
DataWorks: Configure network connectivity

Last Updated: Nov 15, 2024

To ensure that a resource group can connect to a data source and access the data source as expected, you need to add the IP addresses or CIDR blocks that are used by the resource group to the whitelist of the data source. This topic describes how to configure network connectivity between different types of resource groups and a data source and the related precautions.

Configure network connectivity between the shared resource group for DataService Studio and a data source

Before you generate APIs for a data source in DataService Studio, you must configure the data source. To ensure that DataService Studio can access the data source, add the IP addresses or CIDR blocks that are used by the shared resource group for DataService Studio in the region where the data source resides to a whitelist of the data source.

Note

More CIDR blocks or IP addresses may be added to the whitelist if the configurations of shared resource groups are upgraded. DataWorks will notify you of the whitelist changes in advance. If your business is sensitive to whitelist changes, we recommend that you use exclusive resource groups.

Region

CIDR blocks or IP addresses

China (Hangzhou)

100.64.0.0/10,11.193.102.0/24,11.193.215.0/24,11.194.110.0/24,11.194.73.0/24,118.31.157.0/24,47.97.53.0/24,11.196.23.0/24,47.99.12.0/24,47.99.13.0/24,114.55.197.0/24,11.197.246.0/24,11.197.247.0/24,118.31.243.0/26,118.31.243.64/26,118.31.243.128/26,118.31.243.192/26,11.193.55.0/24,101.37.74.122,114.55.197.231,114.55.198.83,101.37.74.206

China (Shanghai)

11.193.109.0/24,11.193.252.0/24,47.101.107.0/24,47.100.129.0/24,106.15.14.0/24,10.117.28.203,10.143.32.0/24,10.152.69.0/24,10.153.136.0/24,10.27.63.15,10.27.63.38,10.27.63.41,10.27.63.60,10.46.64.81,10.46.67.156,11.192.97.0/24,11.192.98.0/24,11.193.102.0/24,11.218.89.0/24,11.218.96.0/24,11.219.217.0/24,11.219.218.0/24,11.219.219.0/24,11.219.233.0/24,11.219.234.0/24,118.178.142.154,118.178.56.228,118.178.59.233,118.178.84.74,120.27.160.26,120.27.160.81,121.43.110.160,121.43.112.137,100.64.0.0/10,10.117.39.238,11.193.96.0/24,11.193.48.0/24,11.193.108.0/24,101.132.31.146,106.15.14.240,106.15.14.75,101.132.31.221

China (Shenzhen)

100.106.46.0/24,100.106.49.0/24,10.152.27.0/24,10.152.28.0/24,11.192.91.0/24,11.192.96.0/24,11.193.103.0/24,100.64.0.0/10,120.76.104.0/24,120.76.91.0/24,120.78.45.0/24,47.106.63.0/26,47.106.63.128/26,47.106.63.192/26,47.106.63.64/26,11.193.94.0/24,120.78.45.154,120.78.46.137,120.78.46.107,120.78.45.140,172.26.131.130,172.26.131.129,172.26.131.128,172.26.131.127

China (Chengdu)

11.195.52.0/24,11.195.55.0/24,47.108.22.0/24,100.64.0.0/10

China (Beijing)

100.106.48.0/24,10.152.167.0/24,10.152.168.0/24,11.193.50.0/24,11.193.75.0/24,11.193.82.0/24,11.193.99.0/24,100.64.0.0/10,47.93.110.0/24,47.94.185.0/24,47.95.63.0/24,11.197.231.0/24,11.195.172.0/24,47.94.49.0/24,182.92.144.0/24,11.193.100.0/24,11.193.199.0/24,39.106.244.50,47.95.63.101,47.95.63.93,39.106.244.48,172.22.1.42,172.22.2.208,172.22.1.41,172.22.2.207

China (Zhangjiakou)

11.193.235.0/24,47.92.22.0/24,100.64.0.0/10,11.112.227.0/24

China (Hong Kong)

10.152.162.0/24,11.192.196.0/24,11.193.11.0/24,100.64.0.0/10,47.89.61.0/24,47.91.171.0/24,11.193.118.0/24,47.75.228.0/24,47.56.45.0/25,47.244.92.128/25,47.101.109.0/24,11.193.200.0/24,11.193.12.0/24,47.90.71.152,47.90.71.141,47.91.171.178,47.91.172.3

Singapore

100.106.10.0/24,100.106.35.0/24,10.151.234.0/24,10.151.238.0/24,10.152.248.0/24,11.192.153.0/24,11.192.40.0/24,11.193.8.0/24,100.64.0.0/10,47.88.147.0/24,47.88.235.0/24,11.193.162.0/24,11.193.163.0/24,11.193.220.0/24,11.193.158.0/24,47.74.162.0/24,47.74.203.0/24,47.74.161.0/24,11.197.188.0/24,11.197.227.0/24,47.74.161.218,47.74.161.181,161.117.140.83,47.88.143.36

US (Silicon Valley)

10.152.160.0/24,100.64.0.0/10,47.89.224.0/24,11.193.216.0/24,47.88.108.0/24,47.88.99.153,47.254.58.215,47.88.108.192,47.254.58.135

US (Virginia)

11.193.203.0/24,11.194.68.0/24,11.194.69.0/24,100.64.0.0/10,47.252.55.0/24,47.252.88.0/24,11.194.69.0/24,10.128.135.0/24,47.88.98.0/24

Malaysia (Kuala Lumpur)

11.193.188.0/24,11.221.205.0/24,11.221.206.0/24,11.221.207.0/24,100.64.0.0/10,11.214.81.0/24,47.254.212.0/24,11.193.189.0/24,47.250.29.0/26,47.250.29.128/26,47.250.29.192/26,47.250.29.64/26

Germany (Frankfurt)

11.192.116.0/24,11.192.168.0/24,11.192.169.0/24,11.192.170.0/24,11.193.106.0/24,100.64.0.0/10,11.192.116.14,11.192.116.142,11.192.116.160,11.192.116.75,11.192.170.27,47.91.82.22,47.91.83.74,47.91.83.93,47.91.84.11,47.91.84.110,47.91.84.82,11.193.167.0/24,47.254.138.0/24,11.194.61.0/24,47.254.185.0/24

Japan (Tokyo)

100.105.55.0/24,11.192.147.0/24,11.192.148.0/24,11.192.149.0/24,100.64.0.0/10,47.91.12.0/24,47.91.13.0/24,47.91.9.0/24,11.199.250.0/24,47.91.27.0/24,11.59.59.0/24,47.245.51.128/26,47.245.51.192/26,47.91.0.128/26,47.91.0.192/26

UK (London)

11.199.93.0/24,100.64.0.0/10,8.208.72.0/26,8.208.72.128/26,8.208.72.192/26,8.208.72.64/26

Indonesia (Jakarta)

11.194.49.0/24,11.200.93.0/24,11.200.95.0/24,11.200.97.0/24,100.64.0.0/10,149.129.228.0/24,10.143.32.0/24,11.194.50.0/24,11.59.135.0/24,147.139.156.0/26,147.139.156.128/26,147.139.156.64/26,149.129.230.192/26,149.129.229.0/26,149.129.229.64/26,149.129.229.128/26,149.129.229.192/26
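The region lists above contain repeated entries, single addresses that a listed CIDR block already covers, and one very wide range (100.64.0.0/10). The following Python audit is an added example, not part of the original documentation. It checks a comma-separated whitelist string before you paste it into a data source. The names `audit`, `parse_entries`, `INTERNAL` and `BROAD_PREFIX` and the /16 review threshold are assumptions made for this example, and it handles IPv4 entries only.

```python
import ipaddress

# Ranges that are not publicly routable: RFC 1918 plus RFC 6598 shared space.
INTERNAL = [ipaddress.ip_network(c) for c in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]
BROAD_PREFIX = 16  # assumption: review anything wider than a /16 by hand

# US (Virginia) row from the table above, followed by two entries from the
# China (Shanghai) row, joined here only to exercise every check.
SAMPLE = ("11.193.203.0/24,11.194.68.0/24,11.194.69.0/24,100.64.0.0/10,"
          "47.252.55.0/24,47.252.88.0/24,11.194.69.0/24,10.128.135.0/24,"
          "47.88.98.0/24,106.15.14.0/24,106.15.14.240")


def parse_entries(raw):
    """Turn a comma-separated whitelist string into IPv4Network objects."""
    # strict=True rejects entries with host bits set, such as 10.0.0.5/24.
    return [ipaddress.ip_network(item.strip(), strict=True)
            for item in raw.split(",") if item.strip()]


def audit(raw):
    """Report duplicates, covered entries, broad ranges and a minimal list."""
    nets = parse_entries(raw)
    seen, duplicates = set(), []
    for net in nets:
        if net in seen:
            duplicates.append(str(net))
        seen.add(net)
    unique = sorted(seen)
    return {
        "duplicates": duplicates,
        # Entries already covered by a wider entry in the same list.
        "covered": [str(n) for n in unique
                    if any(n != o and n.subnet_of(o) for o in unique)],
        "broad": [str(n) for n in unique if n.prefixlen < BROAD_PREFIX],
        "internal": [str(n) for n in unique
                     if any(n.subnet_of(i) for i in INTERNAL)],
        # Smallest equivalent list: merges adjacent blocks, drops covered ones.
        "minimal": [str(n) for n in ipaddress.collapse_addresses(unique)],
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE).items():
        print(f"{key}: {value}")
```

The `minimal` list grants exactly the same access as the input, so it can replace the input when a data source limits the number of whitelist entries.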

Configure network connectivity between an exclusive resource group for DataService Studio and a data source

Exclusive resource groups for DataService Studio can access data sources that are deployed on the Internet, in Alibaba Cloud virtual private clouds (VPCs), or in data centers. The following table describes how to configure network connectivity in different network environments to ensure that an exclusive resource group for DataService Studio can access a data source.

Note

For information about how to use exclusive resource groups for DataService Studio, see Create and use an exclusive resource group for DataService Studio. Exclusive resource groups for DataService Studio are available only in the China (Shanghai) region.

Network environment of the data source

Network connectivity

Configuration procedure

The data source can be accessed over the Internet.

The exclusive resource group for DataService Studio can access the data source.

  1. Log on to the VPC console. In the left-side navigation pane, choose Access to Internet > Elastic IP Addresses. On the Elastic IP Addresses page, click Create EIP.

    Note

    For more information about how to create an elastic IP address (EIP), see Apply for an EIP.

    The region of the EIP must be the same as the region of the exclusive resource group for DataService Studio.

  2. In the left-side navigation pane of the VPC console, choose NAT Gateway > Internet NAT Gateway. On the Internet NAT Gateway page, click Create NAT Gateway.

    Note

    For more information about how to create a Network Address Translation (NAT) gateway, see Purchase an Internet NAT gateway.

    The region of the NAT gateway must be the same as the region of the exclusive resource group for DataService Studio.

  3. Click Manage in the Actions column of the NAT gateway. The details page of the NAT gateway appears. On the Associated Elastic IP Address tab, click Bind Elastic IP Address. In the dialog box that appears, select an existing EIP and click OK.

  4. On the SNAT Management tab, click Create SNAT Entry. On the Create SNAT Entry page, select Specify vSwitch for SNAT Entry, select a vSwitch from the Select vSwitch drop-down list, and then select an existing EIP from the EIP drop-down list. Then, enter a name in the Entry Name field and click OK.

    Note

    The vSwitch that you selected for the SNAT entry must be the same as the vSwitch of the exclusive resource group for DataService Studio.

  5. Copy the public IP address of the SNAT entry that you created and add the IP address to an IP address whitelist of the data source. For more information, see Add a data source.

The data source is deployed on the classic network.

The exclusive resource group for DataService Studio cannot access the data source. You can use only the shared resource group for DataService Studio to access the data source.

N/A

The data source and the DataWorks workspace are deployed in the same region and VPC, and use the same vSwitch.

The exclusive resource group for DataService Studio can access the data source.

  1. Log on to the VPC console. In the left-side navigation pane, click vSwitch. Find the vSwitch of the exclusive resource group for DataService Studio and copy the IPv4 CIDR block of the vSwitch.

  2. Add the IPv4 CIDR block of the vSwitch to an IP address whitelist of the data source.

The data source and the DataWorks workspace are deployed in the same region and VPC, but use different vSwitches.

The exclusive resource group for DataService Studio can access the data source.

The data source and the DataWorks workspace are deployed in the same region but in different VPCs.

The exclusive resource group for DataService Studio can access the data source.

  1. Log on to the VPC console.

  2. Create a VPN gateway, a customer gateway, and an IPsec connection. Configure routes for the VPN gateway. Test communications over a private network. For more information, see Enable communication between two VPCs by using an IPsec-VPN connection in dual-tunnel mode.

  3. Add the CIDR block of the vSwitch of the exclusive resource group for DataService Studio to an IP address whitelist of the data source.

    Note

    Create two sets of VPN gateways, customer gateways, and IPsec connections in the same region.

The data source and the DataWorks workspace are deployed in different regions. The data source is deployed in a VPC.

The exclusive resource group for DataService Studio can access the data source.

  1. Log on to the Cloud Enterprise Network (CEN) console.

  2. Create a CEN instance, attach a network instance to the CEN instance, and purchase a bandwidth plan. Then, configure region connections and check network connectivity. For more information, see Use Basic Edition transit routers to connect VPCs in the same region or Connect network instances created by different accounts and in different regions.

  3. Add the CIDR block of the vSwitch of the exclusive resource group for DataService Studio to an IP address whitelist of the data source.

The data source is deployed in a data center.

The exclusive resource group for DataService Studio can access the data source.

  1. Use Express Connect and CEN to connect the VPC of the exclusive resource group for DataService Studio to the data center.

  2. Add the CIDR block of the vSwitch of the exclusive resource group for DataService Studio to an IP address whitelist of the data source.

Precautions for configuring network connectivity

To prevent a data source from being inaccessible to DataService Studio due to the whitelist configuration of the data source, you must add the IP addresses or CIDR blocks that are used by the resource group for DataService Studio to the whitelist of the data source. This section describes the precautions for configuring whitelists for data sources.

In this example, an ApsaraDB RDS instance is used as a data source. ApsaraDB RDS supports standard and enhanced IP address whitelists. The type of the whitelist that you configure may affect the network connectivity between DataService Studio and your ApsaraDB RDS instance.

  • If you configure a standard IP address whitelist, take note of the following items:

    • You can add IP addresses or CIDR blocks from the classic network and virtual private clouds (VPCs) to the same IP address whitelist.

    • You can add the IP addresses or CIDR blocks that are used by the shared resource group for DataService Studio to the same IP address whitelist.

      Note

      The IP addresses or CIDR blocks in a standard IP address whitelist can be used to access the ApsaraDB RDS instance over both the classic network and VPCs.

  • If you configure an enhanced IP address whitelist, take note of the following items:

    • You must add IP addresses or CIDR blocks from the classic network and VPCs to different IP address whitelists.

      Note

      You must specify the network isolation mode for an enhanced IP address whitelist. For example, if you set the Network Isolation Mode parameter to Classic Network for an IP address whitelist of your ApsaraDB RDS instance, the IP addresses or CIDR blocks in the IP address whitelist can be used to access the instance only over the classic network.

    • To allow an exclusive resource group for DataService Studio to access your ApsaraDB RDS instance over a VPC, add the IP addresses of the exclusive resource group to an IP address whitelist for which the network isolation mode is set to VPC.

    • To allow the shared resource group for DataService Studio to access your ApsaraDB RDS instance over a VPC, add the IP addresses or CIDR blocks that are used by the resource group to an IP address whitelist for which the Network Isolation Mode parameter is set to VPC. For example, you can allow DataService Studio to access an ApsaraDB RDS for MySQL instance that is deployed in a VPC.

    • To allow the shared resource group for DataService Studio to access your ApsaraDB RDS instance over the Internet or the classic network, add the IP addresses or CIDR blocks that are used by the resource group to an IP address whitelist for which the Network Isolation Mode parameter is set to Classic Network.

  • If you change a standard IP address whitelist to an enhanced IP address whitelist in your ApsaraDB RDS instance, take note of the following item:

    The standard IP address whitelist is replicated into two enhanced IP address whitelists that contain the same IP addresses or CIDR blocks. The two enhanced IP address whitelists have different network isolation modes.
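The rules above can be checked with a small model. This Python sketch is an added example, not Alibaba Cloud code and not an RDS API. It evaluates whether a source address is admitted over a given network under standard and enhanced whitelists, and it shows the failure mode where a vSwitch CIDR block is placed in a whitelist with the wrong network isolation mode. The class `Whitelist`, the functions `allowed` and `to_enhanced`, the mode labels, the generated whitelist names and the sample addresses are all assumptions made for this example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Whitelist:
    name: str
    entries: list           # CIDR blocks or single IP addresses, as strings
    mode: str = "standard"  # "standard", or enhanced with mode "classic"/"vpc"


def allowed(source_ip, network, whitelists):
    """network: 'vpc', or 'classic' for the classic network and the Internet."""
    ip = ipaddress.ip_address(source_ip)
    for wl in whitelists:
        # A standard whitelist applies on both networks; an enhanced one
        # applies only on the network named by its isolation mode.
        if wl.mode in ("standard", network) and any(
                ip in ipaddress.ip_network(e) for e in wl.entries):
            return True
    return False


def to_enhanced(wl):
    """Standard -> enhanced: same entries copied into one list per mode."""
    # The "_classic"/"_vpc" name suffixes are hypothetical.
    return [Whitelist(f"{wl.name}_{m}", list(wl.entries), m)
            for m in ("classic", "vpc")]


# Constructed sample: vSwitch CIDR block of an exclusive resource group
# and one address inside it.
VSWITCH = "192.168.10.0/24"
SOURCE = "192.168.10.25"

standard = [Whitelist("dataworks", [VSWITCH])]
wrong_mode = [Whitelist("dataworks", [VSWITCH], "classic")]
converted = to_enhanced(standard[0])

if __name__ == "__main__":
    print("standard, over VPC:     ", allowed(SOURCE, "vpc", standard))
    print("classic-only, over VPC: ", allowed(SOURCE, "vpc", wrong_mode))
    print("converted, over VPC:    ", allowed(SOURCE, "vpc", converted))
```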

Other precautions:

  • If you configure IP address whitelists for your ApsaraDB RDS instance, the workloads on the instance are not affected.

  • The IP address whitelist labeled default can be cleared, but cannot be deleted.

  • Do not modify or delete the IP address whitelists that are automatically generated for other Alibaba Cloud services. If you delete these IP address whitelists, the related Alibaba Cloud services cannot connect to your ApsaraDB RDS instance. For example, if you delete the IP address whitelist ali_dms_group that is automatically generated for Data Management (DMS) or the IP address whitelist hdm_security_ips that is automatically generated for Database Autonomy Service (DAS), DMS or DAS cannot access your ApsaraDB RDS instance.

    Note

    We recommend that you create an IP address whitelist that is independent of other whitelists for DataWorks.

  • The IP address whitelist labeled default contains only the IP address 127.0.0.1. This indicates that no IP address can be used to access your ApsaraDB RDS instance.

For more information about how to configure an IP address whitelist for an ApsaraDB RDS instance, see Use a database client or the CLI to connect to an ApsaraDB RDS for MySQL instance. You can use a similar method to configure IP address whitelists for other types of data sources. For details, see the instructions for the relevant data source.