
Tablestore: Network security management

Last Updated: Jun 20, 2026

By default, Tablestore supports access through a VPC, a classic network, or the console. You can change the network access type and bind a VPC to an instance to ensure that Tablestore resources can be accessed only through the bound VPC. This configuration prevents access from the public network, a classic network, or other unbound VPCs and ensures network access security.

Instance network types

By default, Tablestore creates a public endpoint, a VPC endpoint, and a classic network endpoint for each instance. For more information, see Endpoints.

  • Public endpoint: Accessible from the internet. You can use a public endpoint to access Tablestore resources.

    Important

    Accessing Tablestore over the internet incurs outbound data transfer fees. For more information, see Billing overview.

  • Classic network endpoint: This endpoint is visible to ECS servers in the same region. Accessing Tablestore from an ECS server in the classic network of the same region provides lower response latency and does not generate public network traffic.

  • VPC endpoint: This endpoint is visible to applications within a VPC environment. Applications within a VPC environment can use the VPC endpoint to access Tablestore. For more information, see What is a Virtual Private Cloud (VPC)?.

Tablestore supports various combinations of instance network types to meet different network security requirements.

  • Custom: By default, newly created instances cannot be accessed from the internet. You can access them only via a classic network endpoint, a VPC endpoint, or the console.

    Important

    To access an instance from the internet, log in to the Tablestore console and manually enable public access for the instance.

  • Restrict console or bound VPC access: The instance allows access only from the console or a bound VPC. It cannot be accessed from the internet or a classic network. This provides enhanced network isolation.

    Important

    Before selecting this instance network type, ensure your services do not require access from the internet or a classic network to prevent service disruptions.

  • Restrict bound VPC access: The instance allows access only from a bound VPC. It cannot be accessed from the internet, a classic network, or the console. You also cannot access instance resources from the console. This provides enhanced network isolation.

    Important

    Before selecting this instance network type, ensure your services do not require access from the internet, a classic network, or the console to prevent service disruptions.

Restrict Tablestore access to bound VPCs

Prerequisites

Step 1: Change the network access type

By default, Tablestore allows access through its classic network endpoint, VPC endpoint, or the console. To control network access to your instance, you can change the access type to either "Tablestore Console or Bound VPCs" or "Bound VPCs".

Important

After you restrict the access type, the instance will no longer be accessible from the public network or a classic network. Proceed with caution.

  1. Log on to the Tablestore console.

  2. In the top navigation bar, select a resource group and a region.

  3. On the Overview page, in the Instances section, click the instance name or click Manage Instance in the Actions column.

  4. On the Network Management tab, in the Network Access Control section, select an access type based on your security requirements.

    • If you want to allow access to Tablestore instance resources only from the console or a bound VPC, set Access Type to Tablestore Console or Bound VPCs.

    • If you want to allow access to Tablestore instance resources only through a bound VPC, set Access Type to Bound VPCs.

    Note

    You can also set Access Type to Custom to configure allowed network types and sources.

  5. In the Warning dialog box, carefully read the risks, select the confirmation checkbox, and then click OK.

Step 2: Bind a VPC to the instance

After you bind a VPC to a Tablestore instance, only ECS instances within that VPC can access the Tablestore instance.

Important

If you bind VPCs as a RAM user, that user must be granted the AliyunVPCReadOnlyAccess permission. Without this permission, the user cannot retrieve VPC information.

  1. Log on to the Tablestore console.

  2. In the top navigation bar, select a resource group and a region.

  3. On the Overview page, in the Instances section, click the instance name or click Manage Instance in the Actions column.

  4. On the Network Management tab, click Bind VPC.

  5. In the Bind VPC dialog box, select a VPC and a vSwitch within that VPC, and then enter a name for the VPC binding.

    The VPC binding name must be 3 to 16 characters in length, start with a letter, and can contain only letters and digits.

  6. Click OK.

    After the binding is successful, the bound VPC is listed in the VPCs section of the Network Management tab. ECS instances in this VPC can then access the bound Tablestore instance by using its VPC endpoint.

    You can perform the following operations as needed.

    • View VPC details: Click Details in the Actions column for the VPC. You can then view the VPC ID, instance name, VPC binding name, and VPC endpoint.

    • Unbind a VPC from the instance: If you no longer use the VPC to access Tablestore, you can unbind the instance from the VPC.

      Important

      After you unbind the VPC, ECS instances within that VPC can no longer access the Tablestore instance through its VPC endpoint. Proceed with caution. To restore access, you must rebind the VPC.

      1. Click Unbind in the Actions column for the VPC.

      2. In the Unbind VPC dialog box, confirm that you understand the risks.

      3. Click OK.

Step 3: Access Tablestore from the bound VPC

Use a Tablestore SDK or the Tablestore CLI on an ECS instance within the bound VPC to access Tablestore resources through the VPC endpoint.
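
One way to verify the result from an ECS instance in the bound VPC, as an added example that is not part of the original documentation: it issues a ListTable call through each of the instance's three endpoints with the Tablestore Python SDK and reports any path that contradicts the restricted access type. The endpoint and instance values are placeholders, and the OTS_AK_ID / OTS_AK_SECRET environment variable names and the sdk_probe / audit helpers are assumptions of this example.

```python
import os

# Expected outcome per endpoint kind once Access Type is "Bound VPCs" or
# "Tablestore Console or Bound VPCs", probing from a host in the bound VPC.
EXPECTED = {"public": False, "classic": False, "vpc": True}


def sdk_probe(endpoint, instance):
    """Return True if a ListTable call through `endpoint` succeeds."""
    # Imported lazily so audit() can be exercised without the SDK installed.
    from tablestore import OTSClient, OTSClientError, OTSServiceError
    # Assumed environment variable names for the access key pair.
    client = OTSClient(endpoint, os.environ["OTS_AK_ID"],
                       os.environ["OTS_AK_SECRET"], instance)
    try:
        client.list_table()
        return True
    except (OTSClientError, OTSServiceError):
        # Network failure or a server-side rejection: the path is not usable.
        return False


def audit(endpoints, instance, probe=sdk_probe, expected=EXPECTED):
    """Probe every endpoint and return (kind, message) for each mismatch."""
    findings = []
    for kind, url in endpoints.items():
        reachable = probe(url, instance)
        if reachable and not expected[kind]:
            findings.append((kind, "EXPOSED: request succeeded but should be blocked"))
        elif not reachable and expected[kind]:
            findings.append((kind, "BROKEN: bound-VPC path failed; check the VPC binding"))
    return findings


if __name__ == "__main__":
    # Placeholders: copy the real endpoints from the instance's console page.
    endpoints = {
        "public": "https://PUBLIC-ENDPOINT-PLACEHOLDER",
        "classic": "https://CLASSIC-ENDPOINT-PLACEHOLDER",
        "vpc": "https://VPC-ENDPOINT-PLACEHOLDER",
    }
    for kind, message in audit(endpoints, "INSTANCE-NAME-PLACEHOLDER"):
        print(kind, message)
```

A BROKEN result on the VPC path can also be caused by invalid credentials, so confirm the keys work before treating blocked public and classic probes as proof of isolation.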

More access control operations

You can use the following methods to further restrict user access to your resources.