Tablestore: Network security management

Last Updated: Feb 04, 2024

By default, Tablestore allows access over all networks. To restrict access, you can bind a virtual private cloud (VPC) to your Tablestore instance and change the network type of the instance so that the instance accepts connections only over the bound VPC.

Network types of Tablestore instances

By default, Tablestore creates a public endpoint, a virtual private cloud (VPC) endpoint, and a classic network endpoint for each instance. For more information, see Endpoints.

  • Public endpoint: used for access over the Internet. Users can access resources of the instance over the Internet by using the public endpoint.

    Important

    If you access Tablestore over the Internet, you are charged for the outbound traffic over the Internet. For more information, see Billing overview.

  • Classic network endpoint: used for access from Elastic Compute Service (ECS) instances that reside in the same region as the instance. When applications on ECS instances access a Tablestore instance in the same region over the classic network, the response latency is lower and no outbound traffic over the Internet is generated.

  • VPC endpoint: used for access from applications in a VPC. You must bind the required VPC to the instance in the Tablestore console. Then, applications in the VPC can access the instance by using the VPC endpoint. For more information, see What is a VPC?

Tablestore supports different combinations of network types to meet different network security requirements.

  • All networks: The instance can be accessed over all networks. For example, you can use the public endpoint, the classic network endpoint, the VPC endpoint, or the Tablestore console to access the instance.

  • Tablestore console and VPCs: The instance can be accessed only from the Tablestore console or over the bound VPCs. This isolates the instance from networks outside your VPCs: you cannot access the instance over the Internet or the classic network.

    Important

    Before you select this network type for an instance, make sure that your business does not require access over the Internet or the classic network.

  • VPCs: The instance can be accessed only over the bound VPCs. You cannot access the instance or its resources over the Internet, over the classic network, or from the Tablestore console. This provides better network isolation than the other two types.

    Important

    Before you select this network type for an instance, make sure that your business does not require access over the Internet or the classic network, or from the Tablestore console.

Access Tablestore instances over VPCs

Prerequisites

Step 1: Bind a VPC to a Tablestore instance

After you bind a VPC to a Tablestore instance, ECS instances in that VPC can access the Tablestore instance. The VPC must reside in the same region as the Tablestore instance.

Important

If you want to manage VPCs as a Resource Access Management (RAM) user, make sure that the AliyunVPCReadOnlyAccess policy is attached to the RAM user by using the Alibaba Cloud account to which the RAM user belongs. Otherwise, you are not authorized to obtain information about VPCs.

  1. Log on to the Tablestore console.
  2. On the Overview page, click the name of the target instance or click Manage Instance in the Actions column.
  3. On the Network Management tab, click Bind VPC.

  4. In the Bind VPC dialog box, select a VPC and a vSwitch, and enter a name for the VPC.

    The name of a VPC can contain only letters and digits and must start with a letter. The name must be 3 to 16 characters in length.

  5. Click OK.

    After the VPC is bound to the Tablestore instance, you can view the information about the VPC in the VPCs section on the Network Management tab. The ECS instances in the VPC can use the VPC endpoint to access the Tablestore instance to which the VPC is bound.

    You can also perform the following operations on the VPC:

    • View details about the VPC: Click Details in the Actions column of the VPC to view information about the VPC, such as the VPC ID, VPC name, VPC endpoint, and the name of the Tablestore instance to which the VPC is bound.

    • Unbind the VPC from the Tablestore instance: If you no longer need to access the Tablestore instance over the VPC, you can unbind the VPC from the Tablestore instance. After the VPC is unbound, the ECS instances in the VPC can no longer use the VPC endpoint to access the Tablestore instance. To restore access from those ECS instances, bind the VPC to the Tablestore instance again.

      Important

      After you unbind the VPC from the Tablestore instance, you can no longer use the VPC endpoint to access the Tablestore instance. Proceed with caution.

      1. Click Unbind in the Actions column of the VPC.
      2. In the Unbind VPC dialog box, make sure that you are aware of the risks.
      3. Click OK.

Step 2: (Optional) Change the network type of the Tablestore instance

By default, Tablestore allows unrestricted access over all networks. If you want a Tablestore instance to allow access only from the Tablestore console or over VPCs, set the network type of the instance to Tablestore Console or Bound VPCs, or to Bound VPCs.

Important

After you set the network type of a Tablestore instance to Tablestore Console or Bound VPCs, or to Bound VPCs, the Tablestore instance cannot be accessed over the Internet or the classic network. The instance can be accessed only from the Tablestore console or over the bound VPCs. Proceed with caution.

  1. Log on to the Tablestore console.
  2. On the Overview page, click the name of the target instance or click Manage Instance in the Actions column.
  3. In the Network Access Control section of the Network Management tab, select an access type based on your network security requirements.

    Note

    If you set the Access Type parameter to Custom, you can customize the allowed network types and allowed source types.

    • To allow access only from the Tablestore console or from ECS instances that reside in the same region as the Tablestore instance over VPCs, set the Access Type parameter to Tablestore Console or Bound VPCs.

    • To allow access only over bound VPCs, set the Access Type parameter to Bound VPCs.

  4. Click Settings. In the Warning dialog box, carefully read the message, select the check box, and then click OK.

    After the change, the instance can be accessed over a VPC only by using the endpoint of a VPC that is bound to the instance.

Step 3: Access the Tablestore instance over the VPC

Use Tablestore SDKs or the Tablestore CLI to access the Tablestore instance from the ECS instances in the VPC by using the VPC endpoint.
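The following Python pre-flight check is an added example and is not part of this page, the Tablestore documentation, or the Tablestore SDK. It classifies a configured endpoint as the VPC, classic network, or public endpoint and refuses to construct a client when the instance has been restricted to bound VPCs but the application is still pointed at the public or classic endpoint, so a misconfiguration fails in the client instead of surfacing as rejected requests. The endpoint host suffixes, the instance name `myinst`, and the `tablestore` package's `OTSClient` constructor are assumptions; verify the suffixes for your region against the Endpoints page.

```python
"""Pre-flight endpoint check for a Tablestore client.

Added example, not Tablestore documentation or SDK code. The endpoint host
suffixes below are assumptions about Alibaba Cloud's endpoint naming, and the
OTSClient constructor is the tablestore Python SDK's, imported lazily so the
check itself runs without the SDK installed.
"""
from urllib.parse import urlparse

# Assumed host suffixes for the three endpoint kinds a Tablestore instance exposes.
# Checked in this order so the more specific suffixes win.
_ENDPOINT_KINDS = (
    ("vpc", ".vpc.tablestore.aliyuncs.com"),
    ("classic", ".ots-internal.aliyuncs.com"),
    ("public", ".ots.aliyuncs.com"),
)


def classify_endpoint(endpoint: str) -> str:
    """Return 'vpc', 'classic', 'public', or 'unknown' for a Tablestore endpoint URL."""
    host = (urlparse(endpoint).hostname or "").lower()
    for kind, suffix in _ENDPOINT_KINDS:
        if host.endswith(suffix):
            return kind
    return "unknown"


def check_endpoint(endpoint: str, instance_name: str, network_type: str) -> list:
    """Return a list of problems; an empty list means the endpoint is acceptable.

    network_type mirrors the console's Access Type setting:
    'all', 'console_or_vpc' (Tablestore Console or Bound VPCs), or 'vpc' (Bound VPCs).
    """
    problems = []
    parsed = urlparse(endpoint)
    if parsed.scheme != "https":
        problems.append("endpoint must use https")
    kind = classify_endpoint(endpoint)
    if kind == "unknown":
        problems.append("endpoint host is not a recognised Tablestore endpoint")
    # The endpoint host begins with the instance name; a mismatch means the client
    # is pointed at a different instance than the one it is configured for.
    host = (parsed.hostname or "").lower()
    if not host.startswith(instance_name.lower() + "."):
        problems.append("endpoint does not belong to instance %r" % instance_name)
    # Once the instance is restricted to bound VPCs, the public and classic
    # endpoints are rejected by the service; fail fast here instead.
    if network_type in ("console_or_vpc", "vpc") and kind != "vpc":
        problems.append("instance allows VPC access only, but endpoint kind is %r" % kind)
    return problems


def make_client(endpoint, instance_name, access_key_id, access_key_secret, network_type="vpc"):
    """Build an OTSClient only if check_endpoint() reports no problems."""
    problems = check_endpoint(endpoint, instance_name, network_type)
    if problems:
        raise ValueError("refusing to create Tablestore client: " + "; ".join(problems))
    # Assumption: the 'tablestore' pip package and its OTSClient(end_point, ak, sk, instance) constructor.
    from tablestore import OTSClient
    return OTSClient(endpoint, access_key_id, access_key_secret, instance_name)


if __name__ == "__main__":
    # Constructed sample endpoints for a hypothetical instance 'myinst' in cn-hangzhou.
    for url in (
        "https://myinst.cn-hangzhou.vpc.tablestore.aliyuncs.com",
        "https://myinst.cn-hangzhou.ots.aliyuncs.com",
        "http://myinst.cn-hangzhou.ots-internal.aliyuncs.com",
    ):
        print(url, classify_endpoint(url), check_endpoint(url, "myinst", "vpc"))
```

Run the check with the network type you selected in the Network Access Control section; an application that keeps the public endpoint in its configuration after the switch to Bound VPCs is reported before any request is sent.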

More access control methods

You can further restrict access to Tablestore resources by using the following methods: