DataWorks:Configure an IP address whitelist

Prerequisites

If you configured the network connection between the resource group for Data Integration and data source, but the resource group still cannot access the data source, the data source may be configured with an IP address whitelist that denies access from some IP addresses. In this case, you must add the IP address or CIDR block of the resource group to the IP address whitelist of the data source.

Background information

If a resource group for Data Integration is connected to the data source that you want to access as described in Select a network connectivity solution, but the resource group still cannot access the data source, the data source may be configured with an IP address whitelist that denies access from some IP addresses. In this case, you must obtain and add the IP address or CIDR block of the resource group to the IP address whitelist of the data source.

Add the EIP or CIDR block of an exclusive resource group for Data Integration to an IP address whitelist of a data source

• If you want to use an exclusive resource group for Data Integration to run a node to synchronize data from a data source over a VPC, you must add the CIDR block of the vSwitch to which the exclusive resource group is bound to an IP address whitelist of the data source. To obtain and add the CIDR block of the vSwitch to which the resource group is bound to an IP address whitelist of the data source, perform the following operations:
  On the Exclusive Resource Groups tab of the DataWorks console, find the desired exclusive resource group for Data Integration and click Network Settings in the Actions column to view the CIDR block of the vSwitch to which the resource group is bound. Then, add the CIDR block to the IP address whitelist of the data source.
• If you want to use an exclusive resource group for Data Integration to run a node to synchronize data from a data source over the Internet, add the EIP of the exclusive resource group to an IP address whitelist of the data source. To obtain and add the EIP of the exclusive resource group for Data Integration to an IP address whitelist of the data source, perform the following operations:
  On the Exclusive Resource Groups tab of the DataWorks console, find the exclusive resource group for Data Integration whose EIP you want to view and click View Information in the Actions column. In the Exclusive Resource Groups dialog box, copy the EIP. Then, add the copied EIP to the IP address whitelist of the data source.
  Note If you upgrade the configuration of the exclusive resource group for Data Integration, you must check whether the EIP of the resource group changes. If the EIP of the resource group changes, add the new EIP to the IP address whitelist of the data source after the configuration upgrade. This ensures the normal running of your synchronization node.

Add the IP addresses or CIDR blocks of the servers in the region where the DataWorks workspace resides to an IP address whitelist of a data source

To allow the shared resource group for Data Integration to access a data source, you must add the IP addresses or CIDR blocks of the servers in the region where the DataWorks workspace resides to an IP address whitelist of the data source. To view and add the IP addresses or CIDR blocks of the servers in a region to an IP address whitelist of the data source, perform the following steps:

1. Log on to the DataWorks console as a developer.
2. In the left-side navigation pane, click Workspaces.
3. In the top navigation bar, select the region where the desired workspace resides.
4. View the IP addresses or CIDR blocks based on the selected region and add them to the IP address whitelist of the data source that you want to access.

