This topic describes how to configure, view, modify, and disable IP address whitelists for the classic network and a virtual private cloud (VPC) when the whitelist feature is enabled for a MaxCompute project. This topic also describes the scenarios in which IP address whitelists are configured. Only the project owner and the Super_Administrator role have the permissions to manage IP address whitelists.
Background information
Multiple levels of access control, such as the multi-tenant model and security authentication mechanism, are used to ensure secure access to MaxCompute. You can pass the authentication and access and compute data based on the granted permissions only after you obtain an authorized AccessKey pair.
- Configure an IP address whitelist for the classic network
- If you use the MaxCompute client to access a project, obtain the IP address of the device on which the MaxCompute client is deployed.
- If you use an application system to access a project, obtain the IP address of the server on which the application system is deployed.
- If you use a proxy server to access a project, obtain the IP address of the server. If you use multi-hop proxy servers to access a project, obtain the IP address of the last-hop proxy server.
- If you access MaxCompute from an Elastic Compute Service (ECS) instance, obtain the network address translation (NAT) IP address. For more information about NAT IP addresses, see Elastic IP addresses.
- If you use DataWorks to submit MaxCompute jobs, you do not need to obtain the IP address of the device where DataWorks is deployed. By default, the IP address is in the whitelist.
- Configure an IP address whitelist for a VPC
To configure an IP address whitelist for a VPC, perform the following steps:
- Obtain the ID of the region to which the VPC belongs and the ID of the VPC. For more information about how to obtain the region IDs and VPC IDs, see Obtain the ID of the region to which the VPC belongs and the ID of the VPC.
- Configure the endpoint of the VPC. For more information, see Endpoints.
- Add all the IP addresses of devices that need to access MaxCompute to the whitelist. For example, if you want to use services, such as Data Integration of DataWorks, Data Map of DataWorks, and Realtime Compute for Apache Flink, to access MaxCompute, you must add the IP addresses of the services to the IP address whitelist.
- IPv4 or IPv6 addresses. Example: 192.168.0.0 or 2001:db8::.
- IP addresses with subnet masks. Example: 172.12.0.0/16 or 2001:db8::/32.
- CIDR blocks. Example: 192.168.10.0-192.168.255.255 or 2001:db8:1:1:1:1:1:1-2001:db8:4:4:4:4:4:4.
Configure an IP address whitelist
The odps.security.ip.whitelist parameter specifies the IP address whitelist for the classic network. The odps.security.vpc.whitelist parameter specifies the IP address whitelist for a VPC. For more information about the command syntax and parameters, see View the properties of a project.
- If you configure an IP address whitelist only for the classic network, only the IP addresses in the IP address whitelist are allowed to access MaxCompute over the classic network. Access requests over VPCs are denied. Sample command:
setproject odps.security.ip.whitelist=192.168.0.0 odps.security.vpc.whitelist=\N;
When you configure an IP address whitelist for the classic network, add the IP address of the device on which the MaxCompute client is installed to the whitelist. Otherwise, your access requests are denied. - If you configure an IP address whitelist only for a VPC, only the IP addresses in the IP address whitelist are allowed to access MaxCompute over the VPC. Access requests over the classic network are denied. Sample command:
setproject odps.security.ip.whitelist=\N odps.security.vpc.whitelist=cn-beijing_125179[192.168.0.10,192.168.0.20];
- If you configure IP address whitelists for both the classic network and a VPC, only the IP addresses in the IP address whitelist for the VPC are allowed to access MaxCompute over the VPC and the IP addresses in the IP address whitelist for the classic network are allowed to access MaxCompute over the classic network. Sample command:
setproject odps.security.ip.whitelist=192.168.0.0 odps.security.vpc.whitelist=cn-beijing_125179[192.168.0.10,192.168.0.20];
View an IP address whitelist
setproject;
command to view IP address whitelists. The values of the
odps.security.ip.whitelist
and
odps.security.vpc.whitelist
parameters indicate the IP addresses in the whitelists. If the
odps.security.ip.whitelist
or
odps.security.vpc.whitelist
parameter is left empty, the whitelist that corresponds to the empty parameter is not configured.
setproject;
The following result is returned:
odps.security.ip.whitelist=192.168.0.0
odps.security.vpc.whitelist=cn-beijing_125179[192.168.0.10,192.168.0.20]
Modify an IP address whitelist
setproject
command to modify an IP address whitelist. After the whitelist is modified, the original IP address whitelist becomes invalid. The system controls access requests based on the new IP address whitelist.
