OSS provides diverse network access solutions that cover domain name configuration, performance optimization, security protection, and proxy access. These solutions help build an efficient, stable, and secure storage access architecture.
Domain name selection
OSS provides two access methods: bucket domain names and custom domain names. These methods are suitable for different business scenarios.
Due to a policy change to improve compliance and security, starting March 20, 2025, new OSS users must use a custom domain name (CNAME) to perform data API operations on OSS buckets located in Chinese mainland regions. Default public endpoints are restricted for these operations. Refer to the official announcement for a complete list of the affected operations. If you access your data via HTTPS, you must bind a valid SSL Certificate to your custom domain. This is mandatory for OSS Console access, as the console enforces HTTPS.
Domain name type | Description | Pros | Cons |
Bucket domain name | Default domain name provided by OSS. | | |
Custom domain name | Use your own domain name. Map your domain name to a CNAME domain name (recommended) or a public bucket domain name by adding a CNAME record. This provides a branded access experience. | | |
Performance acceleration
CDN acceleration
You can configure CDN acceleration to distribute static resources in OSS, such as images, audio, videos, and documents. CDN uses global edge nodes to respond to user requests from the nearest location. This significantly improves access speed, reduces network latency, and lowers costs by reducing direct traffic to OSS.
Transfer acceleration
You can enable the transfer acceleration feature to significantly improve performance for long-distance, cross-region data transfers, such as accessing buckets outside China from the Chinese mainland or vice versa. This feature uses Alibaba Cloud's globally distributed data centers and smart routing to route user requests to the nearest access point. It uses optimized network protocols and transfer paths to provide an end-to-end acceleration solution for file uploads and downloads.
Security improvement
HTTPS secure protocol
The HTTP protocol transmits data in plaintext. This poses risks of data breaches and tampering and fails to meet enterprise data protection and compliance requirements. You can configure an SSL Certificate to enable HTTPS access to OSS. This provides end-to-end data encryption during transmission, which effectively prevents network security threats such as man-in-the-middle attacks and data eavesdropping. It also helps meet the security and compliance standards of industries such as finance and healthcare.
PrivateLink connection
A PrivateLink connection establishes a dedicated private channel between a virtual private cloud (VPC) and OSS, providing native traffic isolation at the network layer. This solution mitigates the security risks of public network transmission, avoids network address conflicts, and simplifies operations and maintenance (O&M). It helps enterprises build a secure and controllable cloud storage access architecture that meets requirements.
Proxy access
ECS reverse proxy
The IP addresses that OSS provides through DNS resolution change dynamically. This can cause restricted or failed access when you need to configure a firewall whitelist or perform specific system integrations. To resolve this issue, you can configure a reverse proxy on an ECS instance that has a static public IP address attached. The reverse proxy then forwards access requests to OSS. This configuration lets you access OSS resources using a static IP address.
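One way to write the reverse proxy described above as an nginx configuration on the ECS instance (an added example, not taken from the OSS documentation). The hostnames, certificate paths, resolver address, CA bundle path and the read-only restriction are placeholder assumptions. Because the OSS addresses change, the upstream name is re-resolved at request time instead of once at startup, and the upstream certificate is verified.

```nginx
# Placeholders (assumptions, not values from the page):
#   oss-proxy.example.com                  - name clients use; resolves to the ECS static public IP
#   examplebucket.oss-REGION.aliyuncs.com  - bucket endpoint to forward to
#   192.0.2.53                             - DNS resolver reachable from the ECS instance

server {
    listen 80;
    server_name oss-proxy.example.com;
    return 301 https://$host$request_uri;   # no plaintext access through the proxy
}

server {
    listen 443 ssl;
    server_name oss-proxy.example.com;

    ssl_certificate     /etc/nginx/tls/oss-proxy.example.com.crt;
    ssl_certificate_key /etc/nginx/tls/oss-proxy.example.com.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # nginx resolves a literal proxy_pass hostname once, at startup. Putting the
    # name in a variable and declaring a resolver makes nginx look it up again
    # after the cached answer expires, so a changed OSS address is picked up.
    resolver 192.0.2.53 valid=30s;
    set $oss_upstream "examplebucket.oss-REGION.aliyuncs.com";

    location / {
        # Assumed read-only use (GET also permits HEAD); drop this if uploads
        # are meant to pass through the proxy.
        limit_except GET { deny all; }

        proxy_pass https://$oss_upstream;
        proxy_set_header Host $oss_upstream;   # OSS selects the bucket from Host
        proxy_http_version 1.1;
        proxy_set_header Connection "";

        # Authenticate OSS to the proxy: send SNI and verify the certificate
        # chain and name, otherwise the proxy-to-OSS hop is open to interception.
        proxy_ssl_server_name on;
        proxy_ssl_name $oss_upstream;
        proxy_ssl_verify on;
        proxy_ssl_verify_depth 3;
        proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;  # Debian/Ubuntu path
    }
}
```

Validate with `nginx -t` before reloading, and allow inbound traffic to the instance only from the sources that need the static IP.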
FAQ
Which ports does OSS support?
Port 80: HTTP protocol
Port 443: HTTPS protocol
Port 1935: RTMP stream ingest (used only for RTMP stream ingest scenarios)