After you connect a resource group to a data source, the resource group may fail to access the data source because an IP address whitelist that allows access only from specific IP addresses is configured for the data source. In this case, you must add the IP address or CIDR block of the resource group to the IP address whitelist of the data source. This topic provides instructions on configuring an IP address whitelist.
Prerequisites
- If the data source that you want to connect and your resource group for Data Integration reside in different regions and belong to different Alibaba Cloud accounts, you must select an appropriate network connectivity solution based on the network environment of the resource group for Data Integration. For more information, see Select a network connectivity solution.
- If you use an exclusive resource group for Data Integration to connect to a data source that resides in a virtual private cloud (VPC), resides in the same region, and belongs to the same Alibaba Cloud account as the resource group, you must configure the network environment for the resource group and associate the resource group with the desired workspace. For more information, see Create and use an exclusive resource group for Data Integration.
If you configured the network connection between the resource group for Data Integration and data source, but the resource group still cannot access the data source, the data source may be configured with an IP address whitelist that denies access from some IP addresses. In this case, you must add the IP address or CIDR block of the resource group to the IP address whitelist of the data source.
Background information
If a resource group for Data Integration is connected to the data source that you want to access as described in Select a network connectivity solution, but the resource group still cannot access the data source, the data source may be configured with an IP address whitelist that denies access from some IP addresses. In this case, you must obtain and add the IP address or CIDR block of the resource group to the IP address whitelist of the data source.
- Exclusive resource group for Data Integration:
You must obtain and add the elastic IP address (EIP) and CIDR block of the exclusive resource group to the IP address whitelist of the data source. You must also obtain and add the CIDR block of the vSwitch to which the exclusive resource group is bound to the IP address whitelist of the data source. For more information, see Add the EIP or CIDR block of an exclusive resource group for Data Integration to an IP address whitelist of a data source and Precautions for configuring an IP address whitelist.
- Shared resource group for Data Integration (debugging):
You must add the IP addresses or CIDR blocks of the servers in the region where the DataWorks workspace resides to the IP address whitelist of the data source. For more information, see Add the IP addresses or CIDR blocks of the servers in the region where the DataWorks workspace resides to an IP address whitelist of a data source and Precautions for configuring an IP address whitelist. The shared resource group for Data Integration is used only for debugging. We recommend that you do not use this type of resource group in the production environment.
- Custom resource group for Data Integration:
You must add the private or public IP addresses of the servers in the custom resource group for Data Integration to the IP address whitelist of the data source. For more information, see Add the private or public IP addresses of the servers in the custom resource group for Data Integration to an IP address whitelist of a data source and Precautions for configuring an IP address whitelist.
Add the EIP or CIDR block of an exclusive resource group for Data Integration to an IP address whitelist of a data source
- If you want to use an exclusive resource group for Data Integration to run a node
to synchronize data from a data source over a VPC, you must add the CIDR block of
the vSwitch to which the exclusive resource group is bound to an IP address whitelist
of the data source. To obtain and add the CIDR block of the vSwitch to which the resource
group is bound to an IP address whitelist of the data source, perform the following
operations:
On the Exclusive Resource Groups tab of the DataWorks console, find the desired exclusive resource group for Data Integration and click Network Settings in the Actions column to view the CIDR block of the vSwitch to which the resource group is bound. Then, add the CIDR block to the IP address whitelist of the data source.
- If you want to use an exclusive resource group for Data Integration to run a node
to synchronize data from a data source over the Internet, add the EIP of the exclusive
resource group to an IP address whitelist of the data source. To obtain and add the
EIP of the exclusive resource group for Data Integration to an IP address whitelist
of the data source, perform the following operations:
On the Exclusive Resource Groups tab of the DataWorks console, find the exclusive resource group for Data Integration whose EIP you want to view and click View Information in the Actions column. In the Exclusive Resource Groups dialog box, copy the EIP. Then, add the copied EIP to the IP address whitelist of the data source.
Note If you upgrade the configuration of the exclusive resource group for Data Integration, you must check whether the EIP of the resource group changes. If the EIP of the resource group changes, add the new EIP to the IP address whitelist of the data source after the configuration upgrade. This ensures the normal running of your synchronization node.
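The check described in this section can be scripted. The following Python sketch is an added example, not part of the original topic or of any DataWorks tooling: it compares the vSwitch CIDR block and EIP copied from the console with the entries configured on the data source, and reports requirements that no entry covers as well as entries that match nothing required, such as an EIP that changed after a configuration upgrade. The function names and all addresses are constructed for illustration.

```python
import ipaddress

def parse(entry):
    # strict=False tolerates host bits, e.g. "192.168.10.7/24"; a bare IP becomes a /32.
    return ipaddress.ip_network(entry.strip(), strict=False)

def audit_allowlist(required, allowlist):
    """Compare what the resource group needs with what the data source allows.

    required:  {label: IP or CIDR} copied from the DataWorks console
    allowlist: entries currently configured on the data source
    Returns (missing, unused): labels with no covering entry, and entries
    that cover none of the required ranges (for example an EIP that changed).
    """
    nets = [parse(e) for e in allowlist]
    missing, used = [], set()
    for label, cidr in required.items():
        need = parse(cidr)
        # An entry covers a requirement only if it contains the whole range.
        covering = [n for n in nets
                    if n.version == need.version and need.subnet_of(n)]
        if covering:
            used.update(covering)
        else:
            missing.append(label)
    unused = [str(n) for n in nets if n not in used]
    return missing, unused

# Constructed sample values (documentation and private ranges, not real ones).
REQUIRED = {"vswitch_cidr": "192.168.10.0/24", "eip": "203.0.113.80"}
ALLOWLIST = ["192.168.10.0/24", "203.0.113.25"]  # 203.0.113.25: EIP before upgrade

if __name__ == "__main__":
    missing, unused = audit_allowlist(REQUIRED, ALLOWLIST)
    print("not covered:", missing)
    print("entries matching nothing required:", unused)
```

Entries reported as unused are candidates for review and removal, which keeps the whitelist limited to the addresses the resource group actually uses.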
Add the IP addresses or CIDR blocks of the servers in the region where the DataWorks workspace resides to an IP address whitelist of a data source
To allow the shared resource group for Data Integration to access a data source, you must add the IP addresses or CIDR blocks of the servers in the region where the DataWorks workspace resides to an IP address whitelist of the data source. To view and add the IP addresses or CIDR blocks of the servers in a region to an IP address whitelist of the data source, perform the following steps:
- Log on to the DataWorks console as a developer.
- In the left-side navigation pane, click Workspaces.
- In the top navigation bar, select the region where the desired workspace resides.
- View the IP addresses or CIDR blocks based on the selected region and add them to
the IP address whitelist of the data source that you want to access.
Add the private or public IP addresses of the servers in the custom resource group for Data Integration to an IP address whitelist of a data source
To allow a custom resource group for Data Integration to access a data source, you must add the private or public IP addresses of the servers in the custom resource group to an IP address whitelist of the data source.
Precautions for configuring an IP address whitelist
In this section, ApsaraDB RDS is used to demonstrate the precautions for configuring an IP address whitelist. Before you add the IP address or CIDR block of a resource group for Data Integration to an IP address whitelist of an ApsaraDB RDS instance, make sure that you understand the precautions described in this section.
ApsaraDB RDS supports standard IP address whitelists and enhanced IP address whitelists. The IP address whitelist that you configured for an ApsaraDB RDS instance may affect the connectivity between a resource group for Data Integration and the instance.
- If you configure a standard IP address whitelist for an ApsaraDB RDS instance, you
must take note of the following items:
- You can add IP addresses from both the classic network and VPCs to the same IP address whitelist.
- We recommend that you add the IP addresses of different types of resource groups to
different IP address whitelists.
Note The IP addresses in a standard IP address whitelist can be used to access the ApsaraDB RDS instance over both the classic network and VPCs.
- If you configure an enhanced IP address whitelist for an ApsaraDB RDS instance, you
must take note of the following items:
- You must add IP addresses from the classic network and VPCs to different IP address
whitelists.
Note You must specify the network isolation mode of each enhanced IP address whitelist. For example, if the Network Type Allowed for Instance Access parameter is set to Classic Network/Public IP for an IP address whitelist, the IP addresses in the IP address whitelist can be used to access an ApsaraDB RDS instance only over the classic network. In this case, you cannot connect to the ApsaraDB RDS instance over VPCs from these IP addresses.
- If you use an exclusive resource group for Data Integration to access an ApsaraDB RDS instance over a VPC, an IP address whitelist of the VPC type is used.
- If the ApsaraDB RDS instance resides in a VPC and you use the shared resource group for Data Integration to access the instance, an IP address whitelist of the VPC type is used.
- If you access the ApsaraDB RDS instance over a public endpoint, an IP address whitelist of the classic network type is used.
- If you switch the network isolation mode of an ApsaraDB RDS instance from the standard
whitelist mode to the enhanced whitelist mode, you must take note of the following
item:
The standard IP address whitelist is replicated into two enhanced IP address whitelists that contain the same CIDR blocks. The two enhanced IP address whitelists have different network isolation modes.
Other precautions:
- If you configure IP address whitelists for your ApsaraDB RDS instance, the workloads on the instance are not interrupted.
- The IP address whitelist labeled default can be cleared, but cannot be deleted.
- Do not modify or delete the IP address whitelists that are generated for other Alibaba
Cloud services. If you delete these IP address whitelists, the related Alibaba Cloud
services cannot connect to your ApsaraDB RDS instance. For example, if you delete
the IP address whitelist ali_dms_group that is generated for Data Management (DMS) or the IP address whitelist hdm_security_ips that is generated for Database Autonomy Service (DAS), DMS and DAS cannot access your ApsaraDB RDS instance.
Note We recommend that you create an IP address whitelist that is independent of other whitelists for DataWorks.
- The IP address whitelist labeled default contains only the IP address 127.0.0.1. This indicates that access from all IP addresses to your ApsaraDB RDS instance is denied.
For more information about how to configure an IP address whitelist for an ApsaraDB RDS instance, see Use a database client or the CLI to connect to an ApsaraDB RDS for MySQL instance. You can use a similar method to configure IP address whitelists for other types of data sources. To configure IP address whitelists for other types of data sources, see the related instructions.
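The following Python sketch models the rules in this section so that a planned whitelist layout can be checked before it is applied. It is an added example, not part of the original topic and not the ApsaraDB RDS API: the Whitelist class, the function names, the "_classic" and "_vpc" suffixes, and all addresses are assumptions made for illustration. A network_type of "any" stands for a standard whitelist, and "classic" or "vpc" stands for the network isolation mode of an enhanced whitelist.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Whitelist:
    name: str
    entries: list
    network_type: str = "any"  # "any" = standard; "classic" or "vpc" = enhanced

def allows(wl, source_ip, path):
    """path is how the connection arrives: "vpc", or "classic" for the
    classic network and public endpoints."""
    if wl.network_type not in ("any", path):
        return False  # enhanced whitelist of the other network type is ignored
    ip = ipaddress.ip_address(source_ip)
    return any(ip in ipaddress.ip_network(e, strict=False) for e in wl.entries)

def admitted_by(whitelists, source_ip, path):
    # An empty result means the connection is denied.
    return [wl.name for wl in whitelists if allows(wl, source_ip, path)]

def to_enhanced(wl):
    """Switching modes replicates a standard whitelist into two enhanced
    whitelists with the same CIDR blocks and different isolation modes."""
    return [Whitelist(wl.name + "_classic", list(wl.entries), "classic"),
            Whitelist(wl.name + "_vpc", list(wl.entries), "vpc")]

# Constructed sample layout: the default whitelist plus a separate one for DataWorks.
DEFAULT = Whitelist("default", ["127.0.0.1"])
DATAWORKS = Whitelist("dataworks", ["192.168.10.0/24", "203.0.113.80"])
# Misconfigured enhanced whitelist: a vSwitch CIDR block filed under the classic type.
WRONG_TYPE = Whitelist("dataworks", ["192.168.10.0/24"], "classic")

if __name__ == "__main__":
    print(admitted_by([DEFAULT, DATAWORKS], "192.168.10.7", "vpc"))   # standard mode
    print(admitted_by([DEFAULT, WRONG_TYPE], "192.168.10.7", "vpc"))  # denied
    print(admitted_by([DEFAULT] + to_enhanced(DATAWORKS), "203.0.113.80", "classic"))
```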
What to do next
If you use a self-managed database that is deployed on an Elastic Compute Service (ECS) instance, you must configure a security group to ensure that the resource group can read data from and write data to the database. For more information, see Configure a security group for an ECS instance where a self-managed data store resides.