VPC-type ECS instances that do not have public IP addresses cannot reach the public API endpoints. This topic describes how to call API operations from such instances over the Alibaba Cloud internal network.

Background information

ECS provides public endpoints. If your ECS instance does not have public bandwidth or a public IP address, you cannot make API requests from the instance by using tools such as Alibaba Cloud CLI or SDKs. You can use one of the following methods to call API operations over the Alibaba Cloud internal network:
  • Use the SDK core library version 4.5.3 or later to call API operations over the internal network in a VPC.
  • Configure PrivateZone to associate the VPC with the region where your ECS instance is deployed to call API operations over the Alibaba Cloud internal network.
Take note of the following items:
  • These methods are applicable only in regions where VPC-type ECS instances are deployed. The endpoint of a region can be used to manage only resources within that region. Cross-region operations are not supported.
  • We recommend that you create ECS instances from custom images that already have Alibaba Cloud CLI or SDKs deployed. Otherwise, the ECS instances cannot load the related dependencies because they have no public network access.

Method 1 (recommended): Use SDKs to call API operations over the internal network

The following table describes the endpoints over which you can use SDKs to call API operations. Make sure that you use an endpoint listed in the table.

| Alibaba Cloud region | Region ID | Endpoint |
| --- | --- | --- |
| China (Hangzhou) | cn-hangzhou | ecs-vpc.cn-hangzhou.aliyuncs.com |
| China (Shanghai) | cn-shanghai | ecs-vpc.cn-shanghai.aliyuncs.com |
| China (Qingdao) | cn-qingdao | ecs-vpc.cn-qingdao.aliyuncs.com |
| China (Beijing) | cn-beijing | ecs-vpc.cn-beijing.aliyuncs.com |
| China (Zhangjiakou-Beijing Winter Olympics) | cn-zhangjiakou | ecs-vpc.cn-zhangjiakou.aliyuncs.com |
| China (Hohhot) | cn-huhehaote | ecs-vpc.cn-huhehaote.aliyuncs.com |
| China (Ulanqab) | cn-wulanchabu | ecs-vpc.cn-wulanchabu.aliyuncs.com |
| China (Shenzhen) | cn-shenzhen | ecs-vpc.cn-shenzhen.aliyuncs.com |
| China (Heyuan) | cn-heyuan | ecs-vpc.cn-heyuan.aliyuncs.com |
| China (Chengdu) | cn-chengdu | ecs-vpc.cn-chengdu.aliyuncs.com |
| China (Hong Kong) | cn-hongkong | ecs-vpc.cn-hongkong.aliyuncs.com |
| Singapore (Singapore) | ap-southeast-1 | ecs-vpc.ap-southeast-1.aliyuncs.com |
| Australia (Sydney) | ap-southeast-2 | ecs-vpc.ap-southeast-2.aliyuncs.com |
| Malaysia (Kuala Lumpur) | ap-southeast-3 | ecs-vpc.ap-southeast-3.aliyuncs.com |
| Indonesia (Jakarta) | ap-southeast-5 | ecs-vpc.ap-southeast-5.aliyuncs.com |
| Japan (Tokyo) | ap-northeast-1 | ecs-vpc.ap-northeast-1.aliyuncs.com |
| Germany (Frankfurt) | eu-central-1 | ecs-vpc.eu-central-1.aliyuncs.com |
| UK (London) | eu-west-1 | ecs-vpc.eu-west-1.aliyuncs.com |
| US (Silicon Valley) | us-west-1 | ecs-vpc.us-west-1.aliyuncs.com |
| US (Virginia) | us-east-1 | ecs-vpc.us-east-1.aliyuncs.com |
| India (Mumbai) | ap-south-1 | ecs-vpc.ap-south-1.aliyuncs.com |
| UAE (Dubai) | me-east-1 | ecs-vpc.me-east-1.aliyuncs.com |

Only simple configurations are required when you use SDKs to call API operations over the internal network. The following code provides an example of how to use SDK for Java to call an API operation over the internal network.
import com.aliyuncs.DefaultAcsClient;
import com.aliyuncs.IAcsClient;
import com.aliyuncs.ecs.model.v20140526.DescribeRegionsRequest;
import com.aliyuncs.ecs.model.v20140526.DescribeRegionsResponse;
import com.aliyuncs.profile.DefaultProfile;

DefaultProfile profile = DefaultProfile.getProfile("<RegionId>", "<AccessKeyId>", "<AccessKeySecret>");
IAcsClient client = new DefaultAcsClient(profile);

// Make global configurations. <product> refers to the service. For example, you can enter Ecs for ECS.
DefaultProfile.addEndpoint("<RegionId>", "<product>", "<Endpoint>");

// Make configurations for the request. For example, when you call the DescribeRegions operation, you can make the following configurations:
DescribeRegionsRequest regionsRequest = new DescribeRegionsRequest();
// If you set the productNetwork parameter, you do not need to set SysEndpoint.
regionsRequest.setSysEndpoint("<Endpoint>");
// Configure the network. Valid values of productNetwork: vpc and public.
// Set the parameter to vpc when you call the operation over the internal network. Set the parameter to public when you call the operation over the Internet. public is the default value.
regionsRequest.productNetwork = "vpc";
DescribeRegionsResponse regionsResponse = client.getAcsResponse(regionsRequest);

Method 2: Configure PrivateZone

The following table describes the endpoints that support PrivateZone. Make sure that you use an endpoint listed in the table.

| Alibaba Cloud region | Region ID | CNAME record value | Internet endpoint |
| --- | --- | --- | --- |
| China (Beijing) | cn-beijing | popunify-vpc.cn-beijing.aliyuncs.com | ecs.cn-beijing.aliyuncs.com |
| China (Hangzhou) | cn-hangzhou | popunify-vpc.cn-hangzhou.aliyuncs.com | ecs.cn-hangzhou.aliyuncs.com |
| China (Shanghai) | cn-shanghai | popunify-vpc.cn-shanghai.aliyuncs.com | ecs.cn-shanghai.aliyuncs.com |
| China (Shenzhen) | cn-shenzhen | popunify-vpc.cn-shenzhen.aliyuncs.com | ecs.cn-shenzhen.aliyuncs.com |
| China (Hohhot) | cn-huhehaote | popunify-vpc.cn-huhehaote.aliyuncs.com | ecs.cn-huhehaote.aliyuncs.com |
| China (Zhangjiakou-Beijing Winter Olympics) | cn-zhangjiakou | popunify-vpc.cn-zhangjiakou.aliyuncs.com | ecs.cn-zhangjiakou.aliyuncs.com |
| China (Hong Kong) | cn-hongkong | popunify-vpc.cn-hongkong.aliyuncs.com | ecs.cn-hongkong.aliyuncs.com |
| Singapore (Singapore) | ap-southeast-1 | popunify-vpc.ap-southeast-1.aliyuncs.com | ecs.ap-southeast-1.aliyuncs.com |
| Germany (Frankfurt) | eu-central-1 | popunify-vpc.eu-central-1.aliyuncs.com | ecs.eu-central-1.aliyuncs.com |

Procedure:
  1. Log on to the Alibaba Cloud DNS console.
  2. In the left-side navigation pane, click PrivateZone.
  3. On the PrivateZone page, click Add Zone.
  4. In the Add PrivateZone dialog box, set the following parameters, and then click OK.
    • Zone Name: Enter an ECS endpoint that supports PrivateZone. In this example, enter ecs.cn-hangzhou.aliyuncs.com.
    • Subdomain recursive resolution proxy: If you select this option, a domain name that ends with the zone name but is not included in the zone file is resolved by using the result from the Internet.
  5. Find the created private zone, and click Configure in the Actions column.
  6. On the Resolution Settings page, click Add Record.
  7. In the Add Record dialog box, configure the following parameters, and then click OK.
    • Record Type: Select CNAME.
    • Resource Records: Enter @ to resolve the @.example.com domain name.
    • Record Value: Enter the CNAME record value of the corresponding region. For more information, see the table in the "Method 2: Configure PrivateZone" section of this topic.
    • TTL Value: The time to live value. In this example, select 1 minute(s).
  8. Go back to the PrivateZone page. Find the created private zone, and click Bind VPC in the Actions column.
  9. In the Bind VPC pane, select the same region as the created private zone. Select one or more VPCs to which your ECS instance belongs. Then, click Confirm.
    Note: Select the VPC to which your ECS instance belongs.
After you associate the VPC with the created private zone, you can log on to your ECS instance to check whether the instance can access the endpoint of the corresponding region. For more information, see Connect to a Linux instance by using VNC. For example, if the endpoint is ecs.cn-hangzhou.aliyuncs.com, you can:
  • Run a ping command to check whether data packets can be properly transmitted and received.
    ping ecs.cn-hangzhou.aliyuncs.com
  • Use Alibaba Cloud CLI to call the DescribeRegions operation, and set the value of --endpoint to the example endpoint.
    aliyun ecs DescribeRegions --endpoint ecs.cn-hangzhou.aliyuncs.com
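
A stricter check than ping for Method 2, added here as an example and not part of the original documentation: it confirms that the endpoint resolves through the CNAME record value listed for the region in the Method 2 table, so signed API requests are known to leave over the internal network. The function names and the sample resolver output are constructed for illustration; the IP addresses are documentation-range placeholders.

```shell
#!/bin/sh
# Regions from the "Method 2: Configure PrivateZone" table.
PRIVATEZONE_REGIONS="cn-beijing cn-hangzhou cn-shanghai cn-shenzhen cn-huhehaote cn-zhangjiakou cn-hongkong ap-southeast-1 eu-central-1"

# expected_cname REGION: print the CNAME record value for REGION,
# or return 1 if the region is not in the Method 2 table.
expected_cname() {
    for r in $PRIVATEZONE_REGIONS; do
        if [ "$r" = "$1" ]; then
            printf 'popunify-vpc.%s.aliyuncs.com\n' "$1"
            return 0
        fi
    done
    return 1
}

# check_resolution REGION DIG_OUTPUT
# DIG_OUTPUT is what `dig +short ecs.<region>.aliyuncs.com` printed; when a
# CNAME is in effect, its target is the first line (with a trailing dot).
# Returns 0 = private zone in effect, 1 = mismatch, 2 = region not in table.
check_resolution() {
    want=$(expected_cname "$1") || return 2
    got=$(printf '%s\n' "$2" | sed -n '1p' | tr 'A-Z' 'a-z' | sed 's/\.$//')
    [ "$got" = "$want" ]
}

# Live use on the instance (hypothetical helper, requires dig; not called here).
verify_live() {
    check_resolution "$1" "$(dig +short "ecs.$1.aliyuncs.com")"
}

# Constructed sample outputs (addresses are documentation placeholders).
SAMPLE_OK='popunify-vpc.cn-hangzhou.aliyuncs.com.
192.0.2.10'
SAMPLE_NO_CNAME='203.0.113.7'
SAMPLE_WRONG_REGION='popunify-vpc.cn-beijing.aliyuncs.com.
192.0.2.10'

for s in "$SAMPLE_OK" "$SAMPLE_NO_CNAME" "$SAMPLE_WRONG_REGION"; do
    if check_resolution cn-hangzhou "$s"; then echo "ok"; else echo "mismatch"; fi
done
```

A return value of 1 after the VPC is bound points back to the zone name, the CNAME record value, or the VPC selected in the Bind VPC pane.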