If you access Object Storage Service (OSS) resources by using an internal endpoint of OSS, no fees are charged for the traffic generated. This topic describes how Elastic Compute Service (ECS) instances access OSS resources by using an internal endpoint of OSS.

ECS instances can use the following methods to access OSS resources by using an internal endpoint of OSS:
  • ECS instances deployed within the same region as an OSS bucket can use the internal endpoint of OSS to access the bucket resources that the ECS instances are authorized to access.
  • ECS instances that are not in the same region as the bucket and Internet users can use the ECS reverse proxy to access the OSS resources by using the internal endpoint of OSS.

Obtain the internal endpoint of OSS

  • Obtain from the OSS console
    Log on to the OSS console. On the Overview tab of the specified bucket, you can view the endpoints and bucket domain names in the Port section. The following figure shows an example. Port
  • Follow the fixed format

    OSS bucket domain names are in the following format: BucketName.Endpoint. In this format, BucketName indicates the name of your bucket. Endpoint indicates the endpoint used to access the region where your bucket is located. For more information, see OSS domain names.

Access from ECS instances within the same region

ECS instances deployed within the same region as an OSS bucket can use the internal network to access resources in the bucket.

  • Use URLs
    You can use the internal endpoint of OSS to access OSS resources that you are authorized to access. For example, a bucket named test is located in the China (Hangzhou) region. The bucket contains an object named 1.jpg in the root directory of the bucket, and the access control list (ACL) of the object is public read. In this case, ECS instances in the China (Hangzhou) region can access this object by using http://test.oss-cn-hangzhou-internal.aliyuncs.com/1.jpg. You can embed the access URL of the object in your website and provide the URL to ECS users within the same region or to users who have connected to the internal network by using a leased line.
    Warning For data security reasons, we recommend that you do not set the ACL of your OSS resources to public read or public read/write. You can use bucket policies to authorize other users to access OSS resources. For more information, see Configure bucket policies to authorize other users to access OSS resources.
  • Use ossbrowser

    When you set the parameters for logging on to ossbrowser, set Endpoint to the internal endpoint of OSS. For more information, see ossbrowser.

  • Use ossutil

    When you set the parameters for logging on to ossutil, set Endpoint to the internal endpoint of OSS. For more information, see ossutil.

  • Use SDKs
    When you initialize the client instance, set Endpoint to the internal endpoint of OSS.
    • Java SDK 
      String endpoint = "http://oss-cn-hangzhou-internal.aliyuncs.com";// The China (Hangzhou) region is used in the example.
String accessKeyId = "<yourAccessKeyId>";
String accessKeySecret = "<yourAccessKeySecret>";
OSSClient client = new OSSClient(endpoint, accessKeyId, accessKeySecret);

      For more information, see Initialization.

    • PHP SDK 
      $accessKeyId = "<yourAccessKeyId>";
$accessKeySecret = "<yourAccessKeySecret>";
$endpoint = "<A data center endpoint that you have selected to access OSS, such as http://oss-cn-hangzhou-internal.aliyuncs.com>";

      For more information, see Initialization.

    • Python SDK 
      auth = oss2.Auth('<yourAccessKeyId>', '<yourAccessKeySecret>')
endpoint = 'http://oss-cn-hangzhou-internal.aliyuncs.com' # A data center endpoint that you have selected to access OSS. The China (Hangzhou) region is used in the example.
bucket = oss2.Bucket(auth, endpoint, 'BucketName')

      For more information, see Initialization.

    • .NET SDK 
      const string accessKeyId = "<yourAccessKeyId>";
const string accessKeySecret = "<yourAccessKeySecret>";
const string endpoint = "http://oss-cn-hangzhou-internal.aliyuncs.com";
var ossClient = new OssClient(endpoint, accessKeyId, accessKeySecret);

      For more information, see Initialization.

    • C SDK 
      options->config = oss_config_create(options->pool);
aos_str_set(&options->config->endpoint, "http://oss-cn-hangzhou-internal.aliyuncs.com");
aos_str_set(&options->config->access_key_id, "<yourAccessKeyId>");
aos_str_set(&options->config->access_key_secret, "<yourAccessKeySecret>");
options->config->is_cname = 0;
options->ctl = aos_http_controller_create(options->pool, 0);

      For more information, see Initialization.

Access OSS resources by configuring a reverse proxy on ECS instances

ECS instances or Internet users in different regions cannot directly access OSS resources by using the internal endpoint of OSS. However, you can configure a reverse proxy on ECS instances to access OSS resources. Follow these steps:
  1. Create an ECS instance with a public IP address in the same region as the OSS resources. For more information, see Create an ECS instance.
  2. Configure the reverse proxy on the ECS instance. For more information, see Configure HTTPS for your own domain name in OSS through reverse proxy.
  3. Configure OSS bucket policies to allow access from the internal IP address of the ECS instance. For more information, see Configure bucket policies to authorize other users to access OSS resources.

After you complete the preceding steps, users can access the OSS resources by using the public IP address of the ECS instance. Then, the ECS instance requests OSS resources over the internal network and returns the OSS resources to the users.