By configuring a Network ACL for an instance, you can restrict the network types that can access the Tablestore instance and ensure secure network access.
Background information
By default, Tablestore creates a public endpoint, a VPC endpoint, and a classic network endpoint for each instance. For more information, see Endpoints.
- Public endpoint: Accessible from the internet. You can use a public endpoint to access Tablestore resources.
  Important: Accessing Tablestore over the internet incurs outbound data transfer fees. For more information, see Billing overview.
- Classic network endpoint: This endpoint is visible to ECS servers in the same region. Accessing Tablestore from an ECS server in the classic network of the same region provides lower response latency and does not generate public network traffic.
- VPC domain name: This domain name is visible to applications within a VPC environment. Applications within a VPC environment can use the VPC domain name to access Tablestore. For more information, see What is a Virtual Private Cloud (VPC)?.
Tablestore supports various combinations of instance network types to meet different network security requirements.
| Instance network type | Description |
| --- | --- |
| Custom | By default, newly created instances cannot be accessed from the internet. You can access them only via a classic network endpoint, a VPC endpoint, or the console. Important: To access an instance from the internet, log in to the Tablestore console and manually enable public access for the instance. |
| Restrict console or bound VPC access | The instance allows access only from the console or a bound VPC. It cannot be accessed from the internet or a classic network. This provides enhanced network isolation. Important: Before selecting this instance network type, ensure your services do not require access from the internet or a classic network, to prevent service disruptions. |
| Restrict bound VPC access | The instance allows access only from a bound VPC. It cannot be accessed from the internet, a classic network, or the console, so instance resources cannot be managed from the console either. This provides enhanced network isolation. Important: Before selecting this instance network type, ensure your services do not require access from the internet, a classic network, or the console, to prevent service disruptions. |
Notes
- If you configure both an Instance Policy and a Network ACL for an instance, an access request is granted only if it satisfies the conditions of both.
- If you want to access a Tablestore instance from a specified VPC, make sure that you have bound the VPC to the instance. For more information, see Bind a VPC to an instance.
- If you set the Access Type for an instance to Bound VPCs, you can access the Tablestore instance only from the bound VPC by using an SDK, a command-line tool, or other tools.
  - You cannot access Tablestore from the console. On the Instance Management page, only the features on the Instance Monitoring, Network Management, and Security Policy tabs are available. The features on the Instance Details, Deliver Data to OSS, and Query by Executing SQL Statement tabs are unavailable.
  - If you need to access the Tablestore instance from the console again, change its Access Type on the Network Management tab.
Procedure
1. Log in to the Tablestore console.
2. In the top navigation bar, select a resource group and a region.
3. On the Overview page, find your instance in the Instances section. Then, click the instance name or click Manage Instance in the Actions column.
4. On the Instance Management page, click the Network Management tab. Configure the network access parameters as described below, and then click Settings.
   By default, Tablestore allows access from a VPC, a classic network, or the console. You can restrict access by configuring the Allowed Network Type or Allowed Source Type.

   Access Type: The network access type. Valid values:
   - Custom: Allows you to customize the allowed network types and source types. A client can access Tablestore if its connection meets the requirements of at least one configured network type or of the allowed source type.
   - Tablestore Console or Bound VPCs: Allows access to Tablestore only from the console or a bound VPC.
   - Bound VPCs: Allows access to Tablestore only from a bound VPC by using an SDK, a command-line tool, or other tools.

   Allowed Network Type (available only when Access Type is set to Custom): Specifies the network types that can be used to access Tablestore resources. You can select multiple network types. Valid values:
   - VPC: Allows access through a VPC. VPC is selected by default. If you do not require access through a VPC, deselect VPC.
   - Internet: Allows access from the internet. The Internet checkbox is cleared by default, which denies access from the internet. To allow access from the internet, select the Internet checkbox.
   - Classic Network: Allows access from the classic network. Classic Network is selected by default. If you do not need access from the classic network, deselect Classic Network.

   Allowed Source Type (available only when Access Type is set to Custom): Specifies whether to allow access to Tablestore resources from the console. Trusted Gateway (Console) is selected by default, which enables console access. If you do not require console access, deselect Trusted Gateway (Console).
5. If a mobile phone number is bound to your Alibaba Cloud account, you must complete verification. In the Mobile Verification dialog box, obtain and enter a verification code.
   The system applies the changes only after successful verification.
6. In the Warning dialog box, carefully read the risks, select the confirmation checkbox, and then click OK.
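The following model, added here as an example and not Alibaba Cloud or Tablestore code, encodes the admission rules stated above: the three Access Type values, the Custom defaults (VPC and Classic Network selected, Internet cleared, Trusted Gateway (Console) selected), the requirement that a VPC be bound to the instance, and the rule from the Notes that an Instance Policy and a Network ACL must both admit a request. The names NetworkAcl, Request, acl_allows, request_allowed and lockout_warnings are hypothetical; lockout_warnings reproduces the page's Important notes as a pre-change check you can run against a planned setting before clicking Settings.

```python
"""Model of how a Tablestore instance's Network ACL admits or denies a request.

Added example, not Alibaba Cloud code: NetworkAcl, Request, acl_allows,
request_allowed and lockout_warnings are hypothetical names that only
encode the rules stated in the documentation page.
"""
from dataclasses import dataclass, field

# Access Type values, as named in the console
CUSTOM = "Custom"
CONSOLE_OR_BOUND_VPCS = "Tablestore Console or Bound VPCs"
BOUND_VPCS = "Bound VPCs"

NETWORK_TYPES = ("VPC", "Internet", "Classic Network")


@dataclass
class NetworkAcl:
    """Network ACL settings, initialised with the console defaults from the page."""
    access_type: str = CUSTOM
    # Allowed Network Type: VPC and Classic Network selected, Internet cleared
    allowed_network_types: set = field(default_factory=lambda: {"VPC", "Classic Network"})
    # Allowed Source Type: Trusted Gateway (Console) selected
    console_allowed: bool = True


@dataclass
class Request:
    """Where a request comes from (constructed sample input, not a real log record)."""
    network_type: str            # one of NETWORK_TYPES
    vpc_bound: bool = False      # the VPC is bound to the instance
    from_console: bool = False   # issued through the Tablestore console


def acl_allows(acl: NetworkAcl, req: Request) -> bool:
    """Return True if the Network ACL alone admits the request."""
    if req.network_type not in NETWORK_TYPES:
        raise ValueError(f"unknown network type: {req.network_type}")
    # A VPC is a valid path only once it has been bound to the instance
    via_bound_vpc = req.network_type == "VPC" and req.vpc_bound

    if acl.access_type == BOUND_VPCS:
        # SDK, CLI or other tools from a bound VPC only; the console is excluded
        return via_bound_vpc and not req.from_console
    if acl.access_type == CONSOLE_OR_BOUND_VPCS:
        return req.from_console or via_bound_vpc
    if acl.access_type == CUSTOM:
        # Admitted if any allowed network type matches, or the source is the console
        network_ok = req.network_type in acl.allowed_network_types and (
            req.network_type != "VPC" or req.vpc_bound)
        console_ok = req.from_console and acl.console_allowed
        return network_ok or console_ok
    raise ValueError(f"unknown access type: {acl.access_type}")


def request_allowed(acl: NetworkAcl, req: Request, instance_policy_allows: bool) -> bool:
    """Instance Policy and Network ACL are combined with AND: both must admit the request."""
    return acl_allows(acl, req) and instance_policy_allows


def lockout_warnings(acl: NetworkAcl) -> list:
    """Pre-change checks mirroring the page's Important notes for a planned setting."""
    warnings = []
    if acl.access_type == BOUND_VPCS:
        warnings.append("Console, internet and classic network access will be denied; the "
                        "Instance Details, Deliver Data to OSS and SQL query tabs become unavailable.")
    elif acl.access_type == CONSOLE_OR_BOUND_VPCS:
        warnings.append("Internet and classic network access will be denied.")
    elif "Internet" in acl.allowed_network_types:
        warnings.append("Internet access enabled: outbound data transfer fees apply.")
    if acl.access_type == CUSTOM and not acl.console_allowed:
        warnings.append("Console access disabled; re-enable it on the Network Management tab.")
    return warnings


if __name__ == "__main__":
    default_acl = NetworkAcl()
    print(acl_allows(default_acl, Request("Internet")))                 # False: Internet cleared by default
    print(acl_allows(default_acl, Request("Internet", from_console=True)))  # True: console source admitted
    locked = NetworkAcl(access_type=BOUND_VPCS)
    print(acl_allows(locked, Request("VPC", vpc_bound=True, from_console=True)))  # False: console excluded
    for w in lockout_warnings(locked):
        print("WARNING:", w)
```

A console request is modelled as a source flag on top of whatever network path it arrives by, which is what makes the Custom rule an OR between network type and source type: with the defaults, a console request is admitted even though Internet is cleared, while switching to Bound VPCs rejects the same request regardless of path.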