This topic describes how to configure IP addresses that are authorized to access MaxCompute over the Internet or a Virtual Private Cloud (VPC).

Prerequisites

Only the project owner and users assigned the Super_Administrator role have permission to perform this operation.

Background information

MaxCompute uses multiple levels of access control. For example, under the multi-tenant data security system and the security authentication mechanism of a project, only users who have acquired the AccessKey ID and AccessKey secret can pass authentication, and they can access and compute data only within the permissions granted to them. In addition to access authentication, MaxCompute allows you to configure an IP address whitelist for access control. After a whitelist is configured, only the IP addresses in the whitelist are allowed to access MaxCompute. If you access MaxCompute from an IP address that is not in the whitelist, your access request is denied even if you have an authorized AccessKey ID and AccessKey secret. Set odps.security.ip.whitelist to configure the whitelist for access over the Internet, and odps.security.vpc.whitelist to configure the whitelist for access over a VPC.
MaxCompute only supports project-level IP address whitelists. The following IP address formats are supported:
  • Separate IP addresses, for example, 101.132.236.134 and FE80:0202:B3FF:FE1E:8329
  • CIDR blocks, for example, 100.116.0.0/16 and FE80:0101:4567:F456:0202:B3FF:1111:1111/126
  • IP addresses with subnet masks, for example, 101.132.236.134-101.132.236.144 and FE80:0101:4567:F456:0202:B3FF:FE1E:8330-FE80:0101:4567:F456:0202:B3FF:FE1E:8331

Configure an IP address whitelist to access MaxCompute over the Internet

To configure an IP address whitelist to access MaxCompute over the Internet, follow these steps:

  1. Obtain the IP address you want to add to the whitelist.
    • If you use a MaxCompute client to access project data, obtain the IP address of the local client.
    • If you use an application system to access project data, obtain the IP address of the server on which the application system is deployed.
    • The IP address you use to log on to DataWorks is in the whitelist by default. Therefore, if you use DataWorks to submit MaxCompute jobs, you do not need to configure an IP address whitelist.
    • If you use a proxy server to access MaxCompute, obtain the IP address of the server. If you use proxy servers of multiple hops to access MaxCompute, obtain the IP address of the last-hop proxy server.
    • If you access MaxCompute from an ECS instance, obtain the NAT IP address.
  2. Configure the IP address whitelist. Specifically, log on to the MaxCompute client and run the required command to add the IP address to a whitelist. For example, if you want to add 101.132.236.134, run the following command:
    setproject odps.security.ip.whitelist=101.132.236.134;

    MaxCompute allows you to add IP addresses of three different formats in one command. The IP addresses need to be separated with commas (,).

    setproject odps.security.ip.whitelist=101.132.236.134,100.116.0.0/16,101.132.236.134-101.132.236.144;
    Note
    • The whitelist takes effect five minutes after it is configured.
    • When you configure a whitelist, include the IP address of the client that you are currently using. Otherwise, your own access requests will be denied. If you are locked out of MaxCompute because of a misconfiguration, submit a ticket to Alibaba Cloud for technical support.
  3. Check whether the IP address is added to the whitelist. Specifically, run the following command to check the value after the equal sign (=) in odps.security.ip.whitelist= in the command output:
     setproject;

    If it is empty, the IP address is not added to the whitelist.

  4. Run the following command to clear the IP address whitelist if you no longer need it:
    setproject odps.security.ip.whitelist=; 

    If a whitelist for a project is cleared, the whitelist feature is disabled for the project in MaxCompute.

Configure an IP address whitelist to access MaxCompute over a VPC

To configure an IP address whitelist to access MaxCompute over a VPC, follow these steps:

  1. Obtain the region ID based on the following table.
    Region                                       Region ID
    China (Zhangjiakou-Beijing Winter Olympics)  cn-zhangjiakou
    China (Beijing)                              cn-beijing
    China (Shenzhen)                             cn-shenzhen
    China (Chengdu)                              cn-chengdu
    China (Shanghai)                             cn-shanghai
    China (Hangzhou)                             cn-hangzhou
    Shanghai Tower                               cn
    China (Hong Kong)                            cn-hongkong
    Singapore (Singapore)                        ap-southeast-1
    Australia (Sydney)                           ap-southeast-2
    Malaysia (Kuala Lumpur)                      ap-southeast-3
    Indonesia (Jakarta)                          ap-southeast-5
    Japan (Tokyo)                                ap-northeast-1
    Germany (Frankfurt)                          eu-central-1
    US (Silicon Valley)                          us-west-1
    US (Virginia)                                us-east-1
    India (Mumbai)                               ap-south-1
    UAE (Dubai)                                  me-east-1
    UK (London)                                  eu-west-1
  2. Obtain the VPC ID.
    • If this is the first time you configure a VPC IP address, log on to the MaxCompute client and run the following command to obtain the VPC ID:
      whoami;

      The following information is returned.

      VPC ID
      Note This command can be used only if the version of the MaxCompute client is V0.31.2 or later.
    • If you want to add a VPC IP address to an established whitelist, obtain the region and region ID from the error message returned when you use the IP address to access MaxCompute for the first time. An error message is returned because the new IP address is not authorized.
  3. Run the following command to configure the whitelist:
    setproject odps.security.vpc.whitelist=cn-beijing_125179[192.168.10.102,192.168.0.10];

    In this command, cn-beijing is the ID of the region where the user is located, 125179 is the VPC ID, and 192.168.10.102 and 192.168.0.10 are private IP addresses in the VPC.

    MaxCompute allows you to add IP addresses of different formats in one command. The IP addresses must be separated with commas (,).
    setproject odps.security.vpc.whitelist=cn-beijing_125179[192.168.10.102,192.168.0.10],cn-chengdu_461230[172.16.1.100,172.16.30.200];
    Note
    • The whitelist takes effect five minutes after it is configured.
    • When you configure a whitelist, include the IP address of the client that you are currently using. Otherwise, your own access requests will be denied. If you are locked out of MaxCompute because of a misconfiguration, submit a ticket to Alibaba Cloud for technical support.
  4. Check whether the IP address is added to the whitelist. Specifically, run the following command to check the value after the equal sign (=) in odps.security.vpc.whitelist= in the command output:
     setproject;

    If it is empty, the IP address is not added to the whitelist.

  5. Run the following command to clear the IP address whitelist if you no longer need it:
    setproject odps.security.vpc.whitelist=;

    If a whitelist for a project is cleared, the whitelist feature is disabled for the project in MaxCompute.
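
The following pre-flight check is an added example, not part of the original documentation or of any MaxCompute tooling. It parses a value intended for odps.security.ip.whitelist or odps.security.vpc.whitelist in the formats shown above (single address, CIDR block, hyphenated range, and region_vpcid[...] groups) and reports whether the client that will run setproject is still covered, which is the lockout case both Notes warn about. The function names and the client IPs in the demo are constructed for illustration; how MaxCompute itself normalizes entries is assumed to match Python's ipaddress module.

```python
import ipaddress
import re

def parse_entry(entry):
    """Return the (first, last) address covered by one whitelist entry."""
    entry = entry.strip()
    if "/" in entry:  # CIDR block; strict=False accepts host bits, as in the page's /126 example
        net = ipaddress.ip_network(entry, strict=False)
        return net.network_address, net.broadcast_address
    if "-" in entry:  # start-end range
        lo, hi = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
        if lo.version != hi.version or lo > hi:
            raise ValueError(f"invalid range: {entry}")
        return lo, hi
    addr = ipaddress.ip_address(entry)  # single address
    return addr, addr

def parse_ip_whitelist(value):
    """Parse a comma-separated odps.security.ip.whitelist value."""
    return [parse_entry(e) for e in value.split(",") if e.strip()]

# <region ID>_<VPC ID>[<ip>,<ip>,...], following the setproject example on this page
VPC_GROUP = re.compile(r"([a-z0-9-]+)_([^\[\],]+)\[([^\[\]]*)\]")

def parse_vpc_whitelist(value):
    """Parse odps.security.vpc.whitelist into {(region_id, vpc_id): ranges}."""
    if VPC_GROUP.sub("", value).strip(", "):
        raise ValueError(f"malformed VPC whitelist: {value}")
    return {(region, vpc): parse_ip_whitelist(ips)
            for region, vpc, ips in VPC_GROUP.findall(value)}

def covers(ranges, client_ip):
    """True if client_ip falls inside any parsed (first, last) range."""
    ip = ipaddress.ip_address(client_ip)
    return any(lo.version == ip.version and lo <= ip <= hi for lo, hi in ranges)

def safe_to_apply(value, client_ip):
    """Pre-flight check: an empty value disables the whitelist, otherwise
    the client that runs setproject must itself be covered."""
    return not value.strip() or covers(parse_ip_whitelist(value), client_ip)

if __name__ == "__main__":
    new_value = "101.132.236.134,100.116.0.0/16,101.132.236.134-101.132.236.144"
    for ip in ("101.132.236.140", "100.116.5.9", "101.132.236.145"):  # constructed client IPs
        print(ip, "covered" if safe_to_apply(new_value, ip) else "WOULD BE LOCKED OUT")
```

Run the check against the exact string you are about to pass to setproject, because the new value replaces the existing whitelist and takes effect after five minutes.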