This topic uses an ApsaraDB RDS for MySQL instance as an example to describe how to establish network connectivity between DataWorks and a data source in a different Alibaba Cloud account.
Use cases
Use this solution if your data source and DataWorks workspace meet all the following conditions:
The data source is an Alibaba Cloud product.
The data source and the DataWorks workspace belong to different Alibaba Cloud accounts.
Solution overview
In a scenario where the data source and workspace are in different accounts, you can use a VPC (private network) connection. You can use a network connectivity tool, such as CEN or a VPC peering connection, to connect the VPC of the data source in Account A to the VPC of the DataWorks resource group in Account B. This enables network communication.
Prerequisites
An Alibaba Cloud data source that DataWorks supports is available.
The data source and the DataWorks workspace meet the requirements described in the Use cases section.
You have configured cross-account authorization in the data source's account.
Billing
Charges vary depending on the networking product you choose. For more information, see the billing details for Cloud Enterprise Network (CEN) or Peering Connection.
If you use a VPC Peering Connection and the data source and DataWorks resource group are in different accounts but in the same region, no fees are charged.
Configure network connectivity
The following section describes the general process for establishing network connectivity to explain the core configuration logic. For detailed instructions, see the Configuration example in this topic.
Step 1: Obtain basic information
On the data source side
Account information: This topic uses Account A as an example.
Region information: This topic uses an ApsaraDB RDS for MySQL instance in the China (Hangzhou) region as an example.
VPC and vSwitch information:
Note: This topic uses ApsaraDB RDS for MySQL as an example. For other Alibaba Cloud instances, see the official documentation for that product to obtain VPC information.
Go to the ApsaraDB RDS console, find the target instance, and click the Instance Name to open the Basic Information page.
In the left-side navigation pane, click Database Connection to view the VPC and vSwitch information for the ApsaraDB RDS for MySQL instance.

On the DataWorks side
Account information: This topic uses Account B as an example.
Region information: This topic uses a DataWorks workspace and resource group in the China (Shanghai) region as an example.
Resource group's bound VPC and vSwitch information:
Go to the resource group list page in DataWorks, find the target resource group, and in the Actions column, click Network Settings.
In the relevant module, view the bound VPC and vSwitch information.
For example, if you need to connect ApsaraDB RDS for MySQL to DataWorks for data synchronization, view the VPC and vSwitch information under Data Scheduling & Data Integration.

Step 2: Establish the network connection
To establish cross-account VPC connectivity, use one of the following network connectivity tools based on your requirements:
Cloud Enterprise Network (CEN): Suitable for complex enterprise network environments and interconnecting multiple VPCs. For configuration details, see Connect VPCs across different accounts.
VPC Peering Connection: Suitable for point-to-point connectivity between two VPCs. For configuration details, see Use a VPC Peering Connection to achieve private network communication between VPCs.
If you encounter issues while establishing the network connection, submit a ticket to contact technical support for the relevant cloud product.
Step 3: Add a route to the resource group
When DataWorks accesses a data source in a different account, you must add a route in the DataWorks resource group to the CIDR block of the data source's vSwitch.
Go to the resource group list page in DataWorks, find the target resource group, and in the Actions column, click Network Settings.
In the relevant module, find the bound VPC and in the Actions column, click Custom Route.
Click Add Route, select Specify CIDR Block as the connection method, and set Destination CIDR Block to the vSwitch CIDR block of the data source.
Step 4: (Optional) Configure the whitelist
If the data source is protected by a whitelist, add the CIDR block of the vSwitch bound to the resource group to the data source's whitelist.
This topic uses Configure an IP address whitelist for ApsaraDB RDS for MySQL as an example. On the Whitelist And Security Group tab, add the vSwitch CIDR block that is bound to the DataWorks resource group in Account B.
For other Alibaba Cloud instances, see the product's official documentation for instructions on adding an IP address to a whitelist.

Verify network connectivity
Log on to the DataWorks console. In the top navigation bar, select the desired region. In the left-side navigation pane, choose . On the page that appears, select the desired workspace from the drop-down list and click Go to Data Integration.
In the left-side navigation pane, click Data Source. On the data source list page, click Add Data Source, select the data source type, and configure the connection parameters.
In the resource group list at the bottom, select the target resource group and click Test Connectivity.
Note: If the connectivity test shows Cannot connect, you can use the Connectivity Diagnosis Tool to resolve the issue. If the connection still fails, submit a ticket.
Configuration example
This example describes how to configure network connectivity between an ApsaraDB RDS for MySQL instance in the China (Hangzhou) region under Account A and a DataWorks workspace in the China (Shanghai) region under Account B.
1. Basic information
Parameter | Data source (ApsaraDB RDS for MySQL) | DataWorks resource group |
Account | Account A | Account B |
Region | China (Hangzhou) | China (Shanghai) |
VPC |
|
|
2. Establish the network connection
You can use either Cloud Enterprise Network (CEN) or a VPC Peering Connection to establish network connectivity between the data source and DataWorks. Choose the method that best suits your needs.
If you encounter issues while establishing the network connection, submit a ticket to contact technical support for the relevant cloud product.
Cloud Enterprise Network (CEN)
Log on to Account B, go to the CEN console, and click Create CEN Instance. In the dialog box, set the instance Name and click Confirm.
Note: For centralized management, we recommend creating the CEN instance in the same account as DataWorks.
In the dialog box, click Create Network Instance Connection and configure the network information for the DataWorks resource group.
The following table describes the key parameters for this example. Use the default values for any parameters not mentioned.
Parameter | Description |
Instance type | This solution describes cross-account VPC connectivity. Select Virtual Private Cloud (VPC). |
Region | Select the region where the resource group is located. In this example, select China (Shanghai). |
Resource ownership UID | Select Same Account. |
Network instance | Select the VPC instance where the DataWorks resource group is located. |
vSwitch | Select the vSwitch where the resource group is located. In this example, select Account_B_Switch_sh_e. |
Note: CEN connections require zone-level disaster recovery, so you must configure at least two vSwitches in different zones. After ensuring the resource group's vSwitch is included, add another vSwitch from any available zone. If you have fewer than two vSwitches, go to the vSwitch console to create one before proceeding.
Click Create.
Authorize the cross-account VPC instance.
Log on to Account A, go to the VPC console, and find the data source's VPC instance, Account_A_hangzhou_VPC in this example. Click the instance name to open the Basic Information page.
Switch to the Cross-account Authorization tab, click CEN Authorization, and configure the following parameters.
Parameter | Description |
Peer account UID | The UID of the Alibaba Cloud account for Account B. |
Peer CEN instance ID | The instance ID of the CEN instance that you created in Step 1. |
Payer | Select the party responsible for payment. CEN Instance Owner Pays Bills (Default): The connection fee and data transfer fee for the VPC instance are paid by the account that owns the CEN instance. VPC User Pays Bills: The connection fee and data transfer fee for the VPC instance are paid by the account that owns the VPC instance. This example uses the default value. |
Important: Choose the payer carefully. Changing the payer later may affect your services. For more information, see Authorize a network instance that belongs to another account.
Click OK.
Create a cross-account VPC connection.
Log on to Account B, go to the CEN console, and click the ID of the CEN instance that you created to go to the Basic Information page.
On the Transit Router tab, find the created Transit Router and in the Actions column, click Create Network Instance Connection. Configure the network information for the data source.
The following table describes the key parameters for this example. Use the default values for any parameters not mentioned.
Parameter | Description |
Instance type | This solution describes cross-account VPC connectivity. Select Virtual Private Cloud (VPC). |
Region | Select the region where the data source is located. In this example, select China (Hangzhou). |
Resource ownership UID | Select Cross-account and enter the UID of the Alibaba Cloud account for Account A in the UID field. |
Network instance | Select the VPC instance where the data source is located. |
vSwitch | Select the vSwitch where the data source is located. In this example, select Account_A_Switch_hz_h. |
Note: CEN connections require zone-level disaster recovery, so you must configure at least two vSwitches in different zones. After ensuring the data source's vSwitch is included, add another vSwitch from any available zone. If you have fewer than two vSwitches, go to the vSwitch console to create one before proceeding.
Click Create.
Create an inter-region connection.
Note: In this example, the data source and DataWorks are in different accounts and different regions, so you must configure an inter-region connection. If your data source and DataWorks are in different accounts but in the same region, skip this step.
Log on to Account B, go to the CEN console, and click the ID of the CEN instance that you created to go to the Basic Information page.
On the Transit Router tab, find the Transit Router for China (Hangzhou) (the data source's region), and in the Actions column, click Create Network Instance Connection to configure the inter-region connection.
Parameter | Description |
Region | Select China (Hangzhou). |
Peer region | Select China (Shanghai). |
Click Create.
VPC Peering Connection
Log on to Account A, go to the VPC Peering Connection console, switch the region to China (Hangzhou) at the top of the page, and then click Create Peering Connection. Configure the parameters.
The following table describes the key parameters for this example. Use the default values for any parameters not mentioned.
Parameter | Description |
Peering connection name | Enter a custom name. In this example, enter Account_A to Account_B. |
Requester VPC instance | Select the VPC where the data source (ApsaraDB RDS for MySQL) in Account A is located. In this example, select Account_A_hangzhou_VPC. |
Accepter account type | In this example, select Cross-account. |
Accepter Alibaba Cloud account UID | Enter the UID of the Alibaba Cloud account for Account B. |
Accepter region type | In this example, select Inter-region. |
Accepter region | Select the region where the DataWorks workspace and resource group in Account B are located. Select China (Shanghai). |
Accepter VPC instance | Manually enter the VPC ID of the VPC where the DataWorks resource group in Account B is located (Account_B_shanghai_VPC). |
Click OK. You are taken to the peering connection's basic information page, where the Status is Pending Acceptance.
Log on to Account B, go to the VPC Peering Connection console, and switch the region to China (Shanghai) at the top of the page. The console displays a peering connection identical to the one in Account A. In the Actions column, click Accept. The peering connection Status changes to Activated.
Under Accepter VPC instance, click Configure Route Entry. In the Configure Route Entry dialog box, enter a custom name for the route entry and set the Target CIDR Block to the requester's vSwitch CIDR block. In this example, set it to 192.168.6.0/24.
Log on to Account A, go to the VPC Peering Connection console, and switch the region to China (Hangzhou) at the top of the page. Find the peering connection that you created.
Under Requester VPC instance, click Configure Route Entry. In the Configure Route Entry dialog box, enter a custom name for the route entry and set the Target CIDR Block to the accepter's vSwitch CIDR block. In this example, set it to 172.16.66.0/24.
3. Add a route to the resource group
Log on to Account B, go to the resource group list page in DataWorks, find the target resource group, and in the Actions column, click Network Settings.
In the relevant module, find the bound VPC and in the Actions column, click Custom Route.
Click Add Route, select Specify CIDR Block as the connection method, and set Destination CIDR Block to the vSwitch CIDR block of the ApsaraDB RDS for MySQL instance in Account A. In this example, it is 192.168.6.0/24.
4. Configure the whitelist
Log on to Account A and add the vSwitch CIDR block bound to the DataWorks resource group to the Whitelist And Security Group of the ApsaraDB RDS for MySQL instance. In this example, the CIDR block is 172.16.66.0/24.
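The routes and whitelist entry configured in steps 2 to 4 can be checked against each other before you test connectivity. The following is an added example, not part of the original topic or of any Alibaba Cloud tooling: it models the VPC Peering Connection variant, and the `audit_plan` function and the plan's key names are hypothetical. The overlap check and the "no broader than the vSwitch" whitelist check are added least-privilege assumptions, not requirements stated in this topic.

```python
import ipaddress

def audit_plan(plan):
    """Return findings for a cross-account connectivity plan (hypothetical schema)."""
    src = ipaddress.ip_network(plan["datasource_vswitch_cidr"])     # Account A
    rg = ipaddress.ip_network(plan["resource_group_vswitch_cidr"])  # Account B
    findings = []

    # Overlapping ranges cannot be routed unambiguously between the two VPCs.
    if src.overlaps(rg):
        findings.append(f"vSwitch CIDRs overlap: {src} and {rg}")

    # Every route must point at the peer's vSwitch CIDR block.
    expected = {
        "resource_group_route": src,  # DataWorks custom route to the data source
        "accepter_vpc_route": src,    # Account B VPC route to the requester vSwitch
        "requester_vpc_route": rg,    # Account A VPC route to the accepter vSwitch
    }
    for name, want in expected.items():
        value = plan.get(name)
        if value is None:
            findings.append(f"{name}: missing")
            continue
        got = ipaddress.ip_network(value)
        if got != want:
            findings.append(f"{name}: {got} should be {want}")

    # The whitelist must admit the resource group's vSwitch and nothing broader.
    entries = [ipaddress.ip_network(e) for e in plan["rds_whitelist"]]
    if not any(rg.subnet_of(e) for e in entries):
        findings.append(f"whitelist does not cover {rg}")
    for e in entries:
        if e != rg and rg.subnet_of(e):
            findings.append(f"whitelist entry {e} is broader than {rg}")
    return findings

# Constructed sample built from the CIDR blocks in this topic's configuration example.
PLAN = {
    "datasource_vswitch_cidr": "192.168.6.0/24",
    "resource_group_vswitch_cidr": "172.16.66.0/24",
    "resource_group_route": "192.168.6.0/24",
    "accepter_vpc_route": "192.168.6.0/24",
    "requester_vpc_route": "172.16.66.0/24",
    "rds_whitelist": ["127.0.0.1", "172.16.66.0/24"],
}

if __name__ == "__main__":
    for line in audit_plan(PLAN) or ["plan matches the documented configuration"]:
        print(line)
```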

5. Test the connectivity
Before proceeding, configure cross-account authorization in the data source's account. In this example, this is Account A.
Log on to Account B.
Log on to the DataWorks console. In the top navigation bar, select the desired region. In the left-side navigation pane, choose . On the page that appears, select the desired workspace from the drop-down list and click Go to Data Integration.
In the left-side navigation pane, click Data Source. On the Data Source List page, click Add Data Source.
Select the MySQL data source type and configure the data source information.
For Configuration Mode, select Alibaba Cloud Instance Mode.
For Owner Account, select Other Alibaba Cloud Account.
For Other Alibaba Cloud Account UID, enter the UID of Account A.
For RAM Role Name For Authorization, enter the name of the RAM role that you have configured in Account A. For more information, see Cross-account authorization.
For Region, select China (Hangzhou).
For Instance, select the ApsaraDB RDS for MySQL instance in the China (Hangzhou) region of Account A for which you have configured network connectivity.
In the Connection Configuration section, click Test Connectivity next to the resource group bound to the workspace. Verify the result is Connected.
Note: If the connectivity test Fails, you can use the Connectivity Diagnosis Tool to troubleshoot the issue. If you still cannot connect the Resource Group to the data source, submit a ticket for assistance.
Related documents
For frequently asked questions about network connectivity, see Resource group operations and network connectivity.


