Updated on 2026-02-26 GMT+08:00

Configuring a VPC Endpoint for Accessing the Private IP Address of OBS

Solution Overview

If you want to access a cloud service like OBS from an on-premises data center over an intranet, you can connect the on-premises data center to your VPC using a VPN connection or a Direct Connect connection, configure OBS as a VPC endpoint service, and then use a VPC endpoint to access OBS from your on-premises data center.

This section describes how you can use a VPC endpoint to access the private IP address of OBS from an on-premises data center.

In some regions, you can select OBS as a gateway VPC endpoint service on the console. This scenario applies only to these regions.

To select OBS as a gateway VPC endpoint service in other regions, you need to search for it by name. To obtain its name, you can submit a service ticket or contact the OBS O&M engineers.

The preceding figure shows the process of connecting an on-premises data center to a VPC over VPN or Direct Connect, and then using two VPC endpoints to enable the on-premises data center to access DNS and OBS through an intranet.

A VPC endpoint relies on a VPC endpoint service to function. Before you buy a VPC endpoint, ensure that the VPC endpoint service you want to access is available.

In this practice, the following VPC endpoint services are required:

  • DNS as a VPC endpoint service: required to resolve the OBS domain name.

    LA-Mexico City1: com.myhuaweicloud.na-mexico-1.dns

  • OBS as a VPC endpoint service: required to allow the on-premises data center to access OBS over an intranet.

    LA-Mexico City1: com.myhuaweicloud.na-mexico-1.obs

Procedure

  • Preparations: Before using VPC Endpoint, you need to sign up for a HUAWEI ID, enable Huawei Cloud services, and complete real-name authentication.
  • Step 1 (Buy a VPC Endpoint for Accessing DNS): Buy a VPC endpoint for accessing DNS to resolve the OBS domain name.
  • Step 2 (Buy a VPC Endpoint for Accessing OBS): Buy a VPC endpoint for accessing OBS from the on-premises data center.
  • Step 3 (Access OBS Through a VPC Endpoint): Access OBS through a VPN or Direct Connect connection.

Preparations

Sign up for a HUAWEI ID and enable Huawei Cloud services.

If you already have a HUAWEI ID, use it to log in to the VPC Endpoint console.

VPC Endpoint is not available on the Huawei Cloud application. You can only use it on the Huawei Cloud management console.

Step 1: Buy a VPC Endpoint for Accessing DNS

This section describes how to buy a VPC endpoint for accessing DNS to resolve OBS domain names.

  1. Go to the VPC endpoint list page.
  2. On the VPC Endpoints page, click Buy VPC Endpoint.

    The Buy VPC Endpoint page is displayed.

  3. Configure required parameters.
    Table 1 Parameters for configuring a VPC endpoint

    Region (example value: LA-Mexico City1)

    Specifies the region where the VPC endpoint will be used to access a VPC endpoint service.

    Resources in different regions cannot communicate with each other over an intranet. For lower latency and faster access, select the region nearest to where your services will be accessed.

    Billing Mode (example value: Pay-per-use)

    Specifies the billing mode of the VPC endpoint. You are billed by how long you use each VPC endpoint. VPC endpoints can be used or deleted at any time.

    Only pay-per-use billing is supported.

    Service Category (example value: Cloud services)

    There are two options:

    • Cloud services: Select it if the target VPC endpoint service is a cloud service.
    • Find a service by name: Select it if the target VPC endpoint service is your private service.

    In this example, select Cloud services.

    Service List (example value: com.myhuaweicloud.na-mexico-1.dns)

    This parameter is available only when you select Cloud services for Service Category.

    The VPC endpoint service has been created by the O&M personnel and you can directly use it.

    In this example, select com.myhuaweicloud.na-mexico-1.dns.

    Create a Private Domain Name (example value: -)

    If you want to access a VPC endpoint using a domain name, select Create a Private Domain Name.

    This parameter is mandatory when the VPC endpoint will be used to access an interface VPC endpoint service.

    VPC (example value: -)

    Specifies the VPC where the VPC endpoint is to be deployed.

    Subnet (example value: -)

    This parameter is available only when you create a VPC endpoint for accessing an interface VPC endpoint service.

    Specifies the subnet where the VPC endpoint is to be deployed.

    IPv4 Address (example value: -)

    This parameter is available only when you create a VPC endpoint for accessing an interface VPC endpoint service.

    Select a way to assign an IPv4 address to your VPC endpoint. IPv4 addresses can be automatically assigned or manually specified.

    Access Control (example value: Enable)

    This parameter is available only when you create a VPC endpoint for accessing an interface VPC endpoint service.

    You can specify IP addresses and CIDR blocks that are allowed to access the VPC endpoint.

    • If Access Control is enabled, only IP addresses and CIDR blocks in the whitelist are allowed to access the VPC endpoint.
    • If Access Control is disabled, any IP address and CIDR block can access the VPC endpoint.

    Whitelist (example value: -)

    This parameter is available only when you create a VPC endpoint for accessing an interface VPC endpoint service.

    You can specify the IP addresses and CIDR blocks that are allowed to access the VPC endpoint. You can add a maximum of 20 records.

    Policy (example value: -)

    Specifies the VPC endpoint policy.

    VPC endpoint policies are a type of resource-based policy. You can configure a policy to control which principals can use the VPC endpoint to access VPC endpoint services.

    Tag (Optional; example values: key example_key1, value example_value1)

    Specifies the tags that will be used to classify and identify the VPC endpoint.

    This parameter can be modified after you buy a VPC endpoint.

    Description (Optional; example value: -)

    Provides supplementary information about the VPC endpoint.

    Table 2 Tag requirements for VPC endpoints

    Key

    • Cannot be left blank.
    • Must be unique for each resource.
    • Can contain a maximum of 128 characters.
    • Can contain letters, digits, spaces, and any of the following characters: _.:=+-@. It cannot start or end with a space, or start with _sys_.

    Value

    • Can be left blank.
    • Can contain a maximum of 255 characters.
    • Can contain letters, digits, spaces, and any of the following characters: _.:=+-@. It cannot start or end with a space.
  4. Click Next.
  5. Confirm the VPC endpoint information and click Submit.

Step 2: Buy a VPC Endpoint for Accessing OBS

This section describes how you can buy a VPC endpoint to access OBS from an on-premises data center.

  1. Go to the VPC endpoint list page.
  2. On the VPC Endpoints page, click Buy VPC Endpoint.

    The Buy VPC Endpoint page is displayed.

  3. Configure required parameters.
    Table 3 Parameters for configuring a VPC endpoint

    Region (example value: LA-Mexico City1)

    Specifies the region where the VPC endpoint will be used to connect to a VPC endpoint service.

    Resources in different regions cannot communicate with each other over an intranet. For lower latency and faster access, select the region nearest to where your services will be accessed.

    Billing Mode (example value: Pay-per-use)

    Specifies the billing mode of the VPC endpoint. You are billed by how long you use each VPC endpoint. VPC endpoints can be used or deleted at any time.

    Only pay-per-use billing is supported.

    Service Category (example value: Cloud services)

    There are two options:

    • Cloud services: Select it if the target VPC endpoint service is a cloud service.
    • Find a service by name: Select it if the target VPC endpoint service is your private service.

    Select Cloud services in the LA-Mexico City1, LA-Sao Paulo1, and LA-Santiago regions and Find a service by name in other regions.

    Service List (example value: com.myhuaweicloud.na-mexico-1.obs)

    This parameter is available only when you select Cloud services for Service Category.

    The VPC endpoint service has been created by the O&M personnel and you can directly use it.

    Select the right OBS endpoint service for your region:

    • LA-Mexico City1: com.myhuaweicloud.na-mexico-1.obs
    • LA-Sao Paulo1: com.myhuaweicloud.sa-brazil-1.obs
    • LA-Santiago: com.myhuaweicloud.la-south-2.obs

    In this example (LA-Mexico City1), select com.myhuaweicloud.na-mexico-1.obs.

    VPC Endpoint Service Name (example value: -)

    This parameter is available only when you select Find a service by name for Service Category.

    To access OBS as a gateway VPC endpoint service, you need to search for it by name. To obtain its name, submit a service ticket or contact the OBS O&M engineers.

    Enter the OBS endpoint service name and click Verify.

    VPC (example value: -)

    Specifies the VPC where the VPC endpoint is to be deployed.

    Route Table (example value: -)

    This parameter is available only when you create a VPC endpoint for accessing a gateway VPC endpoint service.

    NOTE: This parameter is available only in the regions where the route table function is enabled.

    Select the route tables in the VPC where the VPC endpoint is created as required. You are advised to select all route tables; otherwise, access may fail.

    For details about how to add a route, see Adding a Custom Route in the Virtual Private Cloud User Guide.

    Policy (example value: -)

    Specifies the VPC endpoint policy.

    VPC endpoint policies are a type of resource-based policy. You can configure a policy to control which principals can use the VPC endpoint to access VPC endpoint services.

    Tag (Optional; example values: key example_key1, value example_value1)

    Specifies the tags that will be used to classify and identify the VPC endpoint.

    This parameter can be modified after you buy a VPC endpoint.

    Description (Optional; example value: -)

    Provides supplementary information about the VPC endpoint.

    Table 4 Tag requirements for VPC endpoints

    Tag key

    • Cannot be left blank.
    • Must be unique for each resource.
    • Can contain a maximum of 128 characters.
    • Can contain letters, digits, spaces, and any of the following characters: _.:=+-@. It cannot start or end with a space, or start with _sys_.

    Tag value

    • Can be left blank.
    • Can contain a maximum of 255 characters.
    • Can contain letters, digits, spaces, and any of the following characters: _.:=+-@. It cannot start or end with a space.
  4. Click Next.
  5. Confirm the VPC endpoint information and click Submit.

Step 3: Access OBS Through a VPC Endpoint

Prerequisite: your on-premises data center has been connected to your VPC using a VPN or Direct Connect connection.
  • If you use a VPN connection, the VPC subnet CIDR block that can be accessed through the VPN gateway must contain the OBS CIDR block. You can view the route tables of the VPC endpoint for accessing OBS to obtain the OBS CIDR block.

    For details about how to create a VPN connection, see Creating a VPN Gateway.

  • If you use a Direct Connect connection, the VPC subnet CIDR block that can be accessed through the Direct Connect virtual gateway must contain the OBS CIDR block. You can view the route tables of the VPC endpoint for accessing OBS to obtain the OBS CIDR block.

    For details on how to enable Direct Connect, see Enabling Direct Connect.

  1. In the VPC endpoint list, click the ID of the VPC endpoint created for accessing DNS to view its IP address.
  2. Add DNS forwarding rules on the DNS server at your on-premises data center to forward requests for resolving OBS domain names to the VPC endpoint for accessing DNS.

    The methods of configuring DNS forwarding rules vary depending on OSs. For details, see the DNS software operation guides.

    The following uses BIND, a common DNS server software, as an example to show how you can configure forwarding rules on a UNIX server.

    Method 1: In the /etc/named.conf file, add the DNS forwarder configuration to the options block and set forwarders to the private IP address of the VPC endpoint for accessing DNS. With this method, the server forwards all queries it cannot answer itself, not only OBS names.

    options {
        forward only;
        forwarders { xx.xx.xx.xx; };
    };

    Method 2: In the /etc/named.rfc1912.zones file, add the following forward zones, so that only OBS domain names are forwarded, and set forwarders to the private IP address of the VPC endpoint for accessing DNS.

    The following uses the OBS endpoint and cluster address in the LA-Mexico City1 region as an example:

    zone "obs.na-mexico-1.myhuaweicloud.com" {
        type forward;
        forward only;
        forwarders { xx.xx.xx.xx; };
    };
    zone "obs.lz01.na-mexico-1.myhuaweicloud.com" {
        type forward;
        forward only;
        forwarders { xx.xx.xx.xx; };
    };
    • If no DNS server is available at your on-premises data center, add the private IP address of the VPC endpoint for accessing DNS to the /etc/resolv.conf file.
    • obs.na-mexico-1.myhuaweicloud.com indicates the OBS endpoint in the LA-Mexico City1 region. You can obtain more information about this endpoint on the Regions and Endpoints page.
    • obs.lz01.na-mexico-1.myhuaweicloud.com indicates the address of the lz01 cluster where the OBS bucket is deployed. You can submit a service ticket or contact the OBS O&M personnel to obtain it.
    • xx.xx.xx.xx indicates the IP address of the VPC endpoint for accessing DNS in step 1.
  3. Add a route destined for DNS over the VPN gateway or Direct Connect gateway.

    To access DNS over a VPN or Direct Connect connection, ensure that traffic from your on-premises data center to DNS is directed through the VPN gateway or Direct Connect gateway.

    Configure a permanent route at your on-premises data center and specify the IP address of the Direct Connect gateway or VPN gateway as the next hop for accessing DNS. The following is the example command for configuring such a route:

    route -p add xx.xx.xx.xx mask 255.255.255.255 xxx.xxx.xxx.xxx
    • xx.xx.xx.xx indicates the IP address of the VPC endpoint for accessing DNS in step 1.
    • xxx.xxx.xxx.xxx indicates the IP address of the Direct Connect gateway or VPN gateway at your on-premises data center.
    • The route command format varies depending on the OS. Use the correct format based on your OS.
  4. Add a route destined for OBS from the on-premises data center over the VPN gateway or Direct Connect gateway.

    Traffic from the VPC endpoint to OBS will be directed through 100.125.0.0/16, reserved as the private CIDR block for OBS. To access OBS over a VPN connection or Direct Connect connection, ensure that traffic from your on-premises data center to OBS is directed through the VPN gateway or Direct Connect gateway.

    Configure a permanent route at your on-premises data center and specify the Direct Connect gateway or VPN gateway as the next hop for accessing OBS. The following is the example command for configuring such a route:

    route -p add 100.125.0.0 mask 255.255.0.0 xxx.xxx.xxx.xxx
    • xxx.xxx.xxx.xxx indicates the IP address of the Direct Connect gateway or VPN gateway at your on-premises data center.
    • The route command format varies depending on the OS. Use the correct format based on your OS.
  5. At the on-premises data center, run the following command to verify the connectivity with OBS:
    telnet bucketname.endpoint Port number

    bucketname.endpoint indicates the domain name of the OBS bucket. You can obtain the domain name by viewing the bucket information on the OBS console. For details, see Viewing Basic Information of a Bucket.

    In the command:

    • bucketname: indicates the bucket name.
    • endpoint: indicates the bucket endpoint (domain name) in the region where the bucket is deployed.
    • Port number: indicates the service port number, which can be 80 or 443.

    Example: telnet bucketname.obs.na-mexico-1.myhuaweicloud.com 80 or telnet bucketname.obs.na-mexico-1.myhuaweicloud.com 443

    You can obtain OBS endpoint information at Regions and Endpoints.
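The on-premises side of Step 3 (the BIND forward zones in step 2, the two persistent routes in steps 3 and 4, and the connectivity check in step 5) can be scripted and verified from the data center. The following is an added example, not Huawei Cloud's own tooling: it renders the forward-zone stanzas, derives the routes, and, most usefully, checks that an OBS name actually resolves into the private OBS block 100.125.0.0/16 given on the page. A public answer for an OBS name means the forwarding rule is not in effect and traffic would leave over the internet rather than the VPN or Direct Connect path. The IP addresses are constructed placeholders standing in for the page's xx.xx.xx.xx and xxx.xxx.xxx.xxx; the Linux `ip route` form is this example's assumption (the page only shows the Windows `route -p add` form).

```python
"""Offline helpers for the on-premises side of Step 3: render the BIND forward
zones, derive the persistent routes, and check that an OBS name resolved from
the data center really points into the private OBS range.
Added example, not Huawei Cloud code. All IP addresses are constructed."""
import ipaddress
import socket

# Private CIDR block that OBS uses behind a gateway VPC endpoint (from the page).
OBS_PRIVATE_CIDR = ipaddress.ip_network("100.125.0.0/16")

# Constructed placeholders for the page's xx.xx.xx.xx and xxx.xxx.xxx.xxx.
DNS_ENDPOINT_IP = "10.0.1.53"      # private IP of the VPC endpoint for accessing DNS
ONPREM_GATEWAY_IP = "192.168.1.1"  # VPN or Direct Connect gateway at the data center

# Domain names from the page (LA-Mexico City1 OBS endpoint and lz01 cluster).
OBS_ZONES = (
    "obs.na-mexico-1.myhuaweicloud.com",
    "obs.lz01.na-mexico-1.myhuaweicloud.com",
)


def bind_forward_zones(zones, forwarder_ip):
    """Render forward-only zone stanzas for /etc/named.rfc1912.zones (Method 2).

    Only the listed OBS zones are forwarded to the VPC endpoint; every other
    name keeps using the data center's normal resolvers.
    """
    forwarder = ipaddress.ip_address(forwarder_ip)  # rejects malformed input early
    stanzas = []
    for zone in zones:
        stanzas.append(
            f'zone "{zone}" {{\n'
            "    type forward;\n"
            "    forward only;\n"
            f"    forwarders {{ {forwarder}; }};\n"
            "};"
        )
    return "\n".join(stanzas) + "\n"


def onprem_routes(dns_endpoint_ip, gateway_ip, os_name="windows"):
    """Return the two routes from steps 3 and 4: a host route to the DNS
    endpoint and a network route for the OBS private CIDR, both via the
    VPN or Direct Connect gateway.

    "windows" uses the page's `route -p add` form. "linux" uses iproute2
    syntax (this example's assumption; persistence is distro-specific).
    """
    dns_ip = ipaddress.ip_address(dns_endpoint_ip)
    gw = ipaddress.ip_address(gateway_ip)
    if os_name == "windows":
        return [
            f"route -p add {dns_ip} mask 255.255.255.255 {gw}",
            f"route -p add {OBS_PRIVATE_CIDR.network_address} mask {OBS_PRIVATE_CIDR.netmask} {gw}",
        ]
    if os_name == "linux":
        return [
            f"ip route add {dns_ip}/32 via {gw}",
            f"ip route add {OBS_PRIVATE_CIDR} via {gw}",
        ]
    raise ValueError(f"unsupported OS: {os_name}")


def is_obs_private_address(ip):
    """True if an address answered for an OBS name lies inside 100.125.0.0/16.

    A public answer means the forwarder is not in effect for that name, so
    traffic would leave the data center over the internet instead of the VPN
    or Direct Connect path.
    """
    return ipaddress.ip_address(ip) in OBS_PRIVATE_CIDR


def check_obs_resolution(hostname):
    """Resolve an OBS name with the host's configured resolver and split the
    answers into (private, public) lists. An empty `private` list means the
    forwarding rule is not working; a non-empty `public` list is a leak."""
    try:
        _, _, addrs = socket.gethostbyname_ex(hostname)
    except OSError:
        return [], []
    private = [a for a in addrs if is_obs_private_address(a)]
    public = [a for a in addrs if not is_obs_private_address(a)]
    return private, public


def tcp_reachable(host, port, timeout=3.0):
    """Equivalent of the page's telnet check: True only if the TCP handshake
    to host:port completes (port 80 or 443 for OBS)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    print(bind_forward_zones(OBS_ZONES, DNS_ENDPOINT_IP))
    for cmd in onprem_routes(DNS_ENDPOINT_IP, ONPREM_GATEWAY_IP):
        print(cmd)
    bucket = "bucketname." + OBS_ZONES[0]  # replace bucketname with a real bucket
    private, public = check_obs_resolution(bucket)
    print("private answers:", private, "public answers:", public)
    print("443 reachable:", tcp_reachable(bucket, 443))
```

Run it on a host in the data center after the forwarding rules and routes are in place. The resolution check is the one worth keeping in a monitoring job: the telnet test alone passes even when the name resolves to a public OBS address, because the data center usually has internet egress too, so only the CIDR check tells you the intranet path is really being used.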