This topic describes how to configure PrivateZone so that you can call API actions for ECS instances in a VPC through the provided domain name system (DNS) service of PrivateZone.

Background information

The endpoints provided by Alibaba Cloud ECS can be used to send API calls over the Internet. However, if your ECS instance is not assigned an Internet bandwidth package or a public IP address, the instance cannot initiate an API action request by using the Alibaba Cloud CLI or corresponding SDK. To ensure that your instance can send API requests from Alibaba Cloud intranet, Alibaba Cloud provides the PrivateZone solution. You can use PrivateZone to associate the VPC with the region to which your ECS instance belongs.


  • You can configure PrivateZone only for the region where your VPC-connected ECS instances are located. You cannot configure PrivateZone across multiple regions.
  • We recommend that you create instances by using custom images that have been deployed with Alibaba Cloud CLI or SDK. This allows your ECS instances to load relevant dependencies even when they have no access to the Internet.
  • Currently, only the following ECS endpoints support PrivateZone.
    Alibaba Cloud region Region ID CNAME record value Internet endpoint
    China (Beijing) cn-beijing
    China (Hangzhou) cn-hangzhou
    China (Shanghai) cn-shanghai
    China (Shenzhen) cn-shenzhen
    China (Hohhot) cn-huhehaote
    China (Zhangjiakou-Beijing Winter Olympics) cn-zhangjiakou
    China (Hong Kong) cn-hongkong
    Singapore ap-southeast-1
    Germany (Frankfurt) eu-central-1


  1. Log on to the Alibaba Cloud DNS console.
  2. In the left-side navigation pane, click PrivateZone.
  3. Click Add Zone.
  4. In the displayed dialog box, set the parameters as needed, and then click OK.
    • Zone Name: Set an ECS endpoint that supports PrivateZone. In this example, set the zone name to
    • Subdomain recursive resolution proxy: If you select this option, the name resolved on the Internet is used when DNS detects a domain name with the suffix Zone that is not included in the Zone file.

  5. Locate the created PrivateZone, and then click Configure in the Actions column.
  6. On the displayed Resolution Settings page, click Add Record.
  7. In the displayed dialog box, set the parameters as needed, and then click OK.
    • Record Type: Select CNAME.
    • Resource Records: Enter @ to resolve the domain name.
    • Record Value: Set it to the CNAME record value of the corresponding region. For more information, see Limits.
    • TTL Value: The time to live value. In this example, select 1 minute(s).

  8. Go back to the PrivateZone page, locate the created PrivateZone, and then click Bind VPC in the Actions column.
  9. In the displayed dialog box, select the region where the PrivateZone is located, select one or more VPCs to which your ECS instance belongs, and then click OK.

What to do next

After you associate a VPC with your PrivateZone, you can log on to your ECS instance to check whether the instance can access the endpoint of the corresponding region. For more information, see Connect to an instance by using the Management Terminal. For example, if the zone name is, you can:
  • Conduct a ping test to check whether data packets can be properly transmitted and received.

  • Use Alibaba Cloud CLI to call DescribeRegions, and change the endpoint in the --endpoint field.
    aliyun ecs DescribeRegions --endpoint