhou) region to the security settings of the source and destination databases.
Change tracking
If the database of a change tracking task is of the self-managed database with a public IP address, self-managed database without a public IP address or port number (connected over Database Gateway), or self-managed database connected over Express Connect, VPN Gateway, or Smart Access Gateway database type, you must modify the database security settings. You must add the CIDR blocks of DTS servers that reside in the same region as the database to the security settings.

Note If your source or destination database is of the self-managed database with a public IP address database type, and the region of your self-managed database is not within the regions of DTS, we recommend that you add the IP address of the DTS server in the China (Hangzhou) region.

Table 1. CIDR blocks of DTS servers

**Warning**

If the source or destination database instance is an Alibaba Cloud database instance, such as an ApsaraDB RDS for MySQL or ApsaraDB for MongoDB instance, or is a self-managed database hosted on Elastic Compute Service(ECS), DTS automatically adds the CIDR blocks of DTS servers to a whitelist of the database instance or ECS security group rules. For more information, see Add the CIDR blocks of DTS servers to the security settings of on-premises databases. If the source or the destination database is a self-managed database on data centers or is from other cloud service providers, you must manually add the CIDR blocks of DTS servers to allow DTS to access the database.

If the CIDR blocks of DTS servers are automatically or manually added to a whitelist of the database instance or ECS security group rules, security risks may arise. Therefore, before you use DTS to migrate data, you must understand and acknowledge the potential risks and take preventive measures, including but not limited to the following measures: enhance the security of your account and password, limit the ports that are exposed, authenticate API calls, regularly check the whitelist or ECS security group rules and forbid unauthorized CIDR blocks, and connect the database to DTS by using Express Connect, VPN Gateway, or Smart Access Gateway.

After the DTS task is complete or released, we recommend that you manually detect and remove the added CIDR blocks from the whitelist of the database instance or ECS security group rules.

