All Products
Search

This Product

    DataWorks:IP whitelisting

    Document Center

    DataWorks:IP whitelisting

    Last Updated:Mar 26, 2026

    When DataWorks runs a data synchronization task, the exclusive resource group connects to your data source from a fixed egress IP address. To allow that connection, add the egress IP to the whitelist of your data source.

    This page explains how to find the egress IP for your resource group and how to configure whitelists for supported data sources.

    Find the egress IP of your resource group

    Public network access

    Exclusive resource groups have public network access enabled by default, with a fixed elastic IP address (EIP) as the egress.

    To find the EIP:

    1. Log on to the DataWorks console. In the top navigation bar, select the region. In the left-side navigation pane, click Resource Group.

    2. In the resource group list, find the target resource group and click Details in the Actions column.

    3. Copy the EIP address.

    If you have bound a VPC and configured a route to forward public network traffic through your own VPC, the egress IP is the IP address from your VPC instead of the EIP. For setup instructions, see Public NAT Gateway.

    Internal network access

    For internal network access, use the vSwitch CIDR block as the whitelist entry — not the IP addresses of individual elastic network interfaces (ENIs). Using ENI IP addresses may cause tasks to fail when they scale out to additional resources.

    To find the vSwitch CIDR block:

    1. Log on to the DataWorks console. In the top navigation bar, select the region. In the left-side navigation pane, click Resource Group.

    2. In the resource group list, find the target resource group and click Network Settings in the Actions column.

    3. Copy the vSwitch CIDR block.

    Configure whitelists for data sources

    How you configure the whitelist depends on whether the data source is a fully managed or semi-managed ApsaraDB product.

    Note MaxCompute and Hologres have no whitelist configured by default. Once you add a whitelist, only IP addresses on the list can access the service. For MaxCompute, see Manage IP address whitelists. For Hologres, see IP address whitelists.

    Fully managed ApsaraDB products

    Fully managed products provide built-in whitelist management. Configure the whitelist in each product's console:

    Product Reference
    RDS Set an IP address whitelist
    PolarDB for MySQL Set a whitelist (migrated to parent)
    PolarDB-X Set a whitelist
    MongoDB Modify a whitelist
    Kafka Configure a whitelist
    Elasticsearch Configure a public or private IP address whitelist for an instance
    AnalyticDB for MySQL Set a whitelist
    Redis Set a whitelist

    Semi-managed ApsaraDB products

    Semi-managed products use ECS security group rules. Add a security group rule that allows traffic from the resource group's egress IP.

    Product Reference
    HBase Set a whitelist
    Self-managed data sources on ECS Add a security group rule

    FAQ

    Why did my data sync task to MaxCompute suddenly start failing or slowing down?

    MaxCompute now enforces VPC whitelists for Tunnel. Make sure the VPC of the resource group running the sync task is included in the Tunnel whitelist. See Manage IP address whitelists for instructions.