All Products
Search

This Product

    Object Storage Service:Access OSS via Endpoints and Bucket Domains

    Document Center

    Object Storage Service:Access OSS via Endpoints and Bucket Domains

    Last Updated:Jun 16, 2026

    Each OSS bucket has default domain names for internet, internal network, and transfer acceleration access. Learn the domain name formats, use cases, and configuration for each access type.

    Core Concepts

    OSS access addresses combine multiple components. Understanding the following four concepts is essential for correctly accessing OSS:

    Concept

    Description

    Example

    Purpose

    Region ID

    General Region Identifier

    ap-southeast-1

    Used for SDK and ossutil V4 signature scenarios

    Dedicated Region ID

    OSS Dedicated Region Identifier

    oss-ap-southeast-1

    Used for composing Endpoints, API input parameters, return parameters, and other scenarios

    Endpoint

    Service Access Address

    oss-ap-southeast-1.aliyuncs.com

    Configured in SDK and ossutil to establish network connections with OSS service

    Bucket Domain

    Specific Bucket Access Address

    bucket-name.oss-ap-southeast-1.aliyuncs.com

    Used for direct browser access, generating signed URLs, hosting static websites, custom domain CNAME resolution, and other scenarios.

    These concepts form a hierarchy: Region ID identifies a location, OSS assigns a dedicated Region ID for it, which combines with the domain suffix to form the Endpoint. Prepending the bucket name to the Endpoint produces the Bucket domain name for resource access.

    Domain name types

    OSS provides different domain name types to suit various network environments and performance requirements.

    Important

    Due to a policy change to improve compliance and security, starting March 20, 2025, new OSS users must use a custom domain name (CNAME) to perform data API operations on OSS buckets located in Chinese mainland regions. Default public endpoints are restricted for these operations. Refer to the official announcement for a complete list of the affected operations. If you access your data via HTTPS, you must bind a valid SSL Certificate to your custom domain. This is mandatory for OSS Console access, as the console enforces HTTPS.

    Internet access domain name

    Suitable for web applications, mobile clients, and cross-region access over the public internet.

    Domain format

    • Endpoint:oss-[RegionID].aliyuncs.com

    • Bucket domain:[BucketName].oss-[RegionID].aliyuncs.com

    Access examples

    File URL

    The following example obtains a signed URL for a file in a private bucket through the console. For more information about how to obtain signed URLs, see Using presigned URLs to download or preview files.

    1. Go to Bucket list, click the target bucket.

    2. Click the filename of the target file or Details in the Actions column.

    3. For Domain, select Internet domain, then click Copy file URL.

    4. Access the URL in a browser.

    When you access HTML, images, or other files through the OSS bucket domain, the files are downloaded instead of previewed in the browser. To enable in-browser preview, Access OSS through a custom domain name.

    ossutil

    The following example downloads a file using ossutil 2.0. First install and configure ossutil 2.0. The tool uses the internet endpoint by default. You can also specify it explicitly with the -e parameter.

    ossutil cp oss://example-bucket/dest.jpg dest.jpg -e oss-ap-southeast-1.aliyuncs.com

    SDK

    The following shows SDK examples for common languages. For more languages, see the initialization methods in SDK Reference.

    Java SDK V2

    The SDK client uses the internet endpoint by default. Specify only the Region ID — no explicit Endpoint is required. For complete initialization code, see OSS SDK for Java 2.0 (preview).

    Java SDK V1

    Specify the internet endpoint when initializing the OSS client. For complete initialization code, see OSS Java SDK V1.

    // Example using the public network access Endpoint for Singapore
String endpoint = "oss-ap-southeast-1.aliyuncs.com";
// Initialize OSS client
OSS ossClient = OSSClientBuilder.create()
        .credentialsProvider(provider)
        .clientConfiguration(clientBuilderConfiguration)
        .region("ap-southeast-1")
        .endpoint(endpoint)
        .build();

    Python SDK V2

    The SDK client uses the internet endpoint by default. Specify only the Region ID — no explicit Endpoint is required. For complete initialization code, see OSS Python SDK V2.