**Note** When an on-premises database is connected to Alibaba Cloud over CEN, Express Connect, VPN Gateway, Smart Access Gateway, or Database Gateway, the CIDR block added to the database security settings is a subnet range of the CIDR block of Alibaba Cloud 100.64.0.0/10.
Region	CIDR blocks to add when an on-premises database is connected to Alibaba Cloud over the Internet	CIDR blocks to add when an on-premises database is connected to Alibaba Cloud over CEN, Express Connect, VPN Gateway, Smart Access Gateway, or Database Gateway
China (Hangzhou)	101.37.14.0/24,114.55.89.0/24,115.29.198.0/24,118.178.120.0/24,118.178.121.0/24,120.26.106.0/24,120.26.116.0/24,120.26.117.0/24,120.26.118.0/24,120.55.192.0/24,120.55.193.0/24,120.55.194.0/24,120.55.241.0/24,121.40.125.0/24,121.196.246.0/24,101.37.12.0/24,101.37.13.0/24,101.37.15.0/24,101.37.25.0/24,47.96.39.0/24,118.31.165.0/24,118.31.246.0/24,120.55.12.0/24,47.97.7.0/24,47.97.27.142,47.97.73.210,121.43.162.118,121.43.185.141,121.196.211.16,114.55.125.94,121.43.179.168,121.43.174.187,47.99.171.0/24,118.31.118.0/24,47.97.118.0/24,47.98.251.0/24,47.99.43.0/24,47.97.195.0/24,120.27.211.0/24,47.97.125.0/24,47.98.52.0/24,47.97.116.0/24,47.97.119.0/24,47.98.51.0/24,47.97.106.0/24,116.62.172.0/24,120.55.40.0/24,47.98.39.0/24,121.43.162.0/24,47.97.73.0/24,121.43.174.0/24,114.55.125.0/24,47.97.27.0/24,121.43.179.0/24,121.43.185.0/24,118.31.238.0/24,118.31.43.0/24,118.31.38.0/24,101.37.152.0/24,120.55.60.0/24,101.37.149.0/24,47.98.103.0/24,47.98.101.0/24,47.98.96.0/24,118.31.45.0/24,47.97.103.0/24,47.96.31.0/24,47.98.115.0/24,47.96.15.0/24,121.40.66.0/24,120.55.67.0/24,112.124.6.0/24,121.41.48.20,121.199.28.0/24,121.41.49.0/24,121.40.249.0/24,121.41.50.0/24,121.196.211.0/24,112.124.237.96/27,112.124.239.0/26,118.31.37.0/24,121.40.111.0/24,121.41.113.0/24,121.40.155.0/24,121.41.104.0/24,121.41.106.0/24,47.97.98.0/24,120.26.42.0/24,114.55.92.0/24,120.55.94.0/24,114.55.36.0/24,116.62.171.0/24,121.40.60.0/24,121.43.233.0/24,121.41.73.0/24,112.124.140.0/24,120.55.129.0/24,47.102.181.0/24,47.102.234.0/24,47.101.109.0/24,118.31.243.0/24	100.104.52.0/24,100.104.61.128/26,100.104.244.64/26,100.104.216.192/26,100.104.85.0/26,100.104.221.128/26,100.104.2.0/26,100.104.251.192/26,100.104.159.64/26,100.104.216.128/26
China (Shanghai)	139.196.17.0/24,139.196.18.0/24,139.196.25.0/24,139.196.27.0/24,139.196.154.0/24,139.196.116.0/24,139.196.254.0/24,139.196.166.0/24,106.14.46.0/24,106.14.37.0/24,106.14.36.0/24,106.15.250.0/24,101.132.248.0/24,47.100.95.0/24,106.15.73.0/24,106.15.75.0/24,47.100.137.0/24,106.14.177.89,106.14.178.118,139.196.138.36,106.14.4.132,139.196.92.27,139.196.143.11,139.196.44.156,139.196.6.35,139.196.50.106,139.196.25.56,139.196.47.137,139.196.6.124,139.196.49.138,139.196.41.168,139.196.48.218,139.196.51.72,47.101.194.0/24,47.101.166.0/24,47.101.181.0/24,47.101.177.0/24,47.100.186.0/24,139.196.6.0/24,139.196.138.0/24,139.196.51.0/24,139.196.49.0/24,106