You can enhance the security of your Alibaba Cloud resources by creating Resource Access Management (RAM) policies that allow access only from specific, trusted IP addresses. This is a common practice for ensuring that sensitive resources are only accessed from a corporate network or specific production environments.
How it works
You can control access by IP address by using the acs:SourceIp global condition key in the Condition block of a policy. When a RAM user makes a request to Alibaba Cloud, the service evaluates the policies attached to the user. If a policy includes an IP address condition, RAM compares the source IP address of the request with the IP addresses or CIDR blocks specified in the policy. If the source IP address matches an address in the condition of an Allow statement, that statement applies and the request is allowed to proceed, subject to other permissions. If the source IP address matches an address in the condition of a Deny statement, the request is denied. A request whose source IP address matches no Allow statement is denied by default.
This tutorial demonstrates how to create a custom policy that allows a RAM user to perform any action on Elastic Compute Service (ECS) instances, but only if the request originates from the CIDR block 192.0.2.0/24 or the single IP address 203.0.113.2.
Prerequisites
You have permissions to create and manage RAM users and policies in the RAM console.
Procedure
Step 1: Create the IP-based policy
First, create a custom RAM policy that includes the IP address condition.
Log on to the RAM console as a RAM administrator.
In the left-side navigation pane, choose .
Click Create Policy.
On the Create Policy page, click the JSON Editor tab.
Copy and paste the following policy document into the editor. Replace the example IP addresses with the trusted IP addresses or CIDR blocks for your environment.
  {
    "Statement": [
      {
        "Action": "ecs:*",
        "Effect": "Allow",
        "Resource": "*",
        "Condition": {
          "IpAddress": {
            "acs:SourceIp": [
              "192.0.2.0/24",
              "203.0.113.2"
            ]
          }
        }
      }
    ],
    "Version": "1"
  }

This policy grants full access (ecs:*) to all ECS resources (Resource: *), but only if the request's source IP address matches one of the values specified in the acs:SourceIp condition.
Click OK.
Enter a Name for your policy (such as Allow-ECS-Access-From-Trusted-IPs) and click OK.
For more information, see Create a custom policy.
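To make the evaluation described in How it works concrete, the following Python script is an added example (not part of this tutorial and not an Alibaba Cloud SDK) that applies the policy document from Step 1 to sample requests. It assumes a simplified RAM model: an explicit Deny wins, an Allow applies only when its acs:SourceIp condition is satisfied, and everything else is denied by default.

```python
import ipaddress
import json

# The policy document from Step 1, embedded so the script runs stand-alone.
POLICY = json.loads("""
{
  "Statement": [
    {
      "Action": "ecs:*",
      "Effect": "Allow",
      "Resource": "*",
      "Condition": {"IpAddress": {"acs:SourceIp": ["192.0.2.0/24", "203.0.113.2"]}}
    }
  ],
  "Version": "1"
}
""")


def _matches(pattern: str, value: str) -> bool:
    """Trailing-wildcard match for Action/Resource values such as 'ecs:*'."""
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    return pattern == value


def _ip_in(source_ip: str, allowed: list) -> bool:
    """True if source_ip lies inside any listed single address or CIDR block."""
    ip = ipaddress.ip_address(source_ip)
    return any(ip in ipaddress.ip_network(a, strict=False) for a in allowed)


def evaluate(policy: dict, action: str, resource: str, source_ip: str) -> str:
    """Simplified RAM decision (assumption): explicit Deny > Allow > default Deny."""
    decision = "Deny"
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if not any(_matches(a, action) for a in actions):
            continue
        if not any(_matches(r, resource) for r in resources):
            continue
        ips = stmt.get("Condition", {}).get("IpAddress", {}).get("acs:SourceIp", [])
        if ips and not _ip_in(source_ip, ips):
            continue  # condition not satisfied: the statement does not apply
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit Deny always wins
        decision = "Allow"
    return decision
```

When troubleshooting, feed the Source IP Address shown in ActionTrail to evaluate() rather than the address you believe the client has; a NAT gateway or proxy changes what RAM sees.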
Step 2: Create a RAM user
Next, create a RAM user who will be subject to this IP restriction.
In the left-side navigation pane, choose .
Click Create User.
Enter a username and select an access mode (such as Console Access). Follow the prompts to complete user creation. For more information, see Create a RAM user.
Step 3: Attach the policy and verify access
Finally, attach the policy to the RAM user and test that the restriction works as expected.
On the Users page, find the user you just created and click Attach Policy in the Actions column.
On the Attach Policy panel, find and select the IP-based policy you created in Step 1 (such as Allow-ECS-Access-From-Trusted-IPs). Click OK, then click Close.
Verify the policy:
Log on to the Alibaba Cloud Management Console as the new RAM user from a computer with an IP address that is on the allowed list (such as 192.0.2.10). Attempt to view your ECS instances. The request should succeed.
Log off, and then log on again as the same RAM user from a computer with an IP address that is not on the allowed list. Attempt to view your ECS instances. The request should be denied with a "permission denied" error.
For more information, see Grant permissions to a RAM user.
Troubleshoot policy errors
If the policy does not work as expected, the most common reason is that the source IP address seen by Alibaba Cloud is different from what you expect. This can happen if you are behind a NAT gateway or a proxy.
To find the actual source IP address of a failed request:
As the RAM user, attempt the action that is being unexpectedly denied.
As an administrator, log on to the ActionTrail console.
Navigate to Event Query and find the event corresponding to the failed request. The Event Name will match the API action (such as DescribeInstances), and the Operator will match the RAM user.
Click View Details in the Actions column to view the event's details. In the event details, locate the Source IP Address field. This is the IP address that Alibaba Cloud used to evaluate your policy.
Update your RAM policy to include this correct source IP address.