Before you use Database Backup (DBS) to add or back up a data source whose type is User-Created Database with Public IP Address <IP Address:Port Number>, you must manually add the CIDR blocks of DBS servers to the security settings such as firewall settings of the self-managed database.
Usage notes
Category | Description |
---|---|
Automatically add the CIDR blocks of DBS servers to the security settings of a data source | If the data source that you want to add or back up is an ApsaraDB instance, such as an ApsaraDB RDS instance, a PolarDB instance, or an ApsaraDB for MongoDB instance, or a self-managed database hosted on an Elastic Compute Service (ECS) instance, DBS automatically adds the CIDR blocks of DBS servers to the IP address whitelist of the ApsaraDB instance or the security group rules of the ECS instance. You do not need to manually configure the security settings of the ApsaraDB instance or ECS instance. Note: If you log on as a RAM user, make sure that the AliyunDBSFullAccess and AliyunOSSFullAccess policies are attached to the RAM user. Otherwise, DBS cannot automatically add the CIDR blocks of DBS servers to the IP address whitelist of an ApsaraDB instance or the security group rules of an ECS instance due to insufficient permissions. For more information, see Grant permissions to the RAM user. |
Manually add the CIDR blocks of DBS servers to the security settings of a data source | If the type of the data source that you want to add or back up is User-Created Database with Public IP Address <IP Address:Port Number> and security settings such as firewall settings are configured for the self-managed database, you must manually add the CIDR blocks of DBS servers to the security settings of the self-managed database. If the type of the data source that you want to add or back up is Express Connect DB/VPN Gateway/Intelligent Gateway, you must add a CIDR block of DBS servers as the destination for the virtual private cloud (VPC) to which the data source is connected. For more information, see Back up a self-managed database in a data center connected to Alibaba Cloud over Express Connect to OSS or DBS and Back up a user-created database in an on-premises data center connected to Alibaba Cloud through VPN Gateway or Smart Access Gateway to OSS or DBS. |
Procedure
- When you add or back up a data source, click Set Whitelist.
- In the message that appears, copy all the CIDR blocks of DBS servers.
The CIDR blocks of DBS servers that are displayed in the message vary based on the region that you select.
- Add the CIDR blocks of DBS servers to the security settings of the data source. For example, add the CIDR blocks of DBS servers to the firewall settings of the on-premises server, the firewall settings of the data source, or the security group rules of the ECS instance on which the data source is hosted.
After the CIDR blocks of DBS servers are added to the security settings of the data source, DBS can access the data source by using the username and password that you specify.
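For a self-managed database behind a host firewall, the manual step can be scripted so that the pasted CIDR blocks are validated and opened only on the database port. The following is an added example, not part of the original documentation; the sample CIDR blocks are constructed documentation ranges, and port 3306 and the use of iptables on the database host are assumptions.

```python
import ipaddress

# Constructed sample of text pasted from the Set Whitelist message.
# These are RFC 5737 documentation ranges, not real DBS CIDR blocks.
PASTED = "198.51.100.0/24, 203.0.113.16/28\n203.0.113.24/29 198.51.100.128/25"


def parse_cidrs(text, max_addresses=65536):
    """Parse comma- or whitespace-separated CIDR blocks and reject risky input."""
    nets = []
    for token in text.replace(",", " ").split():
        # strict=True raises ValueError when host bits are set (for example
        # 10.0.0.5/24), which usually indicates a copy-and-paste mistake.
        net = ipaddress.ip_network(token, strict=True)
        # Refuse very broad ranges such as 0.0.0.0/0, which would expose the
        # database port far beyond the backup service.
        if net.num_addresses > max_addresses:
            raise ValueError(f"{net} is broader than expected for an allowlist entry")
        nets.append(net)
    # Merge overlapping and adjacent blocks per IP version to keep the rule set small.
    merged = []
    for version in (4, 6):
        same = [n for n in nets if n.version == version]
        merged.extend(ipaddress.collapse_addresses(same))
    return merged


def iptables_rules(nets, db_port):
    """Return allow rules limited to TCP traffic on the database port."""
    if not 1 <= db_port <= 65535:
        raise ValueError("invalid port")
    rules = []
    for net in nets:
        tool = "iptables" if net.version == 4 else "ip6tables"
        # -A appends: these rules must end up before any final DROP/REJECT rule.
        rules.append(
            f"{tool} -A INPUT -p tcp -s {net} --dport {db_port} "
            f"-m comment --comment dbs-backup -j ACCEPT"
        )
    return rules


if __name__ == "__main__":
    # 3306 is an assumed database port; use the port of your data source.
    for rule in iptables_rules(parse_cidrs(PASTED), 3306):
        print(rule)
```

Review the printed rules before applying them, and repeat the step with the CIDR blocks shown for each region you back up from, because the list varies by region.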
Note: Security settings may be configured to allow the username to access the data source only from specified IP addresses. For example, 'username'@'localhost' specifies that the username can access the data source only from the local host. In such cases, DBS cannot connect to the data source by using the username. To resolve this issue, change the administrator permissions of the username or specify another username.
To add the CIDR blocks of DBS servers to the security group rules of an ECS instance, perform the following steps:
FAQ
What do I do if the CIDR blocks of DBS servers fail to be automatically added to the security group rules of an ECS instance?
If you revoke the access permissions of DBS on ECS instances, the CIDR blocks of DBS servers fail to be automatically added to the security group rules of the ECS instances. To resolve this issue, you must manually add the CIDR blocks of DBS servers to the security group rules of the ECS instances.