All Products
Search

This Product

    MaxCompute:Access the public network

    Document Center

    MaxCompute:Access the public network

    Last Updated:Mar 26, 2026

    MaxCompute jobs—including SQL user-defined functions (UDFs), Spark on MaxCompute, MaxFrame, MaxCompute MapReduce (MR), PyODPS, and Mars—can make outbound calls to public IP addresses and domain names after you configure external network access.

    How it works

    Enabling public network access requires two actions:

    1. Allowlist the target endpoint in MaxCompute. Add the public IP address or domain name (with port) to the MaxCompute External Network configuration in the console. For addresses outside the supported top-level domains, submit a request form for manual review.

    2. Set the access parameter in your job. Each job type uses a specific configuration parameter to declare which endpoints the job can reach: odps.internet.access.list for SQL UDFs and MaxFrame; dedicated Spark parameters for Spark jobs.

    Optionally, if the target server enforces access control, add MaxCompute's egress IP addresses to its allowlist so it accepts inbound connections from MaxCompute.

    Prerequisites

    Before you begin, ensure that you have:

    • A MaxCompute project. In a data lakehouse scenario, set the data type to a Hive-compatible type

    • (VPC targets only) Confirmed that the VPC owner account, the Alibaba Cloud account used to access the MaxCompute project, and the administrator account of the target service environment or cluster all belong to the same root account

    Step 1: Add external network addresses in the console

    For frequently used public IP addresses or domain names (for example, aliyun.com), add them directly in the MaxCompute console.

    1. Log on to the MaxCompute console and select a region in the upper-left corner.MaxCompute console

    2. In the navigation pane on the left, choose Manage Configurations > Projects.

    3. On the Projects page, find the target project and click Manage in the Actions column.

    4. On the Project Settings page, click the Parameter Configuration tab.

    5. In the MaxCompute External Network section, click Edit and enter the external network addresses that MaxCompute is allowed to access.

    6. Click Submit.

    If an address fails automatic verification:

    1. Delete the address and resubmit it. If the failure persists, submit a request form to add the IP address or domain name and port to the allowlist.

    2. The MaxCompute technical support team reviews the request and completes the configuration, typically within three business days. If you have any objections to the review result, you can submit a ticket.

    3. After the request is approved, proceed to Step 2.

    For more information, see Network activation process.

    Step 2: Configure your job

    Add the external network configuration to your job before running it. The configuration syntax depends on the job type.

    SQL UDF jobs

    Add a SET statement before your UDF call to specify which public endpoints the job can access. To access multiple endpoints, separate them with commas.

    -- Specify the public IP address (or domain name) and port to access.
-- To access multiple endpoints, separate entries with commas.
SET odps.internet.access.list=<ip_address:port|domain_name:port>;

-- Call the UDF.
SELECT <UDF_name>("<http://ip_address|domain_name>");

    Example: The following UDF fetches content from a URL. The job is configured to access www.aliyun.com on port 80.

    UDF implementation (Java):

    package com.aliyun.odps.test.udf;
import com.aliyun.odps.udf.UDF;
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.net.URL;

public class url_fetch extends UDF {
    public String evaluate(String urlStr) throws IOException {
        URL url = new URL(urlStr);
        StringBuilder sb = new StringBuilder();
        try (BufferedReader reader = new BufferedReader(new InputStreamReader(url.openStream()))) {
            String line;
            while ((line = reader.readLine()) != null) {
                sb.append(line).append('\n');
            }
        }
        return sb.toString();
    }
}

    SQL execution:

    SET odps.internet.access.list=www.aliyun.com:80;
SELECT url_fetch("http://www.aliyun.com");

    Spark on MaxCompute jobs

    Add the following properties to the conf file of the Spark client, or include them in the job configuration when submitting a Spark job in DataWorks.

    spark.hadoop.odps.cupid.smartnat.enable = true
spark.hadoop.odps.cupid.internet.access.list=<ip_address:port>

    MaxFrame jobs

    Set odps.internet.access.list in options.sql.settings before running your MaxFrame job.

    from maxframe import options

options.sql.settings = {
    "odps.internet.access.list": "<host>:80,<host>:443",
}

    (Optional) Step 3: Add MaxCompute egress IP addresses to the target server

    If the target server enforces its own access control (for example, a firewall allowlist), add MaxCompute's egress IP addresses to the server's allowlist so it accepts inbound connections from MaxCompute jobs.

    To get the current list of MaxCompute egress IP addresses, refer to the Project Management documentation or contact MaxCompute technical support.

    Limitations

    Limitation Details
    IPv6 support IPv6 addresses cannot be configured
    IP address count No limit
    Supported top-level domains for direct addition aliyun.com, amap.com, dingtalk.com, alicloudapi.com, cainiao.com, alicdn.com, taobao.com, alibaba.com, alipaydev.com, alibabadns.com
    Addresses outside supported domains Submit a request form for manual review; typically processed within three business days