Configure AccessKey pair-based policies for network access control

Updated at: 2025-03-27 10:17

You can configure AccessKey pair-based policies for network access control to allow only specific IP addresses to call Alibaba Cloud API operations by using permanent AccessKey pairs. This way, API operations are called by using AccessKey pairs in a trusted network environment.

Important

AccessKey pair-based policies for network access control take effect on all Alibaba Cloud services except ApsaraMQ for RocketMQ, ApsaraMQ for RabbitMQ, ApsaraMQ for MQTT, EventBridge, Simple Message Queue, CloudMonitor (limited to reporting event monitoring data over HTTP), and Hologres. The time when AccessKey pair-based policies for network access control take effect on the unsupported Alibaba Cloud services is subject to the announcement of each service.

Policy types

Resource Access Management (RAM) provides the following types of AccessKey pair-based policies for network access control:

  • Account-level AccessKey pair-based policies for network access control

    This type of policy takes effect on all AccessKey pairs of an Alibaba Cloud account, including the AccessKey pairs of the Alibaba Cloud account and the AccessKey pairs of the RAM users that belong to the Alibaba Cloud account.

  • AccessKey pair-level policies for network access control

    This type of policy takes effect on a single AccessKey pair of an Alibaba Cloud account or RAM user.

An AccessKey pair-level policy for network access control has a higher priority than an account-level AccessKey pair-based policy. If an AccessKey pair-level policy for network access control is configured for an AccessKey pair, no account-level AccessKey pair-based policies take effect on the AccessKey pair.

The following figure shows the policy evaluation process.

[Figure: policy evaluation process]

Limits

  • You can configure up to eight network access control policies for a single Alibaba Cloud account or a single AccessKey pair. You can configure only one public network access control policy for a single Alibaba Cloud account or a single AccessKey pair.

  • Each policy contains up to 50 IP addresses or CIDR blocks.

Configure policies

Policies for network access control take effect immediately after they are configured. Before you configure one, we recommend that you review the AccessKey pair audit records and collect the trusted IP addresses from your enterprise network management information, so that the source IP addresses you specify in the policy are accurate and complete.

Configure account-level AccessKey pair-based policies for network access control

  1. Log on to the RAM console as a RAM user who has administrative rights.

  2. In the left-side navigation pane, click Settings. In the Network Access Control section, click Modify next to Allowed source network address while calling APIs by AccessKey.

  3. In the Account-level Network Access Control panel, configure account-level AccessKey pair-based policies for public network access control and Virtual Private Cloud (VPC) access control, set the Policy Status parameter to Enable, and then click Submit.

    • Policy Status: The configured policies take effect after you select Enable.

    • Public Network Policy: If you click Add Public Network Policy, you must enter public IP addresses or CIDR blocks. IPv4 and IPv6 addresses are supported. If no policies for public network access control are configured, access from all public IP addresses is denied. If you click Allow All Public Network Access, a policy in which the CIDR blocks 0.0.0.0/0 and ::/0 are specified is automatically configured for public network access control. The policy allows access from all public IP addresses.

    • VPC Network Policy: If you click Add VPC (Virtual Private Cloud) Policy, you must enter a VPC ID and IP addresses or CIDR blocks in the VPC. IPv4 and IPv6 addresses are supported. If no policies for VPC access control are configured, access from all IP addresses in the VPC is denied. If you click Allow All VPC Network Access, a policy in which the VPC ID AllowAllVPC and the CIDR blocks 0.0.0.0/0 and ::/0 are specified is automatically configured for VPC network access control. The policy allows access from all IP addresses in the VPC.

    Note

    You can enter multiple IP addresses or CIDR blocks in a single policy. Separate multiple IP addresses with spaces, commas (,), or semicolons (;).

Configure AccessKey pair-level policies for network access control for a RAM user

  1. Log on to the RAM console as a RAM user who has administrative rights.

  2. In the left-side navigation pane, choose Identities > Users.

  3. On the Users page, click the username of the RAM user that you want to manage.

  4. In the AccessKey section of the Authentication tab, find the AccessKey pair that you want to manage and click Network Access Control in the Actions column.

  5. In the AccessKey-level Network Access Control panel, configure AccessKey pair-level policies for public network access control and VPC access control, set the Policy Status parameter to Enable, and then click Submit.

    • Policy Status: The configured policies take effect after you select Enable.

    • Public Network Policy: If you click Add Public Network Policy, you must enter public IP addresses or CIDR blocks. IPv4 and IPv6 addresses are supported. If no policies for public network access control are configured, access from all public IP addresses is denied. If you click Allow All Public Network Access, a policy in which the CIDR blocks 0.0.0.0/0 and ::/0 are specified is automatically configured for public network access control. The policy allows access from all public IP addresses.

    • VPC Network Policy: If you click Add VPC (Virtual Private Cloud) Policy, you must enter a VPC ID and IP addresses or CIDR blocks in the VPC. IPv4 and IPv6 addresses are supported. If no policies for VPC access control are configured, access from all IP addresses in the VPC is denied. If you click Allow All VPC Network Access, a policy in which the VPC ID AllowAllVPC and the CIDR blocks 0.0.0.0/0 and ::/0 are specified is automatically configured for VPC network access control. The policy allows access from all IP addresses in the VPC.

    Note

    You can enter multiple IP addresses or CIDR blocks in a single policy. Separate multiple IP addresses with spaces, commas (,), or semicolons (;).

Configure AccessKey pair-level policies for network access control for an Alibaba Cloud account

  1. Log on to the Alibaba Cloud Management Console with an Alibaba Cloud account.

  2. Move the pointer over the profile picture in the upper-right corner of the page that appears and click AccessKey.

  3. In the Main Account AccessKey is not recommended dialog box, select I am aware of the security risks of using a main account AccessKey and click Use Main Account AccessKey.

  4. On the page that appears, find the AccessKey pair that you want to manage and click Network Access Control in the Actions column.

  5. In the AccessKey-level Network Access Control panel, configure AccessKey pair-level policies for public network access control and VPC access control, set the Policy Status parameter to Enable, and then click Submit.

    • Policy Status: The configured policies take effect after you select Enable.

    • Public Network Policy: If you click Add Public Network Policy, you must enter public IP addresses or CIDR blocks. IPv4 and IPv6 addresses are supported. If no policies for public network access control are configured, access from all public IP addresses is denied. If you click Allow All Public Network Access, a policy in which the CIDR blocks 0.0.0.0/0 and ::/0 are specified is automatically configured for public network access control. The policy allows access from all public IP addresses.

    • VPC Network Policy: If you click Add VPC (Virtual Private Cloud) Policy, you must enter a VPC ID and IP addresses or CIDR blocks in the VPC. IPv4 and IPv6 addresses are supported. If no policies for VPC access control are configured, access from all IP addresses in the VPC is denied. If you click Allow All VPC Network Access, a policy in which the VPC ID AllowAllVPC and the CIDR blocks 0.0.0.0/0 and ::/0 are specified is automatically configured for VPC network access control. The policy allows access from all IP addresses in the VPC.

    Note

    You can enter multiple IP addresses or CIDR blocks in a single policy. Separate multiple IP addresses with spaces, commas (,), or semicolons (;).

Configuration example

The following scenarios show which policies to configure for each requirement.

Scenario: No network access control is implemented over all AccessKey pairs.
Policy configuration: Set the Policy Status parameter to Disable for account-level and AccessKey pair-level policies for network access control.

Scenario: Calls initiated by all public IP addresses need to be allowed.
Policy configuration: Configure an account-level or AccessKey pair-level policy for public network access control in which the CIDR blocks 0.0.0.0/0 and ::/0 are specified.

Scenario: Calls initiated by all IP addresses in a VPC need to be allowed.
Policy configuration: Configure an account-level or AccessKey pair-level policy for VPC network access control in which the VPC ID AllowAllVPC and the CIDR blocks 0.0.0.0/0 and ::/0 are specified.

Scenario: Calls initiated by all public IP addresses need to be denied.
Policy configuration: Set the Policy Status parameter to Enable for account-level and AccessKey pair-level policies for network access control and make sure that no policies are configured for public network access control.

Scenario: Calls initiated by all IP addresses in a VPC need to be denied.
Policy configuration: Set the Policy Status parameter to Enable for account-level and AccessKey pair-level policies for network access control and make sure that no policies are configured for VPC network access control.

Scenario: Account-level network access control is configured. A specific AccessKey pair can be used by all public and VPC IP addresses to initiate calls.
Policy configuration: Configure the following AccessKey pair-level policies for network access control:

  • Configure an AccessKey pair-level policy for public network access control in which the CIDR blocks 0.0.0.0/0 and ::/0 are specified.

  • Configure an AccessKey pair-level policy for VPC network access control in which the VPC ID AllowAllVPC and the CIDR blocks 0.0.0.0/0 and ::/0 are specified.

Scenario: For all AccessKey pairs in an Alibaba Cloud account, a specific public IP address such as 203.0.113.1 can be used to call Alibaba Cloud API operations. Specific IP addresses such as 192.168.0.0/16 in a VPC such as vpc-m5ekxe1zi8zwgqrtc**** can be used to call Alibaba Cloud API operations.
Policy configuration: Configure the following account-level AccessKey pair-based policies for network access control:

  • Configure an account-level AccessKey pair-based policy for public network access control in which the IP address 203.0.113.1 is specified.

  • Configure an account-level AccessKey pair-based policy for VPC network access control in which the VPC ID vpc-m5ekxe1zi8zwgqrtc**** and the CIDR block 192.168.0.0/16 are specified.

For more information, see Configure account-level AccessKey pair-based policies for network access control.

Scenario: For a specific AccessKey pair, a specific public IP address such as 203.0.113.1 can be used to call Alibaba Cloud API operations. Specific IP addresses such as 192.168.0.0/16 in a VPC such as vpc-m5ekxe1zi8zwgqrtc**** can be used to call Alibaba Cloud API operations.
Policy configuration: Configure the following AccessKey pair-level policies for network access control:

  • Configure an AccessKey pair-level policy for public network access control in which the IP address 203.0.113.1 is specified.

  • Configure an AccessKey pair-level policy for VPC network access control in which the VPC ID vpc-m5ekxe1zi8zwgqrtc**** and the CIDR block 192.168.0.0/16 are specified.

After the AccessKey pair-level policies for network access control are enabled for the AccessKey pair, an account-level AccessKey pair-based policy for network access control does not take effect on the AccessKey pair.

For more information, see Configure AccessKey pair-level policies for network access control for a RAM user and Configure AccessKey pair-level policies for network access control for an Alibaba Cloud account.
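The evaluation rules described in Policy types and Configure policies (an enabled AccessKey pair-level control replaces the account-level control; an enabled control with no policy for a network path denies that path; 0.0.0.0/0 and ::/0 allow every address; the VPC ID AllowAllVPC matches any VPC; addresses separated by spaces, commas or semicolons; eight policies per account or AccessKey pair, one of them public, 50 entries each) can be dry-run offline before a policy is enabled. The following Python script is an added example written for this page; it is not Alibaba Cloud code and does not call any RAM API. The names NetworkAccessControl, evaluate and is_call_allowed are this example's own, the scenario data is constructed from the configuration example above, and two points the page leaves open are treated as assumptions: a call from a VPC is checked against VPC policies only, and an AccessKey pair-level control whose Policy Status is Disable falls back to the account-level control.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Sentinel VPC ID the console writes when you click "Allow All VPC Network Access".
ALLOW_ALL_VPC = "AllowAllVPC"
# Limits documented on this page.
MAX_POLICIES = 8
MAX_ENTRIES_PER_POLICY = 50


def parse_address_list(text):
    """Split a policy's address field on spaces, commas or semicolons (the
    separators the console accepts) and return ip_network objects."""
    networks = [ipaddress.ip_network(tok, strict=False)
                for tok in re.split(r"[\s,;]+", text.strip()) if tok]
    if len(networks) > MAX_ENTRIES_PER_POLICY:
        raise ValueError("a policy holds at most %d addresses or CIDR blocks"
                         % MAX_ENTRIES_PER_POLICY)
    return networks


@dataclass
class VpcPolicy:
    vpc_id: str
    networks: list


@dataclass
class NetworkAccessControl:
    """One account-level or AccessKey-level control: Policy Status plus at most
    one public policy and any number of VPC policies (eight policies in total)."""
    enabled: bool = False
    public: list = field(default_factory=list)  # ip_network objects of the public policy
    vpc: list = field(default_factory=list)     # VpcPolicy objects

    def _check_count(self):
        total = (1 if self.public else 0) + len(self.vpc)
        if total >= MAX_POLICIES:
            raise ValueError("at most %d policies per account or AccessKey pair"
                             % MAX_POLICIES)

    def add_public(self, addresses):
        if self.public:
            raise ValueError("only one public network policy is allowed")
        self._check_count()
        self.public = parse_address_list(addresses)

    def add_vpc(self, vpc_id, addresses):
        self._check_count()
        self.vpc.append(VpcPolicy(vpc_id, parse_address_list(addresses)))

    def allow_all_public(self):
        self.add_public("0.0.0.0/0 ::/0")

    def allow_all_vpc(self):
        self.add_vpc(ALLOW_ALL_VPC, "0.0.0.0/0 ::/0")


def _matches(ip, networks):
    # ip_network.__contains__ is False across IP versions, so mixed lists are safe.
    return any(ip in n for n in networks)


def evaluate(control, source_ip, vpc_id=None):
    """True if a call from source_ip is allowed by this control. vpc_id is the
    VPC the call arrives from, or None for a call over the public network."""
    if not control.enabled:
        return True  # Policy Status = Disable: no network restriction
    ip = ipaddress.ip_address(source_ip)
    if vpc_id is None:
        # Public path: with no public policy configured, every public address is denied.
        return _matches(ip, control.public)
    # VPC path (assumption: checked against VPC policies only): the policy's VPC ID
    # must equal the caller's VPC or be the AllowAllVPC sentinel.
    return any(p.vpc_id in (ALLOW_ALL_VPC, vpc_id) and _matches(ip, p.networks)
               for p in control.vpc)


def is_call_allowed(account_control, key_control, source_ip, vpc_id=None):
    """Precedence rule: an enabled AccessKey-level control replaces the account-level
    control for that AccessKey pair (assumption: a disabled key-level control falls
    back to the account-level control)."""
    if key_control is not None and key_control.enabled:
        return evaluate(key_control, source_ip, vpc_id)
    return evaluate(account_control, source_ip, vpc_id)


if __name__ == "__main__":
    # Constructed scenario taken from the configuration example on this page.
    account = NetworkAccessControl(enabled=True)
    account.add_public("203.0.113.1")
    account.add_vpc("vpc-m5ekxe1zi8zwgqrtc****", "192.168.0.0/16")
    for ip, vpc in [("203.0.113.1", None), ("203.0.113.2", None),
                    ("192.168.1.10", "vpc-m5ekxe1zi8zwgqrtc****"),
                    ("192.168.1.10", "vpc-other")]:
        verdict = "allow" if is_call_allowed(account, None, ip, vpc) else "deny"
        print(ip, vpc, "->", verdict)
```

Feed the script the source addresses collected from the AccessKey pair audit records before you set Policy Status to Enable; any address that comes back as deny would be locked out the moment the real policy takes effect.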
