MaxCompute: Network connection process

Last Updated: Jun 02, 2026

MaxCompute runs in an isolated network by default. To access public endpoints, VPC resources, or other Alibaba Cloud services — or to reach MaxCompute from your VPC — you must configure a network connection.

Six network solutions are available. This page covers their scenarios, supported regions, and limitations.

How it works

MaxCompute connects to external services through a proxy layer. The following diagram shows the network architecture.

Figure: Network structure between MaxCompute and target services

Six network solutions are available in two categories:

  • Outbound access (MaxCompute reaching external services): Internet access, VPC dedicated connection, and Alibaba Cloud service access.

  • Inbound access (external services reaching MaxCompute): VPC PrivateLink, VPC peering, and Cloud Enterprise Network (CEN).

Choose a network solution

The following table summarizes each solution.

| Solution | Direction | When to use | Supported compute engines |
| --- | --- | --- | --- |
| Internet access | Outbound | Access a public IP address or domain name from MaxCompute | UDF, Spark, MapReduce (MR), PyODPS/Mars |
| VPC dedicated connection | Outbound | Access VPC resources such as RDS, HBase clusters, or Hadoop clusters from MaxCompute | SQL, UDF, Spark, PyODPS/Mars, foreign table, data lakehouse architecture |
| Alibaba Cloud service access | Outbound | Access OSS, DLF, Tablestore, or Hologres through internal network addresses | SQL, UDF, Spark, PyODPS/Mars, foreign table, data lakehouse architecture |
| VPC PrivateLink | Inbound | Connect to MaxCompute over a private endpoint from your VPC | -- |
| VPC peering | Inbound | Access MaxCompute from a VPC in a different region | -- |
| CEN interconnection | Inbound | Interconnect VPCs across regions using Cloud Enterprise Network (CEN) | -- |

Outbound access solutions

Internet access

Access a public IP address or domain name from a user-defined function (UDF), Spark, MapReduce (MR), or PyODPS/Mars task.

Setup overview:

  1. For standard public IPs or domain names (such as aliyun.com), add or remove them directly in the Project Management section of the MaxCompute console.

  2. If automatic validation fails, submit a ticket. The review takes up to three business days. After approval, MaxCompute can access the target IP address or domain name, provided it has no security restrictions.

  3. If the target has access control restrictions, contact the service administrator to remove them so MaxCompute can reach the endpoint.

VPC dedicated connection

Access VPC resources — such as RDS, HBase clusters, and Hadoop clusters — from MaxCompute SQL, UDF, Spark, PyODPS/Mars, foreign table, or data lakehouse architecture workloads.

Setup overview:

  1. Log on to the VPC console and grant permissions to MaxCompute.

  2. Create a connection between MaxCompute and the VPC in the MaxCompute console.

  3. After the connection is created, an elastic network interface (ENI) appears in the console. The security group you specified controls access rules for this ENI.

  4. If the target service has access control enabled, add the ENI IP address or the vSwitch CIDR block to its whitelist.
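A check for step 4, as an added example rather than Alibaba Cloud code: it confirms that the target service's whitelist admits the ENI and flags entries that are broader than the vSwitch CIDR block. The function name and all addresses are constructed for illustration.

```python
import ipaddress


def audit_whitelist(entries, eni_ip, vswitch_cidr):
    """Compare a target service's IP whitelist with the MaxCompute ENI.

    entries      -- whitelist entries as strings (single IPs or CIDR blocks)
    eni_ip       -- IP address of the ENI created for the connection
    vswitch_cidr -- CIDR block of the vSwitch that hosts the ENI
    """
    eni = ipaddress.ip_address(eni_ip)
    vswitch = ipaddress.ip_network(vswitch_cidr)
    if eni not in vswitch:
        raise ValueError("ENI IP is not inside the vSwitch CIDR block")

    covering, too_broad = [], []
    for raw in entries:
        net = ipaddress.ip_network(raw.strip(), strict=False)
        if net.version != eni.version:
            continue  # an IPv6 entry can never match an IPv4 ENI, and vice versa
        if eni in net:
            covering.append(str(net))
        # Strictly wider than the vSwitch: admits hosts outside the ENI's subnet.
        if net != vswitch and vswitch.subnet_of(net):
            too_broad.append(str(net))
    return {"eni_allowed": bool(covering),
            "covering": covering,
            "too_broad": too_broad}


if __name__ == "__main__":
    # Constructed values: RFC 1918 addresses chosen for illustration only.
    report = audit_whitelist(
        ["10.0.1.15", "10.0.0.0/8", "192.168.0.0/24"],
        eni_ip="10.0.1.15",
        vswitch_cidr="10.0.1.0/24",
    )
    print(report)
```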

Important

MaxCompute connects to one VPC only. To reach other VPCs in the same or different regions, connect them to the configured VPC through VPC peering, CEN, or other interconnection methods.

Alibaba Cloud service access

Access Alibaba Cloud services such as OSS, DLF, Tablestore, and Hologres through internal network addresses from MaxCompute SQL, UDF, Spark, PyODPS/Mars, foreign table, or data lakehouse architecture workloads.

Endpoint rules:

| Access method | Required endpoint type |
| --- | --- |
| OSS or Tablestore foreign table | Internal endpoint only |
| UDF calling OSS or Tablestore | Public endpoint only |
| Hologres foreign table | Classic network domain name (see the Classic Network address in Endpoints) |

Inbound access solutions

| Solution | When to use | Details |
| --- | --- | --- |
| VPC PrivateLink | Connect to MaxCompute over a private endpoint from your VPC | Linked topic |
| VPC peering | Access MaxCompute from a VPC in a different region | Linked topic |
| CEN interconnection | Interconnect VPCs across regions using CEN | Linked topic |

Supported regions

Internet access and VPC dedicated connection are available only in the following regions.

Internet access

Supported regions:

  • China (Hangzhou), China (Shanghai), China (Beijing), China (Zhangjiakou), China (Ulanqab), China (Shenzhen), and China (Hong Kong)

  • Japan (Tokyo), Singapore, Malaysia (Kuala Lumpur), Indonesia (Jakarta), Germany (Frankfurt), US (Silicon Valley), and US (Virginia)

Supported targets: Public IP addresses or domain names.

VPC dedicated connection

Supported regions and zones:

| Region | Zones |
| --- | --- |
| China (Hangzhou) | H, I, J, K |
| China (Beijing) | F, G, H, I, L |
| China (Shanghai) | B, E, G, M, N |
| China (Zhangjiakou) | A, B, C |
| China (Ulanqab) | B, C |
| China (Shenzhen) | C, D, E, F |
| China (Hong Kong) | B, C |
| China (Shanghai) Finance Cloud | F |
| Japan (Tokyo) | A, B |
| Singapore | A, B, C |
| Malaysia (Kuala Lumpur) | A, B |
| Indonesia (Jakarta) | A, B |
| Germany (Frankfurt) | A, B, C |
| US (Silicon Valley) | A, B |
| US (Virginia) | A, B |

Supported targets: VPC IP addresses or domain names, RDS, HBase clusters, Hadoop clusters.

Limitations

Internet and VPC outbound access from MaxCompute is a free service with the following limitations:

| Limitation | Description |
| --- | --- |
| Failover reruns | Network connectivity is guaranteed, but failover may rerun nodes for network operations triggered by your code. Ensure your code is idempotent. Prefer read operations. For writes, implement safeguards against dirty data from repeated execution. |
| Proxy capacity | Access goes through a proxy with limited forwarding capacity. Use persistent connections and limit concurrency. Excessive connections can cause requests to fail. |
| No bandwidth guarantee | Bandwidth is not guaranteed and may cause slow task execution. Alibaba Cloud is not responsible for performance degradation from bandwidth limitations. |
| Limited egress IPs | The proxy uses a limited number of egress IP addresses. If you encounter abnormal connection behavior, contact Alibaba Cloud technical support. |
| Egress IP changes | Egress IP addresses may change. Do not rely on IP-based access control on the target service. Alibaba Cloud cannot guarantee proxy egress IPs remain unchanged. |

Important

After establishing a network connection, you may still encounter access issues when running jobs due to network restrictions in the tool you use. For example, if you use DataWorks for data synchronization or data cleaning, ensure the DataWorks resource group can connect to the data source and that the sandbox whitelist allows access. For more information, see Network connection solutions.

FAQ

DNS resolution fails under high concurrency

During UDF or Spark tasks, high-concurrency requests to a target domain name can overwhelm DNS resolution.

Resolve the domain name to an IP address during task initialization, then use the resolved IP for all subsequent requests. For more information, see High concurrency causes DNS resolution failures.

HTTPS access fails when using an IP address directly

When a Spark or UDF task accesses a remote VPC service (such as KMS or OSS) over HTTPS, connecting by IP address instead of domain name causes a certificate validation error.

Add the domain name to the Host header of the request to resolve the validation error. For more information, see Use an IP address to access an HTTPS service.
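One way to apply both FAQ answers together, as an added example that is not from the MaxCompute documentation: resolve the domain name once at task initialization, connect to the cached IP, and keep TLS certificate verification bound to the domain name while sending it in the Host header. The class name, the injectable resolver, and the sample hostname and address are assumptions.

```python
import socket
import ssl
import threading


class PinnedEndpoint:
    """Resolve a domain name once, then reuse the IP for every connection."""

    def __init__(self, hostname, port=443, resolver=socket.getaddrinfo):
        self.hostname = hostname
        self.port = port
        self._resolver = resolver      # injectable so the lookup can be tested
        self._lock = threading.Lock()  # concurrent workers share one lookup
        self._ip = None
        # Default context: CERT_REQUIRED and check_hostname=True stay on.
        self.tls = ssl.create_default_context()

    def ip(self):
        """Return the cached IP, resolving only on the first call."""
        with self._lock:
            if self._ip is None:
                infos = self._resolver(self.hostname, self.port,
                                       type=socket.SOCK_STREAM)
                self._ip = infos[0][4][0]
            return self._ip

    def connect(self, timeout=10):
        """Open TCP to the cached IP; verify the certificate against the name."""
        raw = socket.create_connection((self.ip(), self.port), timeout=timeout)
        try:
            # server_hostname sets SNI and is the name the certificate is
            # checked against, so connecting by IP does not weaken validation.
            return self.tls.wrap_socket(raw, server_hostname=self.hostname)
        except Exception:
            raw.close()
            raise

    def request_head(self, method, path):
        """HTTP/1.1 request head carrying the domain name in the Host header."""
        return (f"{method} {path} HTTP/1.1\r\n"
                f"Host: {self.hostname}\r\n"
                "Connection: keep-alive\r\n\r\n").encode("ascii")


if __name__ == "__main__":
    # Constructed resolver and address (192.0.2.0/24 is documentation space).
    fake = lambda host, port, type=0: [(socket.AF_INET, type, 6, "", ("192.0.2.10", port))]
    ep = PinnedEndpoint("service.example.internal", resolver=fake)
    print(ep.ip(), ep.request_head("GET", "/"))
```

Create one instance per target during task initialization and share it across workers, so the DNS lookup happens once and certificate verification is never switched off to make the IP connection succeed.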