.14.177.0/24,139.196.48.0/24,106.14.178.0/24,106.14.4.0/24,139.196.41.0/24,139.196.44.0/24,139.196.92.0/24,139.196.143.0/24,139.196.47.0/24,47.101.175.0/24,101.132.174.0/24,139.196.52.0/24,47.101.31.0/24,47.100.3.0/24,47.100.160.244,47.101.61.0/24,47.101.205.0/24,106.14.95.0/24,101.132.133.0/24,139.224.19.0/24,139.196.155.0/24,47.102.40.0/24,106.15.248.0/24,139.196.209.0/24,101.132.17.0/24,106.14.105.0/24,101.132.223.0/24,101.133.205.0/24,112.124.140.0/24,120.55.129.0/24,47.102.181.0/24,47.102.234.0/24,47.101.109.0/24,47.103.61.0/24,47.103.23.0/24,47.103.197.0/24,47.103.194.0/24,47.103.156.0/24,47.103.206.0/24,47.103.196.0/24,47.103.199.0/24,47.103.151.0/24,47.103.200.0/24,47.103.97.0/24,47.103.108.0/24	100.104.205.0/24,100.104.226.128/26,100.104.149.64/26,100.104.241.128/26,100.104.177.128/26
China (Qingdao)	115.28.200.0/24,115.28.216.0/24,115.28.226.0/24,115.28.247.0/24,118.190.133.0/24,120.27.53.0/24,10.31.69.0/24,10.144.88.0/24,10.144.153.0/24,10.161.39.0/24,10.161.59.0/24,10.252.29.0/24,100.104.72.0/24,47.104.10.200,118.190.157.247,47.104.19.209,47.104.105.196,47.104.97.251,118.190.207.25,118.190.207.194,118.190.159.0/24,118.190.158.0/24,112.124.140.0/24,120.55.129.0/24,47.102.181.0/24,47.102.234.0/24,47.101.109.0/24	100.104.72.0/24,100.104.35.192/26,100.104.12.0/26,100.104.111.0/26
China (Beijing)	112.126.80.0/24,112.126.87.0/24,112.126.91.0/24,112.126.92.0/24,123.56.108.0/24,123.56.137.0/24,123.56.148.0/24,123.56.164.0/24,123.57.48.0/24,182.92.153.0/24,101.200.174.0/24,101.200.160.0/24,101.200.176.0/24,47.94.36.0/24,47.94.47.0/24,101.201.214.0/24,101.201.82.0/24,123.56.182.0/24,101.201.105.0/24,182.92.132.0/24,60.205.157.0/24,101.201.107.0/24,60.205.164.0/24,60.205.165.0/24,59.110.4.0/24,59.110.17.0/24,123.56.186.0/24,60.205.146.0/24,59.110.37.0/24,59.110.19.0/24,60.205.112.0/24,60.205.243.0/24,59.110.38.0/24,60.205.197.0/24,60.205.166.0/24,101.200.194.0/24,101.200.182.0/24,123.57.204.0/24,101.200.235.0/24,123.57.206.0/24,123.57.65.0/24,47.94.167.117/32,182.92.157.129/32,101.200.39.123/32,101.200.192.4/32,39.105.58.165/32,101.200.213.59/32,59.110.164.0/24,47.94.150.0/24,39.105.56.0/24,47.93.21.0/24,47.93.30.0/24,47.93.24.0/24,60.205.222.0/24,60.205.186.0/24,47.93.22.174/32,47.93.10.168/32,47.94.246.43/32,47.94.94.233/32,47.95.241.173/32,59.110.155.242/32,60.205.230.219/32,101.200.50.74/32,101.201.65.33/32,112.126.96.49/32,112.126.96.184/32,112.126.98.30/32,112.126.99.22/32,112.126.99.87/32,112.126.99.205/32,39.105.247.0/24,8.131.132.0/26,39.105.161.255/32,123.56.70.208/32,101.200.120.94/32,123.57.238.231/32,182.92.217.14/32,47.94.240.86/32,47.94.2.56/32,59.110.226.187/32,47.94.210.30/32,47.93.236.163/32,47.94.212.10/32,47.95.241.0/24,101.201.152.0/24,47.93.10.0/24,182.92.217.0/24,112.126.96.0/24,101.200.192.0/24,123.56.244.0/24,101.200.215.0/24,123.56.43.0/24,101.200.72.0/24,123.56.100.0/24,123.57.166.0/24,182.92.196.0/24,101.200.141.0/24,123.57.136.0/24,123.57.5.0/24,182.92.0.0/24,39.106.90.0/24,123.56.128.0/24,123.57.205.0/24,101.200.189.0/24,101.200.209.0/24,112.124.140.0/24,120.55.129.0/24,47.102.181.0/24,47.102.234.0/24,47.101.109.0/24,100.104.143.0/26,100.104.201.0/26,100.104.247.64/26,100.104.232.128/26	100.104.183.0/24,100.104.236.128/26,100.104.227.192/26,100.104.128.192/26,100.104.11.64/26,100.104.84.128/26,100.104.200.64/26
