
API Gateway: Create a domain name

Last Updated: Dec 04, 2025

AI Gateway provides multi-domain management capabilities, making it easy for you to manage protocols, certificates, and routing configurations under different domain names. It also supports wildcard domain matching. For example, after binding the wildcard domain *.hello.com, you can access it through domain names such as 1.hello.com and 2.hello.com.

Prerequisite (conditional)

Internet Content Provider (ICP) filings for domain names are obtained.

Note

If you want to associate independent domain names with cloud-native gateways in a region in the Chinese mainland, you must apply for ICP filings in the Alibaba Cloud ICP Filing system or add Alibaba Cloud as a service provider to the ICP filing information of the domain names. If you want to associate independent domain names with cloud-native gateways in a region outside the Chinese mainland, ICP filings are not required.

Procedure

  1. Log on to the AI Gateway console.

  2. In the navigation pane on the left, choose Domain Name. In the top menu bar, select a region.

  3. Click Add Domain Name, configure the relevant parameters in the Add Domain Name panel, and then click OK.

    Parameter

    Description

    Domain Name

    Enter a complete domain name (for example, hello.com) or a wildcard domain name (for example, *.hello.com). Under this domain name, you can independently manage the protocol and certificate for the domain name. Routing configurations can be isolated from each other through domain names.

    Important

    *.hello.com can match domain names such as a.hello.com, b.hello.com, and a.b.hello.com. However, if the certificate domain name is *.hello.com, the certificate can only be used for a.hello.com and b.hello.com, but not for a.b.hello.com.

    Protocol

    Select the HTTP protocol or HTTPS protocol. The supported port number varies based on the protocol.

    • HTTP: Port 80 is supported.

    • HTTPS: Port 443 is supported.

    If you select HTTPS as the protocol, configure the following parameters.

    Certificate

    Select the certificate from Alibaba Cloud SSL Certificate Service that is associated with the HTTPS protocol.

    Note

    If you have not purchased or uploaded the relevant SSL certificate, you can click Purchase/Upload Certificate to go to the SSL Certificate Management console for operations. For more information, see Purchase SSL Certificates.

    Always Use HTTPS

    If you enable Always Use HTTPS, only the HTTPS port can be accessed and HTTP requests are redirected to the HTTPS port.

    Enable HTTP/2?

    Select an option to specify whether to use HTTP/2 during the TLS handshake based on Application-Layer Protocol Negotiation (ALPN). Valid values:

    • Use Gateway Instance Configuration: The current domain name follows the value of the EnableHttp2 parameter in the parameter configuration, and changes dynamically whenever that value changes.

    • Enable: The current domain name uses the HTTP/2 protocol for communications after the TLS handshake succeeds.

    • Disable: The current domain name does not use the HTTP/2 protocol for communications after the TLS handshake succeeds.

    Note

    If the HTTP protocol is used, the gateway uses HTTP Upgrade to automatically upgrade HTTP to HTTP/2 based on client requirements. Therefore, you need to configure this parameter based on your business requirements only if you select HTTPS from the drop-down list of the Protocol parameter.

    TLS Version

    Select the minimum and maximum TLS versions that the current domain name accepts for TLS communications.

    • Minimum Version: Configure the minimum version allowed for TLS communication for the current domain name. The default is 1.0.

    • Maximum Version: Configure the maximum version allowed for TLS communication for the current domain name. The default is 1.3.

    Cipher Suite

    Select the Default or a Custom cipher suite.

    • Default: Select the default cipher suite.

      Default cipher suite

      • ECDHE-ECDSA-AES128-GCM-SHA256 (Supported versions: TLS 1.2, TLS 1.3)

      • ECDHE-RSA-AES128-GCM-SHA256 (Supported versions: TLS 1.2, TLS 1.3)

      • ECDHE-ECDSA-AES256-GCM-SHA384 (Supported versions: TLS 1.2, TLS 1.3)

      • ECDHE-RSA-AES256-GCM-SHA384 (Supported versions: TLS 1.2, TLS 1.3)

      • ECDHE-ECDSA-CHACHA20-POLY1305 (Supported versions: TLS 1.2, TLS 1.3)

      • ECDHE-RSA-CHACHA20-POLY1305 (Supported versions: TLS 1.2, TLS 1.3)

      • ECDHE-ECDSA-AES128-SHA (Supported versions: TLS 1.0, TLS 1.1, TLS 1.2, TLS 1.3)

      • ECDHE-RSA-AES128-SHA (Supported versions: TLS 1.0, TLS 1.1, TLS 1.2, TLS 1.3)

      • ECDHE-ECDSA-AES256-SHA (Supported versions: TLS 1.0, TLS 1.1, TLS 1.2, TLS 1.3)

      • ECDHE-RSA-AES256-SHA (Supported versions: TLS 1.0, TLS 1.1, TLS 1.2, TLS 1.3)

      • AES128-GCM-SHA256 (Supported versions: TLS 1.2, TLS 1.3)

      • AES256-GCM-SHA384 (Supported versions: TLS 1.2, TLS 1.3)

      • AES128-SHA (Supported versions: TLS 1.0, TLS 1.1, TLS 1.2, TLS 1.3)

      • AES256-SHA (Supported versions: TLS 1.0, TLS 1.1, TLS 1.2, TLS 1.3)

    • Custom: Select encryption algorithms to add to the selected algorithms box.

      Note

      The specified cipher suites take effect only when TLS 1.0 to TLS 1.2 is negotiated. They have no effect when TLS 1.3 is negotiated.

    Mutual Authentication mTLS

    Enable or disable Mutual Authentication mTLS. It is disabled by default.

    Mutual Authentication CA Certificate

    After enabling Mutual Authentication mTLS, you need to configure the Mutual Authentication CA Certificate to verify the client identity.

    Resource Group

    Select the resource group that you want to use. You can click Create Resource Group on the right.
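The Important note under Domain Name means a wildcard domain can route hostnames that its wildcard certificate does not cover. The following added example (not code from the product or its documentation) lists such hostnames before they surface as certificate errors; the function names and the sample host list are this example's own, and the handling of the bare apex domain is an assumption.

```python
def gateway_matches(pattern: str, host: str) -> bool:
    """Gateway domain matching as the page describes it: '*.hello.com'
    matches subdomains at any depth (a.hello.com, a.b.hello.com)."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    suffix = pattern[1:]  # ".hello.com"; the leading dot keeps nothello.com out
    # Assumption: the bare apex (hello.com) is not matched; the page does not say.
    return host.endswith(suffix) and len(host) > len(suffix)


def cert_covers(cert_name: str, host: str) -> bool:
    """Certificate name matching: '*' stands for exactly one left-most label."""
    cert_labels = cert_name.lower().rstrip(".").split(".")
    host_labels = host.lower().rstrip(".").split(".")
    if len(cert_labels) != len(host_labels):
        return False
    if cert_labels[0] == "*":
        return cert_labels[1:] == host_labels[1:]
    return cert_labels == host_labels


def uncovered_hosts(domain_pattern, cert_names, hosts):
    """Hosts the gateway accepts for the bound domain but no certificate name covers."""
    return [h for h in hosts
            if gateway_matches(domain_pattern, h)
            and not any(cert_covers(n, h) for n in cert_names)]


# Constructed sample: hostnames that clients are expected to use.
HOSTS = ["a.hello.com", "b.hello.com", "a.b.hello.com", "nothello.com"]

if __name__ == "__main__":
    # Wildcard certificate alone: the two-level subdomain is routed but not covered.
    print(uncovered_hosts("*.hello.com", ["*.hello.com"], HOSTS))
    # Adding a name for the deeper level closes the gap.
    print(uncovered_hosts("*.hello.com", ["*.hello.com", "*.b.hello.com"], HOSTS))
```
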
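For the TLS Version and Cipher Suite parameters, the following added example (not part of the product or its documentation) sorts the default suites listed above by what their names imply, to help choose a Custom selection and a matching Minimum Version. The selection criterion (forward secrecy plus an AEAD cipher) and the function names are assumptions of this example, not gateway settings.

```python
# Default cipher suites exactly as listed on the page (OpenSSL-style names).
PAGE_DEFAULT_SUITES = """
ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-GCM-SHA384
ECDHE-ECDSA-CHACHA20-POLY1305 ECDHE-RSA-CHACHA20-POLY1305
ECDHE-ECDSA-AES128-SHA ECDHE-RSA-AES128-SHA
ECDHE-ECDSA-AES256-SHA ECDHE-RSA-AES256-SHA
AES128-GCM-SHA256 AES256-GCM-SHA384 AES128-SHA AES256-SHA
""".split()


def properties(suite: str) -> dict:
    """Read key exchange and cipher mode off an OpenSSL-style suite name."""
    # No key-exchange prefix (e.g. AES128-SHA) means static RSA key exchange.
    forward_secrecy = suite.startswith(("ECDHE-", "DHE-"))
    # GCM and ChaCha20-Poly1305 are AEAD; a bare -SHA suffix is CBC with HMAC-SHA1.
    aead = "-GCM-" in suite or suite.endswith("CHACHA20-POLY1305")
    # AEAD suites exist from TLS 1.2 on; the page lists the -SHA suites from TLS 1.0.
    earliest = (1, 2) if aead else (1, 0)
    return {"forward_secrecy": forward_secrecy, "aead": aead, "earliest": earliest}


def plan_custom_selection(suites):
    """Split suites into a Custom selection (forward secrecy + AEAD) and the rest,
    and report the earliest TLS version at which every selected suite is usable."""
    keep, drop = [], []
    for s in suites:
        p = properties(s)
        (keep if p["forward_secrecy"] and p["aead"] else drop).append(s)
    floor = max(properties(s)["earliest"] for s in keep) if keep else None
    min_version = "{}.{}".format(*floor) if floor else None
    return keep, drop, min_version


def reachable_below_tls12(suites):
    """Suites a TLS 1.0/1.1 client can negotiate while Minimum Version stays at 1.0."""
    return [s for s in suites if properties(s)["earliest"] < (1, 2)]


if __name__ == "__main__":
    keep, drop, min_version = plan_custom_selection(PAGE_DEFAULT_SUITES)
    print("Custom selection:", keep)
    print("Left out:", drop)
    print("Minimum Version that loses none of the selection:", min_version)
    print("Negotiable by TLS 1.0/1.1 clients today:", reachable_below_tls12(PAGE_DEFAULT_SUITES))
```

As the note under Custom states, a custom selection applies only when TLS 1.0 to 1.2 is negotiated, so TLS 1.3 connections are unaffected by it.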

Verify the result

Before you verify the result, make sure that an accessible route has been configured under the current domain name.

  • If public DNS resolution for your domain name has taken effect, you can verify the result directly in a browser.

  • If you do not configure the Domain Name System (DNS) resolution for your domain name, you can run one of the following commands to verify the result based on the supported protocol. For example, if the domain name is configured as hello.com, replace {Public IP} in the following commands with your actual public IP address.

    • Verify HTTP

      curl http://hello.com --resolve "hello.com:80:{Public IP}"
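    • Verify HTTPS

      curl -v -k https://hello.com --resolve "hello.com:443:{Public IP}" --cacert my-cert.pem

      The -k option tells curl to skip certificate verification, so --cacert does not influence the result while -k is present. To check that the gateway presents a certificate that chains to my-cert.pem, run the command without -k.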