Configure a whitelist


Some data sources restrict access with a whitelist. When DataWorks modules such as Data Integration, Data Service, Metadata Collection, and Data Analysis access such a data source, they function correctly only if you add the egress IP addresses or CIDR blocks of the corresponding modules to the data source's whitelist.

Background information

If a data source uses a whitelist for access control, you must grant permissions based on the module type:

  • Resource group-dependent modules (such as Data Integration and Data Service): These modules access data sources through the resource group's network. You must add the vSwitch CIDR block or public IP address of the resource group to the data source's whitelist.

  • Platform service modules (such as Metadata Collection and Data Analysis): These modules send access requests from service nodes that DataWorks manages outside the resource group's network. Therefore, you must also add the platform's predefined, dedicated IP CIDR blocks to the data source's whitelist. Putting every egress node on the whitelist prevents feature failures caused by incomplete authorization.
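The following check is an added example, not part of the original documentation or of DataWorks: it compares the entries each module needs against a data source's current whitelist, reports entries that are not fully covered (the incomplete-authorization case described above), and flags very wide IPv4 entries. All addresses, the labels, and the /16 width threshold are constructed assumptions.

```python
import ipaddress

def parse(entries):
    """Parse single IPs or CIDR blocks; a bare IP becomes a /32 (or /128)."""
    return [ipaddress.ip_network(e.strip(), strict=False) for e in entries]

def collapse(nets):
    """Merge adjacent/nested blocks per IP version so split ranges count as one."""
    out = []
    for version in (4, 6):
        out += ipaddress.collapse_addresses([n for n in nets if n.version == version])
    return out

def audit_whitelist(required, whitelist, min_prefix_v4=16):
    """Return (missing, overbroad).

    missing:   {module label: [required entries the whitelist does not fully cover]}
    overbroad: IPv4 whitelist entries wider than /min_prefix_v4 (assumed threshold)
    """
    entries = parse(whitelist)
    allowed = collapse(entries)
    missing = {}
    for label, wanted in required.items():
        for net in parse(wanted):
            if not any(net.version == a.version and net.subnet_of(a) for a in allowed):
                missing.setdefault(label, []).append(str(net))
    overbroad = [str(e) for e in entries if e.version == 4 and e.prefixlen < min_prefix_v4]
    return missing, overbroad

# Constructed sample values (RFC 1918 / RFC 5737 ranges), not real DataWorks addresses.
REQUIRED = {
    "Data Integration (resource group vSwitch CIDR)": ["192.168.10.0/24"],
    "Data Integration (resource group EIP)": ["203.0.113.25"],
    "Metadata Collection (platform CIDR)": ["198.51.100.0/27"],
}
WHITELIST = [
    "192.168.10.0/25", "192.168.10.128/25",  # together cover the vSwitch /24
    "203.0.113.25",                          # the EIP
    "10.0.0.0/8",                            # unrelated, very wide entry
]

if __name__ == "__main__":
    missing, overbroad = audit_whitelist(REQUIRED, WHITELIST)
    for label, nets in missing.items():
        print(f"NOT COVERED  {label}: {', '.join(nets)}")
    for entry in overbroad:
        print(f"TOO BROAD    {entry}")
```

Replace `REQUIRED` with the vSwitch CIDR blocks, EIPs, and platform CIDR blocks you obtain in the sections below, and `WHITELIST` with the entries exported from the data source.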

Prerequisites

A network connection must exist between your data source and the resource group. For more information, see Network connectivity solutions.

Obtain whitelist entries

Whitelist for Data Integration

Serverless resource groups

Obtain vSwitch CIDR block

This method is for data sources that connect to DataWorks over an internal network. You must add the vSwitch CIDR block associated with the resource group to your data source's whitelist.

  1. Go to the DataWorks resource groups page. In the top navigation bar, select the region where your target resource group is located. Then, find the target resource group in the list.

  2. In the Operation column of the target resource group, click Network Settings to open the VPC Binding page.

  3. Under Data Scheduling & Data Integration, view the corresponding vSwitch CIDR Block.

  4. Add the retrieved vSwitch CIDR block to your data source's whitelist.

Obtain public IP address

This method is for data sources that connect to DataWorks over the internet. You must add the EIP of the resource group to your data source's whitelist.

Note

Serverless resource groups do not have internet access by default. To enable public access to your data source, you must configure an internet NAT gateway and an EIP for the VPC that is bound to the resource group.

  1. Go to the DataWorks resource groups page. In the top navigation bar, select the region where your target resource group is located. Then, find the target resource group in the list.

  2. In the Operation column of the target resource group, click Network Settings to open the VPC Binding page.

  3. Under Data Scheduling & Data Integration, find the bound VPC and click the icon next to the VPC name to open its Basic Information page.

  4. Click the Resource management tab. In the Public Access Service area, click the number under Internet NAT Gateway to view the list of internet NAT gateways created for the VPC.

  5. On the internet NAT gateway list page, view the bound EIPs.

  6. Add the retrieved EIP address to your data source's whitelist.

Legacy exclusive resource groups

Obtain vSwitch CIDR block

This method is for data sources that connect to DataWorks over an internal network. You must add the vSwitch CIDR block associated with the resource group to your data source's whitelist.

  1. Go to the DataWorks resource groups page. In the top navigation bar, select the region where your target resource group is located. Then, find the target resource group in the list.

  2. In the Operation column of the target resource group, click Network Settings to open the VPC Binding page.

  3. Find the VPC that is bound to the resource group and view its corresponding vSwitch CIDR Block.

  4. Add the retrieved vSwitch CIDR block to your data source's whitelist.

Obtain public IP address

This method is for data sources that connect to DataWorks over the internet. You must add the EIP of the resource group to your data source's whitelist.

  1. Go to the DataWorks resource groups page. In the top navigation bar, select the region where your target resource group is located. Then, find the target resource group in the list.

  2. In the Operation column of the target resource group, click Details to open the resource group details page.

  3. Obtain the EIP address.

    In the Basic Information section of the resource group, find the EIP address. If you need to transfer data over the internet, you must add this EIP to the whitelist of your data source.

  4. Add the retrieved EIP address to your data source's whitelist.

Shared resource groups

If you use a shared resource group for Data Integration, you must add the IP addresses from the whitelist for shared resource groups for Data Integration to your data source's whitelist.

Whitelist for Data Service

Serverless resource groups

Obtain vSwitch CIDR block

This method is for data sources that connect to DataWorks over an internal network. You must add the vSwitch CIDR block associated with the resource group to your data source's whitelist.

  1. Go to the DataWorks resource groups page. In the top navigation bar, select the region where your target resource group is located. Then, find the target resource group in the list.

  2. In the Operation column of the target resource group, click Network Settings to open the VPC Binding page.

  3. Under Data Services, view the corresponding vSwitch CIDR Block.

    Note

    If no VPC and vSwitch are bound under the Data Service section, click Add Binding. After the binding is complete, obtain the vSwitch CIDR block.

  4. Add the retrieved vSwitch CIDR block to your data source's whitelist.

Obtain public IP address

This method is for data sources that connect to DataWorks over the internet. You must add the EIP of the resource group to your data source's whitelist.

Note

Serverless resource groups do not have internet access by default. To enable public access to your data source, you must configure an internet NAT gateway and an EIP for the VPC that is bound to the resource group.

  1. Go to the DataWorks resource groups page. In the top navigation bar, select the region where your target resource group is located. Then, find the target resource group in the list.

  2. In the Operation column of the target resource group, click Network Settings to open the VPC Binding page.

  3. Under Data Services, find the bound VPC and click the icon next to the VPC name to open its Basic Information page.

  4. Click the Resource management tab. In the Public Access Service area, click the number under Internet NAT Gateway to view the list of internet NAT gateways created for the VPC.

  5. On the internet NAT gateway list page, view the bound EIPs.

  6. Add the retrieved EIP address to your data source's whitelist.

Legacy exclusive resource groups

Obtain vSwitch CIDR block

This method is for data sources that connect to DataWorks over an internal network. You must add the vSwitch CIDR block associated with the resource group to your data source's whitelist.

  1. Go to the DataWorks resource groups page. In the top navigation bar, select the region where your target resource group is located. Then, find the target resource group in the list.

  2. In the Operation column of the target resource group, click Details to open the resource group details page.

  3. Obtain the name of the vSwitch that is bound to the resource group. Then, go to the VPC console, search for the vSwitch by its name, and obtain its IPv4 CIDR.

  4. Add the retrieved vSwitch CIDR block to your data source's whitelist.

Shared resource groups

If you use a shared resource group for Data Service, you must add the IP addresses from the whitelist for shared resource groups for Data Service to your data source's whitelist.

Whitelist for Metadata Collection

If whitelist-based access control is enabled for the data source used by Metadata Collection, you must add the IP addresses from the whitelist for Metadata Collection to the data source's whitelist.

Whitelist for Data Analysis

If whitelist-based access control is enabled for the target MaxCompute project used by Data Analysis, you must add the IP addresses from the whitelist for Data Analysis to the MaxCompute project's whitelist.

Add entries to a whitelist

After you obtain the required whitelist entries, add them to your data source's whitelist. For Alibaba Cloud data sources, see their respective documentation for instructions:

Note
  • The following links are for common Alibaba Cloud services. For other services, consult their official documentation.

  • For data sources from other providers, consult their official documentation for whitelist configuration.

Configure a whitelist for MaxCompute

Configure a whitelist for ApsaraDB RDS for MySQL

Configure a whitelist for AnalyticDB for MySQL

Configure a whitelist for AnalyticDB for PostgreSQL

Configure a whitelist for ApsaraDB for OceanBase

Configure a whitelist for ClickHouse

Configure a whitelist for PolarDB for MySQL

Configure a whitelist for PolarDB-X

Configure a whitelist for PolarDB for PostgreSQL

Configure a whitelist for Elasticsearch

Configure a whitelist for ApsaraDB for HBase

Configure a whitelist for Hologres

Configure a whitelist for ApsaraMQ for Kafka

Configure a whitelist for Lindorm

Configure a whitelist for ApsaraDB RDS for MariaDB

Configure a whitelist for ApsaraDB RDS for PostgreSQL

Configure a whitelist for ApsaraDB RDS for SQL Server

Configure a whitelist for ApsaraDB for Memcache

Configure a whitelist for ApsaraDB for MongoDB

Configure a public whitelist for OpenSearch Vector Search Edition

Configure a whitelist for Tair (Redis® OSS-Compatible)

Configure a whitelist for SelectDB
