
Data Lake Formation: Trusted VPC configuration

Last Updated: Mar 26, 2026

Data Lake Formation (DLF) restricts REST API access by maintaining a trusted list of Virtual Private Clouds (VPCs). Only requests from VPCs on the trusted list are allowed; all others are rejected.

Default behavior: When you first enable DLF, the system automatically adds all existing VPCs for your Alibaba Cloud account in the current region to the Region-level trusted list.

How it works

DLF evaluates trusted VPCs at two levels:

| Level | Scope |
| --- | --- |
| Region level | Applies to all Catalogs in the region |
| Catalog level | Applies to a single Catalog |

During authentication, DLF merges the trusted VPC lists from both levels. A request is allowed if its source VPC appears in either list.

If the source VPC is not in either list, DLF rejects the request and returns:

Source vpc vpc-xxxxxx is not trusted, please add this vpc to trusted list on the dlf console.

Choose a configuration level

| Goal | Configuration |
| --- | --- |
| Allow a VPC to access all Catalogs in the region | Add the VPC at the Region level |
| Restrict a VPC to a specific Catalog only | Remove the VPC from the Region level, then add it at the Catalog level |

Configure Region-level trusted VPCs

Region-level configuration applies to all Catalogs in the current region. For fine-grained control over VPC access permissions, you can manually add or delete trusted VPCs.

  1. Log on to the Data Lake Formation console.

  2. In the navigation pane on the left, click System and Security > System Security > Add VPC ID.

  3. In the dialog box, select one or more VPCs to trust, and then click OK.

Configure Catalog-level trusted VPCs

Catalog-level configuration applies only to the target Catalog.

Important

To restrict a VPC to a specific Catalog only, first remove it from the Region-level trusted list. Otherwise, the VPC retains access to all Catalogs through the Region-level list.

  1. Log on to the Data Lake Formation console.

  2. In the navigation pane on the left, click Data Catalog.

  3. Find the target Catalog, click its name to open the details page, and then click the Catalog Configuration tab.

  4. Add the following configuration item:

    | Field | Value |
    | --- | --- |
    | Key | catalog.rest.api.trusted.vpcs |
    | Value | Comma-separated VPC IDs, for example: vpc-1,vpc-2 |

  5. Save the configuration.
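
The following added example (not part of the DLF documentation and not DLF code) models the merge rule from "How it works" and audits for the case in the Important note above: a VPC listed at the Catalog level that was never removed from the Region-level list. The function names, VPC IDs, and Catalog names are assumptions made for illustration; only the key `catalog.rest.api.trusted.vpcs` comes from this page.

```python
# Added example: a local model of the merge rule described on this page.
# It is not DLF code and calls no DLF API. All VPC IDs and Catalog names
# are constructed sample values.
CATALOG_KEY = "catalog.rest.api.trusted.vpcs"  # configuration key from this page


def parse_vpc_list(value):
    """Split the comma-separated Value field into a set of VPC IDs.
    Trimming whitespace is a choice of this model, not documented DLF behavior."""
    return {item.strip() for item in (value or "").split(",") if item.strip()}


def is_trusted(source_vpc, region_vpcs, catalog_config):
    """Allowed if the source VPC is in either list (union of both levels)."""
    catalog_vpcs = parse_vpc_list(catalog_config.get(CATALOG_KEY))
    return source_vpc in (set(region_vpcs) | catalog_vpcs)


def audit_overbroad(region_vpcs, catalogs):
    """Find VPCs listed at Catalog level that are still in the Region-level list.
    Returns {vpc: [other Catalogs it reaches through the Region-level list]}."""
    listed_on = {}  # vpc -> Catalogs that name it at Catalog level
    for name, config in catalogs.items():
        for vpc in parse_vpc_list(config.get(CATALOG_KEY)):
            listed_on.setdefault(vpc, set()).add(name)
    findings = {}
    for vpc, intended in listed_on.items():
        extra = sorted(set(catalogs) - intended)
        if vpc in set(region_vpcs) and extra:
            findings[vpc] = extra
    return findings


# Constructed sample state: vpc-etl was meant for "sales" only but was never
# removed from the Region-level list.
REGION_VPCS = {"vpc-shared", "vpc-etl"}
CATALOGS = {
    "sales": {CATALOG_KEY: "vpc-etl,vpc-bi"},
    "hr": {CATALOG_KEY: "vpc-hr"},
    "logs": {},
}

if __name__ == "__main__":
    for vpc, extra in audit_overbroad(REGION_VPCS, CATALOGS).items():
        print(f"{vpc}: remove from Region level; it also reaches {', '.join(extra)}")
```

The audit treats a Catalog-level entry as a sign that the VPC was meant to be restricted, which is a heuristic; a VPC listed at both levels may also be a harmless redundancy.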