All Products
Search

This Product

    DataWorks:Connect to a data source in a different Alibaba Cloud account

    Document Center

    DataWorks:Connect to a data source in a different Alibaba Cloud account

    Last Updated:Mar 27, 2026

    Connect a DataWorks workspace to an Alibaba Cloud data source that belongs to a different Alibaba Cloud account by establishing cross-account virtual private cloud (VPC) connectivity. This topic uses ApsaraDB RDS for MySQL as an example.

    Use cases

    Apply this solution when both of the following conditions are true:

    • Different accounts: The data source and the DataWorks workspace belong to different Alibaba Cloud accounts.

    • Alibaba Cloud data source: The data source is an Alibaba Cloud product.

    Solution overview

    When the data source and the DataWorks workspace are in different Alibaba Cloud accounts, connect them over a VPC private network. Use a network connectivity tool — either Cloud Enterprise Network (CEN) or a VPC Peering Connection — to link the VPC of the data source in Account A to the VPC of the DataWorks resource group in Account B.

    Network connectivity diagram

    幻灯片4

    Prerequisites

    Before you begin, make sure that you have:

    Billing

    Charges depend on the networking product you choose. For pricing details, see the billing documentation for Cloud Enterprise Network (CEN) or VPC Peering Connection.

    Note

    If you use a VPC Peering Connection and the data source and the DataWorks resource group are in different accounts but in the same region, no fees are charged.

    Configure network connectivity

    Note

    The steps below describe the general configuration flow. For a complete walkthrough with specific values, see the Configuration example section.

    Step 1: Collect basic information

    Data source side

    • Account: Account A (in this example)

    • Region: The region where the data source is located. In this example, ApsaraDB RDS for MySQL is in the China (Hangzhou) region.

    • VPC and vSwitch information:

      1. Go to the ApsaraDB RDS console, find the target instance, and click the instance name to open the Basic Information page.

      2. In the left-side navigation pane, click Database Connection to view the VPC and vSwitch details. image

      Note

      The steps below apply to ApsaraDB RDS for MySQL. For other Alibaba Cloud products, refer to the respective product documentation to find VPC information.

    DataWorks side

    • Account: Account B (in this example)

    • Region: The region where the DataWorks workspace and resource group are located. In this example, China (Shanghai).

    • Resource group's bound VPC and vSwitch information:

      1. Go to the resource group list page in DataWorks, find the target resource group, and click Network Settings in the Actions column.

      2. In the relevant module, view the bound VPC and vSwitch information. For data synchronization scenarios, check the VPC and vSwitch under Data Scheduling & Data Integration. image

    Step 2: Establish the network connection

    Choose a connectivity method based on your environment:

    Method Best for
    Cloud Enterprise Network (CEN) Complex enterprise networks, interconnecting multiple VPCs
    VPC Peering Connection Point-to-point connectivity between two VPCs

    For configuration steps, see Cloud Enterprise Network (CEN) or VPC Peering Connection.

    Note

    If you encounter issues while establishing the connection, submit a ticketsubmit a ticket to contact technical support for the relevant cloud product.

    Step 3: Add a route to the resource group

    When DataWorks accesses a data source in a different account, add a route in the DataWorks resource group that points to the CIDR block of the data source's vSwitch.

    1. Go to the resource group list page in DataWorks, find the target resource group, and click Network Settings in the Actions column.

    2. In the relevant module, find the bound VPC and click Custom Route in the Actions column.

    3. Click Add Route, select CIDR Block as the connection method, and set Destination CIDR Block to the vSwitch CIDR block of the data source.

    Step 4: (Optional) Configure the whitelist

    If the data source is protected by an IP address whitelist, add the CIDR block of the vSwitch bound to the DataWorks resource group to the data source's whitelist.

    For ApsaraDB RDS for MySQL, go to the Whitelist and SecGroup tab and add the vSwitch CIDR block of the DataWorks resource group in Account B. For other Alibaba Cloud products, see the respective product documentation.

    image

    Verify network connectivity

    1. Log on to the DataWorks console. In the top navigation bar, select the target region. In the left-side navigation pane, choose Data Integration > Data Integration. Select the target workspace and click Go to Data Integration.

    2. In the left-side navigation pane, click Data Source. On the data source list page, click Add Data Source, select the data source type, and configure the connection parameters.

