
Resource Access Management: Restrict access by IP address

Last Updated: Jun 20, 2026

Use RAM to restrict access to your Alibaba Cloud resources from specific IP addresses to enhance access security.

Use cases

An enterprise uses various Alibaba Cloud resources to run its business, such as ECS instances, ApsaraDB RDS instances, Server Load Balancer (SLB) instances, and OSS buckets. To protect its services and data, the enterprise wants to allow access to its Alibaba Cloud resources only from specific IP addresses.

To do this, create a custom policy and a RAM user, and then attach the policy to the user. The RAM user can then access your Alibaba Cloud resources only from the specified IP addresses.

Procedure

This example shows how to allow a RAM user to access ECS instances only from the IP addresses 192.0.2.0/24 and 203.0.113.2.

  1. Create a custom policy.

    Log on to the RAM console. In the left-side navigation pane, choose Permissions > Policies. On the Policies page, click Create Policy. You can create a custom policy in the visual editor or on the JSON tab. For more information, see Create a custom policy.

    The following code provides an example permission policy:

    {
      "Statement": [
        {
          "Action": "ecs:*",
          "Effect": "Allow",
          "Resource": "*",
          "Condition": {
            "IpAddress": {
              "acs:SourceIp": [
                "192.0.2.0/24",
                "203.0.113.2"
              ]
            }
          }
        }
      ],
      "Version": "1"
    }
    Note

    When you use this policy, replace the value of acs:SourceIp with your actual IP addresses.

  2. Create a RAM user.

    In the left-side navigation pane, choose Identities > Users and click Create User. For security, we recommend that you select only one access mode for the RAM user and separate human users from application users. For more information, see Create a RAM user.

    In the Logon Name and Display Name fields, enter Bob. For Access Mode, select Console Access.

  3. Grant permissions to the RAM user.

    On the Users page, find the RAM user and attach the custom policy. For more information, see Grant permissions to a RAM user.

    On the Add Permissions page, select Account Level for Resource Scope. Find and select the custom policy that you created, such as ECS-test1, and then click OK.

  4. Log on as the RAM user and access an ECS instance to verify the policy.

    If the RAM user accesses an ECS instance from an allowed IP address, such as one in the 192.0.2.0/24 range or 203.0.113.2, the access is successful. If the RAM user attempts to access the instance from any other IP address, the access is denied.

FAQ

Policy does not take effect

If a permission policy does not take effect after you grant it to a RAM user, the IP addresses in the policy might be incorrect. For Alibaba Cloud services that are integrated with ActionTrail, you can view the related events in the ActionTrail console. In the event details, you can find the source IP address of the request. Then, you can modify the IP addresses in the policy and verify the policy again.

In the left-side navigation pane, choose Event Query. Filter events by Cloud Service Name. In the event list, find the relevant event and click View Details in the Actions column.
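The following Python script is an added example, not Alibaba Cloud's own code or tooling. It simulates how the policy from the procedure above is evaluated against a request's source IP (an address inside 192.0.2.0/24 or equal to 203.0.113.2 is allowed, anything else is implicitly denied), shows that the Deny + NotIpAddress form mentioned under Related documentation produces the same decisions as the Allow + IpAddress form, and finishes with the troubleshooting step from this FAQ: given event records with a source IP, it reports which source addresses the policy would reject. The ActionTrail-style events are constructed for the example, and the field names eventName, serviceName and sourceIpAddress are assumed to match what the console's event details show; only the IpAddress and NotIpAddress operators on acs:SourceIp are implemented.

```python
"""Simulate RAM IpAddress / NotIpAddress conditions and triage source IPs.

Added example, not Alibaba Cloud's code. Implements the subset of policy
evaluation used on this page: Allow/Deny statements, wildcard Action matching,
and the IpAddress / NotIpAddress operators on acs:SourceIp, with the rule that
an explicit Deny wins, any matching Allow grants, and everything else is denied.
"""
import fnmatch
import ipaddress

ALLOWED_SOURCES = ["192.0.2.0/24", "203.0.113.2"]

# The policy from the procedure above (Allow + IpAddress).
ALLOW_POLICY = {
    "Statement": [{
        "Action": "ecs:*",
        "Effect": "Allow",
        "Resource": "*",
        "Condition": {"IpAddress": {"acs:SourceIp": ALLOWED_SOURCES}},
    }],
    "Version": "1",
}

# The same restriction written as Deny + NotIpAddress. A Deny statement grants
# nothing on its own, so an unconditional Allow for the actions is needed too.
DENY_POLICY = {
    "Statement": [
        {"Action": "ecs:*", "Effect": "Allow", "Resource": "*"},
        {
            "Action": "ecs:*",
            "Effect": "Deny",
            "Resource": "*",
            "Condition": {"NotIpAddress": {"acs:SourceIp": ALLOWED_SOURCES}},
        },
    ],
    "Version": "1",
}


def ip_in_list(source_ip, entries):
    """True if source_ip is inside any CIDR entry; a bare address counts as /32 (or /128)."""
    ip = ipaddress.ip_address(source_ip)
    return any(ip in ipaddress.ip_network(entry, strict=False) for entry in entries)


def condition_matches(condition, source_ip):
    """Evaluate IpAddress / NotIpAddress on acs:SourceIp. No Condition always matches."""
    if not condition:
        return True
    for operator, keys in condition.items():
        entries = keys.get("acs:SourceIp", [])
        if isinstance(entries, str):
            entries = [entries]
        hit = ip_in_list(source_ip, entries)
        if operator == "IpAddress" and not hit:
            return False
        if operator == "NotIpAddress" and hit:
            return False
        if operator not in ("IpAddress", "NotIpAddress"):
            raise ValueError(f"operator {operator!r} is not supported by this simulator")
    return True


def action_matches(pattern, action):
    """Match a statement's Action (string or list, with * wildcards) against a request."""
    patterns = [pattern] if isinstance(pattern, str) else pattern
    return any(fnmatch.fnmatchcase(action, p) for p in patterns)


def is_allowed(policy, action, source_ip):
    """Decide a request: explicit Deny wins, otherwise any matching Allow grants."""
    allowed = False
    for stmt in policy["Statement"]:
        if not action_matches(stmt["Action"], action):
            continue
        if not condition_matches(stmt.get("Condition"), source_ip):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


# Constructed ActionTrail-style events for the FAQ step. The field names are an
# assumption about the event details shown in the console.
SAMPLE_EVENTS = [
    {"eventName": "DescribeInstances", "serviceName": "Ecs", "sourceIpAddress": "192.0.2.77"},
    {"eventName": "StartInstance", "serviceName": "Ecs", "sourceIpAddress": "203.0.113.2"},
    {"eventName": "StopInstance", "serviceName": "Ecs", "sourceIpAddress": "198.51.100.9"},
]


def find_denied_sources(policy, events, service="Ecs"):
    """Return the distinct source IPs of events for `service` that the policy would reject."""
    denied = []
    for event in events:
        if event["serviceName"] != service:
            continue
        action = f"{service.lower()}:{event['eventName']}"
        source = event["sourceIpAddress"]
        if not is_allowed(policy, action, source) and source not in denied:
            denied.append(source)
    return denied


if __name__ == "__main__":
    for ip in ["192.0.2.77", "203.0.113.2", "203.0.113.3"]:
        print(ip, "allowed" if is_allowed(ALLOW_POLICY, "ecs:DescribeInstances", ip) else "denied")
    print("source IPs to add to the policy or to investigate:",
          find_denied_sources(ALLOW_POLICY, SAMPLE_EVENTS))
```

Running the script prints a decision for each sample address and then lists 198.51.100.9 as the only source the policy rejects, which is the kind of mismatch the ActionTrail event details reveal when a policy "does not take effect". Note that 203.0.113.3 is denied even though it is adjacent to the listed address: a bare address in acs:SourceIp matches only that one host.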

Related documentation

  • This topic focuses on using the Allow statement with the IpAddress condition key. You can also use the Deny statement with the NotIpAddress condition key, which denies access from every IP address except the ones you list. For more policy examples, see Control access based on IP addresses.

  • For more information about policy elements such as Effect, Action, Resource, and Condition, see Basic elements of a permission policy.

  • For more information about how to view events in ActionTrail, see Query events.

  • With Terraform Explorer, you can run this tutorial's template to deploy the environment directly.