By default, Tablestore supports access through a VPC, a classic network, or the console. You can change the network access type and bind a VPC to an instance to ensure that Tablestore resources can be accessed only through the bound VPC. This configuration prevents access from the public network, a classic network, or other unbound VPCs and ensures network access security.
Instance network types
By default, Tablestore creates a public endpoint, a VPC endpoint, and a classic network endpoint for each instance. For more information, see Endpoints.
- Public endpoint: Accessible from the internet. You can use a public endpoint to access Tablestore resources.
  Important: Accessing Tablestore over the internet incurs outbound data transfer fees. For more information, see Billing overview.
- Classic network endpoint: This endpoint is visible to ECS servers in the same region. Accessing Tablestore from an ECS server in the classic network of the same region provides lower response latency and does not generate public network traffic.
- VPC domain name (the VPC endpoint): This domain name is visible only to applications within a VPC. Applications within a VPC can use the VPC domain name to access Tablestore. For more information, see What is a Virtual Private Cloud (VPC)?.
Tablestore supports various combinations of instance network types to meet different network security requirements.
| Instance network type | Description |
| --- | --- |
| Custom | By default, newly created instances cannot be accessed from the internet. You can access them only via a classic network endpoint, a VPC endpoint, or the console. Important: To access an instance from the internet, log in to the Tablestore console and manually enable public access for the instance. |
| Restrict console or bound VPC access | The instance allows access only from the console or a bound VPC. It cannot be accessed from the internet or a classic network. This provides enhanced network isolation. Important: Before selecting this instance network type, ensure your services do not require access from the internet or a classic network, to prevent service disruptions. |
| Restrict bound VPC access | The instance allows access only from a bound VPC. It cannot be accessed from the internet, a classic network, or the console, so instance resources cannot be viewed or managed from the console either. This provides the strongest network isolation of the three types. Important: Before selecting this instance network type, ensure your services do not require access from the internet, a classic network, or the console, to prevent service disruptions. |
Restrict Tablestore access to bound VPCs
Prerequisites
- You have planned your network and created a Virtual Private Cloud (VPC) and a vSwitch. For more information, see Plan networks and Create a Virtual Private Cloud and a vSwitch (IPv4).
- You have created a Tablestore instance. For more information, see Activate Tablestore and create an instance.
Step 1: Change the network access type
By default, Tablestore allows access through its classic network endpoint, VPC endpoint, or the console. To control network access to your instance, change the access type to Tablestore Console or Bound VPCs, or to Bound VPCs.
After you restrict the access type, the instance will no longer be accessible from the public network or a classic network. Proceed with caution.
1. Log on to the Tablestore console.
2. In the top navigation bar, select a resource group and a region.
3. On the Overview page, in the Instances section, click the instance name or click Manage Instance in the Actions column.
4. On the Network Management tab, in the Network Access Control section, select an access type based on your security requirements.
   - If you want to allow access to Tablestore instance resources only from the console or a bound VPC, set Access Type to Tablestore Console or Bound VPCs.
   - If you want to allow access to Tablestore instance resources only through a bound VPC, set Access Type to Bound VPCs.
   Note: You can also set Access Type to Custom to configure the allowed network types and sources yourself.
5. In the Warning dialog box, carefully read the risks, select the confirmation checkbox, and then click OK.
Step 2: Bind a VPC to the instance
After you bind a VPC to a Tablestore instance, only ECS instances and other applications within that VPC can access the Tablestore instance.
If you bind VPCs as a RAM user, that RAM user must be granted the AliyunVPCReadOnlyAccess permission. Without this permission, the RAM user cannot retrieve VPC information and the binding cannot be completed.
1. Log on to the Tablestore console.
2. In the top navigation bar, select a resource group and a region.
3. On the Overview page, in the Instances section, click the instance name or click Manage Instance in the Actions column.
4. On the Network Management tab, click Bind VPC.
5. In the Bind VPC dialog box, select a VPC and a vSwitch in that VPC, and then enter a name for the VPC binding.
   The VPC binding name must be 3 to 16 characters in length, start with a letter, and can contain only letters and digits.
6. Click OK.
After the binding is successful, the bound VPC is listed in the VPCs section of the Network Management tab. ECS instances and other applications in this VPC can then access the bound Tablestore instance by using its VPC endpoint.
You can perform the following operations as needed.
| Action | Description |
| --- | --- |
| View VPC details | Click Details in the Actions column for the VPC. You can then view the VPC ID, instance name, VPC binding name, and VPC endpoint. |
| Unbind a VPC from the instance | If you no longer use the VPC to access Tablestore, you can unbind the instance from the VPC. Important: After you unbind the VPC, ECS instances and other applications within that VPC can no longer access the Tablestore instance through its VPC endpoint. Proceed with caution. To restore access, you must rebind the VPC. To unbind: 1. Click Unbind in the Actions column for the VPC. 2. In the Unbind VPC dialog box, confirm that you understand the risks. 3. Click OK. |
Step 3: Access Tablestore from the bound VPC
Use a Tablestore SDK or another Tablestore client running on an ECS instance within the bound VPC to access Tablestore resources through the VPC endpoint. Requests sent to the public endpoint or the classic network endpoint are no longer admitted once the access type is restricted.
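The following script is an added example, not Alibaba Cloud's own code. It encodes the access-type table from this page and verifies, from wherever it runs, that the endpoints which should be closed really are closed and that the VPC endpoint is reachable from inside the bound VPC. The endpoint host patterns it uses to classify an endpoint as public, classic or VPC (`*.ots.aliyuncs.com`, `*.ots-internal.aliyuncs.com`, `*.vpc.tablestore.aliyuncs.com`) are my assumption about the Tablestore naming scheme, so check them against the Endpoints documentation for your region; the instance and region names are constructed placeholders.

```python
"""Preflight audit for Tablestore network access restrictions (added example)."""
import urllib.error
import urllib.request
from urllib.parse import urlparse

# Access types as named in the console on this page.
CUSTOM = "Custom"
CONSOLE_OR_VPC = "Tablestore Console or Bound VPCs"
VPC_ONLY = "Bound VPCs"

# Network types each access type admits, taken from the table above.
# "Custom" starts with public access disabled; see allowed_networks().
ALLOWED = {
    CUSTOM: {"classic", "vpc", "console"},
    CONSOLE_OR_VPC: {"vpc", "console"},
    VPC_ONLY: {"vpc"},
}


def allowed_networks(access_type: str, public_enabled: bool = False) -> set:
    """Networks admitted by an access type. Only Custom can have public
    access switched on, and only manually in the console."""
    nets = set(ALLOWED[access_type])
    if access_type == CUSTOM and public_enabled:
        nets.add("public")
    return nets


def classify_endpoint(endpoint: str) -> str:
    """Return 'public', 'classic' or 'vpc' for a Tablestore endpoint URL.
    Host suffixes are an assumption; adjust them to your region's docs."""
    host = urlparse(endpoint).hostname or ""
    if host.endswith(".vpc.tablestore.aliyuncs.com"):
        return "vpc"
    if host.endswith(".ots-internal.aliyuncs.com"):
        return "classic"
    if host.endswith(".ots.aliyuncs.com"):
        return "public"
    raise ValueError(f"not a recognised Tablestore endpoint: {endpoint}")


def expected_reachable(access_type: str, endpoint: str, in_bound_vpc: bool,
                       public_enabled: bool = False) -> bool:
    """Decide from the configured access type whether a client using
    `endpoint` should be admitted. The VPC endpoint only works for a
    client that is itself inside a bound VPC."""
    net = classify_endpoint(endpoint)
    nets = allowed_networks(access_type, public_enabled)
    if net == "vpc":
        return "vpc" in nets and in_bound_vpc
    return net in nets


def probe(endpoint: str, timeout: float = 5.0) -> str:
    """Network-layer check only: 'responded' if the endpoint answers at the
    HTTP layer with any status (an auth error counts), 'unreachable' on
    DNS, connect or timeout failures. The service can still reject an API
    request from a disallowed source, so the authoritative check remains
    an authenticated SDK call from inside the bound VPC."""
    try:
        urllib.request.urlopen(endpoint, timeout=timeout)
        return "responded"
    except urllib.error.HTTPError:
        return "responded"
    except OSError:  # URLError, socket.timeout and plain socket errors
        return "unreachable"


def audit(access_type: str, endpoints: list, in_bound_vpc: bool,
          public_enabled: bool = False) -> list:
    """Compare expectation with observation; each mismatch is a finding
    as (endpoint, expected_reachable, observed_reachable)."""
    findings = []
    for ep in endpoints:
        want = expected_reachable(access_type, ep, in_bound_vpc, public_enabled)
        got = probe(ep) == "responded"
        if want != got:
            findings.append((ep, want, got))
    return findings


if __name__ == "__main__":
    # Constructed sample endpoints for a placeholder instance and region.
    eps = [
        "https://myinst.cn-hangzhou.ots.aliyuncs.com",
        "https://myinst.cn-hangzhou.ots-internal.aliyuncs.com",
        "https://myinst.cn-hangzhou.vpc.tablestore.aliyuncs.com",
    ]
    # Run from a host outside the VPC after switching to "Bound VPCs":
    # every endpoint is expected to be closed, so any 'responded' is a finding.
    for ep, want, got in audit(VPC_ONLY, eps, in_bound_vpc=False):
        print(f"MISMATCH {ep}: expected reachable={want}, observed={got}")
```

Run it once from a machine outside the bound VPC (all three endpoints should be unreachable) and once from an ECS instance inside it with `in_bound_vpc=True` (only the VPC endpoint should respond). Keep the probe's limitation in mind: a TCP or HTTP response proves only that the network path is open, not that the service would accept a request from that source.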
More access control operations
You can use the following methods to further restrict user access to your resources.
- Use a RAM policy to control a RAM user's access to specific resources based on conditions such as IP address, HTTPS protocol, access time, and TLS version. For more information, see Grant permissions to a RAM user by using a RAM policy and Custom RAM policies.
- Use an instance policy to control access to the Tablestore instance based on conditions such as the source VPC, IP address, and TLS version. For more information, see Configure an instance policy and Permissions of instance policies.
- For enterprise accounts, use control policies in Resource Directory to define resource access boundaries. For example, you can enforce a minimum TLS version or allow users to create only instances that are inaccessible from the public network. For more information, see Grant permissions by using a control policy and Custom control policies.
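To reason about a source-VPC and transport condition before applying it as an instance policy, here is an added example (not Alibaba Cloud's code and not the service's policy engine) with a constructed policy document and a deliberately simplified evaluator. The policy shape (`Version`, `Statement`, `Effect`, `Action`, `Resource`, `Condition`) and the global condition keys `acs:SourceVpc`, `acs:SourceIp` and `acs:SecureTransport` are as I know them from RAM; the TLS-version key is left out because its exact name should be taken from the Tablestore policy documentation. The VPC ID is a placeholder, and the `ots:` action names and the `10.0.0.0/8` range are assumptions for illustration.

```python
"""Simplified evaluator for an instance-policy deny rule keyed on source VPC
and transport (added example; a model for review, not the real engine)."""
import ipaddress

# Constructed policy: deny every Tablestore action unless the request
# arrives from the bound VPC over HTTPS, then allow two read actions
# from a private range. "vpc-PLACEHOLDER" stands in for the bound VPC ID.
POLICY = {
    "Version": "1",
    "Statement": [
        {   # Requests from any other VPC, or from no VPC at all, are denied.
            "Effect": "Deny",
            "Action": "ots:*",
            "Resource": "*",
            "Condition": {"StringNotEquals": {"acs:SourceVpc": "vpc-PLACEHOLDER"}},
        },
        {   # Plain HTTP is denied regardless of source.
            "Effect": "Deny",
            "Action": "ots:*",
            "Resource": "*",
            "Condition": {"Bool": {"acs:SecureTransport": "false"}},
        },
        {   # Least privilege: only the actions the workload needs.
            "Effect": "Allow",
            "Action": ["ots:ListTable", "ots:GetRow"],
            "Resource": "*",
            "Condition": {"IpAddress": {"acs:SourceIp": "10.0.0.0/8"}},
        },
    ],
}


def _match_action(pattern: str, action: str) -> bool:
    """Exact match or trailing-wildcard match such as 'ots:*'."""
    return pattern == action or (pattern.endswith("*") and action.startswith(pattern[:-1]))


def _condition_holds(cond: dict, ctx: dict) -> bool:
    """All operator/key pairs must hold. A key missing from the request
    context makes a negated operator (StringNotEquals) true, which is what
    makes the first Deny catch requests that carry no source VPC."""
    for op, pairs in cond.items():
        for key, want in pairs.items():
            have = ctx.get(key)
            if op == "StringEquals":
                if have != want:
                    return False
            elif op == "StringNotEquals":
                if have == want:
                    return False
            elif op == "Bool":
                if str(have).lower() != str(want).lower():
                    return False
            elif op == "IpAddress":
                if have is None or ipaddress.ip_address(have) not in \
                        ipaddress.ip_network(want, strict=False):
                    return False
            else:
                raise ValueError(f"unsupported operator: {op}")
    return True


def evaluate(policy: dict, action: str, ctx: dict) -> str:
    """Explicit Deny wins over Allow; with no matching Allow the request is
    implicitly denied. Returns 'Allow', 'Deny' or 'Deny (implicit)'."""
    allowed = False
    for st in policy["Statement"]:
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        if not any(_match_action(a, action) for a in actions):
            continue
        if not _condition_holds(st.get("Condition", {}), ctx):
            continue
        if st["Effect"] == "Deny":
            return "Deny"
        allowed = True
    return "Allow" if allowed else "Deny (implicit)"


# Constructed request contexts for the cases a reviewer wants to see.
FROM_BOUND_VPC = {"acs:SourceVpc": "vpc-PLACEHOLDER", "acs:SecureTransport": "true",
                  "acs:SourceIp": "10.1.2.3"}
FROM_INTERNET = {"acs:SecureTransport": "true", "acs:SourceIp": "203.0.113.7"}
FROM_BOUND_VPC_HTTP = dict(FROM_BOUND_VPC, **{"acs:SecureTransport": "false"})
FROM_OTHER_VPC = dict(FROM_BOUND_VPC, **{"acs:SourceVpc": "vpc-OTHER"})

if __name__ == "__main__":
    for name, ctx in [("bound VPC, https", FROM_BOUND_VPC), ("internet", FROM_INTERNET),
                      ("bound VPC, http", FROM_BOUND_VPC_HTTP), ("other VPC", FROM_OTHER_VPC)]:
        print(f"{name:18} GetRow -> {evaluate(POLICY, 'ots:GetRow', ctx)}")
    print(f"{'bound VPC, https':18} CreateTable -> {evaluate(POLICY, 'ots:CreateTable', FROM_BOUND_VPC)}")
```

The two Deny statements express the network boundary, and the single Allow expresses least privilege for the workload; a request that passes the boundary but asks for an action outside the Allow list still ends in an implicit deny, which is the behaviour to confirm before the policy goes live.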