This topic provides answers to some frequently asked questions about network connectivity.

How does a fully managed Flink service access the Internet?

  • Background information
    By default, the fully managed Flink service cannot access the Internet. Therefore, Alibaba Cloud provides NAT gateways to enable communications between virtual private clouds (VPCs) and the Internet. This way, users of the fully managed Flink service can access the Internet by using user-defined functions (UDFs) or DataStream code.
  • Solution
    Create a NAT gateway in the VPC. Then, create a source network address translation (SNAT) entry to bind the vSwitch that is associated with the fully managed Flink service to an elastic IP address (EIP). This way, the service can access the Internet by using the EIP. To do so, perform the following steps:
    1. Create a NAT gateway. For more information, see Create a NAT gateway.
    2. Create an SNAT entry. For more information, see Create an SNAT entry.
    3. Bind the vSwitch that is associated with the fully managed Flink service to an EIP. For more information, see Associate an EIP with an Internet NAT gateway.

How does fully managed Flink access a service across VPCs?

You can use one of the following methods to allow fully managed Flink to access a service across VPCs:
  • Submit a ticket. When you create the ticket, select VPC as the product name. Express Connect or other products are required to establish connections between VPCs. You are charged when you use this method.
  • Connect a network instance to Cloud Enterprise Network (CEN) to set up a network connection. For more information, see Overview.
  • Use a VPN gateway to establish a VPN connection between VPCs. For more information, see Establish IPsec-VPN connections between two VPCs.
  • Unsubscribe from the service that resides in a different VPC from fully managed Flink. Then, purchase the same type of service that resides in the same VPC as fully managed Flink.
  • Release the fully managed Flink service. Then, purchase another fully managed Flink service that is in the same VPC as the service that you want the fully managed Flink service to access.
  • Enable Internet access for fully managed Flink. This way, fully managed Flink can access other services over the Internet. By default, the fully managed Flink service cannot access the Internet. For more information about how to allow fully managed Flink to access the Internet, see How does a fully managed Flink service access the Internet?
    Note The Internet has a longer latency than internal networks. If you have high performance requirements, we recommend that you do not enable Internet access for fully managed Flink.

How do I configure a whitelist?

In most cases, the upstream and downstream storage that is supported by fully managed Flink does not allow access from external systems. Therefore, you need to add the CIDR block of the vSwitch of fully managed Flink to the whitelist of the storage system that fully managed Flink needs to access. To do so, perform the following steps:
  1. Log on to the Realtime Compute for Apache Flink console.
  2. On the Fully Managed Flink tab, find the workspace that you want to manage, and choose More > Workspace Details in the Actions column.
  3. In the Workspace Details dialog box, view the CIDR block of the vSwitch of fully managed Flink.
  4. Add the CIDR block of the vSwitch of fully managed Flink to the whitelist of the storage system that fully managed Flink needs to access.
    For example, you must configure a whitelist for an ApsaraDB RDS for MySQL database. For more information, see Configure an IP address whitelist for an ApsaraDB RDS for MySQL instance.
    Note
    • If you add a vSwitch later, you must also add the CIDR block of the new vSwitch to the whitelist of the storage system that fully managed Flink needs to access.
    • If your vSwitch is not in the same zone as the upstream and downstream storage, the network can be connected after you add the CIDR block of the vSwitch to the whitelist.

How do I troubleshoot network issues?

Realtime Compute for Apache Flink is deployed in a virtual private cloud (VPC). After you purchase Realtime Compute for Apache Flink, you cannot change the VPC that you selected. If the source or the sink is not in the same VPC as Realtime Compute for Apache Flink, the source or the sink is disconnected from Realtime Compute for Apache Flink and data cannot be read from the source or written to the sink. If data cannot be read from the source or written to the sink, perform the following steps to check whether a network issue exists:
  1. Check the network connectivity between the upstream storage service and Realtime Compute for Apache Flink.
    Realtime Compute for Apache Flink can access only storage services that are deployed in the same VPC and the same region as Realtime Compute for Apache Flink. If you want to access storage resources across VPCs or access Realtime Compute for Apache Flink over the Internet, use the following methods:
  2. Check whether the CIDR blocks of the vSwitch to which the fully managed Flink workspace belongs are added to the whitelists of the upstream storage services Message Queue for Apache Kafka and Elasticsearch.
    If the CIDR blocks are not added to the whitelists of the upstream storage services, perform the following steps:
    1. In the Workspace Details dialog box of the Realtime Compute for Apache Flink console, view the CIDR blocks of the vSwitch to which the fully managed Flink workspace belongs.
    2. Add the CIDR blocks to the whitelists of the upstream storage services. For more information about how to add the CIDR blocks to the whitelists of the upstream storage services, see the topics that are linked in the prerequisites of the related DDL documentation, such as the topic that is linked in the prerequisites of Create a Message Queue for Apache Kafka source table.
  3. If a network timeout error persists, the network issue may be caused by a connection timeout. In this case, increase the value of the connect.timeout parameter in the WITH clause. The default value of this parameter is 30, in seconds.
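
The whitelist check in step 2 (and in "How do I configure a whitelist?") can be run offline against an exported whitelist. The following is an added example, not part of the original documentation: the function name `audit_whitelist` and all sample CIDR values are constructed for illustration. It reports vSwitch CIDR blocks that the whitelist does not fully cover, including the case where only part of a block is listed, and flags entries that allow every address.

```python
import ipaddress

def _parse(entries):
    # Whitelists accept single IPs and CIDR blocks; a bare IP parses as /32.
    nets = [ipaddress.ip_network(e.strip(), strict=False) for e in entries]
    merged = []
    for version in (4, 6):
        # collapse_addresses merges adjacent/overlapping entries of one IP version.
        merged.extend(ipaddress.collapse_addresses(
            [n for n in nets if n.version == version]))
    return merged

def audit_whitelist(vswitch_cidrs, whitelist_entries):
    """Return (uncovered, overly_broad) for one storage whitelist."""
    allowed = _parse(whitelist_entries)
    # A /0 entry admits every address, not just the Flink vSwitch.
    overly_broad = [str(n) for n in allowed if n.prefixlen == 0]
    uncovered = []
    for cidr in vswitch_cidrs:
        block = ipaddress.ip_network(cidr.strip(), strict=True)
        # The whole vSwitch block must sit inside one merged whitelist range.
        covered = any(block.version == n.version and block.subnet_of(n)
                      for n in allowed)
        if not covered:
            uncovered.append(str(block))
    return uncovered, overly_broad

# Constructed sample values, not taken from any real workspace.
SAMPLE_VSWITCH_CIDRS = ["192.168.10.0/24", "192.168.20.0/24"]
SAMPLE_WHITELIST = ["192.168.10.0/25", "192.168.10.128/25", "192.168.20.15"]

if __name__ == "__main__":
    missing, broad = audit_whitelist(SAMPLE_VSWITCH_CIDRS, SAMPLE_WHITELIST)
    print("vSwitch CIDR blocks to add:", missing)
    print("entries that allow every address:", broad)
```

Run it again after you add a vSwitch, because the new CIDR block must also appear in each storage whitelist.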

How do I view the public bandwidth?

If the metric values of the deployment are normal and no backpressure exists in the deployment during data reading or writing over the Internet, you can view the public bandwidth to check whether a bottleneck issue occurs. To view the public bandwidth, perform the following steps:
  1. In the Workspace Details dialog box of the Realtime Compute for Apache Flink console, view the ID of the VPC in which the fully managed Flink workspace resides.
  2. Log on to the VPC console. In the left-side navigation pane, click VPCs. On the VPCs page, find the desired VPC and click the ID of the VPC.
  3. On the Resources tab of the details page of the VPC, click the value of Internet NAT Gateway in the Access to Internet section.
    Note If the value of Internet NAT Gateway in the Access to Internet section is 0, you must create an Internet NAT gateway. For more information, see Create and manage Internet NAT gateways.
  4. On the Internet NAT Gateway page, click the instance ID of the Internet NAT gateway in the Instance ID/Name column.
  5. On the Associated EIP tab, click the instance name in the Instance ID/Name column.
  6. On the Elastic IP Addresses page, click the Monitoring and O&M tab to view the public bandwidth.