When data sources are accessed by DataWorks services such as Data Integration, DataService Studio, Metadata Collection, and DataAnalysis, the access may be restricted by a whitelist mechanism. To ensure that DataWorks services can run as expected, you must add outbound IP addresses or CIDR blocks to the IP address whitelists of data sources.
Background information
The network paths between the DataWorks services and data sources vary. When you enable the IP address whitelist feature for a data source, you must configure one of the following settings.
Resource group-related services (such as Data Integration and DataService Studio): The resource group-related services access the data source through the vSwitch CIDR block or elastic IP address (EIP) of the resource group that is associated with the data source. You must add the vSwitch CIDR block or EIP of the resource group to the IP address whitelist of the data source to run tasks.
Service node-related services (such as Metadata Collection and DataAnalysis): The service node-related services use the service nodes that are separately maintained by DataWorks and independent from the resource group that is associated with the data source to initiate access requests. You must add the preset IP addresses or CIDR blocks of all output service nodes to the IP address whitelist of the data source. Otherwise, the services may fail to run as expected.
Prerequisites
A network connection is established between a resource group and a data source. For more information, see Network connectivity solutions.
Obtain the required IP addresses or CIDR blocks
IP address whitelist required for associating a computing resource and adding a data source
Serverless resource group
Query the internal IP address or CIDR block of the resource group
If you want to establish a network connection between the resource group and the data source over an internal network, perform the following operations to add the CIDR block of the vSwitch with which the resource group is associated to the IP address whitelist of the data source.
Go to the Resource Groups page of the DataWorks console. In the top navigation bar, select the region in which the resource group resides. Find the resource group on the page.
Click Network Settings in the Actions column to go to the VPC Binding tab.
In the Data Scheduling & Data Integration section of the VPC Binding tab, view the vSwitch CIDR Block.
Add the vSwitch CIDR block to the IP address whitelist of the data source.
Query the EIP of the resource group
If you want to establish a network connection between the resource group and the data source over the Internet, perform the following operations to add the EIP of the resource group to the IP address whitelist of the data source.
By default, serverless resource groups cannot access the Internet. If you want to use a serverless resource group to access a data source over the Internet, you must configure an Internet NAT gateway for the VPC with which the serverless resource group is associated and associate an EIP with the Internet NAT gateway.
Go to the Resource Groups page of the DataWorks console. In the top navigation bar, select the region in which the resource group resides. Find the resource group on the page.
Click Network Settings in the Actions column to go to the VPC Binding tab.
In the Data Scheduling & Data Integration section of the VPC Binding tab, click the icon next to the VPC to go to the VPC details page.
On the page that appears, click the Resource Management tab. In the Access to Internet section, click the number next to Internet NAT Gateway to go to the Internet NAT Gateway page of the VPC.
On the Internet NAT Gateway page, view the EIP that is associated with the VPC.
Add the EIP to the IP address whitelist of the data source.
Old-version exclusive resource group
Query the internal IP address or CIDR block of the resource group
If you want to establish a network connection between the resource group and the data source over an internal network, perform the following operations to add the CIDR block of the vSwitch with which the resource group is associated to the IP address whitelist of the data source.
Go to the Resource Groups page of the DataWorks console. In the top navigation bar, select the region in which the resource group resides. Find the resource group on the page.
Click Network Settings in the Actions column to go to the VPC Binding tab.
Find the VPC with which the resource group is associated and view the vSwitch CIDR Block.
Add the vSwitch CIDR block to the IP address whitelist of the data source.
Query the EIP of the resource group
If you want to establish a network connection between the resource group and the data source over the Internet, perform the following operations to add the EIP of the resource group to the IP address whitelist of the data source.
Go to the Resource Groups page of the DataWorks console. In the top navigation bar, select the region in which the resource group resides. Find the resource group on the page.
Click Details in the Actions column to go to the details page of the resource group.
On the page that appears, copy the EIP that is displayed next to EIPAddress.
Add the EIP to the IP address whitelist of the data source.
Shared resource group for Data Integration
If the resource group is a shared resource group for Data Integration, you must add the IP address or CIDR block of the resource group to the IP address whitelist of the data source. For more information, see Configure network connectivity.
IP address whitelist for using a resource group for DataService Studio
Serverless resource group
Query the internal IP address or CIDR block of the resource group
If you want to establish a network connection between the resource group and the data source over an internal network, perform the following operations to add the CIDR block of the vSwitch with which the resource group is associated to the IP address whitelist of the data source.
Go to the Resource Groups page of the DataWorks console. In the top navigation bar, select the region in which the resource group resides. Find the resource group on the page.
Click Network Settings in the Actions column to go to the VPC Binding tab.
In the DataService Studio section of the VPC Binding tab, copy the vSwitch CIDR Block.
Note: If no VPC and vSwitch are associated with DataService Studio, click Add VPC Association. Query the vSwitch CIDR Block after you finish the association as prompted.
Add the vSwitch CIDR block to the IP address whitelist of the data source.
Query the EIP of the resource group
If you want to establish a network connection between the resource group and the data source over the Internet, perform the following operations to add the EIP of the resource group to the IP address whitelist of the data source.
By default, serverless resource groups cannot access the Internet. If you want to use a serverless resource group to access a data source over the Internet, you must configure an Internet NAT gateway for the VPC with which the serverless resource group is associated and associate an EIP with the Internet NAT gateway.
Go to the Resource Groups page of the DataWorks console. In the top navigation bar, select the region in which the resource group resides. Find the resource group on the page.
Click Network Settings in the Actions column to go to the VPC Binding tab.
In the DataService Studio section of the VPC Binding tab, click the icon next to the VPC name to go to the VPC details page.
On the page that appears, click the Resource Management tab. In the Access to Internet section, click the number next to Internet NAT Gateway to go to the Internet NAT Gateway page of the VPC.
On the Internet NAT Gateway page, view the EIP that is associated with the VPC.
Add the EIP to the IP address whitelist of the data source.
Old-version exclusive resource group
Query the internal IP address or CIDR block of the resource group
If you want to establish a network connection between the resource group and the data source over an internal network, perform the following operations to add the CIDR block of the vSwitch with which the resource group is associated to the IP address whitelist of the data source.
Go to the Resource Groups page of the DataWorks console. In the top navigation bar, select the region in which the resource group resides. Find the resource group on the page.
Click Details in the Actions column to go to the details page of the resource group.
Obtain the CIDR block of the vSwitch that is associated with the resource group. Then, go to the VPC console. On the overview page, search for the vSwitch and obtain the IPv4 CIDR block of the vSwitch.
Add the vSwitch CIDR Block to the IP address whitelist of the data source.
Shared resource group for Data Integration
If the resource group is a shared resource group for Data Integration, you must add the IP address or CIDR block of the resource group to the IP address whitelist of the data source. For more information, see Configure network connectivity.
IP address whitelist required for metadata collection
If whitelist-based access control is enabled for the data source that is used for metadata collection, you must configure an IP address whitelist for the data source. For more information, see Configure IP address whitelists for metadata collection.
IP address whitelist required for DataAnalysis
If whitelist-based access control is enabled for the MaxCompute project that is created in DataAnalysis, you must configure an IP address whitelist for the MaxCompute project. For more information, see Appendix: IP address whitelist for Data Analysis.
Configure an IP address whitelist
If your data source belongs to Alibaba Cloud, you can refer to the following table to configure the IP address whitelist for the data source based on your business requirements.
The following table describes only how to configure IP address whitelists for some of the common Alibaba Cloud services. For information about other Alibaba Cloud services, see the corresponding official documentation.
If your data source does not belong to Alibaba Cloud, you can refer to the corresponding official documentation to configure the IP address whitelist of the data source.
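The following Python check is an added example, not part of the DataWorks documentation. It compares the whitelist configured on a data source with the vSwitch CIDR block and EIP obtained in the preceding steps, and reports required ranges that are not covered, entries wider than the resource group needs, allow-all entries, and malformed entries. The function name, the sample addresses, and the assumption that the data source accepts standard IPv4 CIDR notation are illustrative.

```python
import ipaddress


def audit_whitelist(whitelist, required):
    """Check a data source whitelist against the addresses DataWorks uses.

    whitelist: entries configured on the data source (IP addresses or CIDR blocks).
    required:  vSwitch CIDR blocks and/or EIPs of the resource group.
    Returns a dict with the keys missing, wider, allow_all and invalid.
    """
    nets, invalid = [], []
    for entry in whitelist:
        try:
            nets.append((entry, ipaddress.ip_network(entry.strip(), strict=False)))
        except ValueError:
            invalid.append(entry)

    # An entry such as 0.0.0.0/0 admits every client and defeats the whitelist.
    allow_all = [e for e, n in nets if n.prefixlen == 0]

    missing, wider = [], []
    for item in required:
        need = ipaddress.ip_network(item, strict=False)
        covering = [(e, n) for e, n in nets
                    if n.version == need.version and need.subnet_of(n)]
        if not covering:
            missing.append(item)  # requests from this range would be refused
            continue
        # Judge the tightest entry that covers the required range.
        entry, net = max(covering, key=lambda pair: pair[1].prefixlen)
        if net.prefixlen < need.prefixlen:
            wider.append((entry, item))  # admits more than the resource group
    return {"missing": missing, "wider": wider,
            "allow_all": allow_all, "invalid": invalid}


# Constructed sample values (assumptions, not taken from the documentation).
REQUIRED = ["192.168.10.0/24",  # vSwitch CIDR block, internal network path
            "203.0.113.25"]     # EIP of the Internet NAT gateway, Internet path
WHITELIST = ["192.168.0.0/16", "203.0.113.25", "10.1.2.300"]

if __name__ == "__main__":
    for key, value in audit_whitelist(WHITELIST, REQUIRED).items():
        print(f"{key}: {value}")
```

An empty `missing` list means that every address used by the resource group is admitted. Entries reported under `wider` or `allow_all` can usually be narrowed to the exact vSwitch CIDR block or EIP.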
References
For FAQ about network connectivity, see Network connectivity and operations on resource groups.
For FAQ about how to configure an IP address whitelist, see Configure an IP address whitelist.