   Region	CIDR block or IP address
   China (Hangzhou)	11.193.215.0/24,11.194.110.0/24,11.194.73.0/24,11.196.23.0/24,11.197.247.0/24,11.193.102.0/24,100.104.0.0/16,118.31.157.0/24,47.97.53.0/24,47.99.12.0/24,47.99.13.0/24,114.55.197.0/24,11.197.246.0/24
   China (Shanghai)	10.152.69.0/24,10.153.136.0/24,11.115.106.0/24,11.192.97.0/24,11.192.98.0/24,11.193.102.0/24,11.193.109.0/24,11.193.252.0/24,11.218.89.0/24,11.218.96.0/24,11.219.217.0/24,11.219.218.0/24,11.219.219.0/24,11.219.233.0/24,11.219.234.0/24,10.117.28.203,10.117.39.238,10.27.63.15,10.27.63.38,10.27.63.41,10.27.63.60,10.46.64.81,10.46.67.156,100.104.0.0/16,118.178.142.154,118.178.56.228,118.178.59.233,118.178.84.74,120.27.160.26,120.27.160.81,121.43.110.160,121.43.112.137,47.100.129.0/24,47.101.107.0/24,47.102.181.128/26,47.102.181.192/26,47.102.234.0/26,47.102.234.64/26,106.15.14.0/24,10.143.32.0/22
   China (Shenzhen)	100.106.46.0/24,100.106.49.0/24,10.152.27.0/24,10.152.28.0/24,11.192.96.0/24,11.193.103.0/24,11.193.104.0/24,11.196.76.0/24,11.192.91.0/24,100.104.0.0/16,120.76.104.0/24,120.76.91.0/24,120.78.45.0/24,47.106.63.0/26,47.106.63.128/26,47.106.63.192/26,47.106.63.64/26,120.77.195.128/26,120.77.195.192/26,120.77.195.64/26,47.112.86.0/26
   China (Chengdu)	11.195.52.0/24,11.195.55.0/24,47.108.46.0/26,47.108.46.128/26,47.108.46.192/26,47.108.46.64/26,47.108.22.0/24,100.104.0.0/16
   China (Zhangjiakou)	11.193.235.0/24,100.104.0.0/16,47.92.185.0/26,47.92.185.64/26,47.92.185.128/26,47.92.185.192/26,47.92.22.0/24
   China (Hong Kong)	10.152.162.0/24,11.192.196.0/24,11.193.11.0/24,11.193.118.0/24,100.104.0.0/16,47.75.228.0/24,47.89.61.0/24,47.244.92.128/26,47.244.92.192/26,47.56.45.0/26,47.56.45.64/26,47.91.171.0/25,47.101.109.0/26,47.56.45.128/26,47.56.45.192/26,47.90.24.0/26,47.90.24.64/26
   Singapore (Singapore)	11.193.162.0/24,11.193.163.0/24,11.193.8.0/24,11.197.188.0/24,11.193.158.0/24,11.193.220.0/24,11.192.152.0/23,11.192.40.0/26,10.151.234.0/26,10.151.238.0/26,10.152.248.0/26,100.106.10.0/26,100.106.35.0/26,100.104.0.0/16,47.74.161.0/24,47.74.162.0/24,47.88.235.0/25,47.88.147.0/24,47.74.203.0/24,161.117.146.128/26,161.117.146.192/26,161.117.164.0/26,161.117.164.64/26,47.74.206.0/26,47.74.206.128/26,47.74.206.192/26,47.74.206.64/26
   Australia (Sydney)	11.192.100.0/24,11.192.134.0/24,11.192.135.0/24,11.192.184.0/24,11.192.99.0/24,11.193.165.0/24,100.104.0.0/16,47.91.60.0/24,47.91.50.0/25,47.91.49.128/25,47.91.49.0/25
   China (Beijing)	11.193.75.0/24,100.106.48.0/24,11.193.82.0/24,11.193.99.0/24,11.197.231.0/24,10.152.167.0/24,10.152.168.0/24,11.193.50.0/24,11.195.172.0/22,100.104.0.0/16,47.93.110.0/24,47.94.185.0/24,47.95.63.0/24,47.94.49.0/24,182.92.144.0/24,182.92.32.128/26,39.107.7.0/26
   US (Silicon Valley)	10.152.160.0/24,11.193.216.0/24,100.104.0.0/16,47.89.224.0/24,47.88.108.0/24,47.89.124.0/26,47.89.124.128/26,47.89.124.192/26,47.89.124.64/26
