To ensure that a resource group can connect to a data source and access the data source as expected, you need to add the IP addresses or CIDR blocks that are used by the resource group to the whitelist of the data source. This topic describes how to configure network connectivity between different types of resource groups and a data source and the related precautions.
Configure network connectivity between the shared resource group for DataService Studio and a data source
Before you generate APIs for a data source in DataService Studio, you must configure the data source. To ensure that DataService Studio can access the data source, add the IP addresses or CIDR blocks that are used by the shared resource group for DataService Studio in the region where the data source resides to a whitelist of the data source.
More CIDR blocks or IP addresses may be added to the whitelist if the configurations of shared resource groups are upgraded. DataWorks will notify you of the whitelist changes in advance. If your business is sensitive to whitelist changes, we recommend that you use exclusive resource groups.
Region | CIDR blocks or IP address |
China (Hangzhou) | 100.64.0.0/10,11.193.102.0/24,11.193.215.0/24,11.194.110.0/24,11.194.73.0/24,118.31.157.0/24,47.97.53.0/24,11.196.23.0/24,47.99.12.0/24,47.99.13.0/24,114.55.197.0/24,11.197.246.0/24,11.197.247.0/24,118.31.243.0/26,118.31.243.64/26,118.31.243.128/26,118.31.243.192/26,11.193.55.0/24,101.37.74.122,114.55.197.231,114.55.198.83,101.37.74.206 |
China (Shanghai) | 11.193.109.0/24,11.193.252.0/24,47.101.107.0/24,47.100.129.0/24,106.15.14.0/24,10.117.28.203,10.143.32.0/24,10.152.69.0/24,10.153.136.0/24,10.27.63.15,10.27.63.38,10.27.63.41,10.27.63.60,10.46.64.81,10.46.67.156,11.192.97.0/24,11.192.98.0/24,11.193.102.0/24,11.218.89.0/24,11.218.96.0/24,11.219.217.0/24,11.219.218.0/24,11.219.219.0/24,11.219.233.0/24,11.219.234.0/24,118.178.142.154,118.178.56.228,118.178.59.233,118.178.84.74,120.27.160.26,120.27.160.81,121.43.110.160,121.43.112.137,100.64.0.0/10,10.117.39.238,11.193.96.0/24,11.193.48.0/24,11.193.108.0/24,101.132.31.146,106.15.14.240,106.15.14.75,101.132.31.221 |
China (Shenzhen) | 100.106.46.0/24,100.106.49.0/24,10.152.27.0/24,10.152.28.0/24,11.192.91.0/24,11.192.96.0/24,11.193.103.0/24,100.64.0.0/10,120.76.104.0/24,120.76.91.0/24,120.78.45.0/24,47.106.63.0/26,47.106.63.128/26,47.106.63.192/26,47.106.63.64/26,11.193.94.0/24,120.78.45.154,120.78.46.137,120.78.46.107,120.78.45.140,172.26.131.130,172.26.131.129,172.26.131.128,172.26.131.127 |
China (Chengdu) | 11.195.52.0/24,11.195.55.0/24,47.108.22.0/24,100.64.0.0/10 |
China (Beijing) | 100.106.48.0/24,10.152.167.0/24,10.152.168.0/24,11.193.50.0/24,11.193.75.0/24,11.193.82.0/24,11.193.99.0/24,100.64.0.0/10,47.93.110.0/24,47.94.185.0/24,47.95.63.0/24,11.197.231.0/24,11.195.172.0/24,47.94.49.0/24,182.92.144.0/24,11.193.100.0/24,11.193.199.0/24,39.106.244.50,47.95.63.101,47.95.63.93,39.106.244.48,172.22.1.42,172.22.2.208,172.22.1.41,172.22.2.207 |