China (Zhangjiakou)	47.92.22.0/24,47.92.185.0/26,47.92.185.64/26,47.92.185.128/26,47.92.185.192/26,39.98.96.0/26,39.98.96.128/26,39.98.96.192/26,39.98.96.64/26,39.101.252.128/26,47.92.22.110,47.92.22.16,47.92.22.131,47.92.22.169,47.92.22.212,47.92.22.211,47.92.22.210,47.92.22.209,47.92.22.208,47.92.22.68,112.124.140.0/24,120.55.129.0/24,47.102.181.0/24,47.102.234.0/24,47.101.109.0/24,100.104.144.128/26,100.104.84.128/26,100.104.52.0/26,100.104.32.64/26	100.104.175.0/24,100.104.249.0/26,100.104.180.192/26
China (Hohhot)	39.104.29.0/24,112.124.140.0/24,120.55.129.0/24,47.102.181.0/24,47.102.234.0/24,47.101.109.0/24	100.104.72.0/24
China (Shenzhen)	120.78.6.0/24,120.78.5.0/24,47.115.165.0/24,47.115.166.0/24,47.115.162.0/24,47.115.161.0/24,120.24.65.0/24,120.24.67.0/24,120.24.160.0/24,120.25.215.0/24,120.24.214.0/24,120.24.223.0/24,120.25.124.0/24,120.25.107.0/24,120.25.79.0/24,112.74.211.0/24,120.24.174.0/24,120.24.173.0/24,120.25.150.0/24,112.74.98.0/24,120.25.123.0/24,112.74.97.0/24,47.106.221.0/24,120.78.184.0/24,47.107.118.0/24,47.106.38.0/24,39.108.66.0/24,39.108.110.0/24,47.113.76.192/26,120.25.248.86,120.24.64.155,120.25.105.105,47.106.37.166,47.112.160.156,120.79.71.173,120.79.74.179,112.74.44.248,120.79.72.217,120.79.68.184,120.79.71.129,120.77.195.128/26,120.77.195.192/26,47.106.63.192/26,112.124.140.0/24,120.55.129.0/24,47.102.181.0/24,47.102.234.0/24,47.101.109.0/24,120.78.179.0/24,120.77.61.0/24,120.24.177.0/24,120.79.101.0/24,119.23.189.0/24,120.77.234.0/24,47.112.115.0/24,120.76.231.0/24,120.79.26.0/24,47.107.224.0/24,119.23.104.0/24,120.77.28.0/24,120.77.68.0/24,120.77.73.0/24,47.112.103.0/24,119.23.66.0/24,47.106.10.0/24,47.107.29.0/24,119.23.186.0/24,120.76.218.0/24,47.107.66.0/24,10.66.94.0/24,120.77.69.0/24	100.104.75.64/26,100.104.235.192/26,100.104.205.0/24,100.104.41.64/26,100.104.171.128/26
China (Heyuan)	47.113.158.0/26,47.113.157.64/26,47.113.157.128/25	100.104.147.192/26
China (Guangzhou)	8.134.79.124,8.134.79.169,8.134.79.140/30,112.124.140.0/24,120.55.129.0/24,47.102.181.0/24,47.102.234.0/24,47.101.109.0/24	100.104.132.64/26,100.104.240.128/26,100.104.122.128/26,100.104.233.0/26
China (Chengdu)	47.109.5.0/26,112.124.140.0/24,120.55.129.0/24,47.102.181.0/24,47.102.234.0/24,47.101.109.0/24,100.104.166.64/26,100.104.100.128/26,100.104.136.192/26,100.104.16.64/26	100.104.76.192/26,100.104.145.64/26,100.104.235.192/26,100.104.127.0/26
