Updated on 2024-11-08 GMT+08:00

Establishing a Network Connection Between DLI and Resources in a Shared VPC

VPC Sharing Overview

VPC sharing allows sharing VPC resources created in one account with other accounts using Resource Access Manager (RAM). For example, account A can share its VPC and subnets with account B. After accepting the share, account B can view the shared VPC and subnets and use them to create resources.

For more information about VPC sharing, see VPC Sharing in Virtual Private Cloud User Guide.

DLI Use Cases

An enterprise IT management account creates a VPC and subnets and shares them with other service accounts to facilitate centralized configuration of VPC security policies and orderly resource management.

Service accounts use the shared VPC and subnets to create resources and want to use DLI to submit jobs and access resources in the shared VPC. To do this, they need to establish a network connection between DLI and the resources in the shared VPC.

For example, account A is the enterprise IT management account and the owner of VPC resources. It creates the VPC and subnets and shares them with service account B.

Account B is a service account that uses the shared VPC and subnets to create resources and uses DLI to access them.

Prerequisites

  • Account A has been configured with a DLI agency, which includes the DLI Datasource Connections Agency Access permission. This will grant the necessary permissions to access and use VPCs, subnets, routes, and VPC peering connections. For details, see Configuring DLI Agency Permissions.
  • Account A, as the resource owner, has created a VPC and subnets and designated account B as the principal.

    For details, see Creating a Resource Share.

Establishing a Network Connection Between DLI and Resources in a Shared VPC

  1. Account A creates an enhanced datasource connection.

    1. Log in to the DLI management console using account A.
    2. In the navigation pane on the left, choose Datasource Connections.
    3. On the displayed Enhanced tab, click Create.

      Set parameters based on Table 1.

      Table 1 Parameters for creating an enhanced datasource connection

      Parameter

      Description

      Connection Name

      Name of the datasource connection to be created

      Resource Pool

      You do not need to set this parameter in this scenario.

      VPC

      VPC shared by account A to account B

      Subnet

      Subnet shared by account A to account B

      Route Table

      You do not need to set this parameter in this scenario.

      Host Information

      You do not need to set this parameter in this scenario.

      Tags

      Tags used to identify cloud resources. A tag includes the tag key and tag value.

    4. Click OK.

  2. Account A grants account B access to the enhanced datasource connection created in 1.

    1. In the enhanced datasource connection list, locate the row containing the newly created one, click More in the Operation column, and select Manage Permission from the drop-down list.
    2. In the displayed Permissions dialog box, select Grant Permission for Set Permission, enter the ID of the project account B belongs to in Project ID, and click OK.

  3. Account B binds a DLI elastic resource pool to the shared enhanced datasource connection.

    1. Log in to the DLI management console using account B.
    2. In the navigation pane on the left, choose Datasource Connections.
    3. On the displayed Enhanced tab, locate the row containing the enhanced datasource connection shared by account A, click More in the Operation column, and select Bind Resource Pool from the drop-down list.
    4. In the displayed Bind Resource Pool dialog box, select the created elastic resource pool for Resource Pool and click OK.

      If there is no elastic resource pool available, create one by referring to Creating an Elastic Resource Pool and Creating Queues Within It.

  4. Account B tests the network connectivity between the elastic resource pool and resources in the VPC.

    If there are resources in the shared VPC, ensure that the security group the resources belong to has allowed access to the elastic resource pool's CIDR block.

    1. Obtain the private IP address and port number of the data source in the shared VPC.

      Take the RDS data source as an example. On the Instances page, click the target DB instance. On the displayed page, locate the Connection Information pane and view the private IP address. In the Connection Information pane, locate the Database Port to view the port number of the RDS DB instance.

    2. In the navigation pane of the DLI management console, choose Resources > Queue Management.
    3. Locate the queue under the elastic resource pool bound with the enhanced datasource connection, click More in the Operation column, and select Test Address Connectivity.
    4. Enter the data source connection address and port number to test the network connectivity.

      If the address is reachable, it means that account B has established a network connection between the DLI resource and the resources in the shared VPC. Account B can then submit jobs to the elastic resource pool's queue and access the resources in the shared VPC.