
Object Storage Service: Access to OSS resources from an ECS instance by using an internal endpoint of OSS

Last Updated: Mar 11, 2024

If you access Object Storage Service (OSS) resources by using an internal endpoint of OSS, no fees are charged for the traffic generated. This topic describes how Elastic Compute Service (ECS) instances access OSS resources by using an internal endpoint of OSS.

ECS instances can use the following methods to access OSS resources by using an internal endpoint of OSS:

  • ECS instances deployed within the same region as an OSS bucket can use the internal endpoint to access resources in the bucket that the ECS instances are authorized to access.

  • ECS instances in a different region from the bucket, as well as Internet users, can access the OSS resources through a reverse proxy on an ECS instance, which in turn uses the internal endpoint of OSS.

Obtain the internal endpoint for a bucket

  • Use the OSS console

    1. Log on to the OSS console.

    2. In the left-side navigation pane, click Buckets. On the Buckets page, click the name of the bucket whose internal endpoint you want to obtain.

    3. In the left-side navigation tree, click Overview.

    4. In the Port section, view the endpoint and domain name of the bucket.

  • Follow the fixed format

    OSS bucket domain names are in the following format: BucketName.Endpoint, where BucketName is the name of your bucket, and Endpoint is the endpoint of the region in which the bucket is located. For more information, see OSS domain names.
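
The fixed format above can be checked mechanically. The following Python is an added example, not part of the original documentation: it parses a BucketName.Endpoint domain name and classifies an object URL as seen from an ECS instance, rewriting a same-region public URL to the internal endpoint. The function names, the status strings and the restriction to the `oss-<region>[-internal].aliyuncs.com` endpoint shape are assumptions of this example.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# BucketName.Endpoint, restricted (assumption of this example) to the
# oss-<region>[-internal].aliyuncs.com endpoint shape shown on this page.
# Bucket names: 3-63 chars, lowercase letters, digits and hyphens,
# starting and ending with a letter or digit.
_HOST = re.compile(
    r"(?P<bucket>[a-z0-9][a-z0-9-]{1,61}[a-z0-9])"
    r"\.oss-(?P<region>[a-z0-9-]+?)(?P<internal>-internal)?"
    r"\.aliyuncs\.com"
)

def parse_bucket_domain(host):
    """Split a bucket domain name into bucket, region and internal flag."""
    m = _HOST.fullmatch(host.lower())
    if m is None:
        raise ValueError(f"not a BucketName.Endpoint domain name: {host!r}")
    return {"bucket": m["bucket"], "region": m["region"],
            "internal": m["internal"] is not None}

def check_url(url, instance_region):
    """Classify an OSS object URL as seen from an ECS instance.

    Returns (status, url): "ok" for a same-region internal URL,
    "rewritten" plus the internal form of a same-region public URL,
    "public-cross-region" for a public URL in another region, and
    "unreachable" for another region's internal endpoint, which
    cannot be used directly from this instance.
    """
    parts = urlsplit(url)
    info = parse_bucket_domain(parts.hostname or "")
    same_region = info["region"] == instance_region
    if info["internal"]:
        return ("ok" if same_region else "unreachable", url)
    if not same_region:
        return ("public-cross-region", url)
    host = f"{info['bucket']}.oss-{info['region']}-internal.aliyuncs.com"
    if parts.port:
        host += f":{parts.port}"
    return ("rewritten", urlunsplit(parts._replace(netloc=host)))

# Constructed sample: the page's example bucket "test" in China (Hangzhou),
# addressed through the public endpoint.
SAMPLE = "http://test.oss-cn-hangzhou.aliyuncs.com/1.jpg"
```
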

Access from ECS instances within the same region

ECS instances deployed within the same region as an OSS bucket can use the internal network to access resources in the bucket.

  • Use URLs

    You can use the internal URL of an OSS resource for which you have permissions to access the OSS resource. For example, a bucket named test is located in the China (Hangzhou) region. The bucket contains an object named 1.jpg in the root directory of the bucket, and the access control list (ACL) of the object is public-read. In this case, all ECS instances in the China (Hangzhou) region can use http://test.oss-cn-hangzhou-internal.aliyuncs.com/1.jpg to access the object. You can embed the URL of the object in your website and provide the URL for ECS users within the same region or for users who have connected to the internal network by using a leased line.

    Warning

    To ensure data security, we recommend that you do not set the access control list (ACL) of your OSS resources to public-read or public-read-write. You can use bucket policies to authorize other users to access your OSS resources. For more information, see Configure bucket policies to authorize other users to access OSS resources.

  • Use ossbrowser

    When you configure parameters for access to OSS resources by using ossbrowser, set Endpoint to the internal endpoint of OSS. For more information, see Use ossbrowser.

  • Use ossutil

    When you configure parameters for access to OSS resources by using ossutil, set Endpoint to the internal endpoint of OSS. For more information, see ossutil.

  • Use SDKs

    When you initialize a client instance, set Endpoint to the internal endpoint of OSS.

    • OSS SDK for Java

      String endpoint = "http://oss-cn-hangzhou-internal.aliyuncs.com"; // In this example, the endpoint of the China (Hangzhou) region is used.
      String accessKeyId = "<yourAccessKeyId>";
      String accessKeySecret = "<yourAccessKeySecret>";
      OSSClient client = new OSSClient(endpoint, accessKeyId, accessKeySecret);

      For more information, see Initialization.

    • OSS SDK for PHP

      $accessKeyId = "<yourAccessKeyId>";
      $accessKeySecret = "<yourAccessKeySecret>";
      $endpoint = "<The endpoint. Example: http://oss-cn-hangzhou-internal.aliyuncs.com>";           

      For more information, see Initialization.

    • OSS SDK for Python

      import oss2

      auth = oss2.Auth('<yourAccessKeyId>', '<yourAccessKeySecret>')
      endpoint = 'http://oss-cn-hangzhou-internal.aliyuncs.com'  # The endpoint of the region. In this example, the China (Hangzhou) region is used.
      bucket = oss2.Bucket(auth, endpoint, 'BucketName')

      For more information, see Initialization.

    • OSS SDK for .NET

      const string accessKeyId = "<yourAccessKeyId>";
      const string accessKeySecret = "<yourAccessKeySecret>";
      const string endpoint = "http://oss-cn-hangzhou-internal.aliyuncs.com";
      var ossClient = new OssClient(endpoint, accessKeyId, accessKeySecret);   

      For more information, see Initialization.

    • OSS SDK for C

      options->config = oss_config_create(options->pool);
      aos_str_set(&options->config->endpoint, "http://oss-cn-hangzhou-internal.aliyuncs.com");
      aos_str_set(&options->config->access_key_id, "<yourAccessKeyId>");
      aos_str_set(&options->config->access_key_secret, "<yourAccessKeySecret>");
      options->config->is_cname = 0;
      options->ctl = aos_http_controller_create(options->pool, 0);         

      For more information, see Initialization.

Access OSS resources by configuring a reverse proxy on ECS instances

ECS instances or Internet users in different regions cannot directly access OSS resources in a bucket by using the internal endpoint of the bucket. However, you can configure a reverse proxy on ECS instances to access OSS resources in the bucket:

  1. Create an ECS instance with a public IP address in the same region as the bucket. For more information, see Create an ECS instance.

  2. Configure the reverse proxy on the ECS instance. For more information, see Use an ECS instance that runs CentOS to configure a reverse proxy for access to OSS, Use an ECS instance that runs Ubuntu to configure a reverse proxy for access to OSS, and Use an ECS instance that runs Windows to configure a reverse proxy for access to OSS.

  3. Configure a bucket policy to allow access from the internal IP address of the ECS instance. For more information, see Configure bucket policies to authorize other users to access OSS resources.

After you complete the preceding steps, users can access the OSS resources by using the public IP address of the ECS instance. Then, the ECS instance requests OSS resources over the internal network and returns the OSS resources to users.
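
Step 3 of the procedure, and the earlier warning against public-read ACLs, can be made concrete as follows. This Python is an added example, not part of the original documentation: it builds a bucket policy that allows anonymous reads only from the reverse proxy's internal IP address and lints a policy for statements that are open to everyone. The function names, the account ID placeholder, the sample IP address and the use of the RFC 1918 ranges as the definition of "internal" are assumptions of this example.

```python
import ipaddress

# Assumption of this example: "internal" means an RFC 1918 IPv4 range.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(cidr):
    """True if the address or CIDR block lies fully inside an RFC 1918 range."""
    net = ipaddress.ip_network(cidr, strict=False)
    return net.version == 4 and any(net.subnet_of(r) for r in RFC1918)

def build_proxy_policy(bucket, account_id, ecs_internal_ip):
    """Bucket policy: anonymous oss:GetObject only from the proxy's internal IP."""
    if not is_internal(ecs_internal_ip):
        raise ValueError(f"{ecs_internal_ip} is not an internal address")
    return {
        "Version": "1",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["oss:GetObject"],
            "Principal": ["*"],
            "Resource": [f"acs:oss:*:{account_id}:{bucket}/*"],
            "Condition": {"IpAddress": {"acs:SourceIp": [ecs_internal_ip]}},
        }],
    }

def lint_policy(policy):
    """Flag Allow statements for Principal * that are not pinned to internal IPs."""
    findings = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow" or "*" not in st.get("Principal", []):
            continue
        cond = st.get("Condition", {}).get("IpAddress", {})
        sources = cond.get("acs:SourceIp", [])
        if not sources:
            findings.append(f"statement {i}: Principal * without acs:SourceIp")
        findings += [f"statement {i}: {s} is not an internal range"
                     for s in sources if not is_internal(s)]
    return findings

# Constructed sample: the page's bucket "test", a placeholder account ID and
# a made-up internal IP address for the reverse-proxy ECS instance.
SAMPLE_POLICY = build_proxy_policy("test", "<yourAccountId>", "192.168.1.10")
```

Serialize the returned dictionary with `json.dumps` to obtain the policy document text.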