    Python SDK V1

    Specify the internet endpoint when initializing the OSS client. For complete initialization code, see Initialization.

    # Example using the public endpoint for Singapore
endpoint = "https://oss-ap-southeast-1.aliyuncs.com"
# Initialize OSS client instance
bucket = oss2.Bucket(auth, endpoint, "example-bucket", region="ap-southeast-1")

    Go SDK V2

    The SDK uses the internet endpoint by default. Specify only the Region ID — no explicit Endpoint is required. For complete initialization code, see OSS Go SDK V2.

    Go SDK V1

    Specify the internet endpoint when initializing the OSS client. For complete initialization code, see Configure a client (Go SDK V1).

    // Create OSS client instance
client, _ := oss.New(
        "oss-ap-southeast-1.aliyuncs.com",	// Example using the public endpoint for Singapore
        "",
        "",
        oss.SetCredentialsProvider(&provider),
        oss.AuthVersion(oss.AuthV4),
        oss.Region("ap-southeast-1"),
)

    Internal endpoints

    Suitable for ECS instances accessing OSS within the same region. Internal access eliminates internet traffic fees and provides lower latency and more stable connections.

    Domain format

    • Endpoint:oss-[RegionID]-internal.aliyuncs.com

    • Bucket domain:[BucketName].oss-[RegionID]-internal.aliyuncs.com

    Usage recommendations

    • DNS configuration optimization

      When using internal endpoints, configure Alibaba Cloud private DNS addresses (100.100.2.136 and 100.100.2.138) to ensure correct VIP resolution and prevent DNS-related access failures.

    • VIP network segment routing configuration completeness

      OSS assigns fixed VIP segments for each region's internal network. The system dynamically switches IPs within these segments. When you access OSS through the internal network from local devices or data centers, routing must cover the complete VIP segments. Incomplete routing causes connection interruptions. For VIP segment details, see Regions and Endpoints.

      Important

      Ensure your routing configuration covers the full VIP segment. If OSS access fails due to missing VIP segment routes, the configuring party is responsible for any resulting losses.

    • Security Group Rule Configuration

      ECS security group rules must not block access to any VIP segment used by OSS internal endpoints.

    Access Examples

    ossutil

    The following example downloads a file using ossutil 2.0 from an ECS instance in the same region. First install and configure ossutil 2.0. You can set the internal endpoint during configuration or specify it with the -e parameter.

    ossutil cp oss://example-bucket/dest.jpg dest.jpg -e oss-ap-southeast-1-internal.aliyuncs.com

    SDK

    The following shows SDK examples for common languages. For more languages, see SDK Reference for initialization methods of each language.

    Java SDK V2

    Specify the Endpoint or set useInternalEndpoint(true) to use the internal endpoint. For complete initialization code, see OSS SDK for Java 2.0 (preview).

    • Method 1: Specify internal access Endpoint

      // Example using the internal access Endpoint for Singapore
String endpoint = "oss-ap-southeast-1-internal.aliyuncs.com";
// Initialize the OSS client
OSSClient client = OSSClient.newBuilder()
        .credentialsProvider(provider)
        .region("ap-southeast-1")
        .endpoint(endpoint)
        .build();

    • Method 2: Set via useInternalEndpoint(true)

      // Initialize the OSS client
OSSClient client = OSSClient.newBuilder()
        .credentialsProvider(provider)
        .region("ap-southeast-1")
        .useInternalEndpoint(true)
        .build();

    Java SDK V1

    Specify the internal endpoint when initializing the OSS client. For complete initialization code, see OSS Java SDK V1.

    // Example of internal access endpoint for Singapore
String endpoint = "oss-ap-southeast-1-internal.aliyuncs.com";
// Initialize OSS client
OSS ossClient = OSSClientBuilder.create()
        .credentialsProvider(provider)
        .clientConfiguration(clientBuilderConfiguration)
        .region("ap-southeast-1")
        .endpoint(endpoint)
        .build();

    Python SDK V2

    Specify the Endpoint or set use_internal_endpoint = True to use the internal endpoint. For complete initialization code, see OSS Python SDK V2.