   US (Virginia)	47.88.98.0/26,47.88.98.64/26,47.88.98.128/26,47.88.98.192/26,47.252.91.0/26,47.252.91.128/26,47.252.91.192/26,47.252.91.64/26,47.252.71.128/26,47.252.71.192/26,47.252.90.0/26,47.252.90.64/26,10.128.134.0/24,11.193.203.0/24,11.194.68.0/24,11.194.69.0/24,100.104.0.0/16
   Malaysia (Kuala Lumpur)	11.193.188.0/24,11.193.189.0/24,11.214.81.0/24,11.221.206.0/24,11.221.205.0/24,11.221.207.0/24,100.104.0.0/16,47.254.212.0/24,47.250.29.0/26,47.250.29.128/26,47.250.29.192/26,47.250.29.64/26
   Germany (Frankfurt)	11.192.116.0/24,11.192.170.0/24,11.193.167.0/24,11.192.169.0/24,11.193.106.0/24,11.192.168.0/24,100.104.0.0/16,47.91.82.0/24,47.91.83.0/24,47.91.84.0/24,47.254.138.0/24,47.254.180.0/26,47.254.180.128/26,47.254.180.192/26,47.254.180.64/26
   Japan (Tokyo)	100.105.55.0/24,11.192.147.0/24,11.192.149.0/24,11.199.250.0/24,11.59.59.0/24,11.192.148.0/24,100.104.0.0/16,47.91.0.128/26,47.91.0.192/26,47.91.27.128/26,47.91.12.0/24,47.91.13.0/24,47.91.9.0/24,47.91.27.0/26,47.245.18.128/26,47.245.18.192/26,47.245.51.0/26,47.245.51.64/26,47.245.51.128/26,47.245.51.192/26
   UAE (Dubai)	11.192.107.0/24,11.192.127.0/24,11.192.88.0/24,11.193.246.0/24,100.104.0.0/16,47.91.116.0/24
   India (Mumbai)	11.194.10.0/24,11.246.70.0/24,11.246.71.0/24,11.246.73.0/24,11.246.74.0/24,11.59.62.0/24,11.194.11.0/24,100.104.0.0/16,149.129.164.0/24,149.129.165.192/26,147.139.23.0/26,147.139.23.128/26,147.139.23.64/26,147.139.21.0/26,147.139.21.128/26,147.139.21.192/26,147.139.21.64/26
   UK (London)	11.199.93.0/24,100.104.0.0/16,8.208.17.0/24,8.208.72.0/26,8.208.72.128/26,8.208.72.192/26,8.208.72.64/26
   Indonesia (Jakarta)	11.194.49.0/24,11.194.50.0/24,11.200.93.0/24,11.200.97.0/24,11.59.135.0/24,11.200.95.0/26,10.143.32.0/22,100.104.0.0/16,149.129.228.0/24,47.89.94.128/27,47.89.94.160/27,47.89.94.192/27,47.89.94.224/27,47.89.95.128/26,149.129.229.0/26,149.129.229.128/26,149.129.229.192/26,149.129.229.64/26,147.139.156.0/26,147.139.156.128/26,147.139.156.64/26,149.129.230.192/26
   China North 2 Ali Gov	11.194.116.0/24,100.104.0.0/16,39.107.188.0/24 If access is still denied after the preceding IP addresses and CIDR blocks are added, add the following IP addresses and CIDR blocks: 11.194.116.160,11.194.116.161,11.194.116.162,11.194.116.163,11.194.116.164,11.194.116.165,11.194.116.167,11.194.116.169,11.194.116.170,11.194.116.171,11.194.116.172,11.194.116.173,11.194.116.174,11.194.116.175,39.107.188.0/24,100.104.0.0/16
   China East 2 Finance	140.205.46.128/25,140.205.48.0/25,140.205.48.128/25,140.205.49.0/25,140.205.49.128/25,11.192.156.0/25,11.192.157.0/25,11.192.164.0/25,11.192.165.0/25,11.192.166.0/25,11.192.167.0/25,106.11.245.0/26,106.11.245.128/26,106.11.245.192/26,106.11.245.64/26,140.205.39.0/24,106.11.225.0/24,106.11.226.0/24,106.11.227.0/24,106.11.242.0/24,100.104.0.0/16

