OSS offers network access solutions covering endpoint configuration, performance acceleration, security controls, and dedicated connectivity to help you build stable, secure storage architectures.
Quick selection

| Category | Use case | Recommended solution |
| --- | --- | --- |
| Basic access | Find endpoints and internal VIP CIDR blocks by region. | |
| | Learn domain name formats for public, internal, and transfer acceleration endpoints. | |
| | Enable online file preview and unify brand identity. | |
| Performance optimization | Accelerate global delivery of static resources (images, audio, video, documents). | |
| | Speed up cross-region and long-distance data transfers. | |
| Security | Enable HTTPS for a custom domain name. | |
| | Create an isolated private connection between a VPC and OSS. | |
| | Prevent DNS hijacking and improve resolution stability on mobile clients. | |
| | Block unauthorized hotlinking that inflates traffic costs. | |
| Dedicated access | Access OSS through a static IP address. | |
| | Grant different permissions to multiple apps or teams sharing one bucket. | |
| Web applications | Host static files in a bucket as a website. | |
| | Resolve cross-origin errors when browsers load OSS resources. | |
Endpoint types
OSS provides different endpoint types for various network environments. Endpoint formats, examples, and switching methods are covered in Access OSS by using endpoints and bucket domain names. Per-region endpoint lists are in Regions and endpoints.
| Endpoint type | Use cases | Costs | Activation |
| --- | --- | --- | --- |
| Public network endpoint | Access from the public internet (web apps, mobile clients). | Billed by outbound public traffic. | Available by default. |
| Internal network endpoint | Access from the Alibaba Cloud internal network (e.g., ECS to OSS). | No charge for internal network traffic. | Available by default. |
| Transfer acceleration endpoint | Cross-region and international high-speed transfers. | Outbound public traffic fees + transfer acceleration fees. | Enable transfer acceleration. |
| Dual-stack endpoint | Access OSS over IPv6. | Billed by outbound public traffic. | Supported in some regions. |
| CNAME domain name | DNS resolution target for custom domain names. | Billed by outbound public traffic. | |
OSS bucket domain names force file downloads instead of inline display. To enable browser previews, bind a custom domain name to a public, transfer acceleration, access point, or Object FC access point endpoint. Buckets in the Chinese mainland require an ICP filing for the custom domain.
Performance optimization
CDN acceleration and transfer acceleration accelerate different scenarios and can be used separately or together.
| Dimension | CDN acceleration | Transfer acceleration |
| --- | --- | --- |
| How it works | Caches static resources on globally distributed edge nodes to serve user requests from the nearest location. | Uses intelligent routing over the Alibaba Cloud backbone network to optimize data transfer paths. |
| Use cases | High-frequency reads of static resources, such as images, audio, video, and documents. | Long-distance, cross-region, and international data uploads and downloads. |
| Upload support | Uploads over CDN are not recommended. | Accelerated uploads are supported. |
| Costs | | Outbound public network traffic fees + transfer acceleration fees |
| Combined use | Configure CDN to use a transfer acceleration endpoint for origin fetch. This creates a dual-acceleration architecture that combines CDN edge caching with backbone network acceleration. | |
Security
HTTPS
OSS bucket endpoints support HTTPS by default. For custom domain names, configure an SSL certificate: use Upload Certificate in the OSS console (without CDN) or SSL Certificate in the CDN console (with CDN). In production, enforce HTTPS-only access through a bucket policy. Enable certificate hosting for automatic renewal. Access OSS over HTTPS.
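As an added example (not code from the page or from the OSS documentation), the HTTPS-only bucket policy the text recommends, written in OSS bucket policy syntax with a Deny statement keyed on the `acs:SecureTransport` condition, plus a minimal evaluator that shows a plain-HTTP request is refused while an HTTPS request is not. The bucket name is a placeholder, and the evaluator only understands this one condition.

```python
import json

# Placeholder bucket name for the example; replace with your own bucket.
BUCKET = "examplebucket"


def https_only_policy(bucket: str) -> dict:
    """Return a bucket policy that denies every OSS action on the bucket and
    its objects when the request did not arrive over TLS.

    A Deny statement overrides any Allow, so this works alongside whatever
    read/write grants the bucket already has. acs:SecureTransport is the
    policy condition key that is "false" for plain-HTTP requests.
    """
    return {
        "Version": "1",
        "Statement": [{
            "Effect": "Deny",
            "Action": ["oss:*"],
            "Principal": ["*"],
            "Resource": [f"acs:oss:*:*:{bucket}", f"acs:oss:*:*:{bucket}/*"],
            "Condition": {"Bool": {"acs:SecureTransport": ["false"]}},
        }],
    }


def is_denied_by_policy(policy: dict, over_https: bool) -> bool:
    """Tiny evaluator for the single condition used above (not the full OSS
    policy engine): True when a Deny statement matches the request."""
    actual = "true" if over_https else "false"
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        wanted = stmt.get("Condition", {}).get("Bool", {}).get("acs:SecureTransport")
        if wanted is None:        # unconditional Deny
            return True
        if actual in wanted:      # condition satisfied -> Deny applies
            return True
    return False


if __name__ == "__main__":
    policy = https_only_policy(BUCKET)
    print(json.dumps(policy, indent=2))
    print("plain HTTP denied:", is_denied_by_policy(policy, over_https=False))
    print("HTTPS denied:     ", is_denied_by_policy(policy, over_https=True))
```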
PrivateLink
PrivateLink creates a private endpoint for OSS within your VPC. Traffic stays on the Alibaba Cloud backbone network and never traverses the public internet, providing stronger isolation than default internal endpoints.
| Capability | Internal network endpoint | PrivateLink |
| --- | --- | --- |
| Attack surface | A shared service entry point exposed to all VPCs. | An entry point inside the VPC that other VPCs cannot discover or access. |
| Network-level control | No security group control. | Security group binding for fine-grained source IP control. |
| Auditing capabilities | Logs successful requests only. | VPC flow logs audit all connection attempts. |
| IP planning | Uses 100.64.0.0/10, which may conflict with on-premises networks. | Uses VPC CIDR addresses with custom IP planning. |
Connect on-premises devices or data centers to a VPC via SSL-VPN or Express Connect, then access OSS through PrivateLink. Access OSS over a private network by using PrivateLink.
HTTPDNS anti-hijacking
Mobile apps using traditional local DNS face risks like DNS hijacking and unstable resolution. EMAS HTTPDNS provides authoritative resolution over HTTP, bypassing carrier DNS risks. Integration steps: . Supported on Android, iOS, and HarmonyOS. Access OSS by using Alibaba Cloud HTTPDNS.
Hotlink protection
Configure a Referer whitelist or blacklist to block hotlinking that inflates traffic costs. OSS checks in priority order: . Hotlink protection applies only to anonymous access and signed-URL access — it does not affect AccessKey-signed API calls. With CDN acceleration, also configure hotlink rules in the CDN console to prevent cached bypass. Hotlink protection.
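An added example (not code from the page or from OSS) that models a Referer whitelist decision for sample requests: OSS rules accept `*` and `?` wildcards, which are modeled here with `fnmatch` against the Referer's scheme and host; that matching scope, the sample whitelist, and the handling of an empty Referer through an allow_empty toggle are this model's assumptions, and the page's blacklist/whitelist precedence is not modeled.

```python
import fnmatch
from typing import Iterable, Optional
from urllib.parse import urlsplit

# Constructed sample whitelist; the second entry uses a wildcard subdomain.
WHITELIST = ["https://www.example.com", "https://*.example.com"]


def referer_origin(referer: str) -> str:
    """Reduce a Referer header value to scheme://host (port kept if present)."""
    parts = urlsplit(referer.strip())
    return f"{parts.scheme}://{parts.netloc}".lower()


def referer_allowed(referer: Optional[str], whitelist: Iterable[str],
                    allow_empty: bool) -> bool:
    """Whitelist decision for one request.

    An absent or empty Referer (URL pasted into the address bar, curl, many
    native clients) is governed only by the allow_empty toggle; any other
    value must match at least one rule. The scheme is part of the match, so
    an https:// rule does not cover pages served over http:// and vice versa.
    """
    if not referer:
        return allow_empty
    origin = referer_origin(referer)
    return any(fnmatch.fnmatchcase(origin, rule.lower()) for rule in whitelist)


def classify(referers: Iterable[Optional[str]], whitelist: Iterable[str],
             allow_empty: bool) -> dict:
    """Map each sample Referer to the decision the rule would produce."""
    rules = list(whitelist)
    return {(r or "<no Referer>"): ("allow" if referer_allowed(r, rules, allow_empty) else "deny")
            for r in referers}


if __name__ == "__main__":
    samples = ["https://www.example.com/gallery", "https://img.example.com/a.png",
               "http://www.example.com/", "https://other.example.net/page", None]
    for ref, decision in classify(samples, WHITELIST, allow_empty=False).items():
        print(f"{ref:38} -> {decision}")
```

Blocking the empty Referer stops direct link sharing but also affects legitimate clients that send none, which is why the toggle is a separate decision.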
Dedicated access
ECS reverse proxy
OSS DNS resolution returns dynamic IPs, which complicates firewall whitelists and system integrations. Deploy an Nginx reverse proxy on an ECS instance with a static IP to forward requests to OSS. For production, use load balancing across multiple zones. Access OSS by using an ECS reverse proxy.
Access points
Access points provide independent entry points to a bucket. Create one per application or team, each with its own alias, access policy, and network origin (internet or a specific VPC). This avoids complex bucket policies by enabling a three-layer model: RAM policies + bucket policies + access point policies. Access points.
Web applications
Static website hosting
Publish static files (HTML, CSS, JavaScript) in a bucket as a website without maintaining servers. Configure a default homepage, subdirectory homepage, and custom 404 page. For SPAs, set the 404 page to index.html with response code 200. Static website hosting.
OSS bucket domain names force HTML file downloads. To display webpages correctly, bind a custom domain name.
CORS configuration
A blocked by CORS policy error means the browser's same-origin policy blocked a cross-origin request. Configure CORS rules (Origin, Allowed Methods, Allowed Headers) to authorize access from specified origins. With multiple origins or wildcards, enable Vary: Origin to prevent cache poisoning. With CDN, configure cross-origin rules in CDN or pass through OSS CORS headers. CORS configuration.
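An added example (not code from the page or from OSS) showing why the text says to enable `Vary: Origin` with multiple origins or wildcards: a small function builds the `Access-Control-*` response headers from a rule set shaped like OSS CORS rules (constructed here) and adds `Vary: Origin` exactly when the matched rule can echo more than one origin, so a shared cache cannot hand one origin's headers to another. The `*`-per-entry wildcard semantics are modeled with `fnmatch` and are an assumption.

```python
import fnmatch
from typing import Dict, List

# Constructed rule set in the shape of OSS CORS rules.
CORS_RULES: List[dict] = [
    {"AllowedOrigin": ["https://app.example.com", "https://*.example.org"],
     "AllowedMethod": ["GET", "HEAD"],
     "AllowedHeader": ["Authorization", "x-oss-date"]},
]


def cors_headers(rules: List[dict], origin: str, method: str) -> Dict[str, str]:
    """Build the Access-Control-* headers for one request, or {} when no rule
    authorizes this origin/method pair (the browser then blocks the read).

    When the matched rule can echo different origins (several entries or a
    wildcard pattern) the response body is the same but the headers differ
    per Origin, so Vary: Origin is added; without it a CDN keyed on the URL
    alone could serve origin A's Access-Control-Allow-Origin to origin B, or
    a response cached without CORS headers to a cross-origin page.
    """
    for rule in rules:
        if method.upper() not in rule["AllowedMethod"]:
            continue
        for pattern in rule["AllowedOrigin"]:
            if not fnmatch.fnmatchcase(origin, pattern):
                continue
            # A bare "*" rule returns a constant header, so no Vary is needed.
            allow = "*" if pattern == "*" else origin
            headers = {
                "Access-Control-Allow-Origin": allow,
                "Access-Control-Allow-Methods": ", ".join(rule["AllowedMethod"]),
                "Access-Control-Allow-Headers": ", ".join(rule["AllowedHeader"]),
            }
            echoes_origin = allow != "*"
            multi = (len(rule["AllowedOrigin"]) > 1
                     or any("*" in p for p in rule["AllowedOrigin"]))
            if echoes_origin and multi:
                headers["Vary"] = "Origin"
            return headers
    return {}


if __name__ == "__main__":
    for origin, method in [("https://app.example.com", "GET"),
                           ("https://cdn.example.org", "HEAD"),
                           ("https://other.example.net", "GET")]:
        print(origin, method, "->", cors_headers(CORS_RULES, origin, method))
```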
FAQ
Long-term unsigned URLs
Use one of the following methods:
- Set the object's ACL to public-read: This allows anyone to access the object without restrictions. To prevent unauthorized use of your resources and avoid extra fees, you must configure hotlink protection to restrict access sources.
- Access OSS by using CDN acceleration: Keep the object's permission private and enable CDN's private bucket origin-pull feature to provide public read access. CDN offers better performance and caching. You must configure hotlink protection rules at the CDN level to prevent unauthorized resource use.
Slow file transfers
Transfer speed depends on client bandwidth, link quality, and transfer strategy. Optimization approaches:
- Bandwidth and link: Confirm your bandwidth does not exceed the bucket's bandwidth limit. Use an MTR tool to check for packet loss, high latency, or routing anomalies. For cross-border or long-distance transfers, enable transfer acceleration.
- Tool selection: Use ossutil for large or batch file transfers. Its `probe` command checks current network status.
- SDK tuning: For large files, use multipart upload and resumable upload. Configure appropriate `part_size` and `num_threads` values. On stable networks, increase the part size to reduce the number of requests. Optionally disable CRC64 (e.g., `enable_crc=False` in the Python SDK) and use the `Content-MD5` header for integrity verification instead.
Troubleshoot network errors
If the request reaches OSS (response contains a Request ID), obtain the Request ID and use the OSS Self-service Diagnosis Tool.
If the request does not reach OSS (the Request ID is empty), troubleshoot based on the error type:
| Error type | Common causes | Resolution |
| --- | --- | --- |
| Connection refused | The port is blocked, or an internal endpoint is used for cross-region access. | Use the correct public endpoint. Use |
| ConnectionTimeOut | Poor network conditions or a short timeout period. | Increase the connection and read timeouts in the SDK and enable the failure retry mechanism. For large files, use multipart upload and resumable upload to improve stability. Consider using CDN acceleration or transfer acceleration. |
| Socket timeout / closed | The connection timed out or was unexpectedly closed. | Increase the socket timeout setting in the SDK, such as |
| Connection reset | Incorrect endpoint configuration or security restrictions on the bucket. | Troubleshoot in the following order: 1. Check network connectivity by using |