This topic describes how to configure IP address whitelists to authorize access to MaxCompute projects over the classic network or a virtual private cloud (VPC). Only the project owner and the Super_Administrator role have the permissions to perform this operation.

Prerequisites

  • The MaxCompute client is installed. For more information, see Install and configure the MaxCompute client.
  • The following information is obtained:
    • IP address whitelist for the classic network

      You must add the IP addresses of all the devices that are used to access MaxCompute projects to the whitelist. Then, you can access the projects from these devices.

      • If you use the MaxCompute client to access a project, obtain the IP address of the device on which the MaxCompute client is deployed.
      • If you use an application system to access a project, obtain the IP address of the server on which the application system is deployed.
      • If you use DataWorks to submit MaxCompute jobs, you do not need to obtain the IP address of the device where DataWorks is deployed. By default, the IP address is in the whitelist.
      • If you use a proxy server to access a project, obtain the IP address of the server. If you use multi-hop proxy servers to access a project, obtain the IP address of the last-hop proxy server.
      • If you access MaxCompute from an ECS instance, obtain the network address translation (NAT) IP address. For more information about NAT IP addresses, see Elastic IP Addresses.
    • Region ID, VPC ID, and IP address whitelist for a VPC

      For more information about region IDs and VPC IDs, see Obtain the region ID and VPC ID of a VPC. You must add the internal IP addresses of devices in the VPC to the whitelist so that these devices can be used to access MaxCompute projects.

Background information

Multiple levels of access control, such as the multi-tenant model and the security authentication mechanism, are used to ensure secure access to MaxCompute. Only after you obtain an authorized AccessKey pair can you pass authentication and then access and compute data based on the granted permissions.

MaxCompute also allows you to configure an IP address whitelist to control access requests. After a whitelist is configured, only the IP addresses in the whitelist are authorized to access MaxCompute projects. If you access MaxCompute projects from an IP address that is not in the whitelist, your access request is denied even if you have a valid AccessKey pair.

The odps.security.ip.whitelist parameter specifies the IP address whitelist for the classic network. The odps.security.vpc.whitelist parameter specifies the IP address whitelist for a VPC.

MaxCompute supports only project-level IP address whitelists. You can specify IP addresses in the following formats:
  • Single IPv4 or IPv6 addresses. Example: 192.168.0.0 or 2001:db8::.
  • CIDR blocks (IP addresses with a subnet mask length). Example: 172.12.0.0/16 or 2001:db8::/32.
  • IP address ranges written as start-end. Example: 192.168.10.0-192.168.255.255 or 2001:db8:1:1:1:1:1:1-2001:db8:4:4:4:4:4:4.

Configure an IP address whitelist

Start the MaxCompute client and run one of the following commands to add the required IP addresses to a whitelist.
  • If you configure an IP address whitelist only for the classic network, access requests over the classic network are limited, and access requests over a VPC are denied. Configuration command:
    setproject odps.security.ip.whitelist=192.168.0.0 odps.security.vpc.whitelist=\N;
    When you configure an IP address whitelist for the classic network, add the IP address of the device on which the MaxCompute client is installed to the whitelist. Otherwise, your own access requests are denied as soon as the whitelist takes effect.
  • If you configure an IP address whitelist only for a VPC, access requests over the VPC are limited, and access requests over the classic network are denied. Configuration command:
    setproject odps.security.ip.whitelist=\N odps.security.vpc.whitelist=cn-beijing_125179[192.168.0.10,192.168.0.20];
  • If you configure IP address whitelists for both the classic network and a VPC, access requests over the classic network and VPC are limited. Configuration command:
    setproject odps.security.ip.whitelist=192.168.0.0 odps.security.vpc.whitelist=cn-beijing_125179[192.168.0.10,192.168.0.20];
Note
  • An IP address whitelist takes effect 5 minutes after it is configured.
  • If your access requests are denied due to misoperations, submit a ticket to Alibaba Cloud for technical support.
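Because a whitelist that omits the client's own address locks that client out, it helps to parse and check a value before running setproject. The following added example (not part of the MaxCompute client or this page) parses the three entry formats listed above plus the region_vpcid[ip,...] shape of the VPC value, as inferred from the page's examples, and tests whether a given client IP would be admitted; all sample values are constructed.

```python
import ipaddress
import re

# Constructed sample values in the formats this page lists (not taken from a real project).
CLASSIC_WHITELIST = "192.168.0.0,172.12.0.0/16,192.168.10.0-192.168.255.255,2001:db8::/32"
VPC_WHITELIST = "cn-beijing_125179[192.168.0.10,192.168.0.20]"

# Assumed shape of the VPC value, inferred from the page's examples: <region>_<vpcid>[ip,ip,...]
_VPC_RE = re.compile(r"^(?P<region>[a-z0-9-]+)_(?P<vpc>[\w-]+)\[(?P<ips>[^\]]*)\]$")


def parse_entry(entry):
    """Turn one whitelist entry into a predicate over ipaddress objects."""
    entry = entry.strip()
    if "-" in entry:  # range form lo-hi; IPv4 and IPv6 literals never contain '-'
        lo, hi = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
        if lo.version != hi.version or lo > hi:
            raise ValueError(f"bad range: {entry}")
        return lambda ip: ip.version == lo.version and lo <= ip <= hi
    # single address or CIDR block; strict=False tolerates host bits such as 172.12.0.1/16
    net = ipaddress.ip_network(entry, strict=False)
    return lambda ip: ip in net  # False for an address of the other IP version


def parse_whitelist(value):
    """Parse a comma-separated list; '' and \\N both mean 'not configured' (no entries)."""
    value = value.strip()
    if value in ("", r"\N"):
        return []
    return [parse_entry(e) for e in value.split(",") if e.strip()]


def parse_vpc_whitelist(value):
    """Split an odps.security.vpc.whitelist value into (region_id, vpc_id, matchers)."""
    m = _VPC_RE.match(value.strip())
    if not m:
        raise ValueError("expected <region>_<vpcid>[ip,...]")
    return m["region"], m["vpc"], parse_whitelist(m["ips"])


def is_allowed(matchers, client_ip):
    """True if client_ip matches any entry; an unconfigured list admits nothing."""
    ip = ipaddress.ip_address(client_ip)
    return any(match(ip) for match in matchers)


def lockout_risk(value, own_ip):
    """Pre-flight check: would the value about to be set exclude the client running setproject?"""
    return not is_allowed(parse_whitelist(value), own_ip)
```

Run lockout_risk with the value you intend to set and the address of the device the client runs on (the NAT address for an ECS instance, the last-hop address behind a proxy) before issuing setproject.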

View an IP address whitelist

You can run the setproject; command to view IP address whitelists. The values of the odps.security.ip.whitelist and odps.security.vpc.whitelist parameters indicate the IP addresses in the whitelists. If the odps.security.ip.whitelist or odps.security.vpc.whitelist parameter is left empty, the whitelist that corresponds to the empty parameter is not configured.
setproject;
The following information is returned:
odps.security.ip.whitelist=192.168.0.0
odps.security.vpc.whitelist=cn-beijing_125179[192.168.0.10,192.168.0.20]

Modify an IP address whitelist

You can run the setproject command to modify an IP address whitelist. After the whitelist is modified, the original IP address whitelist becomes invalid. The system controls access requests based on the new IP address whitelist.
  • Modify the configuration of an IP address whitelist for the classic network.
    setproject odps.security.ip.whitelist=192.168.0.10;
  • Modify the configuration of an IP address whitelist for a VPC.
    setproject odps.security.vpc.whitelist=cn-beijing_125179[192.168.10.10,192.168.0.20];

Disable the IP address whitelist feature

Run the following command to disable the IP address whitelist feature. If this feature is disabled, access requests over the classic network and VPC are not limited.
setproject odps.security.ip.whitelist= odps.security.vpc.whitelist= ;
Note To disable the feature, you must leave the IP address whitelists for both the classic network and VPC empty.

Obtain the region ID and VPC ID of a VPC

The following table lists the region IDs of VPCs.

Region Region ID
China (Zhangjiakou) cn-zhangjiakou
China (Beijing) cn-beijing
China (Shenzhen) cn-shenzhen
China (Chengdu) cn-chengdu
China (Shanghai) cn-shanghai
China (Hangzhou) cn-hangzhou
Shanghai Tower cn
China (Hong Kong) cn-hongkong
Singapore (Singapore) ap-southeast-1
Australia (Sydney) ap-southeast-2
Malaysia (Kuala Lumpur) ap-southeast-3
Indonesia (Jakarta) ap-southeast-5
Japan (Tokyo) ap-northeast-1
Germany (Frankfurt) eu-central-1
US (Silicon Valley) us-west-1
US (Virginia) us-east-1
India (Mumbai) ap-south-1
UAE (Dubai) me-east-1
UK (London) eu-west-1
You can use one of the following methods to obtain a VPC ID:
  • If this is the first time you configure an IP address whitelist for a VPC, log on to the MaxCompute client and run the following command to obtain the VPC ID:
    whoami;

    The following information is returned:

    VPC ID
    Note This command can be used only if the version of the MaxCompute client is V0.31.2 or later.
  • If you want to add an IP address to an established whitelist for a VPC, obtain the region ID from the error message that is returned when you use the new IP address to access MaxCompute for the first time. The error message is returned because the new IP address is not yet authorized.