This topic describes network access types and how to configure them for a secure and efficient network environment.
Network access types
StarRocks supports VPC access and public access.
- VPC access: Lets you access a StarRocks instance from its local VPC or other VPCs.
- Public access: Lets you access a StarRocks instance over the internet. When public access is enabled, you can still access the instance from its VPC.

Important:
- Public access for StarRocks uses Alibaba Cloud Classic Load Balancer (CLB). The resulting network costs are billed according to the CLB Billing Overview.
- When you enable public access for a StarRocks instance, multiple Classic Load Balancer (CLB) instances are automatically created in your Alibaba Cloud account. These instances have deletion protection enabled and cannot be deleted.
- By default, enabling public access allows connections from any public IP address. You must configure an access control whitelist to secure your instance.
Network access settings
By default, new StarRocks instances use an internal endpoint only. If you need public access, enable it for the appropriate nodes on the Instance Details page:
- Frontend node (FE): On the Instance Details page, in the Gateway Information section, click Enable Access over Internet.
- Backend (BE) or Compute Node (CN): On the Computing Group page, click Manage in the Actions column for the target warehouse, and then click Enable Access over Internet.
Endpoint types
There are two types of endpoints:
- Internal endpoint (supports access within the same VPC and across vSwitches)
  - The format for an FE internal endpoint is: fe-{srClusterId}-internal.starrocks.aliyuncs.com:{port}
  - The format for a BE internal endpoint is: be-{srClusterId}-internal.starrocks.aliyuncs.com:{port}

  Note: External clients connect to the Server Load Balancer (SLB) endpoint, not directly to service instances. The SLB instance then distributes requests to provide load balancing.
- Public endpoint
  - The format for an FE public endpoint is: fe-{srClusterId}.starrocks.aliyuncs.com:{port}
  - The format for a BE public endpoint is: be-{srClusterId}.starrocks.aliyuncs.com:{port}

In these formats:
- {srClusterId}: The ID of the StarRocks instance.
- {port}: The service port number. For FEs, the query port is 9030 and the HTTP port is 8030. For BEs, the HTTP port is 8040.
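The endpoint formats above make it possible to tell, from a connection string alone, whether a client reaches the instance over the internet or stays inside the VPC. The following Python is an added example, not part of the StarRocks or Alibaba Cloud documentation: it composes endpoints from the documented templates and ports, parses them back, and reports which targets in a list of client connection strings use the public endpoint or a port the page does not list for that node role. The cluster ID `sr-abc123` and the `audit_targets` function name are made up for illustration.

```python
import re
from typing import Iterable, List, NamedTuple, Optional

DOMAIN = "starrocks.aliyuncs.com"

# Service ports as stated on the page, keyed by (node role, service).
SERVICE_PORTS = {
    ("fe", "query"): 9030,
    ("fe", "http"): 8030,
    ("be", "http"): 8040,
}

# Matches fe-{srClusterId}[-internal].starrocks.aliyuncs.com:{port} (and be-...).
# The non-greedy cluster_id lets the optional "-internal" label be recognised.
_ENDPOINT_RE = re.compile(
    r"^(?P<role>fe|be)-(?P<cluster_id>[A-Za-z0-9-]+?)(?P<internal>-internal)?"
    r"\." + re.escape(DOMAIN) + r":(?P<port>\d+)$"
)


class Endpoint(NamedTuple):
    role: str        # "fe" or "be"
    cluster_id: str
    public: bool     # True when the hostname lacks the "-internal" label
    port: int


def build_endpoint(cluster_id: str, role: str, service: str, public: bool = False) -> str:
    """Compose the endpoint for a node role and service. Raises KeyError for
    combinations the page does not define (for example a BE query port)."""
    port = SERVICE_PORTS[(role, service)]
    suffix = "" if public else "-internal"
    return f"{role}-{cluster_id}{suffix}.{DOMAIN}:{port}"


def parse_endpoint(text: str) -> Optional[Endpoint]:
    """Parse an endpoint string; returns None if it is not a StarRocks endpoint."""
    m = _ENDPOINT_RE.match(text.strip())
    if not m:
        return None
    return Endpoint(m["role"], m["cluster_id"], m["internal"] is None, int(m["port"]))


def audit_targets(targets: Iterable[str]) -> List[str]:
    """Report connection targets that cross the internet, or that use a port the
    page does not list for the node role. Intended for reviewing client
    configurations before tightening or disabling public access (hypothetical
    helper, not an Alibaba Cloud API)."""
    expected = {}
    for (role, _service), port in SERVICE_PORTS.items():
        expected.setdefault(role, set()).add(port)
    report = []
    for target in targets:
        ep = parse_endpoint(target)
        if ep is None:
            report.append(f"{target}: not a StarRocks endpoint")
            continue
        if ep.public:
            report.append(f"{target}: public endpoint of instance {ep.cluster_id}")
        if ep.port not in expected[ep.role]:
            report.append(f"{target}: port {ep.port} is not a documented {ep.role.upper()} port")
    return report


if __name__ == "__main__":
    # Constructed sample: one internal FE target, one public FE target, one BE
    # target on an FE port, and one host that is not StarRocks at all.
    sample = [
        build_endpoint("sr-abc123", "fe", "query"),
        build_endpoint("sr-abc123", "fe", "query", public=True),
        "be-sr-abc123-internal.starrocks.aliyuncs.com:9030",
        "db.example.com:3306",
    ]
    for line in audit_targets(sample):
        print(line)
```

Run it against the JDBC URLs or hostnames harvested from your clients' configuration; any line reported as a public endpoint is a client that will break once you disable Access over Internet, and a client you may want to move to the internal endpoint first.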
Network security settings
To protect your data, restrict access to your StarRocks instance by configuring network security whitelists. Network security settings consist of a security group whitelist for VPC access and an access control policy whitelist for public access.
To prevent security risks from external attacks, do not set the Authorization Object (the source address range a rule admits) to 0.0.0.0/0, which allows every address and is equivalent to having no whitelist at all.
Public access control policy whitelist
- In the Gateway Information section on the Instance Details page of the target instance (for FEs), or on the Manage Warehouse page of the target warehouse (for BEs or CNs), click Enable Access over Internet next to Public Endpoint.
- Click Public IP Address Whitelist next to the Public Endpoint.
- On the Classic Load Balancer (CLB) Access Control page, click Add Entry to add access restriction rules. For more information, see Access Control for CLB.
VPC access security group whitelist
On the Instance Details page for the target instance, in the Gateway Information section, check the Network Type to see whether a Server Load Balancer (SLB) is enabled.

Important: If your instance switches from PrivateZone to SLB access, the existing security group VPC whitelist no longer takes effect. After SLB is enabled, VPC access is forwarded through the SLB, and security group whitelists cannot restrict traffic routed through the SLB. You must manually migrate the entries from the security group VPC whitelist to the CLB access control so that your VPC access security policy remains effective.

- If the Network Type is SLB, the instance uses a Server Load Balancer (SLB). On the Instance Details page, in the Gateway Information section, click View SLB to go to the SLB console and configure access control settings. For details, see Access Control for CLB.
- If the Network Type is PrivateZone, the instance does not use an SLB, and the security group whitelist applies:
  - On the Instance Details page, in the Security Configuration section, click Whitelist next to the Security Group ID.
  - In the Configure Whitelist panel, modify the default whitelist group, or click Add Whitelist and enter a name and the IP addresses or CIDR blocks.
  - Click OK.
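Whether the entries end up in a security group whitelist or in CLB access control, the same mistakes recur: an allow-any rule such as 0.0.0.0/0 or ::/0, a host address written with a prefix so the console silently widens it to the whole subnet, ranges far broader than the clients that actually need access, and entries that overlap and hide each other. The following Python is an added example, not part of the StarRocks or Alibaba Cloud documentation: it audits a list of whitelist entries offline before you paste them into either console. The "broad range" thresholds (wider than an IPv4 /24 or shorter than an IPv6 /64) and the sample addresses are assumptions chosen for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List

# Assumptions, not values from the page: anything wider than a /24 (IPv4) or
# shorter than a /64 (IPv6) is flagged as unusually broad for a client list.
MAX_IPV4_ADDRESSES = 256
MIN_IPV6_PREFIXLEN = 64


@dataclass(frozen=True)
class Finding:
    entry: str
    severity: str   # "error" must be fixed; "warning" and "info" need review
    reason: str


def _parse(entry: str):
    """Return (network, host_bits_set). Raises ValueError for garbage."""
    try:
        return ipaddress.ip_network(entry, strict=True), False
    except ValueError:
        # Either invalid, or a host address with a prefix (e.g. 10.1.2.3/24);
        # strict=False masks the host bits, which lets us tell the two apart.
        return ipaddress.ip_network(entry, strict=False), True


def audit_whitelist(entries: Iterable[str]) -> List[Finding]:
    """Check whitelist entries (IP addresses or CIDR blocks, one per item;
    blank lines and '#' comments are skipped) and return the findings."""
    findings: List[Finding] = []
    accepted = []   # networks already admitted, for overlap checks
    for raw in entries:
        entry = raw.strip()
        if not entry or entry.startswith("#"):
            continue
        try:
            net, masked = _parse(entry)
        except ValueError:
            findings.append(Finding(entry, "error", "not an IP address or CIDR block"))
            continue
        if masked:
            findings.append(Finding(entry, "warning",
                                    f"host bits set; would be applied as {net.with_prefixlen}"))
        if net.prefixlen == 0:
            # The page's explicit prohibition: 0.0.0.0/0 (or ::/0) admits everyone.
            findings.append(Finding(entry, "error",
                                    "matches every address; equivalent to no whitelist"))
        elif net.version == 4 and net.num_addresses > MAX_IPV4_ADDRESSES:
            findings.append(Finding(entry, "warning",
                                    f"broad range: {net.num_addresses} IPv4 addresses"))
        elif net.version == 6 and net.prefixlen < MIN_IPV6_PREFIXLEN:
            findings.append(Finding(entry, "warning", f"broad range: IPv6 /{net.prefixlen}"))
        for prev in accepted:
            if prev.version == net.version and prev.overlaps(net):
                findings.append(Finding(entry, "info",
                                        f"overlaps earlier entry {prev.with_prefixlen}"))
                break
        accepted.append(net)
    return findings


def is_safe_to_apply(entries: Iterable[str]) -> bool:
    """True when no entry is an outright error (invalid, or allow-any)."""
    return not any(f.severity == "error" for f in audit_whitelist(entries))


if __name__ == "__main__":
    # Constructed sample whitelist using documentation address ranges.
    sample = [
        "# office egress",
        "203.0.113.10",
        "203.0.113.0/24",      # overlaps the host above
        "198.51.100.7/24",     # host bits set: would be applied as 198.51.100.0/24
        "10.0.0.0/8",          # broad
        "0.0.0.0/0",           # the mistake the page warns about
        "not-an-ip",
    ]
    for f in audit_whitelist(sample):
        print(f"{f.severity:8} {f.entry:20} {f.reason}")
    print("safe to apply:", is_safe_to_apply(sample))
```

Treat an "error" as a hard stop in whatever script or pipeline feeds the console, and review the warnings against the list of clients that actually need to reach the FE query and HTTP ports; a /8 in a whitelist is rarely what anyone intended.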