    3. In the resource group list at the bottom, select the target resource group and click Test Network Connectivity.

      Note

      If the result is Cannot connect, use the Network Connectivity Diagnosis Tool to troubleshoot. If the connection still fails, submit a ticket.

      image

    Configuration example

    This example walks through establishing network connectivity between an ApsaraDB RDS for MySQL instance in Account A (China (Hangzhou) region) and a DataWorks workspace in Account B (China (Shanghai) region).

    1. Basic information

    Parameter

    Data source (ApsaraDB RDS for MySQL)

    DataWorks resource group

    Account

    Account A

    Account B

    Region

    China (Hangzhou)

    China (Shanghai)

    VPC

    • VPC name: Account_A_hangzhou_VPC

    • VPC CIDR block: 192.168.0.0/16

    • vSwitch name: Account_A_Switch_hz_h

    • vSwitch CIDR block: 192.168.6.0/24

    • VPC name: Account_B_shanghai_VPC

    • VPC CIDR block: 172.16.0.0/12

    • vSwitch name: Account_B_Switch_sh_e

    • vSwitch CIDR block: 172.16.66.0/24

    2. Establish the network connection

    Use either Cloud Enterprise Network (CEN) or a VPC Peering Connection to connect the two VPCs. Follow the steps for your chosen method.

    Note

    If you encounter issues while establishing the connection, submit a ticket to contact technical support for the relevant cloud product.

    Cloud Enterprise Network (CEN)

    1. Log on to Account B, go to the CEN console, and click Create CEN Instance. Set the instance Name and click Confirm.

      Note

      Create the CEN instance in the same account as DataWorks (Account B) for centralized management.

    2. In the dialog box, clickCreate Connectionand configure the network information for the DataWorks resource group. The following table lists the key parameters. Use the default values for parameters not listed.

      Parameter

      Description

      Instance type

      This solution describes cross-account VPC connectivity. Select VPC Interconnection.

      Region

      Select the region where the resource group is located. In this example, select China (Shanghai).

      Resource Owner UID

      Select Current Account.

      VPC

      Select the VPC where the DataWorks resource group is located.

      vSwitch

      Select the vSwitch where the resource group is located. In this example, select Account_B_Switch_sh_e.

      Note

      CEN connections require zone-level disaster recovery, so you must configure at least two vSwitches in different zones. After ensuring the resource group's vSwitch is included, add another vSwitch from any available zone. If you have fewer than two vSwitches, go to the vSwitch console to create one before proceeding.

    3. Click Create.

    4. Authorize the cross-account VPC.

      1. Log on to Account A, go to the VPC console, and find the data source's VPC (Account_A_hangzhou_VPC in this example). Click the VPC name to open the Basic Information page.

      2. Switch to theCross-account Authorizationtab, clickCEN, and configure the following parameters.

        Parameter

        Description

        Peer account UID

        The UID of the Alibaba Cloud account for Account B.

        Peer CEN instance ID

        The instance ID of the CEN instance that you created in step 1.

        Payer

        Select the party responsible for payment.

        • Peer Account UID (Default): The connection fee and data transfer fee are paid by the account that owns the CEN instance.

        • VPC Users: The connection fee and data transfer fee are paid by the account that owns the VPC.

        This example uses the default value.

        Important

        Choose the payer carefully. Changing the payer later may affect your services. For more information, see Authorize a network instance that belongs to another account.

      3. Click OK.

    5. Create a cross-account VPC connection.

      1. Log on to Account B, go to the CEN console, and click the CEN instance ID to open the Basic Information page.

      2. On theTransit Routertab, find the Transit Router and clickCreate Connectionin theActionscolumn. Configure the network information for the data source. The following table lists the key parameters. Use the default values for parameters not listed.

        Parameter

        Description

        Instance type

        This solution describes cross-account VPC connectivity. Select VPC Interconnection.

        Region

        Select the region where the data source is located. In this example, select China (Hangzhou).

        Resource Owner UID

        Select Cross-account and enter the UID of Account A in the UID field.

        VPC

        Select the VPC where the data source is located.

        vSwitch

        Select the vSwitch where the data source is located. In this example, select Account_A_Switch_hz_h.

        Note

        CEN connections require zone-level disaster recovery, so you must configure at least two vSwitches in different zones. After ensuring the data source's vSwitch is included, add another vSwitch from any available zone. If you have fewer than two vSwitches, go to the vSwitch console to create one before proceeding.