China (Hong Kong)	203.88.163.0/24,47.90.37.0/24,47.90.38.0/24,47.89.39.0/24,47.52.111.0/24,47.52.25.202/32,47.91.228.249/32,47.52.166.98/32,47.244.33.65/32,47.244.35.187/32,47.243.9.0/24,47.91.155.181,47.52.23.184,47.89.12.225,47.244.92.0/24,47.56.45.0/24,112.124.140.0/24,120.55.129.0/24,47.102.181.0/24,47.102.234.0/24,47.101.109.0/24,47.243.0.32/28	100.104.233.0/24,100.104.177.192/26,100.104.158.192/26,100.104.180.192/26
Singapore (Singapore)	47.88.235.0/24,47.88.139.0/24,161.117.146.128/26,161.117.146.192/26,161.117.164.0/26,161.117.164.64/26,161.117.234.42,47.241.209.7,47.241.217.237,10.88.51.0/24,112.124.140.0/24,120.55.129.0/24,47.102.181.0/24,47.102.234.0/24,47.101.109.0/24,161.117.172.0/24,47.243.0.32/28	100.104.188.0/24,100.104.207.128/26,100.104.12.0/26,100.104.179.64/26,10.88.51.0/24
Australia (Sydney)	47.91.49.0/24,47.91.50.0/24,112.124.140.0/24,120.55.129.0/24,47.102.181.0/24,47.102.234.0/24,47.101.109.0/24	100.104.233.0/24,100.104.3.128/26
Malaysia (Kuala Lumpur)	47.254.212.0/24,112.124.140.0/24,120.55.129.0/24,47.102.181.0/24,47.102.234.0/24,47.101.109.0/24	100.104.5.0/24,100.104.36.0/26,100.104.234.192/26,100.104.76.192/26
Indonesia (Jakarta)	149.129.228.0/24,149.129.229.0/24,147.139.156.0/24,112.124.140.0/24,120.55.129.0/24,47.102.181.0/24,47.102.234.0/24,47.101.109.0/24	100.104.175.0/24,100.104.35.192/26
Philippines (Manila)	112.124.140.0/24,120.55.129.0/24,47.102.181.0/24,47.102.234.0/24,47.101.109.0/24	100.104.153.64/26,100.104.76.192/26,100.104.246.192/26
India (Mumbai)	149.129.164.0/24,147.139.21.0/24,147.139.23.0/24,149.129.165.192/26,112.124.140.0/24,120.55.129.0/24,47.102.181.0/24,47.102.234.0/24,47.101.109.0/24	100.104.8.0/24,100.104.127.0/26
Japan (Tokyo)	47.91.9.0/24,47.91.13.0/24,47.91.27.0/24,47.245.18.0/24,47.245.51.0/24,47.91.0.192/26,47.91.0.128/26,112.124.140.0/24,120.55.129.0/24,47.102.181.0/24,47.102.234.0/24,47.101.109.0/24,47.245.51.128/26,47.245.51.192/26	100.104.112.0/24,100.104.117.192/26,100.104.12.0/26
US (Silicon Valley)	198.11.174.0/24,198.11.175.0/24,47.89.244.175/32,112.124.140.0/24,120.55.129.0/24,47.102.181.0/24,47.102.234.0/24,47.101.109.0/24,47.88.1.17,47.88.6.196,47.88.10.217,47.88.15.174,47.88.52.0/24,47.88.54.0/24,47.89.250.0/24,47.88.61.0/24,47.88.19.0/24	100.104.175.0/24,100.104.48.128/26
US (Virginia)	47.89.170.0/24,47.88.98.0/24,47.250.29.0/24,112.124.140.0/24,120.55.129.0/24,47.102.181.0/24,47.102.234.0/24,47.101.109.0/24,47.253.64.0/28	100.104.233.0/24,100.104.240.128/26
Germany (Frankfurt)	47.254.185.0/24,47.91.82.0/24,47.91.83.0/24,47.91.84.0/24,112.124.140.0/24,120.55.129.0/24,47.102.181.0/24,47.102.234.0/24,47.101.109.0/24,47.254.180.0/26,47.254.180.128/26,47.254.180.192/26,47.254.180.64/26	100.104.5.0/24,100.104.193.128/26
UK (London)	8.208.17.0/24,8.208.72.0/24,47.91.82.0/24,47.91.83.0/24,112.124.140.0/24,120.55.129.0/24,47.102.181.0/24,47.102.234.0/24,47.101.109.0/24	100.104.133.64/26,100.104.207.128/26
UAE (Dubai)	47.91.102.0/24,47.91.103.0/24,112.124.140.0/24,120.55.129.0/24,47.102.181.0/24,47.102.234.0/24,47.101.109.0/24,100.104.161.0/26,100.104.53.0/26,100.104.111.128/26,100.104.248.128/26	100.104.205.0/24

