
DataWorks: Appendix: Configure a security group for an ECS instance on which a self-managed database is hosted

Last Updated: Jul 03, 2024

If you deploy a data source on an Elastic Compute Service (ECS) instance, such as a database, a data service, or other data in a specific network environment, and you want to connect a resource group to that data source, you must configure the security group of the ECS instance so that the resource group can access the data source. This topic describes how to configure a security group for an ECS instance on which a self-managed database is hosted.

Prerequisites

  1. A network connection is established between your resource group and data source. For more information, see Network connectivity solutions.

  2. The IP address or CIDR block of the resource group is added to the IP address whitelist that is configured for the data source. For more information, see Configure an IP address whitelist.

Configure security groups

Access over a VPC

In the security group of the ECS instance, add an inbound rule whose authorization object is the CIDR block of the vSwitch with which the resource group is associated.

  1. On the Exclusive Resource Groups tab of the Resource Groups page in the DataWorks console, find the desired resource group and click Network Settings in the Actions column. On the VPC Binding tab of the page that appears, view and record the CIDR block of the related vSwitch.

  2. In the security group of the ECS instance, add an inbound rule whose authorization object is the CIDR block of the vSwitch.

    • If your resource group needs to access a data source, set the Port Range parameter to the port number of the data source.

    • If your resource group needs to access another business service, set the Port Range parameter to the port number that the service provides, based on your business requirements.

Access over the Internet

  • If you use a resource group of the new version, add an inbound rule to the security group of the ECS instance and set the Authorization Object parameter to the Elastic IP Address (EIP) configured for the VPC with which the resource group is associated.

    1. On the Internet NAT Gateway page of the VPC console, find the source network address translation (SNAT) entry that is configured and obtain the public IP address that is associated with the related vSwitch.


    2. In the security group of the ECS instance, add an inbound rule whose authorization object is the public IP address.

      • If your resource group needs to access a data source, set the Port Range parameter to the port number of the data source.

      • If your resource group needs to access another business service, set the Port Range parameter to the port number that the service provides, based on your business requirements.

  • If you use a resource group of the old version, add an inbound rule to the security group of the ECS instance and set the authorization object to the Elastic IP Address (EIP) of the resource group.

    1. On the Exclusive Resource Groups tab of the Resource Groups page in the DataWorks console, find the desired resource group and click Details in the Actions column. In the Resource Group Details section of the page that appears, view and record the EIP displayed next to the EIPAddress parameter.

    2. In the security group of the ECS instance, add an inbound rule whose authorization object is the EIP of the resource group.

      • If your resource group needs to access a data source, set the Port Range parameter to the port number of the data source.

      • If your resource group needs to access another business service, set the Port Range parameter to the port number that the service provides, based on your business requirements.

      Note

      If you scale out the resource group in subsequent operations, you must check whether the EIP changes. If the EIP changes, we recommend that you add the latest EIP to the IP address whitelist of the database at the earliest opportunity after the scale-out. This ensures that your task can run as expected.
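After adding a rule by either procedure above (VPC or Internet), you can check that the security group admits the resource group on the database port and nothing broader. The following Python code is an added example, not part of the original topic: the function name `audit_inbound`, the sample rules, the addresses, and port 3306 are constructed, and the rule fields are assumed to follow the shape of ECS security group permission entries.

```python
import ipaddress

# Constructed sample rules, shaped like ECS security group permission entries
# (IpProtocol, PortRange "low/high", SourceCidrIp, Policy); all values are made up.
SAMPLE_RULES = [
    {"IpProtocol": "TCP", "PortRange": "3306/3306", "SourceCidrIp": "192.168.10.0/24", "Policy": "Accept"},
    {"IpProtocol": "TCP", "PortRange": "22/22", "SourceCidrIp": "203.0.113.7", "Policy": "Accept"},
    {"IpProtocol": "TCP", "PortRange": "1/65535", "SourceCidrIp": "0.0.0.0/0", "Policy": "Accept"},
]


def audit_inbound(rules, source, db_port):
    """Return (reachable, findings) for the inbound rule this topic describes.

    source  : vSwitch CIDR block (VPC access) or EIP / SNAT public IP (Internet access)
    db_port : TCP port of the self-managed database
    Drop rules and rule priority are not evaluated (assumption: no Drop rule overrides).
    """
    src = ipaddress.ip_network(source, strict=False)
    reachable, findings = False, []
    for r in rules:
        if r.get("Policy", "Accept").lower() != "accept":
            continue
        if r["IpProtocol"].upper() not in ("TCP", "ALL"):
            continue
        lo, hi = (int(p) for p in r["PortRange"].split("/"))
        if lo == -1:  # "-1/-1" stands for all ports
            lo, hi = 1, 65535
        if not lo <= db_port <= hi:
            continue  # rule does not touch the database port
        net = ipaddress.ip_network(r["SourceCidrIp"], strict=False)
        same_family = net.version == src.version
        if same_family and src.subnet_of(net):
            reachable = True
        issues = []
        if not (same_family and net.subnet_of(src)):
            issues.append("source includes addresses outside the resource group")
        if (lo, hi) != (db_port, db_port):
            issues.append("port range is wider than the database port")
        if issues:
            findings.append((r["SourceCidrIp"], r["PortRange"], issues))
    return reachable, findings


if __name__ == "__main__":
    ok, found = audit_inbound(SAMPLE_RULES, "192.168.10.0/24", 3306)
    print("resource group can reach port 3306:", ok)
    for cidr, ports, issues in found:
        print(f"review {cidr} {ports}: {'; '.join(issues)}")
```

For Internet access, pass the SNAT public IP address or the EIP of the resource group as `source` instead of the vSwitch CIDR block.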
