DataWorks: Configure an IP address whitelist

Last Updated: Sep 06, 2024

After you establish a network connection between a resource group and a data source, such as a database, a data service, or other data in a specific network environment, the resource group may still fail to access the data source because an IP address whitelist that allows access from only specific IP addresses is configured for the data source. In this case, you must add the IP address or CIDR block of the resource group to the IP address whitelist of the data source. This topic provides instructions on configuring an IP address whitelist.

Background information

If a network connection is established between your resource group and your data source as described in Establish a network connection between a resource group and a data source, but the resource group still cannot access the data source, the data source may be configured with an IP address whitelist that denies access from some IP addresses. In this case, you must obtain and add the IP address or CIDR block of the resource group to the IP address whitelist of the data source.

Prerequisites

A network connection is established between the resource group and the data source. For more information, see Establish a network connection between a resource group and a data source.

Obtain the IP address or CIDR block of a resource group

  • If you want to access a data source over a VPC, you must add the CIDR block of the vSwitch with which the resource group is associated to the IP address whitelist of the data source.

    On the Exclusive Resource Groups tab of the Resource Groups page in the DataWorks console, find the desired resource group and click Network Settings in the Actions column. On the VPC Binding tab of the page that appears, view and record the CIDR block of the related vSwitch. Then, add the CIDR block to the IP address whitelist of the data source.

  • If you want to access a data source over the Internet, you must perform one of the following operations to configure the IP address whitelist of the data source:

    • If you use a serverless resource group, you must add the EIP configured for the VPC with which the resource group is associated to the IP address whitelist of the data source.

      On the Internet NAT Gateway page of the VPC console, find the source network address translation (SNAT) entry that is configured, and obtain the public IP address that is associated with the related vSwitch. Then, add the public IP address to the IP address whitelist of the data source.

    • If you use an old-version resource group, you must add the EIP of the resource group to the IP address whitelist of the data source.

      On the Exclusive Resource Groups tab of the Resource Groups page in the DataWorks console, find the desired resource group and click Details in the Actions column. In the Basic Information section of the page that appears, view and record the EIP displayed next to the EIPAddress parameter. Then, add the EIP to the IP address whitelist of the data source.

      Note

      If you scale out the resource group in subsequent operations, you must check whether the EIP changes. If the EIP changes, we recommend that you add the latest EIP to the IP address whitelist of the data source at the earliest opportunity after the scale-out operation. This ensures that your task can run as expected.
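
The following check is an added example, not Alibaba Cloud code. It audits an exported whitelist against the vSwitch CIDR block and EIP recorded in the steps above, and flags an EIP entry left behind after a scale-out. The group name dataworks, the export format (group name mapped to a list of entries), and all addresses are constructed assumptions.

```python
import ipaddress

# Groups the page says are generated for other Alibaba Cloud services.
AUTO_GENERATED = {"ali_dms_group", "hdm_security_ips"}

# Constructed sample data (documentation address ranges, not real values).
SAMPLE_GROUPS = {
    "default": ["127.0.0.1"],
    "ali_dms_group": ["198.51.100.0/24"],
    "dataworks": ["10.0.1.0/25", "203.0.113.7"],  # hypothetical group name
}
VSWITCH_CIDR = "10.0.1.0/24"   # as recorded on the VPC Binding tab
CURRENT_EIP = "203.0.113.9"    # EIP after a scale-out; .7 was the old one

def _net(value):
    return ipaddress.ip_network(value, strict=False)

def _within(inner, outer):
    # subnet_of() raises TypeError on mixed IPv4/IPv6, so compare versions first.
    return inner.version == outer.version and inner.subnet_of(outer)

def audit_whitelist(groups, dataworks_group, required):
    """Report required sources that are not covered, plus risky entries."""
    needed = [_net(r) for r in required]
    parsed = {name: [_net(e) for e in entries] for name, entries in groups.items()}
    report = {"missing": [], "stale": [], "too_broad": []}

    # Covered means one entry contains the whole block: a /25 entry does
    # not cover a /24 vSwitch.
    entries = [e for nets in parsed.values() for e in nets]
    for n in needed:
        if not any(_within(n, e) for e in entries):
            report["missing"].append(str(n))

    for name, nets in parsed.items():
        if name in AUTO_GENERATED:
            continue  # service-managed groups are left untouched
        for e in nets:
            if e.prefixlen == 0:
                report["too_broad"].append((name, str(e)))
            elif name == dataworks_group and not any(
                _within(n, e) or _within(e, n) for n in needed
            ):
                report["stale"].append((name, str(e)))  # e.g. a replaced EIP
    return report

if __name__ == "__main__":
    print(audit_whitelist(SAMPLE_GROUPS, "dataworks", [VSWITCH_CIDR, CURRENT_EIP]))
```

With the sample data, the vSwitch CIDR block and the new EIP are both reported as missing, and the old EIP is reported as stale in the dataworks group.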

Appendix

Precautions for configuring an IP address whitelist

If the resource group needs to access other cloud services of Alibaba Cloud, go to the help center of each cloud service to view the precautions for configuring an IP address whitelist.

For example, when you add the IP address or CIDR block of a resource group to an IP address whitelist of an ApsaraDB RDS instance, you must be familiar with the precautions described in this section. This section describes only specific items that you must take note of. For more information, see What is ApsaraDB RDS?

  • ApsaraDB RDS supports standard IP address whitelists and enhanced IP address whitelists.

    • If you configure a standard IP address whitelist for an ApsaraDB RDS instance, you must take note of the following items:

      • You can add IP addresses from both the classic network and VPCs to the same IP address whitelist.

      • We recommend that you add the IP addresses of different types of resource groups to different IP address whitelists.

        Note

        The IP addresses in a standard IP address whitelist can be used to access the ApsaraDB RDS instance over both the classic network and VPCs.

    • If you configure an enhanced IP address whitelist for an ApsaraDB RDS instance, you must take note of the following items:

      • You must add IP addresses from the classic network and VPCs to different IP address whitelists.

        Note

        You must specify the network isolation mode of each enhanced IP address whitelist. For example, you can configure settings to deny access from the IP addresses of the classic network in an enhanced IP address whitelist to an ApsaraDB RDS instance over a VPC. You can also configure settings to deny access from VPC IP addresses in an enhanced IP address whitelist to an ApsaraDB RDS instance over the classic network.

      • If you use an exclusive resource group for Data Integration to access an ApsaraDB RDS instance over a VPC, an IP address whitelist of the VPC type is used.

      • If you access the ApsaraDB RDS instance over the Internet, an IP address whitelist of the classic network type is used.

    • If you change a standard IP address whitelist to an enhanced IP address whitelist for your ApsaraDB RDS instance, take note of the following items:

      The standard IP address whitelist is replicated into two enhanced IP address whitelists that contain the same IP addresses or CIDR blocks. The two enhanced IP address whitelists have different network isolation modes.

  • Other considerations:

    • If you configure IP address whitelists for your ApsaraDB RDS instance, the workloads on the instance are not interrupted.

    • The IP address whitelist labeled default can be cleared, but cannot be deleted.

    • Do not modify or delete the IP address whitelists that are automatically generated for other Alibaba Cloud services. If you delete these IP address whitelists, the related Alibaba Cloud services cannot connect to your ApsaraDB RDS instance. For example, if you delete the IP address whitelist ali_dms_group that is automatically generated for Data Management (DMS) or the IP address whitelist hdm_security_ips that is automatically generated for Database Autonomy Service (DAS), DMS or DAS cannot access your ApsaraDB RDS instance.

      Note

      We recommend that you create an IP address whitelist that is independent of other whitelists for DataWorks.
