
DataWorks: Configure an IP address whitelist

Last Updated: Feb 26, 2024

After you establish a network connection between a resource group and a data source, the resource group may still fail to access the data source because an IP address whitelist that allows access from only specific IP addresses is configured for the data source. In this case, you must add the IP address or CIDR block of the resource group to the IP address whitelist of the data source. This topic provides instructions on configuring an IP address whitelist.

Prerequisites

A network connection is established between your resource group for Data Integration and your data source. The following situations may exist:

  • If your data source and your resource group for Data Integration reside in different regions and belong to different Alibaba Cloud accounts, you must select an appropriate network connectivity solution based on the network environment of the resource group for Data Integration. For more information, see Establish a network connection between a resource group and a data source.

  • If you use an exclusive resource group for Data Integration to connect to a data source that resides in a virtual private cloud (VPC), resides in the same region, and belongs to the same Alibaba Cloud account as the resource group, you must configure network settings for the resource group and associate the resource group with the desired workspace. For more information, see Create and use an exclusive resource group for Data Integration.

If a network connection is established between the resource group for Data Integration and the data source, but the resource group still cannot access the data source, the data source may be configured with an IP address whitelist that denies access from some IP addresses. In this case, you must add the IP address or CIDR block of the resource group to the IP address whitelist of the data source.

Background information

If a network connection is established between your resource group for Data Integration and your data source as described in Establish a network connection between a resource group and a data source, but the resource group still cannot access the data source, the data source may be configured with an IP address whitelist that denies access from some IP addresses. In this case, you must obtain and add the IP address or CIDR block of the resource group to the IP address whitelist of the data source.

To ensure the security and stability of data sources, most data sources are configured with IP address whitelists. You must add the required IP addresses or CIDR blocks to the IP address whitelists of the data sources. For example, if you want a resource group to access an ApsaraDB RDS, ApsaraDB for MongoDB, or ApsaraDB for Redis data source, you must add the IP address or CIDR block of the resource group to the IP address whitelists of these data sources. When you add the IP address or CIDR block of a resource group to an IP address whitelist, take note of the following items:

Add the EIP or CIDR block of an exclusive resource group for Data Integration to an IP address whitelist of a data source

  • If you want to use an exclusive resource group for Data Integration to run a task to synchronize data from a data source over a VPC, you must add the CIDR block of the vSwitch with which the exclusive resource group is associated to an IP address whitelist of the data source. To obtain and add the CIDR block of the vSwitch with which the resource group is associated to an IP address whitelist of the data source, perform the following operations:

    On the Exclusive Resource Groups tab of the Resource Groups page of the DataWorks console, find the desired exclusive resource group for Data Integration and click Network Settings in the Actions column to view the CIDR block of the vSwitch with which the resource group is associated. Then, add the CIDR block to the IP address whitelist of the data source.

  • If you want to use an exclusive resource group for Data Integration to run a task to synchronize data from a data source over the Internet, add the EIP of the exclusive resource group to the whitelist of the data source. To obtain and add the EIP of the exclusive resource group for Data Integration to an IP address whitelist of the data source, perform the following operations:

    On the Exclusive Resource Groups tab of the Resource Groups page of the DataWorks console, find the exclusive resource group for Data Integration whose EIP you want to view and click View Information in the Actions column. In the Exclusive Resource Groups dialog box, copy the EIP. Then, add the copied EIP to the IP address whitelist of the data source.

    Note

    If you upgrade the configuration of the exclusive resource group for Data Integration, you must check whether the EIP of the resource group changes. If the EIP of the resource group changes, add the new EIP to the IP address whitelist of the data source after the configuration upgrade. This ensures the normal running of your task.
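The following added example (not part of the original documentation or of DataWorks itself) checks whether a data source whitelist, written as the comma-separated mix of IP addresses and CIDR blocks used in this topic, covers the vSwitch CIDR block and the current EIP of an exclusive resource group, and reports a previous EIP that is still allowed after a configuration upgrade. All addresses and the function names are constructed for illustration.

```python
import ipaddress

def parse_whitelist(text):
    """Parse a comma-separated whitelist (single IPs and CIDR blocks) into networks."""
    nets = []
    for item in text.split(","):
        item = item.strip()  # tolerate spaces after commas
        if item:
            # strict=True rejects entries with host bits set, such as 10.0.0.5/24
            nets.append(ipaddress.ip_network(item, strict=True))
    return nets

def audit(whitelist_text, required, retired=()):
    """Return (missing, stale).

    missing: required sources that no single whitelist entry fully contains.
    stale:   retired addresses (no longer used by the resource group) still allowed.
    """
    nets = parse_whitelist(whitelist_text)

    def covered(source):
        src = ipaddress.ip_network(source, strict=True)
        # Conservative check: a CIDR source must sit wholly inside one entry
        return any(src.version == n.version and src.subnet_of(n) for n in nets)

    missing = [s for s in required if not covered(s)]
    stale = [s for s in retired if covered(s)]
    return missing, stale

# Constructed sample values (private and documentation ranges, not real DataWorks addresses)
VSWITCH_CIDR = "192.168.10.0/24"   # vSwitch CIDR block shown under Network Settings
OLD_EIP = "203.0.113.10"           # EIP before the configuration upgrade
NEW_EIP = "203.0.113.77"           # EIP shown under View Information after the upgrade
DATA_SOURCE_WHITELIST = "192.168.0.0/16, 203.0.113.10,198.51.100.0/24"

def demo():
    return audit(DATA_SOURCE_WHITELIST, required=[VSWITCH_CIDR, NEW_EIP], retired=[OLD_EIP])

if __name__ == "__main__":
    missing, stale = demo()
    print("not covered by the whitelist:", missing)
    print("retired but still allowed:", stale)
```
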

Add the IP addresses or CIDR blocks of the servers in the region where the DataWorks workspace resides to an IP address whitelist of a data source

To allow the shared resource group for Data Integration to access a data source, you must add the IP addresses or CIDR blocks of the servers in the region where the DataWorks workspace resides to an IP address whitelist of the data source. To view and add the IP addresses or CIDR blocks of the servers in a region to an IP address whitelist of the data source, perform the following steps:

  1. Log on to the DataWorks console as a developer.

  2. In the left-side navigation pane, click Workspaces.

  3. In the top navigation bar, select the region where the desired workspace resides.

  4. View the IP addresses or CIDR blocks based on the selected region and add them to the IP address whitelist of the data source that you want to access.

    Region

    CIDR block or IP address

    China (Hangzhou)

    11.193.215.0/24,11.194.110.0/24,11.194.73.0/24,11.196.23.0/24,11.197.247.0/24,11.193.102.0/24,100.104.0.0/16,118.31.157.0/24,47.97.53.0/24,47.99.12.0/24,47.99.13.0/24,114.55.197.0/24,11.197.246.0/24

    China (Shanghai)

    10.152.69.0/24,10.153.136.0/24,11.115.106.0/24,11.192.97.0/24,11.192.98.0/24,11.193.102.0/24,11.193.109.0/24,11.193.252.0/24,11.218.89.0/24,11.218.96.0/24,11.219.217.0/24,11.219.218.0/24,11.219.219.0/24,11.219.233.0/24,11.219.234.0/24,10.117.28.203,10.117.39.238,10.27.63.15,10.27.63.38,10.27.63.41,10.27.63.60,10.46.64.81,10.46.67.156,100.104.0.0/16,118.178.142.154,118.178.56.228,118.178.59.233,118.178.84.74,120.27.160.26,120.27.160.81,121.43.110.160,121.43.112.137,47.100.129.0/24,47.101.107.0/24,47.102.181.128/26,47.102.181.192/26,47.102.234.0/26,47.102.234.64/26,106.15.14.0/24,10.143.32.0/22

    China (Shenzhen)

    100.106.46.0/24,100.106.49.0/24,10.152.27.0/24,10.152.28.0/24,11.192.96.0/24,11.193.103.0/24,11.193.104.0/24,11.196.76.0/24,11.192.91.0/24,100.104.0.0/16,120.76.104.0/24,120.76.91.0/24,120.78.45.0/24,47.106.63.0/26,47.106.63.128/26,47.106.63.192/26,47.106.63.64/26,120.77.195.128/26,120.77.195.192/26,120.77.195.64/26,47.112.86.0/26

    China (Chengdu)

    11.195.52.0/24,11.195.55.0/24,47.108.46.0/26,47.108.46.128/26,47.108.46.192/26,47.108.46.64/26,47.108.22.0/24,100.104.0.0/16

    China (Zhangjiakou)

    11.193.235.0/24,100.104.0.0/16,47.92.185.0/26,47.92.185.64/26,47.92.185.128/26,47.92.185.192/26,47.92.22.0/24

    China (Hong Kong)

    10.152.162.0/24,11.192.196.0/24,11.193.11.0/24,11.193.118.0/24,100.104.0.0/16,47.75.228.0/24,47.89.61.0/24,47.244.92.128/26,47.244.92.192/26,47.56.45.0/26,47.56.45.64/26,47.91.171.0/25,47.101.109.0/26,47.56.45.128/26,47.56.45.192/26,47.90.24.0/26,47.90.24.64/26,47.240.180.192/26,47.240.195.0/26,47.240.195.64/26,47.240.195.128/26

    Singapore

    11.193.162.0/24,11.193.163.0/24,11.193.8.0/24,11.197.188.0/24,11.193.158.0/24,11.193.220.0/24,11.192.152.0/23,11.192.40.0/26,10.151.234.0/26,10.151.238.0/26,10.152.248.0/26,100.106.10.0/26,100.106.35.0/26,100.104.0.0/16,47.74.161.0/24,47.74.162.0/24,47.88.235.0/25,47.88.147.0/24,47.74.203.0/24,161.117.146.128/26,161.117.146.192/26,161.117.164.0/26,161.117.164.64/26,47.74.206.0/26,47.74.206.128/26,47.74.206.192/26,47.74.206.64/26

    Australia (Sydney)

    11.192.100.0/24,11.192.134.0/24,11.192.135.0/24,11.192.184.0/24,11.192.99.0/24,11.193.165.0/24,100.104.0.0/16,47.91.60.0/24,47.91.50.0/25,47.91.49.128/25,47.91.49.0/25

    China (Beijing)

    11.193.75.0/24,100.106.48.0/24,11.193.82.0/24,11.193.99.0/24,11.197.231.0/24,10.152.167.0/24,10.152.168.0/24,11.193.50.0/24,11.195.172.0/22,100.104.0.0/16,47.93.110.0/24,47.94.185.0/24,47.95.63.0/24,47.94.49.0/24,182.92.144.0/24,182.92.32.128/26,39.107.7.0/26

    US (Silicon Valley)

    10.152.160.0/24,11.193.216.0/24,100.104.0.0/16,47.89.224.0/24,47.88.108.0/24,47.89.124.0/26,47.89.124.128/26,47.89.124.192/26,47.89.124.64/26,10.60.92.128/26,10.60.120.0/26, 47.88.98.0/26,47.88.98.64/26,47.88.98.128/26,47.88.98.192/26,47.252.91.0/26,47.252.91.64/26,47.252.91.128/26,47.252.91.192/26

    US (Virginia)

    47.88.98.0/26,47.88.98.64/26,47.88.98.128/26,47.88.98.192/26,47.252.91.0/26,47.252.91.128/26,47.252.91.192/26,47.252.91.64/26,47.252.71.128/26,47.252.71.192/26,47.252.90.0/26,47.252.90.64/26,10.128.134.0/24,11.193.203.0/24,11.194.68.0/24,11.194.69.0/24,100.104.0.0/16

    Malaysia (Kuala Lumpur)

    11.193.188.0/24,11.193.189.0/24,11.214.81.0/24,11.221.206.0/24,11.221.205.0/24,11.221.207.0/24,100.104.0.0/16,47.254.212.0/24,47.250.29.0/26,47.250.29.128/26,47.250.29.192/26,47.250.29.64/26

    Germany (Frankfurt)

    11.192.116.0/24,11.192.170.0/24,11.193.167.0/24,11.192.169.0/24,11.193.106.0/24,11.192.168.0/24,100.104.0.0/16,47.91.82.0/24,47.91.83.0/24,47.91.84.0/24,47.254.138.0/24,47.254.180.0/26,47.254.180.128/26,47.254.180.192/26,47.254.180.64/26

    Japan (Tokyo)

    100.105.55.0/24,11.192.147.0/24,11.192.149.0/24,11.199.250.0/24,11.59.59.0/24,11.192.148.0/24,100.104.0.0/16,47.91.0.128/26,47.91.0.192/26,47.91.27.128/26,47.91.12.0/24,47.91.13.0/24,47.91.9.0/24,47.91.27.0/26,47.245.18.128/26,47.245.18.192/26,47.245.51.0/26,47.245.51.64/26,47.245.51.128/26,47.245.51.192/26

    UAE (Dubai)

    11.192.107.0/24,11.192.127.0/24,11.192.88.0/24,11.193.246.0/24,100.104.0.0/16,47.91.116.0/24

    India (Mumbai)

    11.194.10.0/24,11.246.70.0/24,11.246.71.0/24,11.246.73.0/24,11.246.74.0/24,11.59.62.0/24,11.194.11.0/24,100.104.0.0/16,149.129.164.0/24,149.129.165.192/26,147.139.23.0/26,147.139.23.128/26,147.139.23.64/26,147.139.21.0/26,147.139.21.128/26,147.139.21.192/26,147.139.21.64/26

    UK (London)

    11.199.93.0/24,100.104.0.0/16,8.208.17.0/24,8.208.72.0/26,8.208.72.128/26,8.208.72.192/26,8.208.72.64/26

    Indonesia (Jakarta)

    11.194.49.0/24,11.194.50.0/24,11.200.93.0/24,11.200.97.0/24,11.59.135.0/24,11.200.95.0/26,10.143.32.0/22,100.104.0.0/16,149.129.228.0/24,47.89.94.128/27,47.89.94.160/27,47.89.94.192/27,47.89.94.224/27,47.89.95.128/26,149.129.229.0/26,149.129.229.128/26,149.129.229.192/26,149.129.229.64/26,147.139.156.0/26,147.139.156.128/26,147.139.156.64/26,149.129.230.192/26

    China North 2 Ali Gov

    11.194.116.0/24,100.104.0.0/16,39.107.188.0/24

    If access is still denied after the preceding IP addresses and CIDR blocks are added, add the following IP addresses and CIDR blocks: 11.194.116.160,11.194.116.161,11.194.116.162,11.194.116.163,11.194.116.164,11.194.116.165,11.194.116.167,11.194.116.169,11.194.116.170,11.194.116.171,11.194.116.172,11.194.116.173,11.194.116.174,11.194.116.175,39.107.188.0/24,100.104.0.0/16

    China East 2 Finance

    140.205.46.128/25,140.205.48.0/25,140.205.48.128/25,140.205.49.0/25,140.205.49.128/25,11.192.156.0/25,11.192.157.0/25,11.192.164.0/25,11.192.165.0/25,11.192.166.0/25,11.192.167.0/25,106.11.245.0/26,106.11.245.128/26,106.11.245.192/26,106.11.245.64/26,140.205.39.0/24,106.11.225.0/24,106.11.226.0/24,106.11.227.0/24,106.11.242.0/24,100.104.0.0/16

Add the private or public IP addresses of the servers in the custom resource group for Data Integration to an IP address whitelist of a data source

To allow a custom resource group for Data Integration to access a data source, you must add the private or public IP addresses of the servers in the custom resource group to an IP address whitelist of the data source.

Note

If you upgrade the configuration of the custom resource group for Data Integration, you must add the new private or public IP addresses of the servers in the resource group to the IP address whitelist of the data source after the configuration upgrade. This ensures the normal running of your task.

Precautions for configuring an IP address whitelist

In this section, an ApsaraDB RDS instance is used to demonstrate the precautions for configuring an IP address whitelist. Before you add the IP address or CIDR block of a resource group for Data Integration to an IP address whitelist of an ApsaraDB RDS instance, make sure that you understand the precautions described in this section.

ApsaraDB RDS supports standard IP address whitelists and enhanced IP address whitelists. The IP address whitelist that you configured for an ApsaraDB RDS instance may affect the connectivity between a resource group for Data Integration and the instance.

  • If you configure a standard IP address whitelist for an ApsaraDB RDS instance, you must take note of the following items:

    • You can add IP addresses from both the classic network and VPCs to the same IP address whitelist.

    • We recommend that you add the IP addresses of different types of resource groups to different IP address whitelists.

      Note

      The IP addresses in a standard IP address whitelist can be used to access the ApsaraDB RDS instance over both the classic network and VPCs.

  • If you configure an enhanced IP address whitelist for an ApsaraDB RDS instance, you must take note of the following items:

    • You must add IP addresses from the classic network and VPCs to different IP address whitelists.

      Note

      You must specify the network isolation mode of each enhanced IP address whitelist. For example, you can configure settings to deny access from the IP addresses of the classic network in an enhanced IP address whitelist to an ApsaraDB RDS instance over a VPC. You can also configure settings to deny access from VPC IP addresses in an enhanced IP address whitelist to an ApsaraDB RDS instance over the classic network.

    • If you use an exclusive resource group for Data Integration to access an ApsaraDB RDS instance over a VPC, an IP address whitelist of the VPC type is used.

    • If the ApsaraDB RDS instance resides in a VPC and you use the shared resource group for Data Integration to access the instance, an IP address whitelist of the VPC type is used.

    • If you access the ApsaraDB RDS instance over the Internet, an IP address whitelist of the classic network type is used.

  • If you switch the network isolation mode of an ApsaraDB RDS instance from the standard whitelist mode to the enhanced whitelist mode, you must take note of the following item:

    The standard IP address whitelist is replicated into two enhanced IP address whitelists that contain the same CIDR blocks. The two enhanced IP address whitelists have different network isolation modes.

Other precautions:

  • If you configure IP address whitelists for your ApsaraDB RDS instance, the workloads on the instance are not interrupted.

  • The IP address whitelist labeled default can be cleared, but cannot be deleted.

  • Do not modify or delete the IP address whitelists that are generated for other Alibaba Cloud services. If you delete these IP address whitelists, the related Alibaba Cloud services cannot connect to your ApsaraDB RDS instance. For example, if you delete the IP address whitelist ali_dms_group that is automatically generated for Data Management (DMS) or the IP address whitelist hdm_security_ips that is automatically generated for Database Autonomy Service (DAS), DMS or DAS cannot access your ApsaraDB RDS instance.

    Note

    We recommend that you create an IP address whitelist that is independent of other whitelists for DataWorks.

  • The IP address whitelist labeled default contains only the IP address 127.0.0.1. This indicates that no IP address can be used to access your ApsaraDB RDS instance.
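The following added example (a simplified model written for this topic, not ApsaraDB RDS code or an ApsaraDB RDS API) reproduces the matching rules described above: a standard whitelist applies to both network types, an enhanced whitelist applies only to its own network type, and a standard whitelist is copied into two enhanced whitelists when the mode is switched. The class, function and whitelist names and all addresses are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Whitelist:
    name: str
    entries: tuple   # IP addresses or CIDR blocks as strings
    net_type: str    # "mixed" (standard) or "classic" / "vpc" (enhanced)

def allowed(whitelists, src_ip, path):
    """path is "vpc" or "classic"; Internet access uses the classic network type."""
    ip = ipaddress.ip_address(src_ip)
    for wl in whitelists:
        if wl.net_type not in ("mixed", path):
            continue  # an enhanced whitelist of the other network type never matches
        if any(ip in ipaddress.ip_network(e) for e in wl.entries):
            return True
    return False

def to_enhanced(standard):
    """Standard-to-enhanced switch: the same entries are copied once per network type."""
    return [Whitelist(f"{standard.name}_{t}", standard.entries, t)
            for t in ("classic", "vpc")]

# Constructed sample values (private and documentation ranges)
EIP = "203.0.113.77"           # EIP of an exclusive resource group, used over the Internet
VSWITCH_IP = "192.168.10.25"   # address inside the vSwitch CIDR block, used over a VPC
DEFAULT = Whitelist("default", ("127.0.0.1",), "mixed")
STANDARD = Whitelist("dataworks", ("192.168.10.0/24", EIP), "mixed")
# Failure mode: the EIP was added only to an enhanced whitelist of the VPC type
MISPLACED = [Whitelist("dataworks_vpc", ("192.168.10.0/24", EIP), "vpc")]

if __name__ == "__main__":
    print(allowed([DEFAULT], EIP, "classic"))                # default only: denied
    print(allowed(to_enhanced(STANDARD), EIP, "classic"))    # copied lists: allowed
    print(allowed(MISPLACED, EIP, "classic"))                # wrong type: denied
    print(allowed(MISPLACED, VSWITCH_IP, "vpc"))             # VPC path: allowed
```
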

For more information about how to configure an IP address whitelist for an ApsaraDB RDS instance, see Use a database client or the CLI to connect to an ApsaraDB RDS for MySQL instance. You can use a similar method to configure IP address whitelists for other types of data sources. To configure IP address whitelists for other types of data sources, see the related instructions.

What to do next

If you use a self-managed database that is deployed on an Elastic Compute Service (ECS) instance, you must configure a security group to ensure that the resource group can read data from and write data to the database. For more information, see Configure a security group for an ECS instance where a self-managed data source resides.