
MaxCompute: Network enablement process

Last Updated: Dec 10, 2025

This topic describes the network structure between MaxCompute and target services and the supported network enablement solutions.

Function Introduction

By default, you cannot access a target service on the Internet or in a virtual private cloud (VPC) from MaxCompute. To access target services, such as specified IP addresses, domain names, RDS, HBase clusters, or Hadoop clusters, you must configure a whitelist or enable a network connection.

Network structure

The following figure shows the network structure between MaxCompute and target services.

[Figure: network structure between MaxCompute and target services]

Network enablement solutions

  1. MaxCompute Internet access solution

    • Scenarios

      This solution applies when you use a MaxCompute user-defined function (UDF), Spark, MapReduce (MR), or PyODPS/Mars to access a target IP address or domain name on the Internet.

    • Operation overview

      • For public IP addresses or domain names, such as aliyun.com, you can directly add or delete them in the Project Management section of the MaxCompute console.

      • For public IP addresses or domain names that fail automatic validation, you must submit a ticket. The review is completed within three business days. If the request is approved, you can access the target IP address or domain name, provided it has no security restrictions.

      • If the target public IP address or domain name has access control restrictions, contact the service administrator to remove them. This ensures that MaxCompute can access the public IP address or domain name.

  2. MaxCompute VPC access solution (dedicated connection)

    • Scenarios

      This solution applies when you use MaxCompute SQL, a UDF, Spark, PyODPS/Mars, a foreign table, or a data lakehouse architecture to access services in a VPC, such as RDS, HBase clusters, and Hadoop clusters.

    • Operation overview

      • Log on to the VPC console to grant permissions to MaxCompute. Then, create a connection between MaxCompute and the VPC in the MaxCompute console.

      • After the connection is created, you can view the elastic network interface (ENI) created by MaxCompute in the MaxCompute console. The access rules for this ENI are controlled by the security group that you provided when you created the VPC connection.

      • If the target service has access control enabled, add the ENI IP address or the vSwitch CIDR block to the service's whitelist.

      • When MaxCompute accesses a VPC, it establishes a network connection only to the specified VPC ID. To access other VPCs in the same or different regions, you can use other VPC solutions to connect them to the VPC that is configured in the dedicated connection.

  3. Accessing specific Alibaba Cloud services

    • Scenarios

      This solution applies when you use MaxCompute SQL, a UDF, Spark, PyODPS/Mars, a foreign table, or a data lakehouse architecture to access Alibaba Cloud services such as OSS, DLF, Tablestore, and Hologres. The connection uses the internal network addresses provided by Alibaba Cloud services.

    • Operation overview

      • If you create an OSS or Tablestore foreign table, you can access the table only through the internal endpoint of OSS or Tablestore.

      • If you call a UDF to access OSS or Tablestore, you can access them only through their public endpoints.

      • To access Hologres using a foreign table, you must use a classic network domain name. For more information, see the Classic Network address in Endpoints.

  4. Accessing MaxCompute over a VPC PrivateLink

  5. VPC peering connection solution

    This solution applies when you use a VPC in one region to access a MaxCompute service in another region.

  6. Using a CEN solution to interconnect VPCs

    This solution applies when you use Cloud Enterprise Network (CEN) to interconnect VPCs across regions.

Scope

The Internet and VPC access solutions for MaxCompute are supported only in the following regions.

Solution type: Internet access solution

  Supported regions:

    • China (Hangzhou), China (Shanghai), China (Beijing), China (Zhangjiakou), China (Ulanqab), China (Shenzhen), and China (Hong Kong)

    • Japan (Tokyo), Singapore, Malaysia (Kuala Lumpur), Indonesia (Jakarta), Germany (Frankfurt), US (Silicon Valley), and US (Virginia)

  Supported targets:

    • Public IP addresses or domain names

Solution type: VPC access solution (dedicated connection)

  Supported regions:

    • China (Hangzhou): Zones H, I, J, and K; China (Beijing): Zones F, G, H, I, and L; China (Shanghai): Zones B, E, G, M, and N; China (Zhangjiakou): Zones A, B, and C; China (Ulanqab): Zones B and C; China (Shenzhen): Zones C, D, E, and F; China (Hong Kong): Zones B and C

    • China (Shanghai) Finance Cloud: Zone F

    • Japan (Tokyo): Zones A and B; Singapore: Zones A, B, and C; Malaysia (Kuala Lumpur): Zones A and B; Indonesia (Jakarta): Zones A and B; Germany (Frankfurt): Zones A, B, and C; US (Silicon Valley): Zones A and B; US (Virginia): Zones A and B

  Supported targets:

    • VPC IP addresses or domain names

    • RDS

    • HBase clusters

    • Hadoop clusters

Disclaimer

Accessing the Internet and VPCs from MaxCompute is a free service with the following limitations:

  • Network connectivity is guaranteed. However, when a failover occurs the platform may rerun nodes, which repeats any network operations that your code triggers. Ensure that your code is idempotent. We recommend that you perform only data read operations. If you perform write operations, you must prevent dirty data that can result from repeated writes.

  • Access requires a proxy that has limited forwarding capabilities. We recommend that you use persistent connections and limit the number of nodes. Excessive concurrency or too many connections can cause network requests to fail.

  • Bandwidth is not guaranteed, which may cause tasks to run slowly. Alibaba Cloud is not responsible for any performance degradation.

  • The number of egress IP addresses used by the proxy is limited. If you encounter abnormal connection behavior, contact Alibaba Cloud technical support for assistance.

  • Egress IP addresses may change. We recommend that you do not enable IP address-based access control on the target service. If you configure an IP address whitelist for the proxy egress, Alibaba Cloud cannot guarantee that the egress IP address will remain unchanged.
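An added example (not part of the original documentation) of a write that stays correct when a node is rerun: each row gets a key derived only from stable inputs, and the target skips a key it has already stored. The in-memory SQLite table stands in for the target service, and `task_id`, `partition`, the table layout and the sample rows are assumptions made for the example.

```python
import hashlib
import sqlite3


def idempotency_key(task_id, partition, row_id):
    # Built only from stable inputs: no timestamps, attempt counters or
    # random values, so a rerun of the same node produces the same key.
    raw = f"{task_id}|{partition}|{row_id}".encode("utf-8")
    return hashlib.sha256(raw).hexdigest()


def open_target():
    # In-memory SQLite stands in for the target service (assumption).
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE payments ("
        "idem_key TEXT PRIMARY KEY, row_id INTEGER, amount INTEGER)"
    )
    return db


def write_rows(db, task_id, partition, rows):
    """Insert rows; a key that is already stored is skipped, not duplicated."""
    for row_id, amount in rows:
        db.execute(
            "INSERT OR IGNORE INTO payments VALUES (?, ?, ?)",
            (idempotency_key(task_id, partition, row_id), row_id, amount),
        )
        db.commit()  # per-row commit: a lost node leaves partial data behind
    return db.execute("SELECT COUNT(*), SUM(amount) FROM payments").fetchone()


def simulate_failover():
    # Constructed sample data: three rows of one partition.
    rows = [(1, 100), (2, 250), (3, 75)]
    db = open_target()
    # First attempt writes two rows, then the node is lost.
    write_rows(db, "job-42", "ds=20250101", rows[:2])
    # The platform reruns the node from the start with the same input.
    return write_rows(db, "job-42", "ds=20250101", rows)


if __name__ == "__main__":
    print(simulate_failover())  # (row count, total amount)
```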

Important

After you establish a network connection for MaxCompute, you may still encounter access issues when you run MaxCompute jobs. These issues may be caused by network restrictions of the tool that you use to run the jobs. For example, if you use DataWorks for data synchronization or data cleaning, you must ensure that the DataWorks resource group can connect to the data source and that the DataWorks sandbox whitelist allows access to the data source. For more information about network connectivity for DataWorks resource groups and sandbox configuration, see Network connection solutions.

FAQ

High concurrency leads to DNS resolution failure

Problem description: During the execution of a UDF or Spark task, many concurrent requests are generated to access the target domain name. This causes DNS resolution to fail.

Solution: Resolve the domain name to an IP address during the task initialization phase. Then, use the resolved IP address for access during the execution phase. For more information, see High Concurrency Causes DNS Resolution Failures.

Accessing HTTPS services using an IP address

Problem description: When a Spark or UDF task accesses a remote service in a VPC, such as KMS or OSS, it must use HTTPS. If you directly access the target service using an IP address, an error is reported.

Solution: Add the domain name to the host of the request. This resolves the validation error that occurs when you directly access an HTTPS service using an IP address. For more information, see Use an IP address to access an HTTPS service.
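Both FAQ answers combined in one added example (not code from the MaxCompute documentation): the domain is resolved once at initialization, later requests connect to the cached IP, and the domain name is supplied both in the Host header and as the TLS server name so certificate validation stays enabled. The class name, the host `service.example.internal` and the stand-in resolver are assumptions made for the example.

```python
import socket
import ssl


class PinnedHttpsEndpoint:
    """Resolve the domain once at initialization, then connect by IP."""

    def __init__(self, hostname, port=443, resolver=socket.getaddrinfo):
        self.hostname = hostname
        self.port = port
        # Initialization phase: a single DNS lookup per task instance.
        infos = resolver(hostname, port, type=socket.SOCK_STREAM)
        self.ip = infos[0][4][0]
        # Default context: CERT_REQUIRED and check_hostname stay enabled.
        self.context = ssl.create_default_context()

    def request_bytes(self, path="/"):
        # The Host header carries the domain name, not the cached IP.
        return (
            f"GET {path} HTTP/1.1\r\n"
            f"Host: {self.hostname}\r\n"
            "Connection: close\r\n\r\n"
        ).encode("ascii")

    def fetch(self, path="/", timeout=10):
        # Execution phase: TCP goes to the cached IP with no DNS lookup,
        # while SNI and certificate validation use the domain name.
        with socket.create_connection((self.ip, self.port), timeout=timeout) as raw:
            with self.context.wrap_socket(raw, server_hostname=self.hostname) as tls:
                tls.sendall(self.request_bytes(path))
                chunks = []
                while data := tls.recv(4096):
                    chunks.append(data)
        return b"".join(chunks)


LOOKUPS = []  # records every call made to the constructed resolver


def constructed_resolver(host, port, type=0):
    # Constructed stand-in for DNS; 192.0.2.10 is a documentation address.
    LOOKUPS.append(host)
    return [(socket.AF_INET, type, 6, "", ("192.0.2.10", port))]


def demo():
    LOOKUPS.clear()
    endpoint = PinnedHttpsEndpoint("service.example.internal", resolver=constructed_resolver)
    requests = [endpoint.request_bytes(f"/item/{i}") for i in range(100)]
    return endpoint, requests, len(LOOKUPS)
```

Because `server_hostname` is the domain name, the certificate is checked against that name even though the socket targets an IP address, so certificate verification does not need to be turned off.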