tencent cloud

Feedback

Granting IP Range of DTS Access IP for Batch Tasks

Last updated: 2024-09-02 14:52:21

    Overview

    When performing batch DTS tasks, if you opt to method for granting access to individual DTS access addresses (first conducting a connectivity test to obtain the DTS access IP address, then adding it to the allowlist of the source and destination databases one by one), the efficiency is lower. This section provides you with a more efficient method, adding the DTS access IP range at once.
    Note:
    The range of accessible IP ranges provided in this section is relatively large. In addition to the DTS access IPs, other IPs within the range can also access the source/target database, and there might be a risk of data exposure, so choose carefully.

    Comparison of Access Methods

    The differences between granting a batch of task IPs at once and granting individual task IP are as follows. Consider method 2 carefully.
    Method
    Description
    Method 1 (Recommended): Granting access to individual DTS access IPs
    First, perform a connectivity test, and upon failure, grant access to the specific IP as indicated by the pop-up notification.
    Advantages: High Security, ensuring that only DTS access IPs can access the source/target database, and other IPs cannot access.
    Disadvantages: Requires separate connectivity testing for each task, followed by adding the respective IPs one by one. The process can be cumbersome when there are many tasks.
    Method 2: Granting access to the range where the DTS access IPs belong
    Grant access to the range of the DTS Task.
    Advantages: You can add the IP addresses at once and create multiple DTS tasks, which is convenient.
    Disadvantages: The granting IP range is relatively wide. Besides the DTS access IPs, other IPs in the range can also access the source/target database, and there may be a risk of data exposure, so choose carefully.

    Notes

    When using DTS for multiple synchronization tasks on the same database, in the DTS task configuration, select the same parameters for Access Type, VPC, and subnet. Failure to do so may cause issues with network connection, preventing DTS from connecting to the database.

    Operation Overview

    Different connection methods require different network security investigation rules as follows.
    Connection Method
    Network Access Troubleshooting
    Processing Description
    Public Network
    Check the network layer of the database to see if network ACL and security group rules have been set.
    Check the server layer of the database deployment to see if a firewall (such as iptables) has been set.
    Check the database layer to see if IP access restriction rules (e.g., only host addresses within authorization can access the database) have been set.
    If security rules have been set, grant access to the IP of the DTS service region in the corresponding rules.
    VPN Access/Direct Connect/CCN
    Check the network layer of the database to see if network ACL and security group rules have been set.
    Check the server layer of the database deployment to see if a firewall (such as iptables) has been set.
    Check the database layer to see if IP access restriction rules (e.g., only host addresses within authorization can access the database) have been set.
    If security rules have been set, grant access to a subnet under the VPC in the corresponding rules.
    Self-Build on CVM
    VPC (Self-built on CVM)
    Check the server layer of database deployment to see if a firewall (such as iptables) has been set.
    Check database layer to see if IP access restriction rules (e.g., only authorized host addresses can access the database) have been set.
    If security rules have been set, then grant access to 169.254.1.1/16, 11.163.1.1/16
    Database
    VPC (Database)
    Check if IP access restriction rules (e.g., restrict database access to host addresses within the authorization) have been set in the database layer.
    If security rules have been set, then grant access to 169.254.1.1/16, 11.163.1.1/16

    Directions

    Public Network Access

    When using public network access, users need to select the DTS region closest to the physical database when purchasing a DTS task, and then use DTS for the transfer task.
    1. Obtain the ranges that need to be granted.
    Locate the DTS IP address in the corresponding region according to your connection region.
    For example, if your source database region is in region M, then choose the nearest DTS region X for access. You need to grant the X region DTS service IP in the network that the source database belongs to. If the target database region is in region Y, choose the region N for access, and grant the Y region DTS IP address in the network that the target database belongs to.
    DTS Region
    DTS IP Address
    Guangzhou
    111.230.198.143,118.89.34.161,123.207.84.254,139.199.74.159
    Shanghai
    111.231.139.59,111.231.142.94,115.159.71.186,182.254.153.245
    Beijing
    123.207.145.84,211.159.157.165,211.159.160.104,58.87.92.66
    Chengdu
    111.231.225.99,118.24.42.158
    Chongqing
    139.186.122.1/24,129.28.12.1/24,129.28.14.1/24,139.186.77.242,139.186.109.1/24,
    139.186.131.1/23,94.191.102.144,94.191.98.210
    Hangzhou
    111.231.139.59,111.231.142.94,115.159.71.186,182.254.153.245
    Nanjing
    129.211.166.117,129.211.167.130
    Tianjin
    154.8.246.150,154.8.246.48
    Shenzhen
    118.126.124.6,118.126.124.83
    Hong Kong
    119.29.180.130,119.29.208.220,124.156.168.151,150.109.72.54
    Beijing Finance
    62.234.240.36,62.234.241.241
    Shenzhen Finance
    118.89.251.206,139.199.90.75
    Shanghai Finance
    115.159.237.246,211.159.242.74
    Singapore
    119.28.103.40,119.28.104.184,119.28.116.123,150.109.11.113
    Jakarta
    43.129.33.41,43.129.35.144
    Bangkok
    150.109.164.203,150.109.164.82
    Mumbai
    119.28.246.130,119.28.246.18
    Seoul
    119.28.150.71,119.28.157.173
    Tokyo
    150.109.195.201,150.109.196.137
    Silicon Valley
    49.51.38.216,49.51.39.189,170.106.177.233,170.106.81.114,170.106.81.79,170.106.98.28,170.106.98.49,170.106.101.94,170.106.98.140,49.51.250.101,170.106.64.252,49.51.245.168
    Virginia
    170.106.2.63,49.51.85.120
    Frankfurt
    49.51.132.38,49.51.133.85
    2. Troubleshoot database-related security settings. If there are settings like the ones described, you need to grant the DTS IP address in the corresponding rules.
    2.1 Check if network ACLs and security groups have been set in the network layer where the database belongs.
    If yes, add the DTS IP address to the ACL and security group rules of the database's network.
    2.2 Check if a firewall (such as iptables) has been set on the server where the self-built database is deployed.
    If yes, grant the DTS IP address in the firewall rules.
    2.3 Check if there are IP access restrictions (such as restricting access to the database to only host addresses within the authorization) set in the database layer.
    If yes, grant the DTS IP address in the access restrictions.

