By default, when you call the KMS instance API for cryptographic operations, keys are accessible only through the virtual private cloud (VPC) network. If you need to access keys over the Internet, you must enable Internet access through the console. This topic details the process.
Limits
Regardless of the queries per second (QPS) you selected when purchasing the KMS instance, the QPS for cryptographic operations over the Internet cannot exceed 1000. For more information, see Performance data. If your application has high performance requirements, use the VPC network.
By default, secrets in a KMS instance can be accessed either over the Internet or through the VPC network. If your application only accesses secrets over the Internet, you do not need to enable Internet access.
Internet access can only be enabled through the console. It cannot be enabled through OpenAPI.
When multiple accounts share a KMS instance, only the instance owner can enable Internet access, not instance users.
Procedure
Log on to the KMS console. In the top navigation bar, select a region. In the left-side navigation pane, choose .
On the instance list page, click the target instance ID, and then enable Internet access on the Share Resources tab of the details page.
When a KMS instance is shared with multiple Alibaba Cloud accounts, you can configure Internet access permissions for each account.

Switch to the Instance tab, and view the public endpoint.

What to do next
You can use the Alibaba Cloud SDK to perform cryptographic operations over the Internet. For more information, see Alibaba Cloud SDK.