Granting IP Range of DTS Access IP for Batch Tasks

Last updated: 2024-04-30 17:27:00

    Overview

    When performing batch DTS tasks, granting access to DTS access addresses individually (first running a connectivity test to obtain the DTS access IP address, then adding it to the allowlist of the source and destination databases one by one) is inefficient. This section provides a more efficient method: adding the DTS access IP range in one step.
    Note:
    The IP ranges provided in this section are relatively large. In addition to the DTS access IPs, other IPs within the ranges can also access the source/target database, which creates a risk of data exposure, so choose carefully.

    Comparison of Access Methods

    The differences between granting access to a range of task IPs at once and granting access to individual task IPs are as follows. Consider method 2 carefully.
    | Method | Description |
    | --- | --- |
    | Method 1 (Recommended): Granting access to individual DTS access IPs | First, perform a connectivity test, and upon failure, grant access to the specific IP as indicated by the pop-up notification. Advantages: High Security, ensuring that only DTS access IPs can access the source/target database, and other IPs cannot access. Disadvantages: Requires separate connectivity testing for each task, followed by adding the respective IPs one by one. The process can be cumbersome when there are many tasks. |
    | Method 2: Granting access to the range where the DTS access IPs belong | Grant access to the range of the DTS Task. Advantages: You can add the IP addresses at once and create multiple DTS tasks, which is convenient. Disadvantages: The granting IP range is relatively wide. Besides the DTS access IPs, other IPs in the range can also access the source/target database, and there may be a risk of data exposure, so choose carefully. |

    Notes

    When using DTS for multiple synchronization tasks on the same database, in the DTS task configuration, select the same parameters for Access Type, VPC, and subnet. Failure to do so may cause issues with network connection, preventing DTS from connecting to the database.

    Operation Overview

    Different connection methods require different network security checks, as follows.
    | Connection Method | Network Access Troubleshooting | Processing Description |
    | --- | --- | --- |
    | Public Network | Check the network layer of the database to see if network ACL and security group rules have been set. Check the server layer of the database deployment to see if a firewall (such as iptables) has been set. Check the database layer to see if IP access restriction rules (e.g., only host addresses within authorization can access the database) have been set. | If security rules have been set, grant access to the IP of the DTS service region in the corresponding rules. |
    | VPN Access/Direct Connect/CCN | Check the network layer of the database to see if network ACL and security group rules have been set. Check the server layer of the database deployment to see if a firewall (such as iptables) has been set. Check the database layer to see if IP access restriction rules (e.g., only host addresses within authorization can access the database) have been set. | If security rules have been set, grant access to a subnet under the VPC in the corresponding rules. |
    | Self-Build on CVM; VPC (Self-built on CVM) | Check the server layer of database deployment to see if a firewall (such as iptables) has been set. Check database layer to see if IP access restriction rules (e.g., only authorized host addresses can access the database) have been set. | If security rules have been set, then grant access to 169.254.1.1/16, 11.163.1.1/16 |
    | Database; VPC (Database) | Check if IP access restriction rules (e.g., restrict database access to host addresses within the authorization) have been set in the database layer. | If security rules have been set, then grant access to 169.254.1.1/16, 11.163.1.1/16 |

    Directions

    Public Network Access

    When using public network access, users need to select the DTS region closest to the physical database when purchasing a DTS task, and then use DTS for the transfer task.
    1. Obtain the ranges that need to be granted.
    Locate the DTS IP address in the corresponding region according to your connection region.
    For example, if your source database is in region M, choose the nearest DTS region X for access, and grant the region X DTS service IP in the network that the source database belongs to. If the target database is in region Y, choose the nearest DTS region N for access, and grant the region N DTS IP address in the network that the target database belongs to.
    | DTS Region | DTS IP Address |
    | --- | --- |
    | Guangzhou | 111.230.198.143,118.89.34.161,123.207.84.254,139.199.74.159 |
    | Shanghai | 111.231.139.59,111.231.142.94,115.159.71.186,182.254.153.245 |
    | Beijing | 123.207.145.84,211.159.157.165,211.159.160.104,58.87.92.66 |
    | Chengdu | 111.231.225.99,118.24.42.158 |
    | Chongqing | 139.186.122.1/24,129.28.12.1/24,129.28.14.1/24,139.186.77.242,139.186.109.1/24,139.186.131.1/23,94.191.102.144,94.191.98.210 |
    | Hangzhou | 111.231.139.59,111.231.142.94,115.159.71.186,182.254.153.245 |
    | Nanjing | 129.211.166.117,129.211.167.130 |
    | Tianjin | 154.8.246.150,154.8.246.48 |
    | Shenzhen | 118.126.124.6,118.126.124.83 |
    | Hong Kong | 119.29.180.130,119.29.208.220,124.156.168.151,150.109.72.54 |
    | Beijing Finance | 62.234.240.36,62.234.241.241 |
    | Shenzhen Finance | 118.89.251.206,139.199.90.75 |
    | Shanghai Finance | 115.159.237.246,211.159.242.74 |
    | Singapore | 119.28.103.40,119.28.104.184,119.28.116.123,150.109.11.113 |
    | Jakarta | 43.129.33.41,43.129.35.144 |
    | Bangkok | 150.109.164.203,150.109.164.82 |
    | Mumbai | 119.28.246.130,119.28.246.18 |
    | Seoul | 119.28.150.71,119.28.157.173 |
    | Tokyo | 150.109.195.201,150.109.196.137 |
    | Silicon Valley | 49.51.38.216,49.51.39.189,170.106.177.233,170.106.81.114,170.106.81.79,170.106.98.28,170.106.98.49,170.106.101.94,170.106.98.140,49.51.250.101,170.106.64.252,49.51.245.168 |
    | Virginia | 170.106.2.63,49.51.85.120 |
    | Toronto | 45.113.70.156,45.113.70.6,49.51.10.104,49.51.9.221 |
    | Frankfurt | 49.51.132.38,49.51.133.85 |
    2. Check the database-related security settings. If any of the following settings exist, grant the DTS IP address in the corresponding rules.
    2.1 Check if network ACLs and security groups have been set in the network layer where the database belongs.
    If yes, add the DTS IP address to the ACL and security group rules of the database's network.
    2.2 Check if a firewall (such as iptables) has been set on the server where the self-built database is deployed.
    If yes, grant the DTS IP address in the firewall rules.
    2.3 Check if there are IP access restrictions (such as restricting access to the database to only host addresses within the authorization) set in the database layer.
    If yes, grant the DTS IP address in the access restrictions.
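
As an added illustration (not Tencent Cloud's code), the following Python sketch normalizes allowlist entries given on this page, counts how many source addresses each set admits, and renders iptables rules for review before they are applied. The function names and port 3306 are assumptions; the example also covers the private-network ranges this page lists for Self-Build on CVM and cloud database access.

```python
import ipaddress

# Entries copied from this page: the Chongqing row of the public-network table
# and the private-network ranges listed for Self-Build on CVM / cloud database.
CHONGQING = ("139.186.122.1/24,129.28.12.1/24,129.28.14.1/24,139.186.77.242,"
             "139.186.109.1/24,139.186.131.1/23,94.191.102.144,94.191.98.210")
PRIVATE_RANGES = "169.254.1.1/16, 11.163.1.1/16"
DB_PORT = 3306  # assumption: MySQL default port; use your database's port


def normalize(entries):
    """Parse a comma-separated allowlist into sorted, canonical networks."""
    nets = []
    for item in entries.split(","):
        item = item.strip()
        if item:
            # strict=False accepts entries written with host bits set
            # (139.186.131.1/23 becomes 139.186.130.0/23).
            nets.append(ipaddress.ip_network(item, strict=False))
    return list(ipaddress.collapse_addresses(nets))


def exposure(nets):
    """Number of source addresses the allowlist admits in total."""
    return sum(n.num_addresses for n in nets)


def is_allowed(ip, nets):
    """True if a source address (e.g. from a connection log) is covered."""
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)


def iptables_rules(nets, port=DB_PORT):
    """Render one ACCEPT rule per network, for review before applying."""
    return [f"iptables -A INPUT -p tcp -s {n} --dport {port} -j ACCEPT"
            for n in nets]


if __name__ == "__main__":
    for label, raw in (("Chongqing", CHONGQING), ("private", PRIVATE_RANGES)):
        nets = normalize(raw)
        print(f"{label}: {len(nets)} networks, {exposure(nets)} addresses")
        for rule in iptables_rules(nets):
            print("  " + rule)
```

The Chongqing row admits 1,539 source addresses and the two private ranges admit 131,072, which is the breadth the Note in the Overview refers to.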

    VPN Access/Direct Connect

    When using VPN for connection, users need to purchase a Tencent Cloud VPC and VPN gateway to connect their local IDC database to Tencent Cloud VPC via nearby access, then transfer tasks through DTS.
    1. Obtain the ranges that need to be granted.
    When configuring a DTS task, you will choose to access a subnet under the VPC, which indicates the IP address range that needs to be opened. The range of DTS access IP that needs to be granted for the source database is subnet1, and the range of DTS access IP that needs to be granted for the target database is subnet2.
    2. Check the database-related security settings. If any of the following settings exist, grant the DTS access IP range in the corresponding rules.
    2.1 Check if network ACLs and security groups have been set in the database network layer.
    If yes, add the DTS access IP range to the ACL and security group rules of the database's network.
    2.2 Check if a firewall (such as iptables) has been set on the server where the self-built database is deployed.
    If yes, grant the DTS access IP range in the firewall rules.
    2.3 Check if there are IP access restrictions (such as restricting access to the database to only host addresses within the authorization) set in the database layer.
    If yes, grant the DTS access IP range in the access restrictions.

    CCN

    When using CCN for connection, users need to connect their local IDC database to the Tencent Cloud VPC (such as VPC1) via nearby access, and then use CCN to connect VPC1 and access VPC2.
    1. Obtain the ranges that need to be granted.
    When configuring a DTS task, you will choose a subnet under the CCN-associated VPC (i.e., VPC2), which is the IP range that needs to be granted. The source database needs to grant access to subnet2.
    2. Check the database-related security settings. If any of the following settings exist, grant the DTS access IP range in the corresponding rules.
    2.1 Check if network ACLs and security groups have been set in the database network layer.
    If yes, add the DTS access IP range to the ACL and security group rules of the database's network.
    2.2 Check if a firewall (such as iptables) has been set on the server where the self-built database is deployed.
    If yes, grant the DTS access IP range in the firewall rules.
    2.3 Check if there are IP access restrictions (such as restricting access to the database to only host addresses within the authorization) set in the database layer.
    If yes, grant the DTS access IP range in the access restrictions.

    Self-Build on CVM

    If the source/target database is a self-built database on Tencent Cloud CVM, select Self-Build on CVM as the access method. When a user initiates a DTS task, network ACLs and security groups can be automatically granted, and the user only needs to check other security rules and grant them.
    1. Obtain the ranges that need to be granted.
    The connection between the self-built database on CVM and DTS occurs within the Tencent Cloud private network, sharing common IP ranges of 169.254.1.1/16, 11.163.1.1/16.
    2. Check the database's security rules. If any of the following settings exist, grant the DTS access IP range in the corresponding rules.
    2.1 Check if a firewall (such as iptables) has been set on the server where the self-built database is deployed.
    If yes, grant the DTS access IP range in the firewall rules.

    Database

    The source/target database is a Tencent Cloud database instance, with the connection method selected as "cloud database". When a user initiates a DTS task, network ACLs and security groups can be automatically granted, and the user only needs to check other security rules and grant them.
    1. Obtain the ranges that need to be granted.
    The connectivity between cloud database and DTS occurs within the Tencent Cloud private network, sharing common IP ranges of 169.254.1.1/16, 11.163.1.1/16.
    2. Check the database's security rules. If any of the following settings exist, grant the DTS access IP range in the corresponding rules.
    2.1 Check the database layer to see if IP access restriction rules have been set.
    For some TencentDB instances (like MySQL), there's support for limiting access IPs for accounts. Once set up, accounts can only access the database through host addresses within the authorization. For details on this MySQL feature, see Modifying Authorized Access Host Address.
    If there are similar settings, you need to grant the DTS access IP range.

    VPC

    For VPC access, depending on the database's deployment mode as either a self-built database on CVM (see above "Self-Build on CVM") or cloud database (see above "Database"), just follow the corresponding scenario operations.