- Modify the configuration of an IP address whitelist for the classic network.
setproject odps.security.ip.whitelist=192.168.0.10;
- Modify the configuration of an IP address whitelist for a VPC.
setproject odps.security.vpc.whitelist=cn-beijing_125179[192.168.10.10,192.168.0.20];
Disable the IP address whitelist feature
setproject odps.security.ip.whitelist= odps.security.vpc.whitelist= ;
Configure an IP address to allow access from Alibaba Cloud services to MaxCompute
setproject odps.security.ip.whitelist=192.168.0.0/16,172.16.0.0/12,10.0.0.0/8,11.0.0.0/8,33.0.0.0/8,100.64.0.0/10 odps.security.vpc.whitelist=<regionname>_*,cn_*;
odps.security.ip.whitelist
: the IP address whitelist for the classic network. You do not need to change the value of this parameter in the preceding command. You can add IP addresses based on your business requirements.regionname
: the ID of the region in which an Alibaba Cloud service resides.
Obtain the ID of the region to which the VPC belongs and the ID of the VPC
The following table lists the region IDs of VPCs.
Region | RegionID |
---|---|
China (Zhangjiakou) | cn-zhangjiakou |
China (Beijing) | cn-beijing |
China (Shenzhen) | cn-shenzhen |
China (Chengdu) | cn-chengdu |
China (Shanghai) | cn-shanghai |
China (Hangzhou) | cn-hangzhou |
Shanghai Tower | cn |
China (Hong Kong) | cn-hongkong |
Singapore | ap-southeast-1 |
Australia (Sydney) | ap-southeast-2 |
Malaysia (Kuala Lumpur) | ap-southeast-3 |
Indonesia (Jakarta) | ap-southeast-5 |
Japan (Tokyo) | ap-northeast-1 |
Germany (Frankfurt) | eu-central-1 |
US (Silicon Valley) | us-west-1 |
US (Virginia) | us-east-1 |
India (Mumbai) | ap-south-1 |
UAE (Dubai) | me-east-1 |
UK (London) | eu-west-1 |
- If this is your first time to configure an IP address whitelist for a VPC, log on to the MaxCompute client and run the following command to obtain the VPC ID:
Note
- You can run this command only on a host that resides in the VPC to obtain the VPC ID.
- This command can be used only when the version of the MaxCompute client is V0.31.2 or later.
whoami;
The following result is returned:
- If you want to add an IP address to an established whitelist for a VPC, obtain the region ID from the error message returned when you use the IP address to access MaxCompute for the first time. The error message is returned because the new IP address is not allowed to access MaxCompute.
Examples of errors reported due to the whitelist feature
- The following error message appears when an IP address whitelist of the classic network is configured:
The preceding error message is reported if the IP address from which an access request is sent is not in the IP address whitelist for the classic network. In the error message, sourceIP indicates the IP address from which the access request is sent, andFAILED: Access denied by project ip white list: sourceIP:'xxxxx' is not in white list. project: xxx
project: xxx
indicates the project information.To resolve this issue, you must add the IP address specified by
sourceIP
to the IP address whitelist for the classic network of your project. - The following error message appears when an IP address whitelist of the VPC network is configured:
The preceding error message is reported if the IP address from which an access request is sent is not in the IP address whitelist for the VPC network. In the error message,FAILED: Access denied by project ip white list: sourceIP:'xxxxx' is not in white list. project: xxxFAILED: Access denied by project vpc white list: vpc:'vpc-xxx' not in vpc white list, ip: 'xxxx'. project: xxx
project: xxx
indicates the project information.To resolve this issue, you must add the VPC IP address to the IP address whitelist for the VPC network of your project.