    • Method 1: Specify internal access endpoint

      # Example of internal access endpoint for Singapore
config.endpoint = "https://oss-ap-southeast-1-internal.aliyuncs.com"
# Initialize OSS client
client = oss.Client(config)

    • Method 2: Set via use_internal_endpoint = True

      config.use_internal_endpoint = True
# Initialize OSS client
client = oss.Client(config)

    Python SDK V1

    Specify the internal endpoint when initializing the OSS client. For complete initialization code, see Initialization.

    # Example using internal access Endpoint for Singapore
endpoint = "oss-ap-southeast-1-internal.aliyuncs.com"
# Initialize OSS client instance
bucket = oss.Bucket(auth, endpoint, bucket, region="ap-southeast-1")

    Go SDK V2

    Specify the Endpoint or use WithUseInternalEndpoint(true) to use the internal endpoint. For complete initialization code, see OSS Go SDK V2.

    • Method 1: Specify internal access Endpoint

      // Configure OSS client, set credential provider and service region
config := oss.LoadDefaultConfig().
        WithCredentialsProvider(credentials.NewEnvironmentVariableCredentialsProvider()).
        WithRegion("ap-southeast-1").
        WithEndpoint("oss-ap-southeast-1-internal.aliyuncs.com") // Example using internal access Endpoint for Singapore

// Initialize OSS client instance
client := oss.NewClient(config)

    • Method 2: Use WithUseInternalEndpoint(true) setting

      // Configure OSS client, set credentials provider and service region
config := oss.LoadDefaultConfig().
        WithCredentialsProvider(credentials.NewEnvironmentVariableCredentialsProvider()).
        WithRegion("ap-southeast-1").
        WithUseInternalEndpoint(true)

// Initialize OSS client instance
client := oss.NewClient(config)

    Go SDK V1

    Specify the internal endpoint when initializing the OSS client. For complete initialization code, see Configure a client (Go SDK V1).

    // Create OSS client instance
client, _ := oss.New(
        "oss-ap-southeast-1-internal.aliyuncs.com", // Example using Singapore internal network access endpoint
        "",
        "",
        oss.SetCredentialsProvider(&provider),
        oss.AuthVersion(oss.AuthV4),
        oss.Region("ap-southeast-1"),
)

    Transfer Acceleration Domain Name

    After you enable Access OSS using transfer acceleration, you can use dedicated domains that route data through global acceleration nodes. This is suitable for cross-region and cross-border upload and download scenarios with high latency requirements.

    Domain Name Format

    • Endpoint:oss-accelerate.aliyuncs.com

    • Bucket Domain Name: [BucketName].oss-accelerate.aliyuncs.com

    Access Examples

    ossutil

    The following example downloads files from a cross-region bucket on an ECS instance in the Singapore region using ossutil 2.0. First install and configure ossutil 2.0. You can set the transfer acceleration endpoint during configuration or specify it with the -e parameter.

    ossutil cp oss://example-bucket/dest.jpg dest.jpg -e oss-accelerate.aliyuncs.com

    SDK

    The following shows SDK examples for common languages. For more languages, see the initialization methods in SDK Reference.

    Java SDK V2

    Specify the Endpoint or set useAccelerateEndpoint(true) to use the transfer acceleration domain. For complete initialization code, see OSS SDK for Java 2.0 (preview).

    • Method 1: Specify transfer acceleration Endpoint

      String endpoint = "oss-accelerate.aliyuncs.com";
// Initialize OSS client
OSSClient client = OSSClient.newBuilder()
        .credentialsProvider(provider)
        .region("ap-southeast-1")
        .endpoint(endpoint)
        .build();

    • Method 2: Set via useAccelerateEndpoint(true)

      // Initialize OSS client
OSSClient client = OSSClient.newBuilder()
        .credentialsProvider(provider)
        .region("ap-southeast-1")
        .useAccelerateEndpoint(true)
        .build();

    Java SDK V1

    Specify the transfer acceleration endpoint when initializing the OSS client. For complete initialization code, see OSS Java SDK V1.