    VPN Access/Direct Connect

    When using VPN for connection, users need to purchase a Tencent Cloud VPC and VPN gateway to connect their local IDC database to Tencent Cloud VPC via nearby access, then transfer tasks through DTS.
    1. Obtain the ranges that need to be granted.
    When configuring a DTS task, you will choose to access a subnet under the VPC, which indicates the IP address range that needs to be opened. The range of DTS access IP that needs to be granted for the source database is subnet1, and the range of DTS access IP that needs to be granted for the target database is subnet2.
    2. Investigate the database-related security setting rules. If there are such settings as follows, the DTS access IP range needs to be granted in the corresponding rules.
    2.1 Check if network ACLs and security groups have been set in database network layer.
    If yes, add the DTS access IP range to the ACL and security group rules of the database's network.
    2.2 Check if a firewall (such as iptables) has been set on the server where the self-built database is deployed.
    If yes, grant the DTS access IP range in the firewall rules.
    2.3 Check if there are IP access restrictions (such as restricting access to the database to only host addresses within the authorization) set in the database layer.
    If yes, grant the DTS access IP range in the access restrictions.

    CCN

    When using CCN for connection, users need to connect their local IDC database to the Tencent Cloud VPC (such as VPC1) via nearby access, and then use CCN to connect VPC1 and access VPC2.
    1. Obtain the ranges that need to be granted.
    When configuring a DTS task, you will choose CCN-Associated VPC (i.e., VPC2) under a subnet, which is the IP range that needs to be granted. The source database needs to grant access to the subnet subnet2.
    2. Investigate the database-related security setting rules. If there are such settings as follows, the DTS access IP range needs to be granted in the corresponding rules.
    2.1 Check if network ACLs and security groups have been set in the database network layer.
    If yes, add the DTS access IP range to the ACL and security group rules of the database's network.
    2.2 Check if a firewall (such as iptables) has been set on the server where the self-built database is deployed.
    If yes, grant the DTS access IP range in the firewall rules.
    2.3 Check if there are IP access restrictions (such as restricting access to the database to only host addresses within the authorization) set in the database layer.
    If yes, grant the DTS access IP range in the access restrictions.

    Self-Build on CVM

    If the source/target database is a self-built database on Tencent Cloud CVM, select Self-Build on CVM as access method. When a user initiates a DTS task, network ACLs and security groups can be automatically granted, and the user only need to check other security rules and grant them.
    1. Obtain the ranges that need to be granted.
    The connection between the Self-Build on CVM and DTS occurs within the Tencent Cloud private network, sharing common IP ranges of 169.254.1.1/16, 11.163.1.1/16.
    2. Investigate the database's security rules. If there are settings as follows, grant the DTS access IP range in the corresponding rules.
    2.1 Check if a firewall (such as iptables) is set on the server where the self-built database deployment is.
    If yes, grant the DTS access IP range in the firewall rules.

    Database

    The source/target database is a Tencent Cloud database instance, with the connection method selected as "cloud database". When a user initiates a DTS task, network ACLs and security groups can be automatically granted, and the user only needs to check other security rules and grant them.
    1. Obtain the ranges that need to be granted.
    The connectivity between cloud database and DTS occurs within the Tencent Cloud private network, sharing common IP ranges of 169.254.1.1/16, 11.163.1.1/16.
    2. Investigate the database's security rules. If there are settings as follows, grant the DTS access IP range in the corresponding rules.
    2.1 Check the database layer to see if IP access restriction rules have been set.
    For some TencentDB instances (like MySQL), there's support for limiting access IPs for accounts. Once set up, accounts can only access the database through host addresses within the authorization. For details on this MySQL feature, see Modifying Authorized Access Host Address.
    If there are similar settings, you need to grant the DTS access IP range.

    VPC

    For VPC access, depending on the database's deployment mode as either a self-built database on CVM (see above "Self-Build on CVM") or cloud database (see above "Database"), just follow the corresponding scenario operations.
    Contact Us

    Contact our sales team or business advisors to help your business.

    Technical Support

    Open a ticket if you're looking for further assistance. Our Ticket is 7x24 avaliable.

    7x24 Phone Support