When you call the KMS instance API for cryptographic operations, keys are accessible only through the VPC network by default. To access keys over the Internet, you must enable Internet access in the console. This topic describes how to enable Internet access.
Limits
Regardless of the QPS you selected when purchasing the KMS instance, the QPS for cryptographic operations over the Internet cannot exceed 1000. For more information, see Performance quotas. If your application has high performance requirements, use the VPC network to access keys.
Internet access can only be enabled through the console. It cannot be enabled through OpenAPI.
In scenarios where multiple accounts share a KMS instance, only the instance owner can enable Internet access.
By default, secrets in a KMS instance can be accessed either over the Internet or through the VPC network.
Procedure
Log on to the KMS console. In the top navigation bar, select a region. In the left-side navigation pane, choose .
On the Instance page, click the target instance ID and turn on Internet Access.
After enabling Internet access, you can obtain the public endpoint. We recommend that you configure fine-grained access control policies to enhance security. For more information, see Authorization management.
What to do next
You can use the Alibaba Cloud SDK to perform cryptographic operations over the Internet. For more information, see Alibaba Cloud SDK overview.