You can configure AccessKey pair-based policies for network access control to allow only specific IP addresses to call Alibaba Cloud API operations by using permanent AccessKey pairs. This way, API operations are called by using AccessKey pairs in a trusted network environment.
Policy types
Resource Access Management (RAM) provides the following types of AccessKey pair-based policies for network access control:
Account-level AccessKey pair-based policies for network access control
This type of policy takes effect on all AccessKey pairs of an Alibaba Cloud account, including the AccessKey pairs of the Alibaba Cloud account and the AccessKey pairs of the RAM users that belong to the Alibaba Cloud account.
AccessKey pair-level policies for network access control
This type of policy takes effect on a single AccessKey pair of an Alibaba Cloud account or RAM user.
An AccessKey pair-level policy for network access control has a higher priority than an account-level AccessKey pair-based policy. If an AccessKey pair-level policy for network access control is configured for an AccessKey pair, no account-level AccessKey pair-based policies take effect on the AccessKey pair.
The following figure shows the policy evaluation process.
Usage notes
AccessKey pair-based policies for network access control take effect only on permanent AccessKey pairs and do not take effect on temporary Security Token Service (STS) tokens.
If you want to implement network access control over console logon, you can configure the Allowed network address while sign-in parameter to specify the IP addresses that can be used to log on to the Alibaba Cloud Management Console by using usernames and passwords or single sign-on (SSO). For more information, see Settings for network access control.
We recommend that you configure an AccessKey pair-based policy for network access control for an AccessKey pair in a test environment or a newly created AccessKey pair before you configure an AccessKey pair-based policy for network access control for an AccessKey pair in the production environment. The test operation can help prevent improper IP address configurations from affecting your workloads.
If applications deployed on Alibaba Cloud need to call other Alibaba Cloud services over the Internet, an AccessKey pair-based policy for public network access control is required. If applications deployed on Alibaba Cloud need to call other Alibaba Cloud services over private networks, an AccessKey pair-based policy for Virtual Private Cloud (VPC) access control is required.
Limits
AccessKey pair-based policies for network access control take effect on all Alibaba Cloud services except ApsaraMQ for RocketMQ, ApsaraMQ for RabbitMQ, ApsaraMQ for MQTT, EventBridge, Simple Message Queue, CloudMonitor (limited to reporting event monitoring data over HTTP), and Hologres. The time when AccessKey pair-based policies for network access control take effect on the unsupported Alibaba Cloud services is subject to the announcement of each service.
You can configure up to eight network access control policies for a single Alibaba Cloud account or a single AccessKey pair. You can configure only one public network access control policy for a single Alibaba Cloud account or a single AccessKey pair.
Each policy contains up to 50 IP addresses or CIDR blocks.
Configure policies
Policies for network access control take effect immediately after they are configured. We recommend that before you configure a policy for network access control, you view the AccessKey pair audit records and obtain trusted IP addresses based on enterprise network management information. This helps you specify accurate and complete source IP addresses in a policy for network access control.
Configure account-level AccessKey pair-based policies for network access control
Log on to the RAM console as a RAM user who has administrative rights.
In the left-side navigation pane, click Settings. In the Network Access Control section, click Modify next to Allowed source network address while calling APIs by AccessKey.
In the Account-level Network Access Control panel, configure account-level AccessKey pair-based policies for public network access control and VPC access control, set the Policy Status parameter to Enable, and then click Submit.
Policy Status: The configured policies take effect after you select Enable.
Public Network Policy: If you click Add Public Network Policy, you must enter public IP addresses or CIDR blocks. IPv4 and IPv6 addresses are supported. If no policies for public network access control are configured, access from all public IP addresses is denied. If you click Allow All Public Network Access, a policy in which the CIDR blocks 0.0.0.0/0 and ::/0 are specified is automatically configured for public network access control. The policy allows access from all public IP addresses.
VPC Network Policy: If you click Add VPC (Virtual Private Cloud) Policy, you must enter a VPC ID and IP addresses or CIDR blocks in the VPC. IPv4 and IPv6 addresses are supported. If no policies for VPC access control are configured, access from IP addresses in all VPCs is denied. If you click Allow All VPC Network Access, a policy in which the VPC ID AllowAllVPC and the CIDR blocks 0.0.0.0/0 and ::/0 are specified is automatically configured for VPC network access control. The policy allows access from IP addresses in all VPCs of different Alibaba Cloud accounts.
Note: You can enter multiple IP addresses or CIDR blocks in a single policy. Separate multiple IP addresses with spaces, commas (,), or semicolons (;).
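The evaluation rules described above (an AccessKey pair-level policy taking precedence over the account-level one, Enable with no policy meaning deny, the Allow All presets, the separators and the per-policy limits) as a small simulator you can run against a planned policy before enabling it in the console. This is an added example, not Alibaba Cloud code; the NetworkPolicy and evaluate names are assumptions, and it treats an AccessKey pair-level policy as configured once its Policy Status is Enable.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Optional

# Added example, not Alibaba Cloud code: a model of the evaluation rules this page
# describes, for dry-running a planned policy before you enable it in the console.
# Class and function names are assumptions; the rules and limits come from the page.
ALLOW_ALL_VPC = "AllowAllVPC"  # VPC ID written by "Allow All VPC Network Access"
MAX_ENTRIES_PER_POLICY = 50    # up to 50 IP addresses or CIDR blocks per policy
MAX_POLICIES = 8               # up to 8 policies per account or AccessKey pair


def parse_entries(text: str) -> list:
    """Split console input on spaces, commas or semicolons into networks."""
    nets = [ipaddress.ip_network(t, strict=False)
            for t in re.split(r"[ ,;]+", text.strip()) if t]
    if len(nets) > MAX_ENTRIES_PER_POLICY:
        raise ValueError(f"{len(nets)} entries; limit is {MAX_ENTRIES_PER_POLICY}")
    return nets


@dataclass
class NetworkPolicy:
    enabled: bool                            # Policy Status: Enable / Disable
    public: Optional[str] = None             # only one public policy per scope
    vpc: dict = field(default_factory=dict)  # VPC ID -> IP/CIDR entry string

    def __post_init__(self):
        count = (self.public is not None) + len(self.vpc)
        if count > MAX_POLICIES:
            raise ValueError(f"{count} policies; limit is {MAX_POLICIES}")

    def allows(self, source_ip: str, vpc_id: Optional[str]) -> bool:
        if not self.enabled:  # Disable: no network access control in this scope
            return True
        ip = ipaddress.ip_address(source_ip)
        if vpc_id is None:    # Internet call: only the public policy applies
            if self.public is None:  # no public policy: all public IPs are denied
                return False
            return any(ip in n for n in parse_entries(self.public))
        # VPC call: the VPC ID must match (or be AllowAllVPC) and the IP must match
        return any(pid in (vpc_id, ALLOW_ALL_VPC) and any(ip in n for n in parse_entries(ents))
                   for pid, ents in self.vpc.items())


def evaluate(account: NetworkPolicy, ak_level: Optional[NetworkPolicy],
             source_ip: str, vpc_id: Optional[str] = None) -> str:
    """Return '<scope>: allow|deny'. An enabled AccessKey pair-level policy fully
    replaces the account-level one (assumption: 'configured' means Policy Status
    is Enable); otherwise the account-level policy decides."""
    if ak_level is not None and ak_level.enabled:
        scope, policy = "accesskey-level", ak_level
    else:
        scope, policy = "account-level", account
    return f"{scope}: {'allow' if policy.allows(source_ip, vpc_id) else 'deny'}"
```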
Configure AccessKey pair-level policies for network access control for a RAM user
Log on to the RAM console as a RAM user who has administrative rights.
In the left-side navigation pane, choose .
On the Users page, click the username of the RAM user that you want to manage.
In the AccessKey section of the Authentication tab, find the AccessKey pair that you want to manage and click Network Access Control in the Actions column.
In the AccessKey-level Network Access Control panel, configure AccessKey pair-level policies for public network access control and VPC access control, set the Policy Status parameter to Enable, and then click Submit.
Policy Status: The configured policies take effect after you select Enable.
Public Network Policy: If you click Add Public Network Policy, you must enter public IP addresses or CIDR blocks. IPv4 and IPv6 addresses are supported. If no policies for public network access control are configured, access from all public IP addresses is denied. If you click Allow All Public Network Access, a policy in which the CIDR blocks 0.0.0.0/0 and ::/0 are specified is automatically configured for public network access control. The policy allows access from all public IP addresses.
VPC Network Policy: If you click Add VPC (Virtual Private Cloud) Policy, you must enter a VPC ID and IP addresses or CIDR blocks in the VPC. IPv4 and IPv6 addresses are supported. If no policies for VPC access control are configured, access from IP addresses in all VPCs is denied. If you click Allow All VPC Network Access, a policy in which the VPC ID AllowAllVPC and the CIDR blocks 0.0.0.0/0 and ::/0 are specified is automatically configured for VPC network access control. The policy allows access from IP addresses in all VPCs of different Alibaba Cloud accounts.
Note: You can enter multiple IP addresses or CIDR blocks in a single policy. Separate multiple IP addresses with spaces, commas (,), or semicolons (;).
Configure AccessKey pair-level policies for network access control for an Alibaba Cloud account
Log on to the Alibaba Cloud Management Console with an Alibaba Cloud account.
Move the pointer over the profile picture in the upper-right corner of the page that appears and click AccessKey.
In the Main Account AccessKey is not recommended dialog box, confirm and select I am aware of the security risks of using a main account AccessKey and click use Main Account AccessKey.
On the page that appears, find the AccessKey pair that you want to manage and click Network Access Control in the Actions column.
In the AccessKey-level Network Access Control panel, configure AccessKey pair-level policies for public network access control and VPC access control, set the Policy Status parameter to Enable, and then click Submit.
Policy Status: The configured policies take effect after you select Enable.
Public Network Policy: If you click Add Public Network Policy, you must enter public IP addresses or CIDR blocks. IPv4 and IPv6 addresses are supported. If no policies for public network access control are configured, access from all public IP addresses is denied. If you click Allow All Public Network Access, a policy in which the CIDR blocks 0.0.0.0/0 and ::/0 are specified is automatically configured for public network access control. The policy allows access from all public IP addresses.
VPC Network Policy: If you click Add VPC (Virtual Private Cloud) Policy, you must enter a VPC ID and IP addresses or CIDR blocks in the VPC. IPv4 and IPv6 addresses are supported. If no policies for VPC access control are configured, access from IP addresses in all VPCs is denied. If you click Allow All VPC Network Access, a policy in which the VPC ID AllowAllVPC and the CIDR blocks 0.0.0.0/0 and ::/0 are specified is automatically configured for VPC network access control. The policy allows access from IP addresses in all VPCs of different Alibaba Cloud accounts.
Note: You can enter multiple IP addresses or CIDR blocks in a single policy. Separate multiple IP addresses with spaces, commas (,), or semicolons (;).
Configuration example
Scenario | Policy configuration |
No network access control is implemented over all AccessKey pairs. | Set the Policy Status parameter to Disable for account-level and AccessKey pair-level policies for network access control. |
Calls initiated by all public IP addresses need to be allowed. | Configure an account-level or AccessKey pair-level policy for public network access control in which the CIDR blocks 0.0.0.0/0 and ::/0 are specified. |
Calls initiated by IP addresses in all VPCs of different Alibaba Cloud accounts need to be allowed. | Configure an account-level or AccessKey pair-level policy for VPC network access control in which the VPC ID AllowAllVPC and the CIDR blocks 0.0.0.0/0 and ::/0 are specified. |
Calls initiated by all public IP addresses need to be denied. | Set the Policy Status parameter to Enable for account-level and AccessKey pair-level policies for network access control and make sure that no policies are configured for public network access control. |
Calls initiated by IP addresses in all VPCs need to be denied. | Set the Policy Status parameter to Enable for account-level and AccessKey pair-level policies for network access control and make sure that no policies are configured for VPC network access control. |
Account-level network access control is configured. A specific AccessKey pair can be used by all public and VPC IP addresses to initiate calls. | Configure the following AccessKey pair-level policies for network access control: a policy for public network access control in which the CIDR blocks 0.0.0.0/0 and ::/0 are specified, and a policy for VPC network access control in which the VPC ID AllowAllVPC and the CIDR blocks 0.0.0.0/0 and ::/0 are specified. |
For all AccessKey pairs in an Alibaba Cloud account, a specific public IP address such as | Configure the following account-level AccessKey pair-based policies for network access control: For more information, see Configure account-level AccessKey pair-based policies for network access control. |
For a specific AccessKey pair, a specific public IP address such as | Configure the following AccessKey pair-level policies for network access control: After the AccessKey pair-level policies for network access control are enabled for the AccessKey pair, an account-level AccessKey pair-based policy for network access control does not take effect on the AccessKey pair. For more information, see Configure AccessKey pair-level policies for network access control for a RAM user and Configure AccessKey pair-level policies for network access control for an Alibaba Cloud account. |
FAQ
How do I obtain trusted IP addresses?
Query the source IP addresses in successful calls on the ActionTrail console
You can query and analyze the source IP addresses in successful calls by using the audit logs provided by ActionTrail. The following methods are available:
If a trail is created to deliver events to a Simple Log Service Logstore: On the Trails page of the ActionTrail console, click the name of the trail or Details in the Actions column to go to the details page. On the details page, click the name of the Logstore to switch to the Simple Log Service console. In the Simple Log Service console, you can search for source IP addresses (event.sourceIpAddress) by using a specific AccessKey pair (event.userIdentity.accessKeyId) or a specific VPC ID (event.vpcId). For more information, see Query events in the Simple Log Service or OSS console.
Sample query statement:
* | SELECT "event.userIdentity.accessKeyId" AS access_key_id, "event.sourceIpAddress" AS source_ip_address, "event.vpcId" AS vpc_id FROM log WHERE "event.userIdentity.accessKeyId" = 'LTAI****************'
If a trail is not created to deliver events to a Simple Log Service Logstore: On the AccessKey Pair Audit page of the ActionTrail console, enter an AccessKey ID in the search box to query the source IP addresses of each Alibaba Cloud service in the call records. For more information, see Query the logs of an AccessKey pair.
You can query only audit events of supported Alibaba Cloud services in the ActionTrail console. If specific data events are not supported by ActionTrail, you must use the audit feature of the related Alibaba Cloud service to query the data events. For more information, see Audit events of supported cloud services.
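One way to turn the AccessKey pair audit records described above into candidate policy entries, grouped the way a policy needs them (public hosts versus hosts per VPC ID) and flagging source values such as internal that cannot be whitelisted. This is an added example, not code from the page or from ActionTrail; the events are constructed with the three field names the SLS query above uses, and the AccessKey IDs, addresses and VPC IDs are placeholders.

```python
import ipaddress
from collections import defaultdict

# Added example, not Alibaba Cloud code. The events are constructed to carry the three
# fields this page names (event.userIdentity.accessKeyId, event.sourceIpAddress,
# event.vpcId); AccessKey IDs, addresses and VPC IDs are placeholders.
SAMPLE_EVENTS = [
    {"event": {"userIdentity": {"accessKeyId": "LTAI_EXAMPLE_A"},
               "sourceIpAddress": "203.0.113.10", "vpcId": ""}},
    {"event": {"userIdentity": {"accessKeyId": "LTAI_EXAMPLE_A"},
               "sourceIpAddress": "203.0.113.10", "vpcId": ""}},
    {"event": {"userIdentity": {"accessKeyId": "LTAI_EXAMPLE_A"},
               "sourceIpAddress": "2001:db8::5", "vpcId": ""}},
    {"event": {"userIdentity": {"accessKeyId": "LTAI_EXAMPLE_A"},
               "sourceIpAddress": "10.0.1.20", "vpcId": "vpc-example-1"}},
    {"event": {"userIdentity": {"accessKeyId": "LTAI_EXAMPLE_B"},
               "sourceIpAddress": "internal", "vpcId": ""}},  # service-to-service call
]


def collect_sources(events, access_key_id):
    """Group the source addresses one AccessKey pair used (what the page's SLS query
    returns) into public hosts, hosts per VPC ID, and values that are not IP
    addresses, such as 'internal' when one cloud service called another for you."""
    public, per_vpc, unresolvable = set(), defaultdict(set), set()
    for record in events:
        ev = record["event"]
        if ev["userIdentity"]["accessKeyId"] != access_key_id:
            continue
        try:
            ip = ipaddress.ip_address(ev["sourceIpAddress"])
        except ValueError:
            unresolvable.add(ev["sourceIpAddress"])
            continue
        vpc_id = ev.get("vpcId") or None
        (per_vpc[vpc_id] if vpc_id else public).add(ip)
    return public, dict(per_vpc), unresolvable


def to_policy_entries(addresses, max_entries=50):
    """Render observed hosts as exact-host entries (/32 or /128), IPv4 first, in the
    comma-separated form the console accepts; refuse lists over the page's 50-entry
    limit rather than silently dropping addresses."""
    ordered = sorted(addresses, key=lambda a: (a.version, a))
    if len(ordered) > max_entries:
        raise ValueError(f"{len(ordered)} entries exceed the per-policy limit of {max_entries}")
    return ",".join(f"{ip}/{ip.max_prefixlen}" for ip in ordered)
```

Addresses reported as unresolvable are the calls the page recommends moving to service-linked roles or other AccessKey pair-free methods rather than adding to a policy.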
Query network configurations
Applications deployed on Alibaba Cloud
If your applications are deployed on Elastic Compute Service (ECS) instances or container instances of Alibaba Cloud, you can query the public IP addresses, VPC IDs, and private CIDR blocks that are bound to the instances and cluster in the Alibaba Cloud Management Console.
If your applications access the public endpoints of Alibaba Cloud services, the source IP addresses are the public egress IP addresses or the public IP addresses that are bound to Internet NAT gateways. If your applications access the VPC endpoints of Alibaba Cloud services, the source IP addresses are the private IP addresses of the VPCs.
Calls between Alibaba Cloud services
If data transmission is required between your Alibaba Cloud Services A and B, multiple call methods are available. When Alibaba Cloud Service A calls Alibaba Cloud Service B, the IP address of Alibaba Cloud Service A may be used as the source address. In this case, the source IP address in the ActionTrail event record is the IP address of Alibaba Cloud Service A or the value internal. We recommend that you use service-linked roles or other AccessKey pair-free methods for the calls. For more information, see the documentation of each Alibaba Cloud service.
The following list describes the configuration recommendation for calls between specific Alibaba Cloud services:
DataWorks: If DataWorks calls MaxCompute for data analysis by using a CIDR block, you can query the CIDR block by referring to Appendix: IP address whitelist for Data Analysis. If DataWorks calls MaxCompute for metadata collection by using a CIDR block, you can query the CIDR block by referring to Configure IP address whitelists for metadata collection.
Simple Log Service: If the data transformation feature is used to transmit logs to other Alibaba Cloud accounts, we recommend that you follow instructions described in Scenario 2: Use custom roles to transfer data within the same Alibaba Cloud account. AccessKey pairs are not recommended.
Application Real-Time Monitoring Service (ARMS): We recommend that you use RAM roles for cross-account integration. For more information, see Monitor applications across Alibaba Cloud accounts.
Dynamic IP addresses
If cloud resources are automatically scaled or the specifications of cloud resources are automatically changed, the related IP addresses change. You need to add the new IP addresses to the AccessKey pair-based policies for network access control at your earliest opportunity.
Function Compute: Dynamic public IP addresses are used by default. In this case, no specific IP addresses can be queried. You can also configure static public IP addresses. For more information, see Configure static public IP addresses.
Applications deployed outside Alibaba Cloud
You need to manually query the egress IP addresses of application environments.
IP addresses of office networks
If you use AccessKey pairs for local development and debugging, you can contact the administrator of the enterprise network to obtain the egress IP address of the office network.
What do I do if my API call is denied by a network access control policy and I want the call to be allowed?
After an AccessKey pair-based policy for network access control takes effect, calls from the source IP addresses that are not specified in the policy are denied and no call audit record is generated. If you want to allow calls from an unspecified source IP address, you can perform the following operations:
Check whether an AccessKey pair-level policy for network access control is configured for the related AccessKey pair.
If yes, add the source IP address to the AccessKey pair-level policy for network access control.
If no, perform the subsequent operation.
Add the source IP address to the account-level AccessKey pair-based policy for network access control.
If calls from the source IP address are still denied, make sure that the source IP address is accurate.