This topic describes how to configure, view, modify, and disable IP address whitelists for the cloud product interconnection network and a virtual private cloud (VPC) when the whitelist feature is enabled for a MaxCompute project. This topic also describes the scenarios in which IP address whitelists need to be configured. Only the project owner, the Super_Administrator role, and custom administrator roles that have the required permissions can manage IP address whitelists.
Background information
Multiple levels of access control, such as the multi-tenant model and security authentication mechanism, are used to ensure secure access to MaxCompute. You can pass the authentication and access and compute data based on the granted permissions only after you obtain an authorized AccessKey pair.
MaxCompute also allows you to configure an IP address whitelist to control access requests. After you configure an IP address whitelist for a MaxCompute project, only the IP addresses in the whitelist can access the MaxCompute project. If you access the MaxCompute project from an IP address that is not in the whitelist, your access request is denied even if you have a valid AccessKey pair. You can configure an IP address whitelist for the cloud product interconnection network or a VPC in the following scenarios:
When the whitelist feature is not enabled for a MaxCompute project, the project can still be accessed over the following network types, with the following scope:
Cloud product interconnection network: Any IP address that uses the cloud product interconnection network endpoint within the same account and region can access the MaxCompute project.
VPC: Any IP address that uses the VPC endpoint within the same VPC can access the MaxCompute project.
Public network: Any IP address that uses the public network endpoint can access the MaxCompute project.
Configure an IP address whitelist for the cloud product interconnection network
If you use the MaxCompute client to access a project, obtain the IP address of the device on which the MaxCompute client is deployed.
If you use an application system to access a project, obtain the IP address of the server on which the application system is deployed.
If you use a proxy server to access a project, obtain the IP address of the server. If you use multi-hop proxy servers to access a project, obtain the IP address of the last-hop proxy server.
If you access MaxCompute from an Elastic Compute Service (ECS) instance, obtain the network address translation (NAT) IP address. For more information about NAT IP addresses, see Elastic IP addresses.
If you are a DataWorks user, you need to add the IP addresses related to the DataWorks exclusive resource group to your whitelist.
Configure an IP address whitelist for a VPC
To configure an IP address whitelist for a VPC, perform the following steps:
Obtain the ID of the VPC.
Configure the endpoint of the VPC. For more information, see Endpoints.
Add all the IP addresses of devices that need to access MaxCompute to the whitelist. For example, if you want to use services, such as Data Integration of DataWorks, Data Map of DataWorks, and Realtime Compute for Apache Flink, to access MaxCompute, you must add the IP addresses of the services to the IP address whitelist.
MaxCompute supports only project-level IP address whitelists. You can specify IP addresses in the following formats:
IPv4 or IPv6 addresses. Example: 192.168.0.0 or 2001:db8::.
IP addresses with subnet masks. Example: 172.12.0.0/16 or 2001:db8::/32.
IP address ranges. Example: 192.168.10.0-192.168.255.255 or 2001:db8:1:1:1:1:1:1-2001:db8:4:4:4:4:4:4.
Configure an IP address whitelist
MaxCompute allows you to configure an IP address whitelist by using a command-line tool, such as the MaxCompute client. You can also configure an IP address whitelist in the MaxCompute console.
Configure an IP address whitelist on the MaxCompute client
The odps.security.ip.whitelist parameter specifies the IP address whitelist for the Internet and the cloud product interconnection network. The odps.security.vpc.whitelist parameter specifies the IP address whitelist for a VPC. For more information about the command syntax and parameters, see View the properties of a project.
You can run a command on the MaxCompute client to add the required IP addresses to an IP address whitelist.
If you configure an IP address whitelist only for the Internet and the cloud product interconnection network, only the IP addresses in the IP address whitelist are allowed to access MaxCompute over the Internet and the cloud product interconnection network. Access requests over VPCs are denied. Sample command:
setproject odps.security.ip.whitelist=192.168.0.0 odps.security.vpc.whitelist=\N;
When you configure an IP address whitelist for the Internet and the cloud product interconnection network, add the IP address of the device on which the MaxCompute client is installed to the whitelist. Otherwise, your access requests are denied.
If you configure an IP address whitelist only for a VPC, only the IP addresses in the IP address whitelist are allowed to access MaxCompute over the VPC. Access requests over the Internet and the cloud product interconnection network are denied. Sample command:
setproject odps.security.ip.whitelist=\N odps.security.vpc.whitelist=<ID of the VPC>[192.168.0.10,192.168.0.20];
If you configure IP address whitelists for the Internet, the cloud product interconnection network, and a VPC, the IP addresses in the IP address whitelist for the Internet, the cloud product interconnection network, and the VPC are allowed to access MaxCompute over the Internet, the cloud product interconnection network, and the VPC. Sample command:
setproject odps.security.ip.whitelist=192.168.0.0 odps.security.vpc.whitelist=<ID of the VPC>[192.168.0.10,192.168.0.20];
If you configure IP address whitelists for the Internet, the cloud product interconnection network, and a VPC, and each whitelist contains multiple IP addresses, run a command such as the following:
setproject odps.security.ip.whitelist=192.168.0.0,192.168.0.10 odps.security.vpc.whitelist=<ID of the VPC1>[192.168.0.10,192.168.0.20],<ID of the VPC2>;
Separate multiple IP addresses of the Internet and the cloud product interconnection network with commas (,). The IP addresses of a VPC are in the ID of the VPC[IP addresses] format. If you want to add all IP addresses of a VPC to an IP address whitelist, enter only the ID of the VPC.
An IP address whitelist takes effect 5 minutes after it is configured.
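To see the rules above applied end to end, here is an added pre-flight checker (example code, not part of MaxCompute or this page): given the two parameter values you intend to set and the address a client connects from, it reports whether that client would still be admitted, which catches the lock-out case noted above before you run setproject. It assumes that both \N and an empty value mean "not configured", and that * in a VPC entry is a glob wildcard.

```python
import fnmatch
import ipaddress

UNSET = ("", "\\N")  # assumption: both spellings mean "this whitelist is not configured"
def matcher(entry):
    """Predicate for one entry: a single address, a CIDR block, or an 'a-b' range."""
    entry = entry.strip()
    if "-" in entry:  # range; IPv6 text never contains '-', so this test is safe
        lo, hi = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
        return lambda ip: ip.version == lo.version and lo <= ip <= hi
    if "/" in entry:  # address with subnet mask
        net = ipaddress.ip_network(entry, strict=False)
        return lambda ip: ip in net  # False on a v4/v6 version mismatch
    addr = ipaddress.ip_address(entry)
    return lambda ip: ip == addr

def parse_ip_whitelist(value):
    """odps.security.ip.whitelist: comma-separated entries; [] when not configured."""
    value = value.strip()
    return [] if value in UNSET else [matcher(e) for e in value.split(",") if e.strip()]

def parse_vpc_whitelist(value):
    """odps.security.vpc.whitelist: '<vpc>[ip,ip],<vpc2>' -> {vpc: matchers or None}.
    Commas inside [...] belong to the IP list, so split only at bracket depth 0."""
    result, depth, buf = {}, 0, ""
    if value.strip() in UNSET:
        return result
    for ch in value + ",":
        if ch == "," and depth == 0:
            vpc, _, ips = buf.strip().partition("[")
            if vpc:  # bare VPC ID -> None -> every IP of that VPC is allowed
                result[vpc] = parse_ip_whitelist(ips.rstrip("]")) if ips else None
            buf = ""
        else:
            depth += (ch == "[") - (ch == "]")
            buf += ch
    return result

def is_allowed(ip_whitelist, vpc_whitelist, source_ip, vpc_id=None):
    """Admission decision; vpc_id=None means Internet / cloud product interconnection."""
    ip_wl, vpc_wl = parse_ip_whitelist(ip_whitelist), parse_vpc_whitelist(vpc_whitelist)
    if not ip_wl and not vpc_wl:
        return True  # both empty: whitelist feature disabled, nothing is limited
    ip = ipaddress.ip_address(source_ip)
    if vpc_id is None:  # with an empty ip whitelist this denies all Internet access
        return any(m(ip) for m in ip_wl)
    for pattern, entries in vpc_wl.items():  # assumption: '*' is a glob wildcard
        if fnmatch.fnmatchcase(vpc_id, pattern):
            return entries is None or any(m(ip) for m in entries)
    return False
```

Run is_allowed with the values you plan to pass to setproject and the IP of the machine the MaxCompute client runs on; a False result means that client would be denied once the whitelist takes effect.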
Configure an IP address whitelist in the MaxCompute console
You can log on to the MaxCompute console and select a region. In the left-side navigation pane, click Projects. On the Projects page, find the desired project and click Manage in the Actions column. On the Parameter Configuration tab of the project details page, click Edit in the IP Address Whitelist section.
IP addresses of the Internet and the cloud product interconnection network: Separate the IP addresses with commas (,). If you configure an IP address whitelist only for the Internet and the cloud product interconnection network, only the IP addresses in the IP address whitelist are allowed to access MaxCompute over the Internet and the cloud product interconnection network. Access requests over VPCs are denied.
IP addresses of a VPC: Separate the IP addresses of a VPC with commas (,). If you configure an IP address whitelist only for a VPC, only the IP addresses in the IP address whitelist are allowed to access MaxCompute over the VPC. Access requests over the Internet and the cloud product interconnection network are denied. Example: <ID of the VPC1>[192.168.0.10,192.168.0.20],<ID of the VPC2>.
View an IP address whitelist
You can run the setproject; command to view IP address whitelists. The values of the odps.security.ip.whitelist and odps.security.vpc.whitelist parameters are the IP addresses in the whitelists. If the odps.security.ip.whitelist or odps.security.vpc.whitelist parameter is left empty, the whitelist that corresponds to the empty parameter is not configured.
setproject;
The following result is returned:
odps.security.ip.whitelist=192.168.0.0
odps.security.vpc.whitelist=<ID of the VPC>[192.168.0.10,192.168.0.20]
If the IP address whitelist for the VPC was configured by using the ID of the region in which the VPC resides together with the ID of the VPC, the following result is returned:
odps.security.vpc.whitelist=cn-beijing_125179[192.168.0.10,192.168.0.20]
Modify an IP address whitelist
You can run the setproject command to modify an IP address whitelist. After the whitelist is modified, the original IP address whitelist becomes invalid. The system manages access requests based on the new IP address whitelist.
Modify the configuration of an IP address whitelist for the Internet and the cloud product interconnection network.
setproject odps.security.ip.whitelist=192.168.0.10;
Modify the configuration of an IP address whitelist for a VPC.
setproject odps.security.vpc.whitelist=<ID of the VPC>[192.168.10.10,192.168.0.20];
Disable the IP address whitelist feature
Run the following command to disable the IP address whitelist feature. If this feature is disabled, access requests over the Internet, the cloud product interconnection network, and the VPC are not limited.
setproject odps.security.ip.whitelist= odps.security.vpc.whitelist= ;
To disable the feature, you must leave the IP address whitelists for the Internet, the cloud product interconnection network, and the VPC empty.
Configure an IP address to allow access from Alibaba Cloud services to MaxCompute
Run the following command to allow access from all Alibaba Cloud services to MaxCompute over VPCs:
setproject odps.security.ip.whitelist=192.168.0.0/16,172.16.0.0/12,10.0.0.0/8,11.0.x.x/8,33.0.x.x/8,100.64.0.0/10 odps.security.vpc.whitelist=<regionname>_*,cn_*;
The character x in 11.0.x.x/8 and 33.0.x.x/8 in the preceding command is a placeholder, which indicates a number that ranges from 0 to 255.
odps.security.ip.whitelist: the IP address whitelist for the Internet and the cloud product interconnection network. You can refer to the configuration of this parameter in the preceding command. You can also add IP addresses based on your business requirements.
regionname: the ID of the region in which an Alibaba Cloud service resides.
Region IDs
The following table describes the region IDs of Alibaba Cloud.
| Region | Region ID |
| --- | --- |
| China (Hangzhou) | cn-hangzhou |
| China (Shanghai) | cn-shanghai |
| China (Beijing) | cn-beijing |
| China (Zhangjiakou) | cn-zhangjiakou |
| China (Ulanqab) | cn-wulanchabu |
| China (Shenzhen) | cn-shenzhen |
| China (Chengdu) | cn-chengdu |
| China (Hong Kong) | cn-hongkong |
| China East 2 Finance | cn-shanghai-finance-1 |
| China North 2 Ali Gov 1 | cn-north-2-gov-1 |
| China South 1 Finance | cn-shenzhen-finance-1 |
| Japan (Tokyo) | ap-northeast-1 |
| Singapore | ap-southeast-1 |
| Malaysia (Kuala Lumpur) | ap-southeast-3 |
| Indonesia (Jakarta) | ap-southeast-5 |
| Germany (Frankfurt) | eu-central-1 |
| UK (London) | eu-west-1 |
| US (Silicon Valley) | us-west-1 |
| US (Virginia) | us-east-1 |
| UAE (Dubai) | me-east-1 |
Examples of errors reported due to the whitelist feature
The following error message appears when an IP address whitelist is configured for the Internet and the cloud product interconnection network:
FAILED: Access denied by project ip whitelist: sourceIP: 'xxxxx' is not in whitelist. project: xxx
The preceding error message is reported if the IP address from which an access request is sent is not in the IP address whitelist for the Internet and the cloud product interconnection network. In the error message, sourceIP indicates the IP address from which the access request is sent, and project: xxx indicates the project information. To resolve this issue, add the IP address specified by sourceIP to the IP address whitelist for the Internet and the cloud product interconnection network of your project.
The following error message is reported when an IP address whitelist is configured for a VPC:
FAILED: Access denied by project ip whitelist: sourceIP: 'xxxxx' is not in whitelist. project: xxx
FAILED: Access denied by project vpc whitelist: vpc: 'vpc-xxx' not in vpc whitelist, ip: 'xxxx'. project: xxx
The preceding error message is reported if the IP address from which an access request is sent is not in the IP address whitelist for a VPC. In the error message, project: xxx indicates the project information. To resolve this issue, add the IP address of the VPC to the IP address whitelist for the VPC of your project.