
Tablestore: Network ACL

Last Updated: Feb 20, 2024

You can configure a network access control list (ACL) for a Tablestore instance to restrict the types of networks from which users can access the instance. This improves network access security.

Background information

By default, Tablestore creates a public endpoint, a virtual private cloud (VPC) endpoint, and a classic network endpoint for each instance. For more information, see Endpoints.

  • Public endpoint: used for access over the Internet. Users can access resources of the instance over the Internet by using the public endpoint.

    Important

    If you access Tablestore over the Internet, you are charged for the outbound traffic over the Internet. For more information, see Billing overview.

  • Classic network endpoint: used for access from Elastic Compute Service (ECS) instances that reside in the same region as the instance. When applications on ECS instances access a Tablestore instance in the same region over the classic network, the response latency is lower and no outbound traffic over the Internet is generated.

  • VPC endpoint: used for access from applications in a VPC. You must bind the required VPC to the instance in the Tablestore console. Then, applications in the VPC can access the instance by using the VPC endpoint. For more information, see What is a VPC?

Tablestore supports different combinations of network types to meet different network security requirements.

  • All networks: The instance can be accessed over all networks. For example, you can use the public endpoint, classic network endpoint, VPC endpoint, or Tablestore console to access the instance.

  • Tablestore console and VPCs: The instance can be accessed only from the Tablestore console or over the bound VPCs. This isolates the instance from networks outside your VPCs: you cannot access the instance over the Internet or the classic network.

    Important

    Before you select this network type for an instance, make sure that your business does not require access over the Internet or the classic network.

  • VPCs: The instance can be accessed only over the bound VPCs. You cannot access the instance over the Internet or the classic network, and you cannot access the instance or its resources from the Tablestore console. This provides stronger network isolation.

    Important

    Before you select this network type for an instance, make sure that your business does not require access over the Internet or the classic network, or from the Tablestore console.

Usage notes

  • If you want to access a Tablestore instance over a specific VPC, make sure that the instance is bound to the VPC. For more information, see the Step 1: Bind a VPC to a Tablestore instance section of the "Network security management" topic.

  • If you configure both an instance policy and a network ACL for an instance, the instance can be accessed only when the access source meets the conditions of both the instance policy and the network ACL.

  • After you set the Access Type parameter to Bound VPCs for an instance, you can use only interfaces such as SDKs to access the instance over the bound VPCs. You cannot use the Tablestore console to access the instance. If you want to access the instance from the Tablestore console later, you can modify the Access Type parameter for the instance on the Network Management tab.

  • After you set the Access Type parameter to Bound VPCs for an instance, you can use only features on the Instance Monitoring, Network Management, and Security Policy tabs of the Instance Management page in the Tablestore console for the instance. Features on the Instance Details, Deliver Data to OSS, and Query by Executing SQL Statement tabs are unavailable.

Procedure

  1. Log on to the Tablestore console.

  2. In the upper part of the Overview page, select a region and click the name of the instance that you want to manage.

  3. On the Network Management tab, configure the network access control parameters as described below and click Settings.

    By default, Tablestore supports access over VPC, the classic network, and the Internet, and allows access from the Tablestore console. You can exclude specific network types or source types as needed.

    • Access Type: The type of network access. Valid values:

      • Custom: The instance can be accessed by using the selected network or source types. A client can access the instance as long as the network or source type of the client meets the requirements.

      • Tablestore Console or Bound VPCs: The instance can be accessed from the Tablestore console or over the bound VPCs.

      • Bound VPCs: The instance can be accessed only by using interfaces such as SDKs over the bound VPCs.

    • Allowed Network Type: The types of networks that can be used to access the resources of the instance. You can select multiple network types at a time. This parameter is available only if you set the Access Type parameter to Custom. Valid values:

      • VPC: By default, VPC is selected, which indicates that the resources can be accessed over bound VPCs. If you do not require access over a VPC, clear VPC.

      • Internet: By default, Internet is selected, which indicates that the resources can be accessed over the Internet. If you do not require access over the Internet, clear Internet.

      • Classic Network: By default, Classic Network is selected, which indicates that the resources can be accessed over the classic network. If you do not require access over the classic network, clear Classic Network.

    • Allowed Source Type: Specifies whether the resources of the instance can be accessed from the Tablestore console. This parameter is available only if you set the Access Type parameter to Custom. By default, Trusted Gateway (Console) is selected, which indicates that resources can be accessed from the Tablestore console. If you do not require access from the Tablestore console, clear Trusted Gateway (Console).

  4. In the Warning dialog box, carefully read the message, select the check box, and then click OK.
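The following Python model is added here as an illustration and is not part of the Tablestore documentation or SDK: it encodes the three Access Type modes and their Allowed Network Type and Allowed Source Type options as described above, plus the usage note that an instance policy and a network ACL are combined with AND, and adds an audit helper that reports which non-VPC paths a given setting still leaves open. The class, function and label names (NetworkAcl, access_allowed, exposure_report, the "SDK" source label) are assumptions for this example.

```python
from dataclasses import dataclass

# Network types and source type as labelled on the Network Management tab.
VPC, INTERNET, CLASSIC = "VPC", "Internet", "Classic Network"
CONSOLE = "Trusted Gateway (Console)"   # access from the Tablestore console
SDK = "SDK"                             # constructed label: any non-console client
ACCESS_TYPES = ("Custom", "Tablestore Console or Bound VPCs", "Bound VPCs")


@dataclass(frozen=True)
class NetworkAcl:
    """Hypothetical model of one instance's network ACL settings."""
    access_type: str
    # The two options below only take effect when access_type is "Custom";
    # the defaults match the console defaults (everything selected).
    allowed_networks: frozenset = frozenset({VPC, INTERNET, CLASSIC})
    console_allowed: bool = True

    def permits(self, network: str, source: str) -> bool:
        """Return True if a client of `source` arriving over `network` passes the ACL."""
        if self.access_type not in ACCESS_TYPES:
            raise ValueError(f"unknown Access Type: {self.access_type!r}")
        if source == CONSOLE:
            # Console traffic enters via the trusted gateway, so only the mode decides.
            return {"Custom": self.console_allowed,
                    "Tablestore Console or Bound VPCs": True,
                    "Bound VPCs": False}[self.access_type]
        if self.access_type == "Custom":
            return network in self.allowed_networks
        # Both VPC-only modes: every other client must arrive over a bound VPC.
        return network == VPC


def access_allowed(acl: NetworkAcl, policy_allows, network: str, source: str) -> bool:
    """Instance policy and network ACL are combined with AND (see the usage notes)."""
    return policy_allows(network, source) and acl.permits(network, source)


def exposure_report(acl: NetworkAcl) -> frozenset:
    """Audit helper: which non-VPC paths (Internet, classic network, console) stay open."""
    open_paths = {n for n in (INTERNET, CLASSIC) if acl.permits(n, SDK)}
    if acl.permits(VPC, CONSOLE):
        open_paths.add(CONSOLE)
    return frozenset(open_paths)


if __name__ == "__main__":
    print(sorted(exposure_report(NetworkAcl("Custom"))))      # console defaults: all open
    print(sorted(exposure_report(NetworkAcl("Bound VPCs"))))  # []
```

Running exposure_report over each instance's configured setting gives a quick inventory of instances still reachable over the Internet or the classic network.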

Typical scenarios

  • Network security management