Data synchronization

If the source and destination databases of a data synchronization task are of the self-managed database with a public IP address, self-managed database connected over CEN, or self-managed database connected over Express Connect, VPN Gateway, or Smart Access Gateway database type, you must modify the database security settings based on the following business requirements:

If you want to allow DTS to access the source database, you must modify the security settings of the source database. You must add the CIDR blocks of DTS servers that reside in the same regions as the source and destination databases to the security settings of the source database.
For example, the source database is deployed in the China (Shenzhen) region and the destination database is deployed in the China (Hangzhou) region. In this case, you must add the CIDR blocks of DTS servers in both regions to the security settings of the source database.
If you want to allow DTS to access the destination database, you must modify the security settings of the destination database. You must add the CIDR blocks of DTS servers that reside in the same region as the destination database to the security settings of the destination database.
For example, the source database is deployed in the China (Shenzhen) region and the destination database is deployed in the China (Hangzhou) region. In this case, you must add the CIDR blocks of DTS servers in the China (Hangzhou) region to the security settings of the destination database.

Note

Data synchronization does not support databases of the self-managed database with a public IP address database type.
When an on-premises database is connected to Alibaba Cloud over CEN, Express Connect, VPN Gateway, Smart Access Gateway, or Database Gateway, the CIDR block added to the database security settings is a subnet range of the CIDR block of Alibaba Cloud 100.64.0.0/10.

Table 2. CIDR blocks of DTS servers
Region	CIDR blocks to add when an on-premises database is connected to Alibaba Cloud over CEN, Express Connect, VPN Gateway, Smart Access Gateway, or Database Gateway
China (Hangzhou)	100.104.52.0/24,100.104.61.128/26,100.104.244.64/26,100.104.216.192/26,100.104.85.0/26,100.104.221.128/26,100.104.2.0/26,100.104.251.192/26,100.104.159.64/26,100.104.216.128/26
China (Shanghai)	100.104.205.0/24,100.104.226.128/26,100.104.149.64/26,100.104.241.128/26,100.104.177.128/26
China (Qingdao)	100.104.72.0/24,100.104.35.192/26,100.104.12.0/26,100.104.111.0/26
China (Beijing)	100.104.183.0/24,100.104.236.128/26,100.104.227.192/26,100.104.128.192/26,100.104.11.64/26,100.104.84.128/26,100.104.200.64/26
China (Zhangjiakou)	100.104.175.0/24,100.104.249.0/26,100.104.180.192/26
China (Hohhot)	100.104.72.0/24
China (Shenzhen)	100.104.75.64/26,100.104.235.192/26,100.104.205.0/24,100.104.41.64/26,100.104.171.128/26
China (Heyuan)	100.104.147.192/26
China (Guangzhou)	100.104.132.64/26,100.104.240.128/26,100.104.122.128/26,100.104.233.0/26
China (Chengdu)	100.104.76.192/26,100.104.145.64/26,100.104.235.192/26,100.104.127.0/26
China (Hong Kong)	100.104.233.0/24,100.104.177.192/26,100.104.158.192/26,100.104.180.192/26
Singapore (Singapore)	100.104.188.0/24,100.104.207.128/26,100.104.12.0/26,100.104.179.64/26,10.88.51.0/24
Australia (Sydney)	100.104.233.0/24,100.104.3.128/26
Malaysia (Kuala Lumpur)	100.104.5.0/24,100.104.36.0/26,100.104.234.192/26,100.104.76.192/26
Indonesia (Jakarta)	100.104.175.0/24,100.104.35.192/26
Philippines (Manila)	100.104.153.64/26,100.104.76.192/26,100.104.246.192/26
India (Mumbai)	100.104.8.0/24,100.104.127.0/26
Japan (Tokyo)	100.104.112.0/24,100.104.117.192/26,100.104.12.0/26
US (Silicon Valley)	100.104.175.0/24,100.104.48.128/26
US (Virginia)	100.104.233.0/24,100.104.240.128/26
Germany (Frankfurt)	100.104.5.0/24,100.104.193.128/26
UK (London)	100.104.133.64/26,100.104.207.128/26
UAE (Dubai)	100.104.205.0/24

:Add the CIDR blocks of DTS servers to the security settings of on-premises databases

Data migration and change tracking

Data synchronization

References