By default, KMS instance keys are accessible only over a virtual private cloud (VPC) network. If your application runs outside a VPC, enable Internet access through the KMS console to call cryptographic operation APIs from the Internet.
Secrets in a KMS instance are accessible over both the Internet and the VPC network by default. If your application only accesses secrets, you do not need to enable Internet access.
Limitations
| Limitation | Details |
|---|---|
| Enablement method | Internet access can only be enabled through the console, not through OpenAPI. |
| QPS cap | Cryptographic operations over the Internet cannot exceed 1,000 queries per second (QPS), regardless of the QPS tier purchased. For high-performance workloads, use the VPC network. For QPS benchmarks, see Performance data. |
| Multi-account permission | When a KMS instance is shared across multiple Alibaba Cloud accounts, only the instance owner can enable Internet access. Instance users cannot perform this action. |
If you are an instance user rather than the instance owner, you cannot enable Internet access. Contact the instance owner to complete this configuration before proceeding.
Prerequisites
Before you begin, ensure that you have:

- A KMS instance
- Instance owner permissions
Enable Internet access
1. Log in to the KMS console. In the top navigation bar, select a region. In the left-side navigation pane, choose Resource > Instances.
2. In the instance list, click the target instance ID. On the instance details page, go to the Share Resources tab and enable Internet access. When a KMS instance is shared with multiple Alibaba Cloud accounts, you can configure Internet access permissions for each account individually.
3. Switch to the Instance tab and view the public endpoint displayed on the page.

What's next
Use the public endpoint with the Alibaba Cloud SDK to perform cryptographic operations over the Internet. For SDK setup and usage, see Alibaba Cloud SDK.