Overview
When running DTS tasks in batches, granting access to individual DTS access addresses (first running a connectivity test to obtain the DTS access IP address, then adding it to the allowlists of the source and target databases one task at a time) is slow. This section describes a more efficient method: adding the DTS access IP range once.
Note:
The IP ranges provided in this section are relatively wide. Besides the DTS access IPs, other IPs within the range can also reach the source/target database, which may expose data. Choose this method carefully.
Comparison of Access Methods
The differences between granting a batch of task IPs at once and granting individual task IPs are as follows. Consider method 2 carefully.

| Method | Description |
| --- | --- |
| Method 1 (Recommended): Granting access to individual DTS access IPs | First, run a connectivity test; when it fails, grant access to the specific IP shown in the pop-up notification. Advantages: High security. Only DTS access IPs can reach the source/target database; no other IPs can. Disadvantages: Each task needs its own connectivity test, followed by adding the respective IPs one by one. The process is cumbersome when there are many tasks. |
| Method 2: Granting access to the range the DTS access IPs belong to | Grant access to the IP range of the DTS task. Advantages: You add the IP range once and can then create multiple DTS tasks, which is convenient. Disadvantages: The granted IP range is relatively wide. Besides the DTS access IPs, other IPs in the range can also reach the source/target database, which may expose data. Choose carefully. |
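To make the Method 1 / Method 2 trade-off concrete, here is an added audit script (not Tencent Cloud's own tooling). It parses an IP list as printed in the region table on this page, compares it with the rules actually configured on the database side, and reports which DTS IPs are still blocked and how many non-DTS addresses each rule admits. The /16 rules used for Method 2 are constructed sample values, not the real DTS range.

```python
"""Audit a database allowlist against the DTS access IPs of one region.

Added example, not Tencent Cloud's own tooling. It parses an IP list as
printed on this page, compares it with the rules actually configured on
the database side (constructed sample values), and reports which DTS IPs
are still blocked and how many non-DTS addresses each rule admits, which
is the exposure trade-off between Method 1 and Method 2.
"""
import ipaddress


def parse_entries(text):
    """Parse a comma-separated list of IPs / CIDRs as printed on the page.
    Entries written with host bits set, e.g. 139.186.122.1/24, are accepted
    with strict=False and normalised to 139.186.122.0/24; nested entries
    are collapsed so nothing is counted twice."""
    items = [s.strip() for s in text.split(",") if s.strip()]
    nets = [ipaddress.ip_network(s, strict=False) for s in items]
    return list(ipaddress.collapse_addresses(nets))


def audit(dts_entries, allow_rules):
    """Return (uncovered, exposure): uncovered lists DTS entries that no
    rule admits (the connectivity test would still fail); exposure maps
    each rule to the count of addresses it admits that are not DTS IPs."""
    dts = parse_entries(dts_entries)
    rules = parse_entries(allow_rules)
    uncovered = [str(d) for d in dts
                 if not any(d.subnet_of(r) for r in rules)]
    exposure = {}
    for r in rules:
        # CIDR blocks are either nested or disjoint, never partially overlapping
        dts_inside = sum(d.num_addresses if d.subnet_of(r)
                         else r.num_addresses if r.subnet_of(d) else 0
                         for d in dts)
        exposure[str(r)] = r.num_addresses - dts_inside
    return uncovered, exposure


# Guangzhou DTS access IPs as listed in the region table on this page.
GUANGZHOU = "111.230.198.143,118.89.34.161,123.207.84.254,139.199.74.159"
# Constructed sample rules; the /16 blocks are NOT the real DTS range.
METHOD1_RULES = GUANGZHOU                       # exact IPs only
METHOD2_RULES = "111.230.0.0/16,118.89.0.0/16"  # wide, partial coverage

if __name__ == "__main__":
    for label, rules in (("Method 1", METHOD1_RULES), ("Method 2", METHOD2_RULES)):
        uncovered, exposure = audit(GUANGZHOU, rules)
        print(label, "uncovered:", uncovered)
        for rule, extra in exposure.items():
            print(f"  {rule}: {extra} non-DTS addresses admitted")
```

Run it against the rules you configured; any entry reported as uncovered is exactly the IP the connectivity test pop-up would ask you to add.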
Notes
When running multiple DTS synchronization tasks against the same database, select the same Access Type, VPC, and subnet in every task's configuration. Otherwise the network connection may fail and DTS will be unable to connect to the database.
Operation Overview
Different connection methods require different security checks, as follows.

| Access Type | Checks | Handling |
| --- | --- | --- |
| Public Network | Check the network layer of the database to see if network ACL and security group rules have been set. Check the server where the database is deployed to see if a firewall (such as iptables) has been set. Check the database layer to see if IP access restriction rules (e.g., only authorized host addresses can access the database) have been set. | If security rules have been set, grant access to the IPs of the DTS service region in the corresponding rules. |
| VPN Access/Direct Connect/CCN | Check the network layer of the database to see if network ACL and security group rules have been set. Check the server where the database is deployed to see if a firewall (such as iptables) has been set. Check the database layer to see if IP access restriction rules (e.g., only authorized host addresses can access the database) have been set. | If security rules have been set, grant access to a subnet under the VPC in the corresponding rules. |
| Self-Build on CVM VPC (Self-built on CVM) | Check the server where the database is deployed to see if a firewall (such as iptables) has been set. | If security rules have been set, grant access to 169.254.1.1/16, 11.163.1.1/16 |
| Database VPC (Database) | | If security rules have been set, grant access to 169.254.1.1/16, 11.163.1.1/16 |
Directions
Public Network Access
When using public network access, select the DTS region closest to the physical location of the database when purchasing the DTS task, and then run the transfer task through DTS.
1. Obtain the ranges that need to be granted.
Locate the DTS IP address in the corresponding region according to your connection region.
For example, if your source database is in region M, choose the nearest DTS region X for access and grant the region X DTS service IPs in the network the source database belongs to. If the target database is in region Y, choose the nearest DTS region N for access and grant the region N DTS IP addresses in the network the target database belongs to.

| Region | DTS IP addresses |
| --- | --- |
| Guangzhou | 111.230.198.143,118.89.34.161,123.207.84.254,139.199.74.159 |
| Shanghai | 111.231.139.59,111.231.142.94,115.159.71.186,182.254.153.245 |
| Beijing | 123.207.145.84,211.159.157.165,211.159.160.104,58.87.92.66 |
| Chengdu | 111.231.225.99,118.24.42.158 |
| Chongqing | 139.186.122.1/24,129.28.12.1/24,129.28.14.1/24,139.186.77.242,139.186.109.1/24,139.186.131.1/23,94.191.102.144,94.191.98.210 |
| Hangzhou | 111.231.139.59,111.231.142.94,115.159.71.186,182.254.153.245 |
| Nanjing | 129.211.166.117,129.211.167.130 |
| Tianjin | 154.8.246.150,154.8.246.48 |
| Shenzhen | 118.126.124.6,118.126.124.83 |
| Hong Kong | 119.29.180.130,119.29.208.220,124.156.168.151,150.109.72.54 |
| Beijing Finance | 62.234.240.36,62.234.241.241 |
| Shenzhen Finance | 118.89.251.206,139.199.90.75 |
| Shanghai Finance | 115.159.237.246,211.159.242.74 |
| Singapore | 119.28.103.40,119.28.104.184,119.28.116.123,150.109.11.113 |
| Jakarta | 43.129.33.41,43.129.35.144 |
| Bangkok | 150.109.164.203,150.109.164.82 |
| Mumbai | 119.28.246.130,119.28.246.18 |
| Seoul | 119.28.150.71,119.28.157.173 |
| Tokyo | 150.109.195.201,150.109.196.137 |
| Silicon Valley | 49.51.38.216,49.51.39.189,170.106.177.233,170.106.81.114,170.106.81.79,170.106.98.28,170.106.98.49,170.106.101.94,170.106.98.140,49.51.250.101,170.106.64.252,49.51.245.168 |
| Virginia | 170.106.2.63,49.51.85.120 |
| Frankfurt | 49.51.132.38,49.51.133.85 |
2. Check the database-related security settings. If any of the settings described below are present, grant the DTS IP addresses in the corresponding rules.
2.1 Check if network ACLs and security groups have been set in the network layer where the database belongs.
If yes, add the DTS IP address to the ACL and security group rules of the database's network.
2.2 Check if a firewall (such as iptables) has been set on the server where the self-built database is deployed.
If yes, grant the DTS IP address in the firewall rules.
2.3 Check if there are IP access restrictions (such as restricting access to the database to only host addresses within the authorization) set in the database layer.
If yes, grant the DTS IP address in the access restrictions.
VPN Access/Direct Connect
When using VPN access, purchase a Tencent Cloud VPC and VPN gateway, connect the local IDC database to the Tencent Cloud VPC via nearby access, and then run the transfer task through DTS.
1. Obtain the ranges that need to be granted.
When configuring a DTS task, you choose a subnet under the VPC for access; that subnet is the IP range that needs to be granted. The DTS access IP range to grant for the source database is subnet1, and the range to grant for the target database is subnet2.
2. Check the database-related security settings. If any of the settings described below are present, grant the DTS access IP range in the corresponding rules.
2.1 Check if network ACLs and security groups have been set in the database network layer.
If yes, add the DTS access IP range to the ACL and security group rules of the database's network.
2.2 Check if a firewall (such as iptables) has been set on the server where the self-built database is deployed.
If yes, grant the DTS access IP range in the firewall rules.
2.3 Check if there are IP access restrictions (such as restricting access to the database to only host addresses within the authorization) set in the database layer.
If yes, grant the DTS access IP range in the access restrictions.
CCN
When using CCN access, connect the local IDC database to a Tencent Cloud VPC (such as VPC1) via nearby access, and then use CCN to connect VPC1 with the access VPC (VPC2).
1. Obtain the ranges that need to be granted.
When configuring a DTS task, you choose a subnet under the CCN-associated VPC (i.e., VPC2); that subnet is the IP range that needs to be granted. The source database needs to grant access to subnet2.
2. Check the database-related security settings. If any of the settings described below are present, grant the DTS access IP range in the corresponding rules.
2.1 Check if network ACLs and security groups have been set in the database network layer.
If yes, add the DTS access IP range to the ACL and security group rules of the database's network.
2.2 Check if a firewall (such as iptables) has been set on the server where the self-built database is deployed.
If yes, grant the DTS access IP range in the firewall rules.
2.3 Check if there are IP access restrictions (such as restricting access to the database to only host addresses within the authorization) set in the database layer.
If yes, grant the DTS access IP range in the access restrictions.
Self-Build on CVM
If the source/target database is a self-built database on Tencent Cloud CVM, select Self-Build on CVM as the access method. When you initiate a DTS task, network ACLs and security groups are granted automatically, so you only need to check the other security rules and grant access in them.
1. Obtain the ranges that need to be granted.
The connection between the self-built database on CVM and DTS stays within the Tencent Cloud private network and uses the shared IP ranges 169.254.1.1/16, 11.163.1.1/16.
2. Check the database's security rules. If any of the settings described below are present, grant the DTS access IP range in the corresponding rules.
2.1 Check if a firewall (such as iptables) is set on the server where the self-built database is deployed. If yes, grant the DTS access IP range in the firewall rules.
Database
The source/target database is a Tencent Cloud database instance, with "Database" selected as the access method. When you initiate a DTS task, network ACLs and security groups are granted automatically, so you only need to check the other security rules and grant access in them.
1. Obtain the ranges that need to be granted.
The connection between the cloud database and DTS stays within the Tencent Cloud private network and uses the shared IP ranges 169.254.1.1/16, 11.163.1.1/16.
2. Check the database's security rules. If any of the settings described below are present, grant the DTS access IP range in the corresponding rules.
2.1 Check the database layer to see if IP access restriction rules have been set.
Some TencentDB instances (such as MySQL) support restricting the IPs from which an account may connect. Once set, the account can only access the database from authorized host addresses. For details on this MySQL feature, see Modifying Authorized Access Host Address. If such a restriction is configured, grant the DTS access IP range in it.
VPC
For VPC access, follow the scenario matching the database's deployment mode: a self-built database on CVM (see "Self-Build on CVM" above) or a cloud database (see "Database" above).