EMR Serverless StarRocks supports two network access types: Virtual Private Cloud (VPC) internal access and internet (public) access. This topic explains how each type works, how to enable internet access, and how to configure whitelists to control which clients can reach your instance.
Network access types
VPC access
Connect to your StarRocks instance from within the same VPC where the instance is deployed, or from another VPC. Internal endpoints are available by default for all new instances—no additional setup is required.
Internet access
Connect to your StarRocks instance from the public internet. Internet access uses the Alibaba Cloud Server Load Balancer (SLB) service. When you enable internet access, a set of SLB instances is automatically created under your Alibaba Cloud account. These SLB instances have deletion protection enabled and cannot be deleted manually.
When internet access is enabled, the instance is reachable from any public IP address by default. Restrict the allowed sources with an access control policy whitelist on the SLB, as described under Configure a network security whitelist below.
Internet access incurs network traffic fees, which are billed according to CLB (Classic Load Balancer) pricing. For details, see the CLB billing overview.
Network endpoint types
Two endpoint types are available:
Internal endpoints (accessible within the current VPC and across vSwitches)
| Node type | Endpoint format |
|---|---|
| Frontend (FE) node | fe-{srClusterId}-internal.starrocks.aliyuncs.com:{port} |
| Backend (BE) node | be-{srClusterId}-internal.starrocks.aliyuncs.com:{port} |
Public endpoints
| Node type | Endpoint format |
|---|---|
| Frontend (FE) node | fe-{srClusterId}.starrocks.aliyuncs.com:{port} |
| Backend (BE) node | be-{srClusterId}.starrocks.aliyuncs.com:{port} |
Where:
- {srClusterId}: The StarRocks instance ID.
- {port}: The service port. The FE query port is 9030, the FE HTTP port is 8030, and the BE HTTP port is 8040.
When a client connects using an SLB-based endpoint, the request goes to the SLB domain name first, and SLB distributes it to the backend service instances for load balancing.
Enable public access
New StarRocks instances use internal same-region endpoints by default. To enable public access, follow the steps for each node type.
For the Frontend (FE) node:
On the Instance Details page, go to the Gateway Information area and click Enable Public Access.
For Backend (BE) and Compute (CN) nodes:
On the Compute Group page, click Manage in the Actions column of the target compute group, and then click Enable Public Access.
Configure a network security whitelist
Network security settings include security group whitelists for VPC access and access control policy whitelists for internet access. You can configure a network security whitelist to restrict access to your StarRocks instance and ensure the security of your service data.
To limit exposure to attacks from the internet, never set the Authorization Object to 0.0.0.0/0, which permits connections from any source address. List only the IP addresses or CIDR blocks of the clients that need to reach the instance.
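Before adding entries to the public whitelist or the intranet whitelist, it is worth auditing the proposed list offline. The following script is an added example; it is not code from the Alibaba Cloud documentation or from the StarRocks project. It rejects the all-sources rules 0.0.0.0/0 and ::/0, rejects CIDRs with host bits set (which the console would otherwise widen to a range the operator did not intend), and flags entries that are broader than a chosen threshold, duplicated, or already covered by another entry. The sample entries and the /16 and /48 breadth thresholds are constructed assumptions; adjust them to your own environment.

```python
"""Audit a proposed StarRocks whitelist before adding it to the SLB access
control list or the VPC security group.

Added example, not part of the Alibaba Cloud documentation or the StarRocks
project. The sample entries and thresholds below are constructed.
"""
from __future__ import annotations

import ipaddress

# Rules that admit the entire address space, in either family.
ANY_SOURCE = {ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")}

# Assumption: prefixes shorter than these are considered too broad for a
# whitelist that is meant to name specific clients. Tune per environment.
MIN_PREFIX_V4 = 16
MIN_PREFIX_V6 = 48


def normalize(entry: str):
    """Parse an IP address or CIDR. A bare address becomes a /32 or /128.
    A CIDR with host bits set (e.g. 10.1.2.3/24) raises ValueError instead
    of being silently widened to 10.1.2.0/24."""
    return ipaddress.ip_network(entry.strip(), strict=True)


def audit_whitelist(entries: list[str]) -> dict[str, list[str]]:
    """Classify each entry as 'ok', 'warn' (accepted but review it) or
    'reject' (must not be added), with a reason for every non-ok entry."""
    result: dict[str, list[str]] = {"ok": [], "warn": [], "reject": []}
    nets = []  # (raw, network) pairs that parsed and are not all-sources rules

    for raw in entries:
        try:
            net = normalize(raw)
        except ValueError as exc:
            result["reject"].append(f"{raw}: invalid ({exc})")
            continue
        if net in ANY_SOURCE:
            result["reject"].append(f"{raw}: allows every source address")
            continue
        nets.append((raw, net))

    seen = set()
    for raw, net in nets:
        if net in seen:
            result["warn"].append(f"{raw}: duplicate of an earlier entry")
            continue
        seen.add(net)
        min_prefix = MIN_PREFIX_V4 if net.version == 4 else MIN_PREFIX_V6
        if net.prefixlen < min_prefix:
            result["warn"].append(f"{raw}: /{net.prefixlen} is broader than /{min_prefix}")
            continue
        # An entry fully contained in another entry of the same family is redundant.
        covering = [r for r, other in nets
                    if other.version == net.version and other != net and net.subnet_of(other)]
        if covering:
            result["warn"].append(f"{raw}: already covered by {covering[0]}")
            continue
        result["ok"].append(str(net))
    return result


# Constructed sample list using documentation/TEST-NET address ranges.
PROPOSED_ENTRIES = [
    "0.0.0.0/0",       # the default "anyone" rule: must be rejected
    "203.0.113.10",    # a single bastion host -> normalized to /32
    "203.0.113.0/24",  # the bastion's whole subnet, which makes the /32 redundant
    "10.0.0.0/8",      # broader than the /16 threshold -> warn
    "10.1.2.3/24",     # host bits set -> invalid
    "2001:db8::/32",   # IPv6 documentation prefix, broader than /48 -> warn
    "::/0",            # IPv6 "anyone" -> reject
    "203.0.113.0/24",  # duplicate
]

if __name__ == "__main__":
    report = audit_whitelist(PROPOSED_ENTRIES)
    for category in ("reject", "warn", "ok"):
        for line in report[category]:
            print(f"{category.upper():6} {line}")
```

Only the entries under "ok" should be typed into the console as-is; "warn" entries need a second look, and "reject" entries must not be added. Run the audit again after any change to the list, since a new broad entry can make previously fine entries redundant.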
Configure an internet access control policy whitelist
- On the Instance Details page, in the Gateway Information area, locate Public Endpoint and click Enable Public Endpoint. Alternatively, on the Manage Compute Group page of the target compute group, locate Public Endpoint and click Enable Public Endpoint.
- Click Public Whitelist next to Public IP Address.
- On the Access Control page of SLB, click Add Entry and add the appropriate access control rules.
For more information, see Resource Access Management.
Configure a VPC security group whitelist
The configuration steps depend on whether SLB is enabled for your instance. Check the Network Type field in the Gateway Information section on the Instance Details page.
If Network Type is SLB (SLB is enabled):
Click View SLB on the Instance Details page. You are redirected to the SLB console to configure access control settings.
For more information, see Resource Access Management.
If Network Type is PrivateZone (SLB is not enabled):
- On the Instance Details page, in the Security Configuration section, click Internal Whitelist next to Security Group ID.
- In the Intranet Whitelist Configuration panel, modify the default whitelist group, or click Add Whitelist Group and enter a name and an IP address or IP segment.
- Click OK.