After an on-premises database is connected to Alibaba Cloud over Express Connect or Smart Access Gateway, the on-premises database can be connected to Data Transmission Service (DTS) in a virtual private cloud (VPC) by using Cloud Enterprise Network (CEN).
Background information
The cloud services discussed in this topic refer to the Alibaba Cloud services that use the 100.64.0.0/10 CIDR block to provide services, such as Object Storage Service (OSS), Log Service, and Data Transmission Service (DTS). If an on-premises network needs to access a cloud service, you must attach the VBR or CCN instance associated with the on-premises network to a CEN instance, and then attach a virtual private cloud (VPC) to the CEN instance. The VPC and the cloud resource must belong to the same region. This way, your on-premises network can access the VPC and access the cloud service through the VPC.
Prerequisites
The on-premises network to which the self-managed database belongs is connected to Alibaba Cloud over Express Connect or Smart Access Gateway. For more information, see Connect a data center to a VPC.
Note: Suppose that you have three VPCs in a region: VPC1, VPC2, and VPC3. The VPCs are attached to a CEN instance in the same region. If VPC1 is used to access other cloud services, such as Object Storage Service (OSS) and Server Load Balancer (SLB), you must also use VPC1 to access DTS when you perform the following operations.
A CEN instance is created. For more information, see Create a CEN instance.
The VPC to which the self-managed database belongs is connected to the transit router of the CEN instance. For more information, see Create a VPC connection.
Procedure
Log on to the CEN console.
On the Instances page, click the ID of the CEN instance that you want to manage.
On the tab, click the ID of the transit router that resides in the region of the DTS server.
Configure the transit router based on your business requirements.
Enterprise Edition transit router
On the details page of the transit router, click the Route Table tab.
On the Route Table tab, click the ID of the route table that you want to manage. On the Route Table Details page, click the Route Entry tab and click Add Route Entry.
In the Add Route Entry dialog box, configure the parameters and click OK. The following table describes the parameters.
Parameter | Description |
Route Table | The route table to which you want to add a route entry. By default, the current route table is selected. |
Transit Router | The transit router for which you want to add a route entry. By default, the current transit router is selected. |
Name | The name of the route entry. |
Destination CIDR | The IP addresses or CIDR blocks of the DTS server. The IP addresses or CIDR blocks must belong to 100.64.0.0/10. For example, if the DTS server resides in the China (Hangzhou) region, specify the following CIDR blocks: 100.104.52.0/24, 100.104.61.128/26, 100.104.244.64/26, 100.104.216.192/26, 100.104.85.0/26, 100.104.221.128/26, 100.104.2.0/26, 100.104.251.192/26, 100.104.159.64/26, 100.104.216.128/26, 100.104.148.192/26, 100.104.239.64/26, 100.104.114.0/26, 100.104.0.192/26, and 100.104.13.192/26. For information about the IP addresses or CIDR blocks of DTS servers in other regions, see Add the CIDR blocks of DTS servers. Note: You can enter only one IP address or CIDR block at a time. To add multiple IP addresses or CIDR blocks, repeat the preceding steps. If you do not update the whitelist of the self-managed database at the earliest opportunity when new DTS servers are added, DTS may fail to connect to the database. To resolve this issue, we recommend that you set this parameter to 100.104.0.0/16. |
Blackhole Route | Specifies whether the route is a blackhole route. In this example, No is selected. |
Next Hop | The ID of the VPC that is attached to the transit router. |
Description | The description of the route entry. |
Note: For more information, see the Enable access to a cloud service from an Enterprise Edition transit router section of the Manage access to cloud services topic.
Basic Edition transit router
On the details page of the transit router, click the Cloud Services tab.
On the Cloud Services tab, click Configure AnyTunnel.
In the Configure AnyTunnel dialog box, configure the parameters and click OK. The following table describes the parameters.
Parameter | Description |
Service IP Address | The IP addresses or CIDR blocks of the DTS server. The IP addresses or CIDR blocks must belong to 100.64.0.0/10. For example, if the DTS server resides in the China (Hangzhou) region, specify the following CIDR blocks: 100.104.52.0/24, 100.104.61.128/26, 100.104.244.64/26, 100.104.216.192/26, 100.104.85.0/26, 100.104.221.128/26, 100.104.2.0/26, 100.104.251.192/26, 100.104.159.64/26, 100.104.216.128/26, 100.104.148.192/26, 100.104.239.64/26, 100.104.114.0/26, 100.104.0.192/26, and 100.104.13.192/26. For information about the IP addresses or CIDR blocks of DTS servers in other regions, see Add the CIDR blocks of DTS servers. Note: You can enter only one IP address or CIDR block at a time. To add multiple IP addresses or CIDR blocks, repeat the preceding steps. If you do not update the whitelist of the self-managed database at the earliest opportunity when new DTS servers are added, DTS may fail to connect to the database. To resolve this issue, we recommend that you set this parameter to 100.104.0.0/16. |
Service Region | The region in which the DTS instance resides. Important: You must set Service Region to the destination region regardless of whether you migrate or synchronize data within the same region or across different regions. For example, if you use DTS to migrate or synchronize data from a self-managed database in the China (Hangzhou) or China (Beijing) region to an ApsaraDB RDS for MySQL instance in the China (Hangzhou) region, you must set Service Region to China (Hangzhou). In addition, you must set Service VPC to a VPC that belongs to the China (Hangzhou) region. |
Service VPC | The VPC that is attached to the CEN instance. After you configure all the parameters described in this table, the on-premises network that is connected to the virtual border router (VBR) or cloud connect network (CCN) instance can access DTS over the VPC. Note: If you use DTS to synchronize data across regions, you must set Service VPC to a VPC that belongs to the destination region. For example, if you synchronize data from a self-managed database in the China (Beijing) region to an ApsaraDB RDS for MySQL instance in the China (Hangzhou) region, you must set Service VPC to a VPC that belongs to the China (Hangzhou) region. The VPC must be attached to the CEN instance to ensure that the self-managed database can access DTS over the VPC. Suppose that you have three VPCs in a region: VPC1, VPC2, and VPC3. The VPCs are attached to a CEN instance in the same region. If VPC1 is used to access other cloud services, such as OSS and SLB, you must also use VPC1 to access DTS when you perform the following operations. |
Access Region | The region in which the VBR or CCN instance that is used to access DTS resides. Important: If the self-managed database is connected to Alibaba Cloud by using a VBR instance, you can use CEN to access DTS only in the region of the VBR instance. |
Description | The description of DTS. The description can be empty or 2 to 256 characters in length. It must start with a letter, and can contain letters, digits, hyphens (-), periods (.), and underscores (_). It cannot start with http:// or https://. |
Connect databases to DTS across Alibaba Cloud accounts or regions
You can connect databases to DTS across Alibaba Cloud accounts or regions by using CEN. This way, you can configure DTS tasks across Alibaba Cloud accounts or regions. For more information, see Use Enterprise Edition transit routers to connect VPCs in different regions and accounts or Use CEN and Basic Edition transit routers to connect VPCs in different regions and Alibaba Cloud accounts.
You can configure connections across Alibaba Cloud accounts or regions based on your business requirements.
What to do next
When you configure a data migration, data synchronization, change tracking, or data verification task, you can configure specific parameters to use a self-managed database in an on-premises data center as the source or destination database. The following table describes the parameters.
Parameter | Description |
Database Type | The type of the self-managed database. |
Access Method | The access method of the self-managed database. Select Cloud Enterprise Network (CEN). |
Instance Region | The region in which the CEN instance resides. |
CEN Instance ID | The CEN instance ID. |
Connected VPC | The VPC that is configured for the Service VPC parameter. |
Domain Name or IP | The IP address of the server on which the self-managed database is deployed. |
Port Number | The port number of the server on which the self-managed database is deployed. |
Database Account | The username of the account that is used to log on to the self-managed database. |
Database Password | The password of the account that is used to log on to the self-managed database. |
FAQ
Q: Why am I unable to connect an on-premises database to DTS over Express Connect even after I have configured an access control list (ACL) in the firewall settings of the VPC to allow all access?
A: You can perform the following operations to troubleshoot the issue:
Check whether all the CIDR blocks of DTS servers are added when you set the Service IP Address parameter in the CEN console. Add a route to allow the on-premises database to access DTS, and then configure the DTS task again. For more information, see the Procedure section of this topic.
Check whether the routes to all the required CIDR blocks of DTS servers are configured on your on-premises network. Point the CIDR blocks of DTS servers to the customer-premises equipment (CPE) on the on-premises network.
Check whether an ACL is configured in the firewall settings of the VPC to allow access from DTS. DTS fails to establish a connection with the on-premises database if the packets of DTS servers are blocked. When you configure the ACL, you must set the source IP addresses to the CIDR blocks of DTS servers and the destination IP addresses to the CIDR blocks of the on-premises database. Then, the DTS servers can connect to the on-premises database as expected at Layer 4.
Q: What do I do when I receive a notification indicating that the new CIDR blocks of DTS servers need to be added to the whitelist?
A: You must perform the following operations:
Add the new CIDR blocks of DTS servers by configuring the Service IP Address parameter in the CEN console. For more information, see the Procedure section of this topic.
Point the new CIDR blocks of DTS servers to the CPE on the on-premises network.
Add the new CIDR blocks of DTS servers to the ACL of the on-premises database. If other ACLs apply to the network connection, configure the ACLs by setting the source IP addresses to the CIDR blocks of DTS servers and the destination IP addresses to the CIDR blocks of the on-premises database.
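The checks in the two FAQ answers above can be scripted. The following Python sketch is an added example, not part of the original topic or of any Alibaba Cloud tooling: it compares the China (Hangzhou) blocks listed in this topic with a constructed list of configured entries (route entries, Service IP Address values, or ACL sources) and reports how many addresses a setting such as 100.104.0.0/16 admits compared with the listed blocks. The function name audit and the sample list SAMPLE_CONFIGURED are assumptions.

```python
import ipaddress

# Service range and China (Hangzhou) DTS blocks, both quoted from this topic.
SERVICE_RANGE = ipaddress.ip_network("100.64.0.0/10")
DTS_HANGZHOU = [
    "100.104.52.0/24", "100.104.61.128/26", "100.104.244.64/26",
    "100.104.216.192/26", "100.104.85.0/26", "100.104.221.128/26",
    "100.104.2.0/26", "100.104.251.192/26", "100.104.159.64/26",
    "100.104.216.128/26", "100.104.148.192/26", "100.104.239.64/26",
    "100.104.114.0/26", "100.104.0.192/26", "100.104.13.192/26",
]

# Constructed sample: two listed blocks were never added and one stray
# entry lies outside 100.64.0.0/10 (hypothetical data, not from the topic).
SAMPLE_CONFIGURED = DTS_HANGZHOU[:13] + ["192.168.10.0/24"]


def audit(required, configured):
    """Compare the required DTS blocks with the entries actually configured."""
    req = [ipaddress.ip_network(c) for c in required]
    cfg = [ipaddress.ip_network(c) for c in configured]
    # Entries must belong to 100.64.0.0/10 to be accepted as DTS destinations.
    valid = [n for n in cfg if n.subnet_of(SERVICE_RANGE)]
    invalid = [str(n) for n in cfg if not n.subnet_of(SERVICE_RANGE)]
    # A required block is covered when some valid entry contains it entirely.
    missing = [str(r) for r in req if not any(r.subnet_of(c) for c in valid)]
    # Collapse before counting so overlapping entries are not counted twice.
    allowed = sum(n.num_addresses for n in ipaddress.collapse_addresses(valid))
    needed = sum(n.num_addresses for n in ipaddress.collapse_addresses(req))
    return {"invalid": invalid, "missing": missing,
            "allowed": allowed, "needed": needed}


if __name__ == "__main__":
    partial = audit(DTS_HANGZHOU, SAMPLE_CONFIGURED)
    print("Entries outside 100.64.0.0/10:", partial["invalid"])
    print("DTS blocks with no matching entry:", partial["missing"])

    broad = audit(DTS_HANGZHOU, ["100.104.0.0/16"])
    print("100.104.0.0/16 leaves missing:", broad["missing"])
    print("Addresses admitted:", broad["allowed"],
          "versus listed:", broad["needed"])
```

Run the same comparison against each layer named in the FAQ (CEN configuration, on-premises routes, and database ACL), because a block missing from any one of them is enough to break the DTS connection.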