Add the private or public IP addresses of the servers in the custom resource group for Data Integration to an IP address whitelist of a data source

To allow a custom resource group for Data Integration to access a data source, you must add the private or public IP addresses of the servers in the custom resource group to an IP address whitelist of the data source.

Precautions for configuring an IP address whitelist

In this section, ApsaraDB RDS is used to demonstrate the precautions for configuring an IP address whitelist. Before you add the IP address or CIDR block of a resource group for Data Integration to an IP address whitelist of an ApsaraDB RDS instance, you must have a command of the precautions described in this section.

ApsaraDB RDS supports standard IP address whitelists and enhanced IP address whitelists. The IP address whitelist that you configured for an ApsaraDB RDS instance may affect the connectivity between a resource group for Data Integration and the instance.

• If you configure a standard IP address whitelist for an ApsaraDB RDS instance, you must take note of the following items:
  • You can add IP addresses from both the classic network and VPCs to the same IP address whitelist.
  • We recommend that you add the IP addresses of different types of resource groups to different IP address whitelists.
    Note The IP addresses in a standard IP address whitelist can be used to access the ApsaraDB RDS instance over both the classic network and VPCs.
• If you configure an enhanced IP address whitelist for an ApsaraDB RDS instance, you must take note of the following items:
  • You must add IP addresses from the classic network and VPCs to different IP address whitelists.
    Note You must specify the network isolation mode of each enhanced IP address whitelist. For example, if the Network Type Allowed for Instance Access parameter is set to Classic Network/Public IP for an IP address whitelist, the IP addresses in the IP address whitelist can be used to access an ApsaraDB RDS instance only over the classic network. In this case, you cannot connect to the ApsaraDB RDS instance over VPCs from these IP addresses.
  • If you use an exclusive resource group for Data Integration to access an ApsaraDB RDS instance over a VPC, an IP address whitelist of the VPC type is used.
  • If the ApsaraDB RDS instance resides in a VPC and you use the shared resource group for Data Integration to access the instance, an IP address whitelist of the VPC type is used.
  • If you access the Apsara RDS instance over a public endpoint, an IP address whitelist of the classic network type is used.
• If you switch the network isolation mode of an ApsaraDB RDS instance from the standard whitelist mode to the enhanced whitelist mode, you must take note of the following item:

  The standard IP address whitelist is replicated into two enhanced IP address whitelists that contain the same CIDR blocks. The two enhanced IP address whitelists have different network isolation modes.

Other precautions:

• If you configure IP address whitelists for your ApsaraDB RDS instance, the workloads on the instance are not interrupted.
• The IP address whitelist labeled default can be cleared, but cannot be deleted.
• Do not modify or delete the IP address whitelists that are generated for other Alibaba Cloud services. If you delete these IP address whitelists, the related Alibaba Cloud services cannot connect to your ApsaraDB RDS instance. For example, if you delete the IP address whitelist ali_dms_group that is generated for Data Management (DMS) or the IP address whitelist hdm_security_ips that is generated for Database Autonomy Service (DAS), DMS and DAS cannot access your ApsaraDB RDS instance.
  Note We recommend that you create an IP address whitelist that is independent of other whitelists for DataWorks.
• The IP address whitelist labeled default contains only the IP address 127.0.0.1. This indicates that access from all IP addresses to your ApsaraDB RDS instance is denied.

For more information about how to configure an IP address whitelist for an ApsaraDB RDS instance, see Use a database client or the CLI to connect to an ApsaraDB RDS for MySQL instance. You can use a similar method to configure IP address whitelists for other types of data sources. To configure IP address whitelists for other types of data sources, see the related instructions.

What to do next

If you use a self-managed database that is deployed on an Elastic Compute Service (ECS) instance, you must configure a security group to ensure that the resource group can read data from and write data to the database. For more information, see Configure a security group for an ECS instance where a self-managed data store resides.