    String endpoint = "oss-accelerate.aliyuncs.com";
// Initialize OSS client
OSS ossClient = OSSClientBuilder.create()
        .credentialsProvider(provider)
        .clientConfiguration(clientBuilderConfiguration)
        .region("ap-southeast-1")
        .endpoint(endpoint)
        .build();

    Python SDK V2

    Specify the Endpoint or set use_accelerate_endpoint = True to use the transfer acceleration domain. For complete initialization code, see OSS Python SDK V2.

    • Method 1: Specify transfer acceleration endpoint

      config.endpoint = "oss-accelerate.aliyuncs.com"
# Initialize OSS client
client = oss.Client(config)

    • Method 2: Set via use_accelerate_endpoint = True configuration

      config.use_accelerate_endpoint = True
# Initialize OSS client
client = oss.Client(config)

    Python SDK V1

    Specify the transfer acceleration endpoint when initializing the OSS client. For complete initialization code, see Initialization.

    endpoint = "oss-accelerate.aliyuncs.com"
# Initialize OSS client instance
bucket = oss.Bucket(auth, endpoint, bucket, region="ap-southeast-1")

    Go SDK V2

    Specify the Endpoint or use WithUseAccelerateEndpoint(true) to enable transfer acceleration. For complete initialization code, see OSS Go SDK V2.

    • Method 1: Specify transfer acceleration endpoint

      // Configure OSS client, set credentials provider and service region
config := oss.LoadDefaultConfig().
        WithCredentialsProvider(credentials.NewEnvironmentVariableCredentialsProvider()).
        WithRegion("ap-southeast-1").
        WithEndpoint("oss-accelerate.aliyuncs.com")

// Initialize OSS client instance
client := oss.NewClient(config)

    • Method 2: Set via WithUseAccelerateEndpoint(true)

      // Configure OSS client, set credentials provider and service region
config := oss.LoadDefaultConfig().
        WithCredentialsProvider(credentials.NewEnvironmentVariableCredentialsProvider()).
        WithRegion("ap-southeast-1").
        WithUseAccelerateEndpoint(true)

// Initialize OSS client instance
client := oss.NewClient(config)

    Go SDK V1

    Specify the transfer acceleration endpoint when initializing the OSS client. For complete initialization code, see Configure a client (Go SDK V1).

    // Create OSS client instance
client, _ := oss.New(
        "oss-accelerate.aliyuncs.com",
        "",
        "",
        oss.SetCredentialsProvider(&provider),
        oss.AuthVersion(oss.AuthV4),
        oss.Region("ap-southeast-1"),
)

    CNAME Domain

    A dedicated CNAME domain generated by OSS for custom domain binding. When you Access OSS through a custom domain name, point your custom domain CNAME to this address. This is suitable for hosting static resources such as website images and scripts.

    Usage Notes

    • DNS resolution only: The CNAME domain is used only for DNS resolution of custom domains and cannot be accessed directly

    • Access via custom domain name : After completing domain name binding, you can access OSS resources through your custom domain name

    • Regional support: Currently supports China (Hangzhou), China (Shanghai), China (Qingdao), and Singapore regions

    Domain Format

    OSS assigns a CNAME domain within the region for each bucket. Different buckets may receive different domains.

    • Bucket Domain: [BucketName].[RegionId].[CnameDomain] (for example example-***.cn-hangzhou.taihang***.cn)

    Protocol Support

    HTTP/HTTPS Protocol

    All endpoints and bucket domains support HTTP and HTTPS. Use HTTPS in production environments for secure data transmission.

    IP Protocol

    All regions support IPv4. Some regions also support dual-stack (IPv4/IPv6) access, which allows IPv6 clients to connect directly to OSS. No special client configuration is needed. DNS automatically resolves and prioritizes IPv6 addresses in IPv6 or dual-stack environments. ECS instances in classic networks do not support IPv4 or IPv6 access to OSS.

    How to verify IPv6 support for Endpoints?

    Use dig AAAA to check whether an endpoint supports IPv6.

    dig AAAA ap-southeast-1.oss.aliyuncs.com

    If IPv6 is supported, the ANSWER SECTION displays AAAA records.

    ap-southeast-1.oss.aliyuncs.com. 60 IN  AAAA    240b:4000:f10::2c5

    Related documentation