This topic uses a sample policy to demonstrate how to authorize a RAM user to access Alibaba Cloud from a specified CIDR block.

The following policy indicates that the authorized RAM user can access ECS instances only from IP addresses in the 192.168.0.0/16 CIDR block.

In this case, the acs:SourceIp condition key in the Condition element is set to 192.168.0.0/16.

{
  "Statement": [
    {
      "Action": "ecs:*",
      "Effect": "Allow",
      "Resource": "*",
      "Condition": {
        "IpAddress": {
          "acs:SourceIp": "192.168.0.0/16"
        }
      }
    }
  ],
  "Version": "1"
}
Note: The Condition element applies only to the actions specified in the current policy. You can replace the 192.168.0.0/16 CIDR block with the CIDR block of your private network.
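The following added example (not Alibaba Cloud code, and not the RAM evaluation engine) models the policy above in a simplified way to show what the note means: the source-IP restriction guards only the ecs:* actions in this policy, so an action granted by a different policy without a Condition is still allowed from any address. Assumptions: the function names, the second OSS policy and the sample addresses are constructed for illustration, and the sketch handles only Allow statements and the IpAddress operator (explicit Deny is not modeled).

```python
import fnmatch
import ipaddress

# The policy from this page.
ECS_POLICY = {
    "Statement": [{
        "Action": "ecs:*",
        "Effect": "Allow",
        "Resource": "*",
        "Condition": {"IpAddress": {"acs:SourceIp": "192.168.0.0/16"}},
    }],
    "Version": "1",
}
# Constructed second policy with no Condition, attached to the same user.
OSS_POLICY = {
    "Statement": [{"Action": "oss:GetObject", "Effect": "Allow", "Resource": "*"}],
    "Version": "1",
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def ip_condition_met(condition, source_ip):
    """True if source_ip falls in a CIDR block listed under IpAddress/acs:SourceIp.
    Any other operator is unsupported in this sketch and evaluates to False."""
    cidrs = _as_list(condition.get("IpAddress", {}).get("acs:SourceIp", []))
    addr = ipaddress.ip_address(source_ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)

def is_allowed(policies, action, source_ip):
    """Simplified model: allow if any Allow statement matches the action and
    its own Condition (if present) holds; everything else is an implicit deny."""
    for policy in policies:
        for stmt in policy["Statement"]:
            if stmt.get("Effect") != "Allow":
                continue
            if not any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt["Action"])):
                continue
            if "Condition" not in stmt or ip_condition_met(stmt["Condition"], source_ip):
                return True
    return False

if __name__ == "__main__":
    attached = [ECS_POLICY, OSS_POLICY]
    for action, ip in [
        ("ecs:DescribeInstances", "192.168.10.25"),  # inside the CIDR block
        ("ecs:DescribeInstances", "203.0.113.7"),    # outside the CIDR block
        ("oss:GetObject", "203.0.113.7"),            # other policy, no IP condition
    ]:
        verdict = "Allow" if is_allowed(attached, action, ip) else "Deny"
        print(f"{action:22} from {ip:14} -> {verdict}")
```

When auditing a RAM user, review every attached policy: an IP restriction in one policy does not limit actions that another policy allows unconditionally.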