Updated on 2026-03-30 GMT+08:00

Configuring a VPC Endpoint for Accessing the Private IP Address of OBS

Solution Overview

If you want to access a cloud service like OBS from an on-premises data center over an intranet, you can connect the on-premises data center to your VPC using a VPN connection or a Direct Connect connection, configure OBS as a VPC endpoint service, and then use a VPC endpoint to access OBS from your on-premises data center.

This section describes how you can use a VPC endpoint to access the private IP address of OBS from an on-premises data center.

To access OBS as a gateway VPC endpoint service, you need to search for it by name. To obtain its name, submit a service ticket or contact the OBS O&M engineers.

The preceding figure shows the process of connecting an on-premises data center to a VPC over VPN or Direct Connect, and then using two VPC endpoints to enable the on-premises data center to access DNS and OBS through an intranet.

A VPC endpoint relies on a VPC endpoint service to function. Before you buy a VPC endpoint, ensure that the VPC endpoint service you want to access is available.

In this practice, the following VPC endpoint services are required:

  • DNS as a VPC endpoint service: required to resolve the OBS domain name.
  • OBS as a VPC endpoint service: required to allow the on-premises data center to access OBS through an intranet.

Procedure

| Step | Description |
| --- | --- |
| Preparations | Before using VPC Endpoint, you need to sign up for a HUAWEI ID and enable Huawei Cloud services. |
| Step 1: Buy a VPC Endpoint for Accessing DNS | Buy a VPC endpoint for accessing DNS to resolve the OBS domain name. |
| Step 2: Buy a VPC Endpoint for Accessing OBS | Buy a VPC endpoint for accessing OBS from the on-premises data center. |
| Step 3: Access OBS Through a VPC Endpoint | Access OBS through a VPN or Direct Connect connection. |

Preparations

Sign up for a HUAWEI ID and enable Huawei Cloud services.

VPC Endpoint is not available on the Huawei Cloud application. You can only use it on the Huawei Cloud management console.

Step 1: Buy a VPC Endpoint for Accessing DNS

This section describes how to buy a VPC endpoint for accessing DNS to resolve OBS domain names.

  1. Go to the VPC endpoint list page.
  2. On the VPC Endpoints page, click Buy VPC Endpoint.

    The Buy VPC Endpoint page is displayed.

  3. Configure required parameters.
    Table 1 Parameters for configuring a VPC endpoint

    | Parameter | Example Value | Description |
    | --- | --- | --- |
    | Region | EU-Dublin | Specifies the region where the VPC endpoint will be used to access a VPC endpoint service. Resources in different regions cannot communicate with each other over an intranet. For lower latency and faster access, select the region nearest to where your services will be accessed. |
    | Billing Mode | Pay-per-use | Specifies the billing mode of the VPC endpoint. You are billed by how long you use each VPC endpoint. VPC endpoints can be used or deleted at any time. Only pay-per-use billing is supported. |
    | Service Category | Cloud services | There are two options. Cloud services: Select it if the target VPC endpoint service is a cloud service. Find a service by name: Select it if the target VPC endpoint service is your private service. In this example, select Cloud services. |
    | Service List | eu.myhuaweicloud.eu-west-101.dns | This parameter is available only when you select Cloud services for Service Category. The VPC endpoint service has been created by the O&M personnel and you can directly use it. In this example, select eu.myhuaweicloud.eu-west-101.dns. |
    | Create a Private Domain Name | - | If you want to access a VPC endpoint using a domain name, select Create a Private Domain Name. This parameter is mandatory when the VPC endpoint will be used to access an interface VPC endpoint service. |
    | VPC | - | Specifies the VPC where the VPC endpoint is to be deployed. |
    | Subnet | - | This parameter is available only when you create a VPC endpoint for accessing an interface VPC endpoint service. Specify the subnet where the VPC endpoint is to be deployed. |
    | IPv4 Address | - | This parameter is available only when you create a VPC endpoint for accessing an interface VPC endpoint service. Select a way to assign an IPv4 address to your VPC endpoint. IPv4 addresses can be automatically assigned or manually specified. |
    | Access Control | Enable | This parameter is available only when you create a VPC endpoint for accessing an interface VPC endpoint service. You can specify IP addresses and CIDR blocks that are allowed to access the VPC endpoint. If Access Control is enabled, only IP addresses and CIDR blocks in the whitelist are allowed to access the VPC endpoint. If Access Control is disabled, any IP address and CIDR block can access the VPC endpoint. |
    | Whitelist | - | This parameter is available only when you create a VPC endpoint for accessing an interface VPC endpoint service. You can specify the IP addresses and CIDR blocks that are allowed to access the VPC endpoint. You can add a maximum of 20 records. |
    | Tag (Optional) | example_key1, example_value1 | Specifies the tags that will be used to classify and identify the VPC endpoint. This parameter can be modified after you buy a VPC endpoint. |
    | Description (Optional) | - | Provides supplementary information about the VPC endpoint. |

    Table 2 Tag requirements for VPC endpoints

    | Parameter | Requirement |
    | --- | --- |
    | Key | Cannot be left blank. Must be unique for each resource. Can contain a maximum of 128 characters. Can contain letters, digits, spaces, and any of the following characters: _.:=+-@. It cannot start or end with a space, or start with _sys_. |
    | Value | Can be left blank. Can contain a maximum of 255 characters. Can contain letters, digits, spaces, and any of the following characters: _.:=+-@. It cannot start or end with a space. |
  4. Click Next.
  5. Confirm the VPC endpoint information and click Submit.

Step 2: Buy a VPC Endpoint for Accessing OBS

This section describes how you can buy a VPC endpoint to access OBS from an on-premises data center.

  1. Go to the VPC endpoint list page.
  2. On the VPC Endpoints page, click Buy VPC Endpoint.

    The Buy VPC Endpoint page is displayed.

  3. Configure required parameters.
    Table 3 Parameters for configuring a VPC endpoint

    | Parameter | Example Value | Description |
    | --- | --- | --- |
    | Region | EU-Dublin | Specifies the region where the VPC endpoint will be used to connect a VPC endpoint service. Resources in different regions cannot communicate with each other over an intranet. For lower latency and faster access, select the region nearest to where your services will be accessed. |
    | Billing Mode | Pay-per-use | Specifies the billing mode of the VPC endpoint. You are billed by how long you use each VPC endpoint. VPC endpoints can be used or deleted at any time. Only pay-per-use billing is supported. |
    | Service Category | Cloud services | There are two options. Cloud services: Select it if the target VPC endpoint service is a cloud service. Find a service by name: Select it if the target VPC endpoint service is your private service. In this example, select Find a service by name. |
    | VPC Endpoint Service Name | - | This parameter is available only when you select Find a service by name for Service Category. To access OBS as a gateway VPC endpoint service, you need to search for it by name. To obtain its name, submit a service ticket or contact the OBS O&M engineers. Enter the OBS endpoint service name and click Verify. |
    | VPC | - | Specifies the VPC where the VPC endpoint is to be deployed. |
    | Route Table | - | This parameter is available only when you create a VPC endpoint for accessing a gateway VPC endpoint service. NOTE: This parameter is available only in the regions where the route table function is enabled. You are advised to select all route tables. Otherwise, access may fail. Select the route tables in the VPC where the VPC endpoint is created as required. For details about how to add a route, see Adding a Custom Route in the Virtual Private Cloud User Guide. |
    | Tag (Optional) | example_key1, example_value1 | Specifies the tags that will be used to classify and identify the VPC endpoint. This parameter can be modified after you buy a VPC endpoint. |
    | Description (Optional) | - | Provides supplementary information about the VPC endpoint. |

    Table 4 Tag requirements for VPC endpoints

    | Parameter | Requirement |
    | --- | --- |
    | Tag key | Cannot be left blank. Must be unique for each resource. Can contain a maximum of 128 characters. Can contain letters, digits, spaces, and any of the following characters: _.:=+-@. It cannot start or end with a space, or start with _sys_. |
    | Tag value | Can be left blank. Can contain a maximum of 255 characters. Can contain letters, digits, spaces, and any of the following characters: _.:=+-@. It cannot start or end with a space. |
  4. Click Next.
  5. Confirm the VPC endpoint information and click Submit.

Step 3: Access OBS Through a VPC Endpoint

Before you start, your on-premises data center must already be connected to your VPC using a VPN or Direct Connect connection:
  • The VPC subnet CIDR block that can be accessed through the VPN gateway must contain the OBS CIDR block. You can view the route tables of the VPC endpoint for accessing OBS to obtain the OBS CIDR block.

    For details about how to create a VPN connection, see the Virtual Private Network User Guide.

  • The VPC subnet CIDR block that can be accessed through the Direct Connect virtual gateway must contain the OBS CIDR block. You can view the route tables of the VPC endpoint for accessing OBS to obtain the OBS CIDR block.

    For details on how to enable Direct Connect, see Enabling Direct Connect.

  1. In the VPC endpoint list, click the ID of the VPC endpoint created for accessing DNS to view its IP address.
  2. Add DNS forwarding rules on the DNS server at your on-premises data center to forward requests for resolving OBS domain names to the VPC endpoint for accessing DNS.

    The methods of configuring DNS forwarding rules vary depending on OSs. For details, see the DNS software operation guides.

    The following uses Bind, a common DNS software, as an example to show how you can configure forwarding rules on a UNIX server.

    Method 1: In the /etc/named.conf file, add the DNS forwarder configuration and set forwarders to the private IP address of the VPC endpoint for accessing DNS.

    options {
        forward only;
        forwarders { xx.xx.xx.xx; };
    };

    Method 2: In the /etc/named.rfc1912.zones file, add the following content, and set forwarders to the private IP address of the VPC endpoint for accessing DNS.

    // Forward queries for the OBS domain to the VPC endpoint for accessing DNS.
    // Declare each zone only once.
    zone "obs.xxxx.myhuaweicloud.com" {
        type forward;
        forward only;
        forwarders { xx.xx.xx.xx; };
    };
    • If no DNS server is available at your on-premises data center, add the private IP address of the VPC endpoint for accessing DNS to the /etc/resolv.conf file.
    • xx.xx.xx.xx indicates the IP address of the VPC endpoint for accessing DNS in step 1.
  3. Add a route destined for DNS over the VPN gateway or Direct Connect gateway.

    To access DNS over a VPN or Direct Connect connection, ensure that traffic from your on-premises data center to DNS is directed through the VPN gateway or Direct Connect gateway.

    Configure a permanent route at your on-premises data center and specify the IP address of the Direct Connect gateway or VPN gateway as the next hop for accessing DNS. The following is the example command for configuring such a route:

    route -p add xx.xx.xx.xx mask 255.255.255.255 xxx.xxx.xxx.xxx
    • xx.xx.xx.xx indicates the IP address of the VPC endpoint for accessing DNS in step 1.
    • xxx.xxx.xxx.xxx indicates the IP address of the Direct Connect gateway or VPN gateway at your on-premises data center.
    • The route command format varies depending on the OS. Use the correct format based on your OS.
  4. Add a route destined for OBS from the on-premises data center over the VPN gateway or Direct Connect gateway.

    Traffic from the VPC endpoint to OBS will be directed through 100.125.0.0/16, reserved as the private CIDR block for OBS. To access OBS over a VPN connection or Direct Connect connection, ensure that traffic from your on-premises data center to OBS is directed through the VPN gateway or Direct Connect gateway.

    Configure a permanent route at your on-premises data center and specify the Direct Connect gateway or VPN gateway as the next hop for accessing OBS. The following is the example command for configuring such a route:

    route -p add 100.125.0.0 mask 255.255.0.0 xxx.xxx.xxx.xxx
    • xxx.xxx.xxx.xxx indicates the IP address of the Direct Connect gateway or VPN gateway at your on-premises data center.
    • The route command format varies depending on the OS. Use the correct format based on your OS.
  5. At the on-premises data center, run the following command to verify the connectivity with OBS:
    telnet bucketname.endpoint Port number

    bucketname.endpoint indicates the domain name of the OBS bucket. You can obtain the domain name by viewing the bucket information on the OBS console. For details, see Viewing Basic Information of a Bucket.

    In the command:

    • bucketname: indicates the bucket name.
    • endpoint: indicates the bucket endpoint (domain name) in the region where the bucket is deployed.
    • Port number: indicates the service port number, which can be 80 or 443.
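
The check in step 5, as an added example that is not part of the original page: it resolves the bucket domain through the host's resolver and confirms that every answer falls inside the OBS private block before testing the TCP port. It assumes the private OBS addresses returned through the VPC endpoint for accessing DNS lie in 100.125.0.0/16, the block routed in step 4; the function and parameter names are illustrative.

```python
import ipaddress
import socket

# Block the page routes toward the gateway for OBS; pass another value if the
# endpoint's route table shows a different OBS CIDR block.
OBS_PRIVATE_CIDR = "100.125.0.0/16"


def classify_answers(addresses, obs_cidr=OBS_PRIVATE_CIDR):
    """Split resolved addresses into (inside, outside) the OBS private block."""
    network = ipaddress.ip_network(obs_cidr)
    inside, outside = [], []
    for text in addresses:
        target = inside if ipaddress.ip_address(text) in network else outside
        target.append(text)
    return inside, outside


def system_resolve(hostname, port):
    """Resolve through the host's configured resolver (the DNS path under test)."""
    infos = socket.getaddrinfo(hostname, port, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def verify_private_path(hostname, port=443, resolver=system_resolve,
                        obs_cidr=OBS_PRIVATE_CIDR, connect=True, timeout=5.0):
    """Return (ok, detail); ok only if all answers are private and TCP connects."""
    try:
        addresses = resolver(hostname, port)
    except socket.gaierror as exc:
        return False, f"resolution failed: {exc}"
    inside, outside = classify_answers(addresses, obs_cidr)
    if outside or not inside:
        # A public answer means the forwarding rule was bypassed or not matched.
        return False, f"answers outside {obs_cidr}: {outside}"
    if connect:
        try:
            socket.create_connection((inside[0], port), timeout=timeout).close()
        except OSError as exc:
            return False, f"{inside[0]}:{port} unreachable, check the route: {exc}"
    return True, f"{hostname} resolves to {inside} inside {obs_cidr}"


if __name__ == "__main__":
    # Placeholder from the page; substitute the bucket domain from the OBS console.
    print(verify_private_path("bucketname.endpoint", 443))
```

An answer outside the block fails the check even when the port is reachable, because the request would then leave over a path other than the VPN or Direct Connect gateway.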