Tablestore:Network ACL

Last Updated:Nov 15, 2024

You can configure a network access control list (ACL) for a Tablestore instance. This way, you can restrict the types of networks from which users can access the instance. This ensures network access security.

Background information

By default, Tablestore creates a public endpoint, a virtual private cloud (VPC) endpoint, and a classic network endpoint for each instance. For more information, see Endpoints.

  • Public endpoint: used for access over the Internet. Users can use the public endpoint to access resources in the Tablestore instance over the Internet.

    Important

    If you access Tablestore over the Internet, you are charged for outbound traffic over the Internet. For more information, see Billing overview.

  • Classic network endpoint: used for access from Elastic Compute Service (ECS) instances that reside in the same region as the Tablestore instance. When applications on ECS instances access a Tablestore instance in the same region over the classic network, the response latency is lower and no outbound traffic over the Internet is generated.

  • VPC endpoint: used for access from applications in a VPC. You must bind the required VPC to the instance in the Tablestore console. Then, applications in the VPC can access the instance by using the VPC endpoint. For more information, see What is a VPC?

Tablestore supports various combinations of network types to meet different network security requirements. The following list describes the network types.

  • Custom: By default, a Tablestore instance does not allow access over the Internet. You can access a Tablestore instance only from the Tablestore console or by using a classic network or VPC endpoint.

    Important

    To access a Tablestore instance over the Internet, log on to the Tablestore console and manually allow access over the Internet.

  • Tablestore Console or Bound VPCs: The Tablestore instance allows access from the Tablestore console or over the bound VPCs. You cannot access the Tablestore instance over the Internet or the classic network. This ensures network isolation.

    Important

    Before you select this network type for an instance, make sure that your business does not require access over the Internet or the classic network.

  • Bound VPCs: The Tablestore instance allows access only over the bound VPCs. You cannot access the Tablestore instance over the Internet or the classic network, and you cannot access the instance or the resources in it from the Tablestore console. This ensures network isolation.

    Important

    Before you select this network type for an instance, make sure that your business does not require access over the Internet or the classic network, or from the Tablestore console.

Usage notes

  • If you want to access a Tablestore instance over a specific VPC, make sure that the instance is bound to the VPC. For more information, see Bind a VPC to a Tablestore instance.

  • If you configure an instance policy and a network ACL for an instance, the instance can be accessed only if the access source meets the conditions of the instance policy and network ACL.

  • After you set the Access Type parameter to Bound VPCs for an instance, you can use only interfaces such as SDKs to access the instance over the bound VPCs. You cannot access the instance in the Tablestore console. If you want to access the instance from the Tablestore console, you can modify the Access Type parameter for the instance on the Network Management tab.

  • After you set the Access Type parameter to Bound VPCs for an instance, you can use only the features on the Instance Monitoring, Network Management, and Security Policy tabs of the Instance Management page in the Tablestore console for the instance. The features on the Instance Details, Deliver Data to OSS, and Query by Executing SQL Statement tabs are unavailable.

Procedure

  1. Log on to the Tablestore console.

  2. In the top navigation bar, select a resource group and a region.

  3. In the instance list of the Overview page, click the name of the instance that you want to manage.

  4. On the Network Management tab, modify the parameters related to network access control and then click Settings. The parameters are described below.

    By default, Tablestore supports access over VPC, the classic network, and the Internet, and allows access from the Tablestore console. You can exclude specific network types or source types based on your business requirements.

    • Access Type: The type of network access. Valid values:

      • Custom: The instance can be accessed by using the selected network or source types. A client can access the instance only if the network or source type of the client meets the requirements.

      • Tablestore Console or Bound VPCs: The instance can be accessed from the Tablestore console or over the bound VPCs.

      • Bound VPCs: The instance can be accessed only by using interfaces such as SDKs over the bound VPCs.

    • Allowed Network Type: The types of networks that can be used to access the resources in the instance. You can select multiple network types at the same time. This parameter is available only if you set the Access Type parameter to Custom. Valid values:

      • VPC: By default, VPC is selected, which indicates that the resources can be accessed over bound VPCs. If you do not require access over a VPC, clear VPC.

      • Internet: By default, Internet is not selected, which indicates that the resources cannot be accessed over the Internet. If you want to allow access over the Internet, select Internet.

        Important

        By default, you cannot access a new instance over the Internet.

      • Classic Network: By default, Classic Network is selected, which indicates that the resources can be accessed over the classic network. If you do not require access over the classic network, clear Classic Network.

    • Allowed Source Type: Specifies whether the resources in the instance can be accessed from the Tablestore console. This parameter is available only if you set the Access Type parameter to Custom.

      By default, Trusted Gateway (Console) is selected, which indicates that the resources can be accessed from the Tablestore console. If you do not require access from the Tablestore console, clear Trusted Gateway (Console).

  5. In the Warning dialog box, read the message, select the check box, and then click OK.
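The decision rules spread over the network type descriptions, the usage notes, and the parameter descriptions above can be written down as a small model. The following Python is an added illustration for this page, not Alibaba Cloud's code and not the Tablestore SDK: the enum names, the NetworkAcl class, and the treatment of an instance policy as an opaque predicate are assumptions made here to state the rules explicitly. It encodes the three Access Type values, the Custom defaults (VPC and Classic Network selected, Internet cleared, console allowed), the requirement that a VPC be bound before its endpoint works, and the usage note that an instance policy and a network ACL must both admit a request.

```python
# Added illustration of the Tablestore network ACL decision rules described on
# this page. Written for this page, not Alibaba Cloud's code or the Tablestore
# SDK; enum names, NetworkAcl, and the instance-policy predicate are assumptions.
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Set


class Network(Enum):
    VPC = "vpc"            # bound VPC endpoint
    CLASSIC = "classic"    # classic network endpoint (same-region ECS)
    INTERNET = "internet"  # public endpoint


class Source(Enum):
    SDK = "sdk"            # SDK or other API client
    CONSOLE = "console"    # Trusted Gateway (Console)


class AccessType(Enum):
    CUSTOM = "Custom"
    CONSOLE_OR_BOUND_VPCS = "Tablestore Console or Bound VPCs"
    BOUND_VPCS = "Bound VPCs"


@dataclass
class NetworkAcl:
    """Network ACL settings of one instance, with the page's defaults for
    Custom: VPC and Classic Network selected, Internet cleared, console on."""
    access_type: AccessType = AccessType.CUSTOM
    allowed_networks: Set[Network] = field(
        default_factory=lambda: {Network.VPC, Network.CLASSIC})
    console_allowed: bool = True

    def effective_networks(self) -> Set[Network]:
        # Allowed Network Type applies only to Custom; both preset types
        # admit traffic over the bound VPCs alone.
        if self.access_type is AccessType.CUSTOM:
            return set(self.allowed_networks)
        return {Network.VPC}

    def effective_console(self) -> bool:
        # Allowed Source Type applies only to Custom; of the presets, only
        # "Tablestore Console or Bound VPCs" keeps console access.
        if self.access_type is AccessType.CUSTOM:
            return self.console_allowed
        return self.access_type is AccessType.CONSOLE_OR_BOUND_VPCS

    def permits(self, network: Network, source: Source,
                vpc_bound: bool = True) -> bool:
        """Does the ACL alone admit a request arriving over `network` from
        `source`? `vpc_bound` says whether the client's VPC is bound to the
        instance; a VPC endpoint only works for a bound VPC."""
        if source is Source.CONSOLE:
            return self.effective_console()
        if network is Network.VPC and not vpc_bound:
            return False
        return network in self.effective_networks()


# An instance policy is modelled as an opaque predicate over the same request
# attributes (assumption: this page does not describe what a policy contains).
InstancePolicy = Callable[[Network, Source], bool]


def access_allowed(acl: NetworkAcl, policy: InstancePolicy,
                   network: Network, source: Source,
                   vpc_bound: bool = True) -> bool:
    """Usage-note rule: the instance policy and the network ACL must both
    admit the request; neither can override a denial by the other."""
    return acl.permits(network, source, vpc_bound) and policy(network, source)


def internet_exposed(acl: NetworkAcl) -> bool:
    """Defender's check: does this configuration accept requests over the
    public endpoint at all?"""
    return Network.INTERNET in acl.effective_networks()


if __name__ == "__main__":
    for name, acl in (("Custom (defaults)", NetworkAcl()),
                      ("Bound VPCs", NetworkAcl(AccessType.BOUND_VPCS))):
        print(name, "| internet exposed:", internet_exposed(acl),
              "| console:", acl.effective_console())
```

Console access is modelled as a source rather than a network because the page ties it to the Trusted Gateway (Console) source type, independent of which network types are selected; that is why a Bound VPCs instance rejects console requests even though the console itself reaches the instance over a trusted path. The internet_exposed check is the one worth running against every instance after a change, since a Custom instance with Internet selected is reachable from the public endpoint regardless of its VPC bindings.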

Common scenarios

Network security management