This topic describes how to resolve errors when connecting a source or destination database instance to Data Transmission Service (DTS) using a VPN connection.
Notes
If your database instance uses a cloud VPN Gateway, contact VPN Gateway technical support for any VPN-related issues during troubleshooting. For more information about VPN Gateway, see What is VPN Gateway?.
Troubleshooting steps
1. Collect information about the source or destination instance.
First, gather the following details about your database instance:
| Parameter | Description |
| --- | --- |
| Instance Region | The region where the self-managed database instance is located. |
| Connected VPC | The ID of the Virtual Private Cloud (VPC) to which the self-managed database instance is connected. |
| Domain Name or IP | The private IP address of the self-managed database instance. |
| Port Number | The service port of the self-managed database instance. |
2. Get the IP address ranges for DTS servers.
Find the DTS server IP address ranges that correspond to your instance's region and connection method in Add the IP address ranges of DTS servers to the IP whitelist of a self-managed database. You will need this list for the next step.
3. Check the security settings of the self-managed database instance.
You must add all IP address ranges of the DTS servers that you obtained to your self-managed database instance's security settings to allow access from DTS servers. This includes, but is not limited to:
Security groups of the self-managed database.
Firewall of the self-managed database.
IP whitelist of the self-managed database.
4. Verify the route configuration.
Log on to the VPC Console and navigate to Route Tables in the left-side panel.
Filter the route tables by the VPC ID you collected in Step 1.

Click the ID of the target route table. On the Route Entry List page, go to the Custom Route tab and check the route for your on-premises network's CIDR block (Destination CIDR Block).

The next hop must be correctly configured to direct traffic to your VPN connection:
For a self-managed VPN on an ECS instance, the Next Hop must be the ID of the ECS instance acting as your VPN server.
For an Alibaba Cloud VPN Gateway, the Next Hop must be the VPN Gateway instance.
5. Validate the VPN IPsec tunnel configuration.
Self-managed VPN: You are responsible for verifying your IPsec tunnel configuration. Test the connection. If it fails, capture packets on both ends of the tunnel to see if traffic from the DTS service CIDR blocks is being correctly routed through the VPN.
Alibaba Cloud VPN Gateway: Follow these steps to check your IPsec connection settings.
Log on to the VPC Console.
In the left-side navigation pane, choose .
Ensure that the Routing Mode is set to Protected Data Flows.
Ensure that all DTS server IP address ranges (from Step 2) are added to the Local Network CIDR blocks.
Ensure that the CIDR block(s) for your on-premises IDC are added to the Remote Network.
Ensure that these updated IPsec and route configurations have been applied to your on-premises gateway device.
Note: For more information, see Connect an on-premises IDC to a DTS service by using a VPN Gateway.
Test the connection again. If it still fails, contact VPN Gateway technical support and request a packet capture on the gateway. This can help verify whether traffic from DTS source IPs is passing through the tunnel.
6. Verify the on-premises-to-cloud route configuration.
Ensure that return traffic from your on-premises IDC is routed back through the VPN tunnel. If your database is hosted on a cloud platform other than Alibaba Cloud, contact the cloud provider's support for assistance.
7. Check for VPC route conflicts.
If the issue persists after you have completed all the preceding checks, contact VPC technical support to check if there are routing conflicts with the DTS service.
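The security-settings check and the IPsec Local Network check above both require that every DTS server range is covered by what you have configured. The following is an added example, not part of the original documentation, that reports any DTS range (or part of one) missing from a configured CIDR list. The function name is hypothetical and the CIDR values are constructed placeholders from documentation address space; substitute the ranges published for your region.

```python
import ipaddress


def uncovered_ranges(required, configured):
    """Return the parts of `required` CIDRs that no `configured` CIDR covers.

    All CIDRs are assumed to be the same IP version. Adjacent or nested
    configured entries are merged first, so two /25 entries count as
    covering the /24 they add up to.
    """
    allowed = list(ipaddress.collapse_addresses(
        ipaddress.ip_network(c, strict=False) for c in configured))
    missing = []
    for cidr in required:
        remaining = [ipaddress.ip_network(cidr, strict=False)]
        for net in allowed:
            still_open = []
            for part in remaining:
                if not part.overlaps(net):
                    still_open.append(part)       # untouched by this entry
                elif part.subnet_of(net):
                    continue                      # fully covered
                else:
                    # The entry covers only a slice; keep what is left over.
                    still_open.extend(part.address_exclude(net))
            remaining = still_open
        missing.extend(remaining)
    return [str(n) for n in sorted(missing)]


if __name__ == "__main__":
    # Constructed placeholders, NOT real DTS server ranges.
    dts_ranges = ["192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24"]
    # Constructed example of an allowlist or Local Network setting.
    local_network = ["192.0.2.0/25", "192.0.2.128/25", "198.51.100.0/25"]

    gaps = uncovered_ranges(dts_ranges, local_network)
    if gaps:
        print("DTS ranges not covered by the configured CIDRs:")
        for gap in gaps:
            print("  " + gap)
    else:
        print("All DTS ranges are covered.")
```

Run the same check against each place the ranges must appear: the database security group, firewall, and IP whitelist, and the Local Network CIDR blocks of the IPsec connection.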