      3. Click Create.

    6. Create an inter-region connection.

      1. Log on to Account B, go to the CEN console, and click the CEN instance ID to open the Basic Information page.

      2. On theTransit Routertab, find the Transit Router forChina (Hangzhou)(the data source's region) and clickCreate Connectionin theActionscolumn. Configure the inter-region connection.

        Parameter

        Description

        Region

        Select China (Hangzhou).

        Peer region

        Select China (Shanghai).

      3. Click OK.

      Note

      This step is required only when the data source and DataWorks are in different regions. If they are in different accounts but the same region, skip this step.

    After completing the CEN configuration, proceed to step 3 to add a route in the DataWorks resource group.

    VPC Peering Connection

    1. Log on to Account A, go to theVPC Peering Connection console, switch the region toChina (Hangzhou), and clickCreate Peering Connection. Configure the following parameters. The following table lists the key parameters. Use the default values for parameters not listed.

      Parameter

      Description

      Peering connection name

      Enter a custom name. In this example, enter Account_A to Account_B.

      Requester VPC instance

      Select the VPC where the data source (ApsaraDB RDS for MySQL) in Account A is located. In this example, select Account_A_hangzhou_VPC.

      Accepter account type

      Select Cross-account.

      Accepter Alibaba Cloud account UID

      Enter the UID of Account B.

      Accepter region type

      Select Inter-region.

      Accepter region

      Select the region of the DataWorks workspace and resource group in Account B. Select China (Shanghai).

      Accepter VPC instance

      Enter the VPC ID of the DataWorks resource group in Account B (Account_B_shanghai_VPC).

    2. Click OK. The peering connection's Status is Pending Acceptance.

    3. Log on to Account B, go to the VPC Peering Connection console, and switch the region to China (Shanghai). Find the pending peering connection and click Accept in the Actions column. The Status changes to Activated.

    4. Under Accepter VPC instance, click Configure Route Entry. Enter a name for the route entry and set Destination CIDR Block to the requester's vSwitch CIDR block. In this example, enter 192.168.6.0/24.

      image

    5. Log on to Account A, go to the VPC Peering Connection console, and switch the region to China (Hangzhou). Find the peering connection you created.

    6. Under Requester VPC instance, click Configure Route Entry. Enter a name for the route entry and set Destination CIDR Block to the accepter's vSwitch CIDR block. In this example, enter 172.16.66.0/24.

      image

    After completing the VPC Peering Connection configuration, proceed to step 3 to add a route in the DataWorks resource group.

    3. Add a route to the resource group

    1. Log on to Account B, go to the resource group list page in DataWorks, find the target resource group, and click Network Settings in the Actions column.

    2. In the relevant module, find the bound VPC and click Custom Route in the Actions column.

    3. Click Add Route, select CIDR Block as the connection method, and set Destination CIDR Block to the vSwitch CIDR block of the ApsaraDB RDS for MySQL instance in Account A. In this example, enter 192.168.6.0/24.

    4. Configure the whitelist

    Log on to Account A and add the vSwitch CIDR block of the DataWorks resource group to the Whitelist and SecGroup of the ApsaraDB RDS for MySQL instance. In this example, the CIDR block is 172.16.66.0/24.

    image

    5. Test connectivity

    Note

    Before testing, make sure cross-account authorization is configured in Account A (the data source's account).

    1. Log on to Account B.

    2. Log on to the DataWorks console. In the top navigation bar, select the target region. In the left-side navigation pane, choose Data Integration > Data Integration. Select the target workspace and click Go to Data Integration.

    3. In the left-side navigation pane, click Data Source. On the Data Source List page, click Add Data Source.

    4. Select the MySQL data source type and configure the data source information:

      • Configuration Mode: Select Alibaba Cloud Instance Mode.

      • Alibaba Cloud Account: Select Another Alibaba Cloud Account.

      • ID of Another Alibaba Cloud Account: Enter the UID of Account A.

      • Role Assigned to RAM User: Enter the RAM role name configured in Account A. For details, see Cross-account authorization.

      • Region: Select China (Hangzhou).

      • Instance: Select the ApsaraDB RDS for MySQL instance in Account A for which you configured network connectivity.

    5. In the Connection Configuration section, click Test Network Connectivity next to the resource group bound to the workspace. Verify the result is Connected.

      Note

      If the test fails, use the Network Connectivity Diagnosis Tool to troubleshoot. If the connection still fails, submit a ticket.

      image

    Related topics

    For frequently asked questions about network connectivity in DataWorks, see Resource group operations and network connectivity.