Secure Multi‑Tenant Data Lakes on Alibaba Cloud: OSS Access Points + VPC Gateway Endpoints
This guide explains how to build a secure, multi‑tenant data lake on Alibaba Cloud by combining OSS Access Points with VPC Gateway Endpoints, covering architecture overview, step‑by‑step configuration, policy examples, and best‑practice considerations for private‑network access.
Background
Enterprises that build a centralized data lake or warehouse on Alibaba Cloud OSS often need three conflicting capabilities: private‑network only access, fine‑grained permission isolation for different departments, and a manageable policy size. Placing all permissions in a single bucket policy quickly becomes complex and hits size limits.
Solution Overview
The recommended architecture combines OSS Access Points (AP) with VPC Gateway Endpoints to provide secure, multi‑tenant private access.
Each business unit gets a dedicated Access Point with its own AP policy, isolating permissions from the central bucket policy.
A VPC Gateway Endpoint creates a private path (a "green channel") from the VPC to OSS, so traffic never traverses the public network and public-bandwidth cost is avoided.
Data flow:
ECS instance → VPC route table → VPC Gateway Endpoint → OSS internal network → Access Point (AP policy) → Bucket (Bucket policy)
Step‑by‑Step Configuration
1. Create VPC Gateway Endpoint
Log in to the VPC console.
Navigate to Endpoints > Gateway Endpoints.
Click Create Endpoint and set the following fields:
Service type: Alibaba Cloud Service.
Service name: com.aliyun.<region>.oss (e.g., com.aliyun.cn-hangzhou.oss).
VPC: select the VPC where your workloads run.
Route table: select the route table bound to the ECS subnet that needs OSS access.
After creation, a route to OSS is automatically added to the selected route table.
2. Create OSS Access Points
Log in to the OSS console.
Open the target bucket and choose Access Points > Create Access Point.
Configure the Access Point:
Name: e.g., finance-ap.
Network type: VPC.
VPC ID: the same VPC used in step 1.
Access Point Policy: define the users and resources that may use this AP.
Saving creates an Access Point alias and a dedicated domain name.
3. Configure Policies
Three policies must be aligned: Access Point Policy, Bucket Policy, and VPC Endpoint Policy.
3.1 Access Point Policy Example
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": ["ACS:RAM:1234567890123456:role/FinanceRole"],
      "Action": ["oss:GetObject", "oss:PutObject"],
      "Resource": ["acs:oss:cn-hangzhou:1234567890123456:accesspoint/finance-ap1"]
    }
  ]
}
3.2 Bucket Policy (Access Point Delegation)
The bucket policy delegates permission to a set of Access Points. Three delegation condition keys are supported: oss:DataAccessPointArn, oss:DataAccessPointAccount, and oss:AccessPointNetworkOrigin.
{
  "Version": "1",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["oss:*"],
    "Principal": "*",
    "Resource": ["acs:oss:*:137918634953****:company-data-lake/finance/*"],
    "Condition": {
      "StringEquals": {
        "oss:DataAccessPointArn": [
          "acs:oss:cn-hangzhou:1234567890123456:accesspoint/finance-ap1",
          "acs:oss:cn-hangzhou:1234567890123456:accesspoint/finance-ap2",
          "acs:oss:cn-hangzhou:1234567890123456:accesspoint/finance-ap3"
        ]
      }
    }
  }]
}
3.3 VPC Gateway Endpoint Policy
{
  "Version": "1",
  "Statement": [{
    "Effect": "Allow",
    "Action": "oss:*",
    "Principal": ["123456789012****"],
    "Resource": [
      "acs:oss:*:*:example-bucket",
      "acs:oss:*:*:example-bucket/*"
    ]
  }]
}
Best Practices & Caveats
Domain switching: after creating an Access Point, use its domain (e.g., finance-ap-xxxx.oss-cn-hangzhou.oss-accesspoint.aliyuncs.com) or alias in the SDK/CLI instead of the original bucket domain.
Region consistency: the VPC endpoint, Access Point, and bucket must reside in the same Alibaba Cloud region.
Permission stacking: access succeeds only when the RAM policy, Access Point policy, and Bucket policy all grant the required permission; a VPC Gateway Endpoint policy, if one is set (see 3.3), must allow it as well.
Endpoint type limitation: VPC Gateway Endpoints support only same‑region private access; cross‑region access requires a reverse proxy or Cloud Enterprise Network (CEN).
Resource limits: each UID can create up to 1,000 Access Points, which is sufficient for most multi‑tenant scenarios.
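As an added consistency check (example code, not part of this guide or of Alibaba Cloud's tooling), the script below takes the three policies from section 3 as Python dicts and reports the misalignments that the permission-stacking rule turns into access denials: an Access Point the bucket policy does not delegate to, an AP in a different region or account from the bucket, a bucket-policy resource outside the bucket, or an endpoint policy that does not cover the bucket's objects. The account ID, bucket name and policies are constructed to mirror the guide's examples; `check_alignment` and the helpers are hypothetical names.

```python
from fnmatch import fnmatchcase

# Constructed policies mirroring the guide's examples (placeholder account ID).
ACCOUNT, REGION, BUCKET = "1234567890123456", "cn-hangzhou", "company-data-lake"
AP_ARN = f"acs:oss:{REGION}:{ACCOUNT}:accesspoint/finance-ap1"
AP_POLICY = {"Version": "1", "Statement": [{"Effect": "Allow",
    "Principal": [f"ACS:RAM:{ACCOUNT}:role/FinanceRole"],
    "Action": ["oss:GetObject", "oss:PutObject"], "Resource": [AP_ARN + "/object/*"]}]}
BUCKET_POLICY = {"Version": "1", "Statement": [{"Effect": "Allow", "Action": ["oss:*"],
    "Principal": "*", "Resource": [f"acs:oss:*:{ACCOUNT}:{BUCKET}/finance/*"],
    "Condition": {"StringEquals": {"oss:DataAccessPointArn": [AP_ARN]}}}]}
ENDPOINT_POLICY = {"Version": "1", "Statement": [{"Effect": "Allow", "Action": "oss:*",
    "Principal": [ACCOUNT], "Resource": [f"acs:oss:*:*:{BUCKET}", f"acs:oss:*:*:{BUCKET}/*"]}]}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _allows(policy):
    return [s for s in policy["Statement"] if s.get("Effect") == "Allow"]

def _ap_arn(resource):
    parts = resource.split(":", 4)  # acs:oss:<region>:<account>:accesspoint/<name>[/object/...]
    return ":".join(parts[:4] + ["/".join(parts[4].split("/")[:2])])

def delegated_ap_arns(bucket_policy):
    """APs the bucket policy delegates to via the oss:DataAccessPointArn condition."""
    return {a for s in _allows(bucket_policy) for a in _as_list(
        s.get("Condition", {}).get("StringEquals", {}).get("oss:DataAccessPointArn", []))}

def check_alignment(ap_policy, bucket_policy, endpoint_policy, bucket, region, account):
    """Return findings that would make a request through the AP fail; [] means aligned."""
    findings, delegated = [], delegated_ap_arns(bucket_policy)
    for s in _allows(ap_policy):
        for res in _as_list(s["Resource"]):
            arn = _ap_arn(res)
            _, _, ap_region, ap_account, _ = arn.split(":", 4)
            if ap_region != region or ap_account != account:
                findings.append(f"{arn}: region/account differ from bucket ({region}/{account})")
            if arn not in delegated:
                findings.append(f"{arn}: bucket policy does not delegate to this Access Point")
    for s in _allows(bucket_policy):
        for res in _as_list(s["Resource"]):
            if res.split(":", 4)[4].split("/", 1)[0] != bucket:
                findings.append(f"bucket policy resource {res} is outside bucket {bucket}")
    obj_arn = f"acs:oss:{region}:{account}:{bucket}/object"  # any object in the bucket
    if not any(fnmatchcase(obj_arn, p) for s in _allows(endpoint_policy)
               for p in _as_list(s["Resource"])):
        findings.append("VPC endpoint policy does not cover objects in the bucket")
    return findings
```

Run `check_alignment(AP_POLICY, BUCKET_POLICY, ENDPOINT_POLICY, BUCKET, REGION, ACCOUNT)` against policies exported from the console; an empty list means the three layers agree, and each finding names the layer to fix.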
Conclusion
Combining OSS Access Points with VPC Gateway Endpoints provides a scalable, secure, and cost‑effective architecture for enterprise data lakes. The design isolates permissions per department, removes public‑network exposure, and reduces bandwidth costs.
Reference links:
VPC console: https://vpc.console.aliyun.com/
OSS console: https://oss.console.aliyun.com/
Access Point documentation: https://help.aliyun.com/zh/oss/user-guide/access-point/