Public network connectivity for DLF now available - Data Lake Formation

Starting February 5, 2026, Data Lake Formation (DLF) supports public network access via the Paimon REST Catalog API. This feature is currently in public preview.

Public network access lets you connect to DLF from outside an Alibaba Cloud Virtual Private Cloud (VPC) — for example, from a local development machine, an on-premises cluster, or a cross-cloud client.

Prerequisites

Before you begin, ensure that you have:

A supported Apache Paimon client version (see Client version requirements)
A DLF administrator account, or access to an administrator who can enable public network access on the target catalog

Client version requirements

Use one of the following Paimon client versions:

Client	Minimum version
Paimon Java 1.4-SNAPSHOT	Built on or after January 30, 2026
PyPaimon	Built on or after February 10, 2026
Paimon Java/Python 1.4	Or later (upcoming release)

Enable public network access

Public network access is disabled by default for security reasons. A DLF administrator must enable it for each catalog:

Log on to the DLF console and go to Catalogs.
Click the target catalog, then select the Catalog Configuration tab.
Under Advanced Settings, set enable.openapi to true.

Connect to DLF over the public network

The following examples show how to configure a Paimon client to connect to DLF over the public network. Both examples require a DLF OpenAPI public endpoint and an Object Storage Service (OSS) public endpoint.

Important

The uri parameter must be a DLF public endpoint (for example, https://dlfnext.cn-hangzhou.aliyuncs.com). Do not use a VPC endpoint. For regional public endpoints, see Endpoint.

Java

Add the paimon-rest-client dependency to your project, then configure the catalog:

Options options = new Options();
// DLF public endpoint — replace with the endpoint for your region
options.set("uri", "https://dlfnext.cn-hangzhou.aliyuncs.com");
// Name of your DLF data catalog
options.set("warehouse", "paimon_test");
options.set("dlf.region", "cn-hangzhou");
options.set("dlf.access-key-id", "<your-access-key-id>");
options.set("dlf.access-key-secret", "<your-access-key-secret>");
// OSS public endpoint — must match the region of your OSS bucket
options.set("dlf.oss-endpoint", "oss-cn-hangzhou.aliyuncs.com");
options.set("token.provider", "dlf");

Catalog restCatalog = new RESTCatalog(CatalogContext.create(options));

Replace the following placeholders:

Placeholder	What to use
`<your-access-key-id>`	AccessKey ID of your Alibaba Cloud account or RAM user (for example, `LTAI5tXxx`)
`<your-access-key-secret>`	AccessKey secret of your Alibaba Cloud account or RAM user

Configuration reference:

Parameter	Description	Example
`uri`	DLF OpenAPI public endpoint. See Endpoint for regional values.	`https://dlfnext.cn-hangzhou.aliyuncs.com`
`warehouse`	Name of the DLF data catalog.	`paimon_test`
`dlf.region`	Region ID where DLF is deployed.	`cn-hangzhou`
`dlf.access-key-id`	AccessKey ID of your Alibaba Cloud account or RAM user.	—
`dlf.access-key-secret`	AccessKey secret of your Alibaba Cloud account or RAM user.	—
`dlf.oss-endpoint`	OSS public endpoint. See Regions and endpoints for regional values.	`oss-cn-hangzhou.aliyuncs.com`
`token.provider`	Authentication provider. Always set to `dlf`.	`dlf`

Python

Install PyPaimon (built on or after February 10, 2026):

pip install pypaimon

Then configure the catalog:

from pypaimon import CatalogFactory

options = {
    # Python clients must set metastore to rest
    'metastore': 'rest',
    # DLF public endpoint — replace with the endpoint for your region
    'uri': 'https://dlfnext.cn-hangzhou.aliyuncs.com',
    # Name of your DLF data catalog
    'warehouse': 'paimon_test',
    'dlf.region': 'cn-hangzhou',
    'dlf.access-key-id': '<your-access-key-id>',
    'dlf.access-key-secret': '<your-access-key-secret>',
    # Include dlf.security-token only if using STS temporary credentials
    # 'dlf.security-token': '<your-sts-token>',
    # OSS public endpoint — must match the region of your OSS bucket
    'dlf.oss-endpoint': 'oss-cn-hangzhou.aliyuncs.com',
    'token.provider': 'dlf',
}

rest_catalog = CatalogFactory.create(options)

Replace the following placeholders:

Placeholder	What to use
`<your-access-key-id>`	AccessKey ID of your Alibaba Cloud account or RAM user (for example, `LTAI5tXxx`)
`<your-access-key-secret>`	AccessKey secret of your Alibaba Cloud account or RAM user
`<your-sts-token>`	STS (Security Token Service) token. Required only when using temporary credentials instead of long-term AccessKeys.

Python-specific parameters:

Parameter	Description	Example
`metastore`	Metastore type. Always set to `rest` for Python clients.	`rest`
`dlf.security-token`	STS token. Omit if using long-term AccessKeys.	—

The remaining parameters (uri, warehouse, dlf.region, dlf.access-key-id, dlf.access-key-secret, dlf.oss-endpoint, token.provider) are identical to the Java configuration. See the Java configuration reference above for descriptions.

Limitations

SLA: No SLA is provided during public preview. Core service functionality remains fully available.
Performance: Throughput (QPS) and response latency depend on Internet connectivity. Public network access has lower QPS and higher latency than VPC internal access. This access method is not suitable for large-scale, high-concurrency production workloads.

Billing

This feature is free during the public preview period. Pricing after public preview will be announced separately.