OSS provides diverse network access solutions covering domain configuration, performance optimization, security protection, and dedicated access. Use these capabilities to build an efficient, stable, and secure storage access architecture.
Quick selection
Category | Scenario | Recommended solution |
--- | --- | --- |
Basic access | Query endpoints and internal VIP CIDR blocks for all regions | Regions and endpoints |
Basic access | Format and usage of domain types such as public endpoint, internal endpoint, and acceleration endpoint | Domain types |
Basic access | Enable online preview of files and unify brand identity | Bind a custom domain name (see Domain types) |
Performance optimization | Global distribution and acceleration of static resources such as images, audio and video files, and documents | CDN acceleration |
Performance optimization | Accelerate cross-region and cross-border uploads and downloads | Transfer acceleration |
Security protection | Enable HTTPS encrypted transmission for a custom domain name | HTTPS |
Security protection | Establish a secure and isolated private connection between your VPC and OSS | PrivateLink private connection |
Security protection | Prevent unauthorized use of resources by other websites, which may cause traffic costs to surge | Hotlink protection |
Dedicated access | Access OSS using a fixed IP address | Reverse proxy on an ECS instance |
Dedicated access | Grant differentiated permissions to multiple applications or teams accessing the same bucket | Access points |
Web applications | Host static files from a bucket as a website | Static website hosting |
Web applications | Resolve cross-domain blocking when browsers load OSS resources | Cross-domain settings |
Domain types
OSS provides different types of access domains based on network environment and performance requirements. For formats, usage examples, and switching methods of each domain type, see Access OSS using endpoints and bucket domain names. For endpoints in each region, see Regions and endpoints.
Due to a policy change to improve compliance and security, starting March 20, 2025, new OSS users must use a custom domain name (CNAME) to perform data API operations on OSS buckets located in Chinese mainland regions. Default public endpoints are restricted for these operations. Refer to the official announcement for the complete list of affected operations. If you access your data over HTTPS, you must bind a valid SSL certificate to your custom domain name. This is mandatory for access through the OSS console, because the console enforces HTTPS.
Domain type | Use case | Billing characteristics | Activation required |
--- | --- | --- | --- |
Public endpoint | Public access from web applications and mobile clients | Billed by outbound traffic over Internet | Available by default |
Internal endpoint | Alibaba Cloud internal network access (for example, ECS instances accessing OSS) | Free for internal network traffic | Available by default |
Acceleration endpoint | High-speed cross-region and cross-border uploads and downloads | In addition to outbound traffic over Internet fees, you are charged transfer acceleration fees | You must enable transfer acceleration |
Dual-stack endpoint | Access OSS over IPv6 networks | Billed by outbound traffic over Internet | Supported in selected regions |
CNAME | Used for DNS resolution when binding a custom domain name | Billed by outbound traffic over Internet | You must bind a custom domain name and configure CNAME resolution |
When you access HTML files, images, and other objects through an OSS bucket domain name, browsers force downloads instead of online previews. To enable file preview, access OSS using a custom domain name. You can bind a custom domain name to a public endpoint, acceleration endpoint, access point, or object FC access point. If your bucket is in the Chinese mainland, the domain name must have an ICP filing.
Performance optimization
CDN acceleration and transfer acceleration provide acceleration for different scenarios. You can use them separately or together, based on your business needs:
Dimension | CDN acceleration | Transfer acceleration |
--- | --- | --- |
Acceleration principle | Cache static resources at global edge nodes and serve user requests from the nearest point of presence | Use intelligent routing over Alibaba Cloud's backbone network to optimize data transmission paths |
Use case | Frequent reads of static resources (images, audio and video files, document downloads) | Long-distance cross-region and cross-border uploads and downloads |
Upload support | Do not upload through CDN | Support accelerated uploads |
Cost | CDN fees + OSS origin traffic | Outbound traffic over Internet fees + transfer acceleration fees |
Combined use | Configure CDN origin fetch to use the acceleration endpoint to build a dual-acceleration architecture: CDN edge caching plus backbone network acceleration | |
Security protection
HTTPS
OSS bucket domain names support HTTPS access by default, with no extra configuration required. When you access OSS using a custom domain name, configure an SSL certificate for that domain name: if you do not use CDN, upload the certificate for the custom domain name bound to the bucket in the OSS console (Upload Certificate); if you use CDN, configure the SSL certificate for the CDN-accelerated domain name in the CDN console. In production environments, enforce HTTPS with a bucket policy that denies all HTTP requests. Because an explicit Deny overrides every Allow, such a policy also blocks AccessKey-signed requests and public-read downloads that arrive over plain HTTP, so switch your clients to https:// before you apply it. Alibaba Cloud SSL certificates support automatic renewal through certificate hosting. For more information, see Access OSS using HTTPS.
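The policy described above, as an added example that is not Alibaba Cloud's own code: it builds the OSS bucket policy that denies plain-HTTP requests and includes a small evaluator for that one statement. The bucket name `examplebucket` is a placeholder; the policy grammar (Version "1", `acs:oss` resource ARNs) and the condition key `acs:SecureTransport` are those of OSS bucket policies, and `request_denied()` is a deliberately minimal model, not a full policy engine.

```python
"""Bucket policy that denies any OSS request not sent over TLS.

Added example for this page, not Alibaba Cloud's own code. Assumptions:
"examplebucket" is a placeholder bucket name; the policy follows the OSS bucket
policy grammar (Version "1", acs:oss resource ARNs) and uses the condition key
acs:SecureTransport, which OSS sets to "true" for HTTPS and "false" for HTTP.
request_denied() is a deliberately small evaluator for this one statement,
not a full OSS policy engine.
"""
import json
from fnmatch import fnmatchcase

BUCKET = "examplebucket"  # placeholder


def enforce_https_policy(bucket: str) -> dict:
    """Return a bucket policy with one Deny statement for plain-HTTP traffic.

    An explicit Deny wins over every Allow (RAM policy, bucket policy or ACL),
    so this also blocks AccessKey-signed calls and public-read downloads that
    arrive over http://. Keep your existing Allow statements next to it.
    """
    return {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Deny",
                "Action": ["oss:*"],
                "Principal": ["*"],
                "Resource": [f"acs:oss:*:*:{bucket}", f"acs:oss:*:*:{bucket}/*"],
                "Condition": {"Bool": {"acs:SecureTransport": ["false"]}},
            }
        ],
    }


def request_denied(policy: dict, resource: str, secure_transport: bool) -> bool:
    """True if a Deny statement matches the resource and the TLS condition.

    Mirrors the one rule that matters here: a matching Deny blocks the
    request regardless of any Allow elsewhere.
    """
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if not any(fnmatchcase(resource, arn) for arn in stmt["Resource"]):
            continue
        wanted = stmt["Condition"]["Bool"]["acs:SecureTransport"]
        if str(secure_transport).lower() in wanted:
            return True
    return False


if __name__ == "__main__":
    policy = enforce_https_policy(BUCKET)
    print(json.dumps(policy, indent=2))
    obj = f"acs:oss:cn-hangzhou:123456789012:{BUCKET}/img/logo.png"
    assert request_denied(policy, obj, secure_transport=False)
    assert not request_denied(policy, obj, secure_transport=True)
    # To apply with the Python SDK (needs oss2 and credentials; not run here):
    #   bucket = oss2.Bucket(auth, endpoint, BUCKET)
    #   bucket.put_bucket_policy(json.dumps(policy))
```

Apply the JSON through the console's bucket policy editor or with `put_bucket_policy` in the SDK; because the statement denies `oss:*` for the bucket and every object in it, check first that no client, SDK job or scheduled task still speaks plain HTTP to the bucket.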
PrivateLink private connection
PrivateLink creates a dedicated private endpoint for OSS inside your VPC. All traffic flows through Alibaba Cloud's backbone network without traversing the Internet. Compared with the default internal endpoint for OSS, PrivateLink provides higher-level security isolation:
Capability | Internal endpoint | PrivateLink |
--- | --- | --- |
Attack surface | Public service entry exposed to all VPCs | Entry resides inside the VPC. Other VPCs cannot discover or access it |
Network-layer control | Cannot be controlled by security groups | Supports binding security groups to precisely control source IP access |
Audit capability | OSS access logs record only requests that reach the OSS service; connection attempts blocked before that point leave no trace | Supports VPC flow logs to audit all connection attempts, accepted or rejected |
IP planning | Uses the 100.64.0.0/10 CIDR block, which may conflict with your on-premises data center | Uses IPs from your VPC CIDR block, following your custom IP plan |
You can connect on-premises devices or data centers to your VPC using SSL-VPN or Express Connect, then access OSS through PrivateLink. For more information, see Access OSS over PrivateLink.
Hotlink protection
When hotlinking causes traffic costs to surge, configure Referer blacklists and whitelists to restrict access sources. OSS enforces access control in this order: . Hotlink protection applies only to anonymous access and signed URL access. API calls signed with AccessKeys are not restricted. Because the Referer header is set by the client and can be forged, treat hotlink protection as a cost control, not as an access control for sensitive data: keep such objects private and hand out signed URLs instead. If you enable CDN acceleration for OSS, configure hotlink protection rules in CDN as well. Otherwise, hotlink requests may hit the CDN cache and bypass validation. For more information, see Hotlink protection.
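A model of the Referer check described above, as an added example that is not Alibaba Cloud's implementation. It assumes, simplified from the Hotlink protection topic, that a rule uses `*` for any run of characters and `?` for one character and is compared against the Referer's `scheme://host[:port]` with path and query dropped; when both lists are set, the model checks the blacklist first, which is an assumption about precedence rather than a documented fact. All sample requests are constructed. The cases show two things practitioners trip over: a wildcard rule for `*.example.com` does not cover the apex host `example.com`, and a forged Referer passes.

```python
"""Model of OSS hotlink protection (Referer whitelist and blacklist).

Added example for this page, not Alibaba Cloud's implementation. Assumptions,
simplified from the Hotlink protection topic: a rule uses '*' for any run of
characters and '?' for one character and is compared against the Referer's
scheme://host[:port] with path and query dropped (the console's "truncate
query string" behaviour); when both lists are set, this model checks the
blacklist first, which is an assumption about precedence, not a documented
fact. All sample requests are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from urllib.parse import urlsplit


@dataclass
class HotlinkPolicy:
    whitelist: list[str] = field(default_factory=list)
    blacklist: list[str] = field(default_factory=list)
    allow_empty_referer: bool = True


def _origin(referer: str) -> str:
    """Reduce a Referer URL to scheme://host[:port]."""
    parts = urlsplit(referer)
    return f"{parts.scheme}://{parts.netloc}"


def _matches(rules: list[str], referer: str) -> bool:
    origin = _origin(referer)
    return any(fnmatchcase(origin, rule) for rule in rules)


def allowed(policy: HotlinkPolicy, referer: str | None,
            signed_with_accesskey: bool = False) -> bool:
    """Decide whether a request passes hotlink protection.

    Only anonymous requests and signed-URL downloads are checked; requests
    signed with an AccessKey (SDK/API calls) are never subject to the rules.
    """
    if signed_with_accesskey:
        return True
    if not referer:
        return policy.allow_empty_referer
    if policy.blacklist and _matches(policy.blacklist, referer):
        return False
    if policy.whitelist:
        return _matches(policy.whitelist, referer)
    return True


if __name__ == "__main__":
    policy = HotlinkPolicy(whitelist=["https://*.example.com"],
                           allow_empty_referer=False)
    cases = {
        "https://www.example.com/gallery.html?id=1": True,
        "https://example.com/": False,  # apex host has no dot before "example": list it too
        "https://www.example.com.attacker.net/": False,
        "http://www.example.com/": False,  # scheme is part of the rule
        "": False,                         # direct download / curl without Referer
    }
    for referer, expected in cases.items():
        assert allowed(policy, referer) is expected, referer
    # The header is chosen by the client, so a scraper that sets
    # "Referer: https://www.example.com/" passes: this is cost control, not auth.
    assert allowed(policy, "https://www.example.com/") is True
```

When you write the real rules, list both `https://*.example.com` and `https://example.com` if the apex host embeds your objects, decide deliberately whether empty Referers stay allowed (disallowing them also blocks users who paste the URL into the address bar), and remember that AccessKey-signed traffic is never filtered by these rules.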
Dedicated access
Reverse proxy on an ECS instance
OSS resolves its service endpoints to dynamic IP addresses through DNS. This causes problems when you configure firewall allowlists or integrate with systems that require a fixed IP address. Deploy an Nginx reverse proxy on an Elastic Compute Service (ECS) instance with a static public IP address and forward requests through this instance, so that OSS is reached from a fixed IP address. OSS then sees the proxy's public IP as the request source, so bucket policies that condition on acs:SourceIp must allow that IP, and the proxy host becomes part of your trust boundary: restrict who can reach it and forward only to the intended bucket. In production environments, use a high-availability architecture with Server Load Balancer and an ECS instance group across multiple zones. For more information, see Access OSS using a reverse proxy on an ECS instance.
Access points
An access point provides a dedicated access endpoint for a bucket. When multiple applications or teams need to access the same bucket with different permissions, create a separate access point for each and manage permissions individually using access point policies (AP policies) instead of maintaining complex permission rules in a single bucket policy. Each access point has its own alias, access policy, and network source configuration (Internet or a specified VPC). Authorization is evaluated jointly across three layers: RAM policies, bucket policies, and access point policies. For more information, see Access points.
Web applications
Static website hosting
OSS lets you host static files (HTML, CSS, JavaScript, etc.) from a bucket as a publicly accessible website without managing servers. Configure a default index page, subdirectory index pages, and custom 404 error pages. Support single-page applications (SPA) by setting the 404 page to index.html and the response code to 200. For more information, see Static website hosting.
When you access HTML files through an OSS bucket domain name, browsers force downloads. Bind a custom domain name to enable normal webpage browsing.
Cross-domain settings
When your website loads OSS resources and the browser reports a "blocked by CORS policy" error, the browser's same-origin policy is blocking the cross-origin request. Configure CORS rules for your bucket (allowed origins, allowed methods, allowed headers, and so on) to authorize specific websites to access OSS resources across origins. Enable Vary: Origin when you configure multiple origins or wildcard origins, so that a cached response for one origin is not served to another. CORS governs only what browsers expose to page scripts; it is not an access control, so keep the allowed origins as specific as possible. If your bucket uses CDN acceleration, configure cross-origin rules in the CDN console or pass through the OSS CORS response headers. For more information, see Cross-domain settings.
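An added example, not Alibaba Cloud's code, of how CORS rules are matched and why Vary: Origin matters when two whitelisted sites share one cache. `RULES` are constructed rules in the shape of OSS CORS configuration (AllowedOrigin, AllowedMethod, AllowedHeader, MaxAgeSeconds). Modelled behaviour, stated as assumptions: rules are evaluated in order and the first match wins, a match echoes the request Origin in Access-Control-Allow-Origin, and `response_vary` stands for the bucket's "return Vary: Origin" option. `SharedCache` is a toy cache that keys on URL only unless the stored response carries Vary: Origin.

```python
"""OSS CORS rule matching and the cache-pollution case behind "Vary: Origin".

Added example for this page, not Alibaba Cloud's code. RULES are constructed
rules in the shape of OSS CORS configuration (AllowedOrigin, AllowedMethod,
AllowedHeader, MaxAgeSeconds). Modelled behaviour, stated as assumptions:
rules are evaluated in order and the first match wins; a match echoes the
request Origin in Access-Control-Allow-Origin; response_vary stands for the
bucket's "return Vary: Origin" option. SharedCache is a toy cache that keys
on URL only unless the stored response carries Vary: Origin.
"""
from fnmatch import fnmatchcase

RULES = [
    {"AllowedOrigin": ["https://*.example.com"], "AllowedMethod": ["GET", "HEAD"],
     "AllowedHeader": ["Authorization", "x-oss-*"], "MaxAgeSeconds": 600},
    {"AllowedOrigin": ["https://partner.example.net"], "AllowedMethod": ["GET", "PUT"],
     "AllowedHeader": ["*"], "MaxAgeSeconds": 60},
]


def cors_headers(rules, origin, method, request_headers=(), response_vary=True):
    """Return CORS response headers for a request, or {} when no rule matches.

    A rule matches only if the Origin, the method and every requested header
    are allowed. CORS only controls what the browser exposes to scripts, so
    keeping AllowedOrigin specific is what makes the rule worth having.
    """
    for rule in rules:
        if not any(fnmatchcase(origin, o) for o in rule["AllowedOrigin"]):
            continue
        if method not in rule["AllowedMethod"]:
            continue
        allowed = [a.lower() for a in rule.get("AllowedHeader", [])]
        if not all(any(fnmatchcase(h.lower(), a) for a in allowed) for h in request_headers):
            continue
        headers = {
            "Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Methods": ",".join(rule["AllowedMethod"]),
            "Access-Control-Max-Age": str(rule.get("MaxAgeSeconds", 0)),
        }
        if request_headers:
            headers["Access-Control-Allow-Headers"] = ",".join(request_headers)
        if response_vary:
            headers["Vary"] = "Origin"
        return headers
    return {}


class SharedCache:
    """Toy cache shared by all visitors (a CDN node or a proxy)."""

    def __init__(self):
        self._entries = {}  # url -> (vary_on_origin, {origin or None: headers})

    def fetch(self, url, origin, origin_server):
        entry = self._entries.get(url)
        if entry is not None:
            vary_on_origin, variants = entry
            key = origin if vary_on_origin else None
            if key in variants:
                return variants[key]  # served from cache, whoever asked
        headers = origin_server(origin)
        if entry is None:
            entry = (headers.get("Vary") == "Origin", {})
            self._entries[url] = entry
        entry[1][origin if entry[0] else None] = headers
        return headers


def demo(response_vary):
    """Two whitelisted sites load the same object through one cache.

    Returns the Access-Control-Allow-Origin value each browser receives.
    """
    cache = SharedCache()
    server = lambda origin: cors_headers(RULES, origin, "GET", response_vary=response_vary)
    first = cache.fetch("/img/logo.png", "https://www.example.com", server)
    second = cache.fetch("/img/logo.png", "https://app.example.com", server)
    return first["Access-Control-Allow-Origin"], second["Access-Control-Allow-Origin"]


if __name__ == "__main__":
    # Without Vary: Origin the second site is handed the first site's header
    # and its browser blocks the resource.
    assert demo(response_vary=False) == ("https://www.example.com", "https://www.example.com")
    assert demo(response_vary=True) == ("https://www.example.com", "https://app.example.com")
```

The `demo(False)` case is the pollution the text warns about: the cached copy carries `Access-Control-Allow-Origin: https://www.example.com`, so the browser at `app.example.com` rejects it even though a rule allows that origin. With CDN in front of the bucket the same applies to the CDN's cache, which is why the CDN-side rules or header pass-through matter.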
FAQ
How do I access OSS objects with long-term, unsigned URLs?
You have two options:
Set objects to public-read: Anyone can access the objects without restrictions. To prevent malicious hotlinking and unexpected charges, configure hotlink protection to restrict access sources.
Access OSS using Alibaba Cloud CDN (CDN): Keep objects private and enable private bucket origin fetch in CDN to provide public-read access. CDN delivers better access performance and caching. Configure hotlink protection in CDN to prevent unauthorized use of resources.
Why is my upload or download speed slow?
OSS transfer speed depends mainly on client network bandwidth, link quality, and transfer strategy. Troubleshoot and optimize as follows:
Bandwidth and link: Confirm current bandwidth does not exceed the bucket's bandwidth limit. Use the MTR tool to analyze packet loss, high latency, or routing anomalies. For cross-border or long-distance transfers, enable transfer acceleration.
Tool selection: Use ossutil for large or bulk file transfers. Use its `probe` command to test the current network status.
SDK tuning: Always use multipart upload and resumable upload for large files. Set an appropriate part size (`part_size`) and concurrent thread count (`num_threads`). Increase the part size when network conditions are good to reduce the request count. Disable CRC64 checksums during client initialization (for example, set `enable_crc=False` in Python) and use the `Content-MD5` request header for integrity verification instead. This improves transfer performance while keeping an integrity check in place.
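The SDK tuning above, as an added example that is not Alibaba Cloud's code: it picks a part size that stays within OSS's multipart limits (parts of 100 KB to 5 GB, only the last part may be smaller, at most 10,000 parts per upload), computes the `Content-MD5` value per part, and shows the upload loop with CRC64 disabled. The `oss2` calls in `upload_parts()` (Auth, Bucket with `enable_crc=False`, init_multipart_upload, upload_part, complete_multipart_upload) are the SDK's real API but run only when the SDK is installed and credentials are present; the endpoint, bucket and object key are placeholders supplied by the caller, and the helpers above it run offline.

```python
"""Part-size planning and Content-MD5 for an OSS multipart upload.

Added example for this page, not Alibaba Cloud's code. The limits are OSS's
documented multipart limits: parts of 100 KB to 5 GB (only the last part may
be smaller) and at most 10,000 parts per upload. The oss2 calls in
upload_parts() use the real oss2 API (Auth, Bucket(enable_crc=False),
init_multipart_upload, upload_part, complete_multipart_upload) but run only
when the SDK is installed and credentials are present; endpoint, bucket and
key names passed to it are placeholders chosen by the caller.
"""
from __future__ import annotations

import base64
import hashlib
import math
import os

MIN_PART = 100 * 1024          # smallest part OSS accepts (except the last)
MAX_PART = 5 * 1024 ** 3       # largest single part
MAX_PARTS = 10_000             # parts per upload


def choose_part_size(total_size: int, preferred: int = 8 * 1024 * 1024) -> int:
    """Return a part size that keeps total_size within the 10,000-part cap.

    Start from the preferred size (bigger parts mean fewer requests on a good
    link) and only grow it when the object would otherwise need too many
    parts; the result stays a multiple of 100 KB.
    """
    if total_size < 0:
        raise ValueError("total_size must be >= 0")
    part = max(MIN_PART, min(preferred, MAX_PART))
    if math.ceil(total_size / part) > MAX_PARTS:
        part = math.ceil(total_size / MAX_PARTS)
        part = math.ceil(part / MIN_PART) * MIN_PART
    if part > MAX_PART:
        raise ValueError("object too large for one multipart upload")
    return part


def content_md5(data: bytes) -> str:
    """Value for the Content-MD5 header: base64 of the raw 16-byte MD5 digest.

    OSS recomputes the digest and rejects the part on mismatch, which catches
    corruption in transit; it is an integrity check, not tamper protection.
    """
    return base64.b64encode(hashlib.md5(data).digest()).decode("ascii")


def iter_parts(path: str, part_size: int):
    """Yield (part_number, bytes) chunks of the file; numbering starts at 1."""
    with open(path, "rb") as f:
        number = 1
        while chunk := f.read(part_size):
            yield number, chunk
            number += 1


def upload_parts(endpoint: str, bucket_name: str, key: str, path: str,
                 part_size: int | None = None):
    """Multipart upload with CRC64 disabled and Content-MD5 sent per part.

    Needs `pip install oss2` and OSS_ACCESS_KEY_ID / OSS_ACCESS_KEY_SECRET in
    the environment (never hard-code them).
    """
    import oss2  # imported lazily so the helpers above run without the SDK

    auth = oss2.Auth(os.environ["OSS_ACCESS_KEY_ID"], os.environ["OSS_ACCESS_KEY_SECRET"])
    bucket = oss2.Bucket(auth, endpoint, bucket_name, enable_crc=False)
    part_size = part_size or choose_part_size(os.path.getsize(path))
    upload_id = bucket.init_multipart_upload(key).upload_id
    parts = []
    for number, chunk in iter_parts(path, part_size):
        result = bucket.upload_part(key, upload_id, number, chunk,
                                    headers={"Content-MD5": content_md5(chunk)})
        parts.append(oss2.models.PartInfo(number, result.etag))
    return bucket.complete_multipart_upload(key, upload_id, parts)


if __name__ == "__main__":
    print(choose_part_size(100 * 1024 ** 3))   # grows past 8 MiB to stay under 10,000 parts
    print(content_md5(b"hello"))               # XUFAKrxLKna5cZ2REBfFkg==
```

A fixed 8 MiB part size silently fails for objects above roughly 78 GiB because the 10,000-part cap is reached, which is the "appropriate part size" the list item refers to; `choose_part_size` grows the part instead. Per-part `Content-MD5` is what protects a multipart upload once CRC64 is off, since a single whole-object header cannot cover parts that are sent separately.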
How do I troubleshoot network errors such as DNS resolution failure or connection timeout?
If the request reaches OSS (the response includes a Request ID), use the Request ID with the OSS self-diagnostic tool to diagnose the issue.
If the request does not reach OSS (Request ID is empty), troubleshoot by error type:
Error type | Common causes | Action |
--- | --- | --- |
Connection refused | Port unreachable, or an internal endpoint used from another region (internal endpoints are reachable only from Alibaba Cloud resources in the same region) | Use the correct endpoint for your network and region. Check firewall and network connectivity with |
ConnectionTimeOut | Poor network conditions or short timeout setting | Increase SDK connection and read timeouts. Enable retry on failure. Use multipart upload and resumable upload for large files to improve stability. Consider using CDN acceleration or transfer acceleration |
Socket timeout / closed | Connection timed out or was abnormally closed | Increase socket timeout in the SDK (for example, |
Connection reset | Incorrect endpoint configuration or bucket security restriction | Troubleshoot step by step: 1. Check network connectivity with |