China (Zhangjiakou) | 11.193.235.0/24,47.92.22.0/24,100.64.0.0/10,11.112.227.0/24 |
China (Hong Kong) | 10.152.162.0/24,11.192.196.0/24,11.193.11.0/24,100.64.0.0/10,47.89.61.0/24,47.91.171.0/24,11.193.118.0/24,47.75.228.0/24,47.56.45.0/25,47.244.92.128/25,47.101.109.0/24,11.193.200.0/24,11.193.12.0/24,47.90.71.152,47.90.71.141,47.91.171.178,47.91.172.3 |
Singapore | 100.106.10.0/24,100.106.35.0/24,10.151.234.0/24,10.151.238.0/24,10.152.248.0/24,11.192.153.0/24,11.192.40.0/24,11.193.8.0/24,100.64.0.0/10,47.88.147.0/24,47.88.235.0/24,11.193.162.0/24,11.193.163.0/24,11.193.220.0/24,11.193.158.0/24,47.74.162.0/24,47.74.203.0/24,47.74.161.0/24,11.197.188.0/24,11.197.227.0/24,47.74.161.218,47.74.161.181,161.117.140.83,47.88.143.36 |
US (Silicon Valley) | 10.152.160.0/24,100.64.0.0/10,47.89.224.0/24,11.193.216.0/24,47.88.108.0/24,47.88.99.153,47.254.58.215,47.88.108.192,47.254.58.135 |
US (Virginia) | 11.193.203.0/24,11.194.68.0/24,11.194.69.0/24,100.64.0.0/10,47.252.55.0/24,47.252.88.0/24,11.194.69.0/24,10.128.135.0/24,47.88.98.0/24 |
Malaysia (Kuala Lumpur) | 11.193.188.0/24,11.221.205.0/24,11.221.206.0/24,11.221.207.0/24,100.64.0.0/10,11.214.81.0/24,47.254.212.0/24,11.193.189.0/24,47.250.29.0/26,47.250.29.128/26,47.250.29.192/26,47.250.29.64/26 |
Germany (Frankfurt) | 11.192.116.0/24,11.192.168.0/24,11.192.169.0/24,11.192.170.0/24,11.193.106.0/24,100.64.0.0/10,11.192.116.14,11.192.116.142,11.192.116.160,11.192.116.75,11.192.170.27,47.91.82.22,47.91.83.74,47.91.83.93,47.91.84.11,47.91.84.110,47.91.84.82,11.193.167.0/24,47.254.138.0/24,11.194.61.0/24,47.254.185.0/24 |
Japan (Tokyo) | 100.105.55.0/24,11.192.147.0/24,11.192.148.0/24,11.192.149.0/24,100.64.0.0/10,47.91.12.0/24,47.91.13.0/24,47.91.9.0/24,11.199.250.0/24,47.91.27.0/24,11.59.59.0/24,47.245.51.128/26,47.245.51.192/26,47.91.0.128/26,47.91.0.192/26 |
UK (London) | 11.199.93.0/24,100.64.0.0/10,8.208.72.0/26,8.208.72.128/26,8.208.72.192/26,8.208.72.64/26 |
Indonesia (Jakarta) | 11.194.49.0/24,11.200.93.0/24,11.200.95.0/24,11.200.97.0/24,100.64.0.0/10,149.129.228.0/24,10.143.32.0/24,11.194.50.0/24,11.59.135.0/24,147.139.156.0/26,147.139.156.128/26,147.139.156.64/26,149.129.230.192/26,149.129.229.0/26,149.129.229.64/26,149.129.229.128/26,149.129.229.192/26 |
Configure network connectivity between an exclusive resource group for DataService Studio and a data source
Exclusive resource groups for DataService Studio can access data sources that are deployed on the Internet, in Alibaba Cloud virtual private clouds (VPCs), or in data centers. The following table describes how to configure network connectivity in different network environments to ensure that an exclusive resource group for DataService Studio can access a data source.
For information about how to use exclusive resource groups for DataService Studio, see Create and use an exclusive resource group for DataService Studio. Exclusive resource groups for DataService Studio are available only in the China (Shanghai) region.
