PrivateLink can be used to establish private, stable, and secure connections between virtual private clouds (VPCs) and other Alibaba Cloud services. This topic describes how to use PrivateLink to access Object Storage Service (OSS) from a VPC.
Background information
You may encounter the following challenges when you access Alibaba Cloud services:
Data security risk: If you access Alibaba Cloud services over the Internet, sensitive information may be leaked. This poses a threat to data security.
CIDR block conflict: By default, Alibaba Cloud services occupy the 100.64 CIDR block. If your data center uses the same CIDR block, address conflicts occur.
O&M management difficulty: O&M teams cannot audit the access traffic to Alibaba Cloud services when the services are accessed over traditional private networks.
To address these challenges, we recommend that you use PrivateLink, which has the following benefits:
Enhanced data privacy: PrivateLink effectively prevents data from being exposed over the Internet and reduces data leak risks.
Optimized network architecture: PrivateLink eliminates the need to configure routes and prevents CIDR block conflicts between data centers and the cloud. Network management is simplified.
Strengthened access control: PrivateLink supports source authentication and fine-grained permission management to ensure data security. In addition, the VPC flow log and traffic mirroring features enable comprehensive monitoring and auditing of access traffic to further improve data security.
Scenarios
The following scenario is used as an example in this topic. A company deploys OSS in the Indonesia (Jakarta) region, creates two private buckets named Bucket 1 and Bucket 2, and uploads objects to the buckets. Now the company wants to allow its data center to access only Bucket 1. To prevent sensitive information from being exposed over the Internet, and to prevent the CIDR block of the data center from conflicting with the 100.64 CIDR block of Alibaba Cloud services, the company can use PrivateLink to access Bucket 1 over a private network.
You need to specify OSS as an endpoint service and create an endpoint in the VPC to connect to OSS. Then, you can use Express Connect or VPN Gateway to connect your data center to the VPC. In this way, your data center can access OSS over a private network.
Limits
OSS can be accessed by endpoints in the following regions over private networks: China (Hangzhou), China (Shanghai), China (Shenzhen), China (Beijing), China (Hong Kong), Indonesia (Jakarta), and Singapore.
The endpoint and OSS must be deployed in the same region.
Prerequisites
Your application for PrivateLink-based access to OSS is approved by OSS technical support. For more information, see Access OSS by using PrivateLink.
Two private OSS buckets named Bucket 1 and Bucket 2 are created and the corresponding objects are uploaded to the buckets. For more information, see Create a bucket.
A VPC and a vSwitch are created in the region where OSS is deployed. An Elastic Compute Service (ECS) instance is created in the VPC. For more information, see Create a VPC and a vSwitch and Create and manage an ECS instance in the console (express version).
Step 1: Create an interface endpoint
In the top navigation bar, select Indonesia (Jakarta) from the region drop-down list.
On the Endpoints page, click Create Endpoint.
On the Create Endpoint page, configure the following parameters for the endpoint and click OK.
The following table describes only the parameters that are relevant to this topic. For more information about how to configure other parameters, see Create and manage endpoints.
Parameter: Description
Region: In this example, Indonesia (Jakarta) is selected by default.
Endpoint Name: Enter a name for the endpoint.
Endpoint Type: In this example, Interface Endpoint is selected.
Endpoint Service: Select the endpoint service that you want to associate. In this example, Alibaba Cloud Service is clicked and the endpoint service named com.aliyuncs.privatelink.ap-southeast-5.oss is selected.
VPC: Select the VPC where you want to create the interface endpoint.
Security Groups: Select the security group that you want to associate with the elastic network interface (ENI) of the endpoint.
Zone and vSwitch: Select a zone of the VPC and select a vSwitch in the zone.
Access Policies: Specify an access policy. In this example, Custom Policy is selected, and all RAM users within the Alibaba Cloud account 123456789012**** are granted permission to download the 1.txt object in Bucket 1 by using the ECS instance whose IP address is 172.16.0.1. Sample policy:
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "oss:GetObject"
      ],
      "Effect": "Allow",
      "Principal": {
        "RAM": "acs:ram::123456789012****:*"
      },
      "Resource": [
        "acs:oss:*:*:Bucket1/1.txt"
      ],
      "Condition": {
        "IpAddress": {
          "acs:SourceIp": [
            "172.16.0.1"
          ]
        }
      }
    }
  ]
}
Endpoint policies can be used to manage service access permissions. You can use endpoint policies to determine the operations that specified Alibaba Cloud users can perform on specified resources by using endpoints. This enhances network security, protects sensitive data, and meets specific security requirements. For more information, see Endpoint policies.
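To make the effect of the custom policy above concrete, the following added example (not part of the original topic and not Alibaba Cloud's own implementation) models endpoint policy evaluation in Python: requests are denied by default, an explicit Deny wins, and an Allow applies only when Principal, Action, Resource and the acs:SourceIp condition all match. The evaluator itself, the full-length account ID 1234567890123456 and the request ARNs are constructed assumptions; the real evaluation logic may differ in detail.

```python
import fnmatch
import ipaddress

# Constructed copy of the endpoint policy shown in this topic. The account ID
# keeps the page's masked form; fnmatch treats the trailing '****' as wildcards.
ENDPOINT_POLICY = {
    "Version": "1",
    "Statement": [{
        "Action": ["oss:GetObject"],
        "Effect": "Allow",
        "Principal": {"RAM": "acs:ram::123456789012****:*"},
        "Resource": ["acs:oss:*:*:Bucket1/1.txt"],
        "Condition": {"IpAddress": {"acs:SourceIp": ["172.16.0.1"]}},
    }],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _glob_match(value, patterns):
    # '*' in Action, Principal and Resource matches any run of characters.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))

def _ip_match(source_ip, allowed):
    # acs:SourceIp may list single addresses or CIDR blocks; a bare address is
    # treated as a /32 (assumption: modelled here with the ipaddress module).
    ip = ipaddress.ip_address(source_ip)
    return any(ip in ipaddress.ip_network(a, strict=False) for a in _as_list(allowed))

def _statement_matches(stmt, principal, action, resource, source_ip):
    checks = [(principal, stmt["Principal"].get("RAM", [])),
              (action, stmt["Action"]), (resource, stmt["Resource"])]
    if not all(_glob_match(v, p) for v, p in checks):
        return False
    ip_cond = stmt.get("Condition", {}).get("IpAddress", {}).get("acs:SourceIp")
    return ip_cond is None or _ip_match(source_ip, ip_cond)

def evaluate(policy, principal, action, resource, source_ip):
    """Simplified model: explicit Deny wins, any matching Allow grants,
    otherwise the request is denied by default."""
    decision = "Deny"
    for stmt in policy["Statement"]:
        if _statement_matches(stmt, principal, action, resource, source_ip):
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision
```

With this model, a GetObject on Bucket1/1.txt from 172.16.0.1 by a RAM user of the account is allowed, while Bucket 2, another source IP, another action or another account all fall through to the default Deny, which is the behaviour Step 2 demonstrates.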
Record the generated PrivateLink endpoint for accessing OSS later.
Step 2: Access OSS from the VPC
Log on to the ECS instance created in the VPC. For more information, see Connection method overview.
Use ossutil to access OSS by specifying the domain name of the endpoint. You can also use SDKs to access OSS. For more information, see the SDK section of the Access OSS by using PrivateLink topic.
Install ossutil 1.7.17 or later on the ECS instance. For more information, see Install ossutil.
Note: In this example, the ECS instance runs Alibaba Cloud Linux 3.2104 LTS 64-bit. Before you download ossutil on the ECS instance, make sure that the ECS instance can access the Internet. For more information, see Associate or disassociate an EIP.
When you configure ossutil, set the endpoint parameter to the domain name of the endpoint that is generated in Step 1: Create an interface endpoint. For more information about other parameters, see Configure ossutil.
Run the following command to download the examplefile.txt object in examplebucket to the local directory /tmp/:
ossutil64 cp oss://examplebucket/examplefile.txt /tmp/ -e ep-k1aid5cd5d5249e9****.oss.ap-southeast-5.privatelink.aliyuncs.com --force-path-style
In the example, -e specifies the domain name of the endpoint, and --force-path-style specifies path-style URL access to OSS.
The following output is returned when the ECS instance accesses Bucket 1.
The following output is returned when the ECS instance accesses Bucket 2.
Only Bucket 1 can be accessed from the VPC by using PrivateLink.
Step 3: Connect your data center to the VPC
You can use VPN Gateway or Express Connect to synchronize data between your data center and the VPC. For more information, see Synchronize data to a database in a VPC over a VPN gateway and Connect DTS to a data center by using an Express Connect circuit.
References
For more information about the components and usage scenarios of PrivateLink, see What is PrivateLink?
For more information about how OSS works, see What is OSS?
For more information about the syntax and structure of endpoint policies, see Policy structure and syntax.
For more information about how to configure more access control policies for OSS, see Overview.
For more information about how to monitor traffic, see Overview, Overview of flow logs, and Overview of traffic mirroring.