If you access OSS resources by using the internal endpoint of OSS, no fees are charged for the traffic generated. This topic describes how ECS instances access OSS resources by using the internal endpoint of OSS.

ECS instances can use the following methods to access OSS resources through the internal endpoint of OSS:
  • ECS instances deployed within the same region as an OSS bucket can use the internal endpoint of OSS to access the bucket resources that the ECS instances have been authorized to access.
  • ECS instances in other regions and Internet users can access the OSS resources through the internal endpoint of OSS by way of a reverse proxy on an ECS instance in the same region as the bucket.

Obtain the internal endpoint of OSS

  • Obtain from the OSS console

    Log on to the OSS console. On the Overview tab of the specified bucket, you can view the endpoints and bucket domain names in the Domain Names section. The following figure shows an example.

  • Follow the fixed format

    OSS bucket domain names are in the following format: BucketName.Endpoint. In this format, BucketName indicates the name of your bucket. Endpoint indicates the endpoint used to access the region where your bucket is located. For more information, see OSS domain names.

Access from ECS instances within the same region

ECS instances deployed within the same region as an OSS bucket can use the internal network to access resources in the bucket.

  • Use URLs
    You can use the internal endpoint of OSS to access OSS resources that you are authorized to access. For example, a bucket named test is located in the China (Hangzhou) region. The bucket contains an object named 1.jpg in its root directory, and the object ACL is public read. In this case, ECS instances in the China (Hangzhou) region can access this object by using http://test.oss-cn-hangzhou-internal.aliyuncs.com/1.jpg. You can embed the access URL of the object in your website and provide the URL to ECS users within the same region or to users who have connected to the internal network through a leased line.
    Warning: For data security reasons, we recommend that you do not set the ACL of your OSS resources to public read or public read/write. You can use bucket policies to authorize other users to access OSS resources. For more information, see Use bucket policies to authorize other users to access OSS resources.
  • Use ossbrowser

    When you set the parameters for logging on to ossbrowser, set Endpoint to the internal endpoint of OSS. For more information, see ossbrowser.

  • Use ossutil

    When you set the parameters for logging on to ossutil, set Endpoint to the internal endpoint of OSS. For more information, see ossutil.

  • Use SDKs
    When you initialize the client instance, set Endpoint to the internal endpoint of OSS.
    • OSS SDK for Java
      String endpoint = "http://oss-cn-hangzhou-internal.aliyuncs.com";//The China (Hangzhou) region is used as an example.
      String accessKeyId = "<Your AccessKey ID>";
      String accessKeySecret = "<Your AccessKey secret>";
      OSSClient client = new OSSClient(endpoint, accessKeyId, accessKeySecret);          

      For more information, see Initialization.

    • OSS SDK for PHP
      use OSS\OssClient;
      $accessKeyId = "<Your AccessKey ID>";
      $accessKeySecret = "<Your AccessKey secret>";
      $endpoint = "http://oss-cn-hangzhou-internal.aliyuncs.com"; // The China (Hangzhou) region is used as an example.
      $ossClient = new OssClient($accessKeyId, $accessKeySecret, $endpoint);

      For more information, see Initialization.

    • OSS SDK for Python
      import oss2
      auth = oss2.Auth('Your AccessKey ID', 'Your AccessKey secret')
      endpoint = 'http://oss-cn-hangzhou-internal.aliyuncs.com' # The China (Hangzhou) region is used as an example.
      bucket = oss2.Bucket(auth, endpoint, 'Your bucket name')

      For more information, see Initialization.

    • OSS SDK for .NET
      const string accessKeyId = "<Your AccessKey ID>";
      const string accessKeySecret = "<Your AccessKey secret>";
      const string endpoint = "http://oss-cn-hangzhou-internal.aliyuncs.com";
      var ossClient = new OssClient(endpoint, accessKeyId, accessKeySecret);   

      For more information, see Initialization.

    • OSS SDK for C
      options->config = oss_config_create(options->pool);
      aos_str_set(&options->config->endpoint, "http://oss-cn-hangzhou-internal.aliyuncs.com");
      aos_str_set(&options->config->access_key_id, "<Your AccessKey ID>");
      aos_str_set(&options->config->access_key_secret, "<Your AccessKey secret>");
      options->config->is_cname = 0;
      options->ctl = aos_http_controller_create(options->pool, 0);         

      For more information, see Initialization.

Access OSS resources by configuring a reverse proxy on ECS instances

ECS instances or Internet users in different regions cannot directly access OSS resources by using the internal endpoint of OSS. However, you can configure a reverse proxy on ECS instances to access OSS resources. Follow these steps:
  1. Create an ECS instance with a public IP address in the same region as the OSS resources. For more information, see Create an ECS instance.
  2. Configure the reverse proxy on the ECS instance. For more information, see Configure HTTPS for your own domain name in OSS through reverse proxy.
  3. Configure OSS bucket policies to allow access from the internal IP address of the ECS instance. For more information, see Use bucket policies to authorize other users to access OSS resources.

After you complete the preceding steps, users can access the public IP address of the ECS instance. Then, the ECS instance requests OSS resources over the internal network and returns the OSS resources to the users.
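
The following is an added example, not part of the original topic or of any OSS SDK: it builds the bucket policy that step 3 describes, pinned to the proxy's internal IP address, and audits a policy document for anonymous Allow statements that are not pinned to that address. The helper names, the address 10.0.0.5, the bucket name test and the <account-id> placeholder are assumptions made for illustration.

```python
import ipaddress

def proxy_read_policy(bucket, account_id, proxy_ip):
    """Policy allowing oss:GetObject only from the proxy's internal IP."""
    ipaddress.ip_address(proxy_ip)  # raises ValueError on a malformed address
    return {
        "Version": "1",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["oss:GetObject"],
            "Principal": ["*"],
            "Resource": [f"acs:oss:*:{account_id}:{bucket}/*"],
            "Condition": {"IpAddress": {"acs:SourceIp": [proxy_ip]}},
        }],
    }

def unpinned_statements(policy, allowed_ips):
    """Indexes of Allow statements for Principal "*" whose acs:SourceIp
    condition is missing or reaches beyond allowed_ips."""
    allowed = [ipaddress.ip_network(ip) for ip in allowed_ips]
    findings = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow" or "*" not in st.get("Principal", []):
            continue  # Deny statements and named principals are out of scope here
        sources = st.get("Condition", {}).get("IpAddress", {}).get("acs:SourceIp", [])
        if isinstance(sources, str):
            sources = [sources]
        nets = [ipaddress.ip_network(s, strict=False) for s in sources]
        pinned = bool(nets) and all(
            any(n.version == a.version and n.subnet_of(a) for a in allowed)
            for n in nets)
        if not pinned:
            findings.append(i)
    return findings

# Constructed sample: statement 0 has no condition, statement 1 allows any address.
SAMPLE_OPEN_POLICY = {
    "Version": "1",
    "Statement": [
        {"Effect": "Allow", "Action": ["oss:GetObject"], "Principal": ["*"],
         "Resource": ["acs:oss:*:<account-id>:test/*"]},
        {"Effect": "Allow", "Action": ["oss:GetObject"], "Principal": ["*"],
         "Resource": ["acs:oss:*:<account-id>:test/*"],
         "Condition": {"IpAddress": {"acs:SourceIp": ["0.0.0.0/0"]}}},
    ],
}

if __name__ == "__main__":
    print(unpinned_statements(SAMPLE_OPEN_POLICY, ["10.0.0.5"]))
```

Running the audit against the policy exported from the console before the proxy is exposed shows whether the bucket is readable only through the proxy or also directly by anonymous callers.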