Network environment of the data source | Network connectivity | Configuration procedure |
The data source can be accessed over the Internet. | The exclusive resource group for DataService Studio can access the data source. |
|
The data source is deployed on the classic network. | The exclusive resource group for DataService Studio cannot access the data source. You can use only the shared resource group for DataService Studio to access the data source. | N/A |
The data source and the DataWorks workspace are deployed in the same region and VPC, and use the same vSwitch. | The exclusive resource group for DataService Studio can access the data source. |
|
The data source and the DataWorks workspace are deployed in the same region and VPC, but use different vSwitches. | The exclusive resource group for DataService Studio can access the data source. | |
The data source and the DataWorks workspace are deployed in the same region but in different VPCs. | The exclusive resource group for DataService Studio can access the data source. |
|
The data source and the DataWorks workspace are deployed in different regions. The data source is deployed in a VPC. | The exclusive resource group for DataService Studio can access the data source. |
|
The data source is deployed in a data center. | The exclusive resource group for DataService Studio can access the data source. |
|
Precautions for configuring network connectivity
To prevent a data source from being inaccessible to DataService Studio due to the whitelist configuration of the data source, you must add the IP addresses or CIDR blocks that are used by the resource group for DataService Studio to the whitelist of the data source. This section describes the precautions for configuring whitelists for data sources.
In this example, an ApsaraDB RDS instance is used as a data source. ApsaraDB RDS supports standard and enhanced IP address whitelists. The type of the whitelist that you configure may affect the network connectivity between DataService Studio and your ApsaraDB RDS instance.
If you configure a standard IP address whitelist, take note of the following items:
You can add IP addresses or CIDR blocks from the classic network and virtual private clouds (VPCs) to the same IP address whitelist.
You can add the IP addresses or CIDR blocks that are used by the shared resource group for DataService Studio to the same IP address whitelist.
NoteThe IP addresses or CIDR blocks in a standard IP address whitelist can be used to access the ApsaraDB RDS instance over both the classic network and VPCs.
If you configure an enhanced IP address whitelist, take note of the following items:
You must add IP addresses or CIDR blocks from the classic network and VPCs to different IP address whitelists.
NoteYou must specify the network isolation mode for an enhanced IP address whitelist. For example, if you set the Network Isolation Mode parameter to Classic Network for an IP address whitelist of your ApsaraDB RDS instance, the IP addresses or CIDR blocks in the IP address whitelist can be used to access the instance only over the classic network.
To allow an exclusive resource group for DataService Studio to access your ApsaraDB RDS instance over a VPC, add the IP addresses of the exclusive resource group to an IP address whitelist for which the network isolation mode is set to VPC.
To allow the shared resource group for DataService Studio to access your ApsaraDB RDS instance over a VPC, add the IP addresses or CIDR blocks that are used by the resource group to an IP address whitelist for which the Network Isolation Mode parameter is set to VPC. For example, you can allow DataService Studio to access an ApsaraDB RDS for MySQL instance that is deployed in a VPC.
To allow the shared resource group for DataService Studio to access your ApsaraDB RDS instance over the Internet or the classic network, add the IP addresses or CIDR blocks that are used by the resource group to an IP address whitelist for which the Network Isolation Mode parameter is set to Classic Network.
If you change a standard IP address whitelist to an enhanced IP address whitelist in your ApsaraDB RDS instance, take note of the following item:
The standard IP address whitelist is replicated into two enhanced IP address whitelists that contain the same IP addresses or CIDR blocks. The two enhanced IP address whitelists have different network isolation modes.
Other precautions:
If you configure IP address whitelists for your ApsaraDB RDS instance, the workloads on the instance are not affected.
The IP address whitelist labeled default can be cleared, but cannot be deleted.
Do not modify or delete the IP address whitelists that are automatically generated for other Alibaba Cloud services. If you delete these IP address whitelists, the related Alibaba Cloud services cannot connect to your ApsaraDB RDS instance. For example, if you delete the IP address whitelist ali_dms_group that is automatically generated for Data Management (DMS) or the IP address whitelist hdm_security_ips that is automatically generated for Database Autonomy Service (DAS), DMS or DAS cannot access your ApsaraDB RDS instance.
NoteWe recommend that you create an IP address whitelist that is independent of other whitelists for DataWorks.
The IP address whitelist labeled default contains only the IP address 127.0.0.1. This indicates that all IP addresses cannot be used to access your ApsaraDB RDS instance.
For more information about how to configure an IP address whitelist for an ApsaraDB RDS instance, see Use a database client or the CLI to connect to an ApsaraDB RDS for MySQL instance. You can use a similar method to configure IP address whitelists for other types of data sources. To configure IP address whitelists for other types of data sources, see the related instructions.