Object Storage Service:Domain name access and network connection overview

Last Updated: Jun 25, 2026

OSS provides network access solutions for domain configuration, performance optimization, security, and dedicated access. These solutions help you build an efficient, stable, and secure storage access architecture.

Quick selection

| Category | Scenario | Recommended solution |
|---|---|---|
| Basic access | Find the endpoints and internal VIP CIDR blocks for each region. | Regions and endpoints |
| Basic access | Learn the format and usage of different domain types, such as public, internal, and transfer acceleration. | Access OSS by using endpoints and bucket domain names |
| Basic access | Enable online file previews and maintain a consistent brand identity. | Access OSS by using a custom domain name |
| Performance optimization | Accelerate global delivery of static assets like images, audio, video, and documents. | Access OSS by using CDN acceleration |
| Performance optimization | Accelerate long-distance, cross-region data uploads and downloads. | Access OSS by using transfer acceleration |
| Security | Enable HTTPS encryption for a custom domain name. | Access OSS over HTTPS |
| Security | Establish a secure, isolated, private connection between a VPC and OSS. | Access OSS over a private network by using PrivateLink |
| Security | Prevent unauthorized websites from using your resources and causing high traffic costs. | Hotlink protection |
| Dedicated access | Access OSS through a static IP address. | Access OSS by using an ECS reverse proxy |
| Dedicated access | Grant different applications or teams granular permissions to the same bucket. | Access point |
| Web applications | Publish static files from a bucket as a website. | Static website hosting |
| Web applications | Resolve cross-origin resource access issues when a browser loads OSS resources. | CORS configuration |

Domain name types

OSS provides different types of access domain names based on your network environment and performance needs. For information about the format, usage examples, and switching methods for each domain name type, see Access OSS by using endpoints and bucket domain names. For the endpoints corresponding to each region, see Regions and endpoints.

Important

Due to a policy change to improve compliance and security, starting March 20, 2025, new OSS users must use a custom domain name (CNAME) to perform data API operations on OSS buckets located in Chinese mainland regions. Default public endpoints are restricted for these operations. Refer to the official announcement for a complete list of the affected operations. If you access your data via HTTPS, you must bind a valid SSL Certificate to your custom domain. This is mandatory for OSS Console access, as the console enforces HTTPS.

| Domain name type | Use case | Billing | Activation required |
|---|---|---|---|
| Public access domain name | Public access from web applications and mobile clients. | Charged for outbound traffic over the public network. | Available by default. |
| Internal access domain name | Access from within the Alibaba Cloud network (for example, ECS to OSS). | Internal traffic is free of charge. | Available by default. |
| Transfer acceleration domain name | High-speed cross-region and international uploads/downloads. | Incurs transfer acceleration fees in addition to outbound traffic fees. | Requires enabling the transfer acceleration feature. |
| Dual-stack domain name | Access OSS from an IPv6 network environment. | Charged for outbound traffic over the public network. | Supported in some regions. |
| CNAME domain name | Used for DNS resolution when you map a custom domain name. | Charged for outbound traffic over the public network. | Requires mapping a custom domain name and configuring a CNAME record. |

ECS instances in the same region can connect directly to OSS by using an internal domain name, such as oss-cn-hangzhou-internal.aliyuncs.com. ECS instances in both the classic network and VPCs use the same internal endpoint. This traffic travels over the Alibaba Cloud internal network, never passes through the public internet, and does not incur outbound data transfer fees. To access OSS across regions, you must use the public network or Cloud Enterprise Network (CEN).

Important

Accessing files like HTML or images with an OSS bucket domain name forces a browser download instead of an online preview. To enable file previews, you must access OSS by using a custom domain name. You can map a custom domain name to a public access domain name, a transfer acceleration domain name, an access point domain name, or an object FC access point domain name. If your bucket is in the Chinese mainland, the mapped domain name must have an ICP filing.

Performance optimization

CDN acceleration and transfer acceleration optimize performance in different scenarios. You can use them individually or together.

| Dimension | CDN acceleration | Transfer acceleration |
|---|---|---|
| How it works | Caches static resources at global edge nodes to serve user requests from the nearest location. | Uses intelligent routing over the Alibaba Cloud backbone network to optimize data transfer paths. |
| Use case | High-frequency reads of static assets, such as images, audio, video, and document downloads. | Long-distance, cross-region, and international data uploads and downloads. |
| Upload support | Not recommended for uploads. | Accelerated uploads are supported. |
| Billing | CDN fees + OSS CDN back-to-origin traffic | Outbound traffic fees + transfer acceleration fees |

Combined usage: configure CDN to use a transfer acceleration domain name for origin fetch. This creates a dual-acceleration architecture that combines CDN edge caching with backbone network acceleration.

Security

HTTPS

OSS bucket domain names support HTTPS access by default, requiring no extra configuration. When you access OSS by using a custom domain name, you must configure an SSL certificate for that domain name. If CDN is not enabled, upload a certificate for the custom domain name mapped to the bucket in the OSS console. If CDN is enabled, configure an SSL certificate for the CDN domain name in the CDN console. For production environments, we recommend enforcing HTTPS access with a bucket policy that denies all HTTP requests. Alibaba Cloud SSL certificates support automatic renewal through certificate hosting. For more information, see Access OSS over HTTPS.
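The deny-all-HTTP bucket policy recommended above, as an added example that is not part of this page or of OSS itself. It builds the policy JSON (using the OSS condition key acs:SecureTransport) and pairs it with a deliberately simplified evaluator so you can see which requests the Deny statement catches; the bucket name, account ID and object keys are constructed for the example.

```python
import json
from fnmatch import fnmatchcase


def deny_http_policy(bucket: str) -> dict:
    """Bucket policy that denies every request not sent over TLS.

    acs:SecureTransport is the OSS bucket-policy condition key that is
    "true" for HTTPS requests and "false" for plain HTTP requests.
    """
    return {
        "Version": "1",
        "Statement": [{
            "Effect": "Deny",
            "Action": ["oss:*"],
            "Principal": ["*"],
            "Resource": [f"acs:oss:*:*:{bucket}", f"acs:oss:*:*:{bucket}/*"],
            "Condition": {"Bool": {"acs:SecureTransport": ["false"]}},
        }],
    }


def policy_json(bucket: str) -> str:
    """The JSON text you would paste into the bucket policy editor."""
    return json.dumps(deny_http_policy(bucket), indent=2)


def _any_match(patterns, value: str) -> bool:
    # Policy strings use * as a wildcard; fnmatchcase keeps the match case-sensitive.
    return any(fnmatchcase(value, p) for p in patterns)


def is_denied(policy: dict, action: str, resource: str, https: bool) -> bool:
    """Simplified evaluator written for this example (not the OSS policy engine):
    True when any Deny statement matches the request. Grants are not modelled,
    so False only means 'not blocked by this policy'."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if not _any_match(stmt["Action"], action) or not _any_match(stmt["Resource"], resource):
            continue
        wanted = stmt.get("Condition", {}).get("Bool", {}).get("acs:SecureTransport")
        # No condition means an unconditional Deny; otherwise compare the request's
        # transport ("true"/"false") with the values listed in the condition.
        if wanted is None or str(https).lower() in wanted:
            return True
    return False


if __name__ == "__main__":
    print(policy_json("examplebucket"))
```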

PrivateLink

PrivateLink creates a dedicated private endpoint for OSS within your Virtual Private Cloud (VPC). All traffic is routed over the Alibaba Cloud backbone network instead of the public internet. This provides stronger security isolation than the default OSS internal access domain name.

| Capability | Internal domain | PrivateLink |
|---|---|---|
| Attack surface | Public service entry point exposed to all VPCs. | Entry point is inside a VPC, preventing discovery and access from other VPCs. |
| Network-level control | Not controllable by security groups. | Supports binding security groups for precise source IP access control. |
| Auditing capabilities | Logs only successful requests. | Supports VPC flow logs to audit all connection attempts. |
| IP planning | Uses the 100.64.0.0/10 CIDR block, which may conflict with on-premises data centers. | Uses an IP address from your VPC CIDR block, following your custom IP plan. |

Connect on-premises devices or data centers to your VPC with an SSL-VPN or Express Connect circuit to access OSS through PrivateLink. For more information, see Access OSS over a private network by using PrivateLink.

Hotlink protection

If other websites hotlink your OSS resources and increase your traffic costs, you can configure Referer-based blacklists and whitelists to control access. OSS enforces access control in the following order of priority: empty Referer check > blacklist check > whitelist check. Hotlink protection applies only to anonymous access and signed URLs. This restriction does not apply to API calls signed with an AccessKey. If you use CDN acceleration for OSS, you must also configure hotlink protection rules at the CDN layer. Otherwise, hotlinking requests might hit the CDN cache and bypass OSS verification. For more information, see Hotlink protection.
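The Referer check order described above (empty-Referer check, then blacklist, then whitelist), as an added example that is not OSS code. It models the rules as glob patterns (* and ?) matched against the whole Referer value after an optional query-string truncation; the configuration field names and the test sites are this example's own assumptions, not OSS identifiers.

```python
import re
from dataclasses import dataclass, field


@dataclass
class RefererConfig:
    """Hotlink-protection settings of a bucket (field names are this example's)."""
    allow_empty_referer: bool = True
    blacklist: list = field(default_factory=list)
    whitelist: list = field(default_factory=list)
    truncate_query_string: bool = True  # compare the Referer without its ?query part


def _rule_to_regex(rule: str) -> "re.Pattern[str]":
    # Rules use * for any run of characters and ? for a single character;
    # everything else is matched literally, so it is escaped.
    pieces = [".*" if c == "*" else "." if c == "?" else re.escape(c) for c in rule]
    return re.compile("^" + "".join(pieces) + "$")


def _matches_any(rules, referer: str) -> bool:
    return any(_rule_to_regex(r).match(referer) for r in rules)


def is_request_allowed(cfg: RefererConfig, referer: str, signed_with_accesskey: bool = False) -> bool:
    """Apply the checks in the order the page states:
    empty-Referer check, then blacklist, then whitelist."""
    if signed_with_accesskey:
        return True  # hotlink protection covers only anonymous access and signed URLs
    if not referer:
        return cfg.allow_empty_referer
    if cfg.truncate_query_string:
        referer = referer.split("?", 1)[0]
    if _matches_any(cfg.blacklist, referer):
        return False  # the blacklist wins even when the whitelist would also match
    if cfg.whitelist:
        return _matches_any(cfg.whitelist, referer)
    return True  # no whitelist configured: anything not blacklisted passes


if __name__ == "__main__":
    cfg = RefererConfig(allow_empty_referer=False,
                        blacklist=["https://evil.example.com/*"],
                        whitelist=["https://*.example.com/*"])
    for ref in ["https://www.example.com/page.html", "https://evil.example.com/page.html", ""]:
        print(repr(ref), "->", "allowed" if is_request_allowed(cfg, ref) else "denied")
```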

Dedicated access

ECS reverse proxy

OSS provides dynamic IP addresses through DNS resolution. This dynamism can complicate firewall whitelisting and specific system integrations. You can deploy an Nginx reverse proxy on an ECS instance with a static public IP address to forward requests to OSS. This lets you access OSS resources through a fixed IP address. For production environments, we recommend a high-availability architecture that uses a load balancer with an ECS instance group across multiple availability zones. For more information, see Access OSS by using an ECS reverse proxy.

Access point

An access point provides a dedicated entry point for a bucket. When multiple applications or teams with different permission levels need to access the same bucket, you can create a separate access point for each. This lets you manage permissions individually through access point policies, avoiding complex rules in a single bucket policy. Each access point has its own alias, access policy, and network origin configuration (public internet or a specified VPC). It supports federated authentication with RAM policies and bucket policies in a three-layer policy model. For more information, see Access point.

Web applications

Static website hosting

OSS lets you publish static files (such as HTML, CSS, and JavaScript) in a bucket directly as a publicly accessible website, without requiring server maintenance. You can configure a default homepage, subdirectory homepages, and a custom 404 error page. It also supports routing for single-page applications (SPAs) by setting the 404 page to index.html and the error response code to 200. For more information, see Static website hosting.

Important

When you use an OSS bucket domain name to access an HTML file, the browser forces a download. You must map a custom domain name to enable normal web browsing.

CORS configuration

When your website loads resources from OSS, the browser may report a "blocked by CORS policy" error. This is due to the browser's same-origin policy, which restricts cross-origin resource access. By configuring CORS rules for your bucket (such as the allowed origins, allowed methods, and allowed headers), you can authorize specified websites to access your OSS resources. When you configure multiple origins or wildcards, enable the Vary: Origin response header to prevent cache pollution. If your bucket uses CDN acceleration, you must either configure cross-origin rules in the CDN console or set CDN to pass through the CORS response headers from OSS. For more information, see CORS configuration.
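Preflight evaluation against a list of bucket CORS rules, as an added example that is not OSS code. It shows first-match rule ordering, wildcard origins, header checks, and why Vary: Origin is needed when the allowed origin is reflected; the header reflection and Vary behaviour are this example's simplified model, and the rule class and sample origins are constructed for it.

```python
import re
from dataclasses import dataclass, field


@dataclass
class CorsRule:
    """One CORS rule of a bucket; field names mirror the OSS rule elements."""
    allowed_origins: list
    allowed_methods: list
    allowed_headers: list = field(default_factory=list)
    expose_headers: list = field(default_factory=list)
    max_age_seconds: int = 0


def _origin_matches(pattern: str, origin: str) -> bool:
    # An AllowedOrigin entry may contain one *, e.g. https://*.example.com
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, origin) is not None


def _headers_allowed(rule: CorsRule, requested) -> bool:
    if "*" in rule.allowed_headers:
        return True
    allowed = {h.lower() for h in rule.allowed_headers}
    return all(h.lower() in allowed for h in requested)


def preflight(rules, origin: str, method: str, request_headers=(), response_vary: bool = True):
    """Evaluate an OPTIONS preflight against the rules in order (first match wins)
    and return the CORS response headers, or None when no rule matches."""
    for rule in rules:
        if method not in rule.allowed_methods or not _headers_allowed(rule, request_headers):
            continue
        for pattern in rule.allowed_origins:
            if not _origin_matches(pattern, origin):
                continue
            headers = {
                # A literal * is returned as *; any other pattern reflects the caller's
                # Origin, so the response differs per origin and caches must key on it.
                "Access-Control-Allow-Origin": "*" if pattern == "*" else origin,
                "Access-Control-Allow-Methods": ",".join(rule.allowed_methods),
            }
            if request_headers:
                headers["Access-Control-Allow-Headers"] = ",".join(request_headers)
            if rule.expose_headers:
                headers["Access-Control-Expose-Headers"] = ",".join(rule.expose_headers)
            if rule.max_age_seconds:
                headers["Access-Control-Max-Age"] = str(rule.max_age_seconds)
            if response_vary and pattern != "*":
                headers["Vary"] = "Origin"  # stops a CDN serving one origin's answer to another
            return headers
    return None
```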

FAQ

Access with long-term, non-signed URLs

You can use one of the following methods:

Troubleshoot slow uploads or downloads

OSS transfer speed depends on client network bandwidth, link quality, and transfer strategy. Troubleshoot and optimize using the following guidelines:

  • Bandwidth and link quality: Confirm that your current bandwidth does not exceed the bucket's bandwidth limit. Use an MTR tool to analyze the network link for packet loss, high latency, or routing anomalies. For cross-border or long-distance transfers, we recommend enabling transfer acceleration.

  • Tool selection: Use ossutil for transferring large or numerous files. You can use its probe command to check the current network status.

  • SDK tuning: For large files, always use multipart upload and resumable upload. Configure the part size (part_size) and number of concurrent threads (num_threads) appropriately. On a good network, increase the part size to reduce the number of requests. When you initialize the client, you can disable CRC64 validation (for example, set enable_crc=False in Python) and use the Content-MD5 request header for integrity checks. This can improve transfer performance while still verifying data integrity.

Troubleshoot network errors

If the request has reached OSS (the response contains a Request ID), get the Request ID and use the OSS self-service diagnostic tool to perform a check.

If the request has not reached OSS (the Request ID is empty), troubleshoot based on the error type:

| Error type | Common cause | Solution |
|---|---|---|
| Connection refused | A blocked port, or the use of an internal endpoint for cross-region access. | Use the correct public endpoint. Use ping and telnet to check firewall rules and network connectivity. |
| ConnectionTimeOut | Poor network conditions or a short timeout setting. | Increase the SDK connection and read timeouts, and enable the retry mechanism. For large files, use multipart upload and resumable upload for better stability. Consider using CDN acceleration or transfer acceleration. |
| Socket timeout / closed | Connection timed out or was unexpectedly closed. | Increase the socket timeout setting in your SDK (for example, ClientConfiguration.setSocketTimeout in the Java SDK). |
| Connection reset | Incorrect endpoint configuration or security restrictions on the bucket. | Troubleshoot in the following order: 1. Check network connectivity with ping or the Alibaba Kunlun Diagnostic Tool. 2. Ensure the endpoint includes the correct protocol prefix (http:// or https://). 3. Confirm that the bucket has not been placed in the OSS sandbox for security reasons. 4. Capture packets with Wireshark and contact Technical Support. |