Alibaba Cloud in 7 Days

Day #5 - OSS - CDN - SSL

May 12, 2018

Now that we have an Alibaba Cloud ECS instance running, DNS configured and SSL installed, let's look at the Alibaba Cloud storage options - Alibaba Object Storage Service (OSS) and Alibaba Cloud CDN.

Object Storage Service (OSS) is the equivalent of Amazon Simple Storage Service (S3). Alibaba Cloud CDN is the equivalent of Amazon CloudFront.

When building services in the Cloud, it is advantageous to use services that provide:

  • High Availability and Fault Tolerance
  • Improved Security and Resistance to Attacks
  • Improved Performance
  • Decreased Costs
  • Reduced Latencies

We will combine OSS and CDN to accomplish these objectives for part of our website. Later we will add auto scaling and load balancing to complete these objectives for the entire website.

Static assets such as PDFs, documents, images, CSS and JavaScript, etc. are best stored on a cloud storage service and delivered to customers via a CDN. Storage services are inexpensive compared to ECS instance disk costs, have higher reliability and usually provide higher bandwidth to customers. When a CDN is implemented as the website front-end, latency to customers can drop significantly. This is due to edge locations reducing latency and CDN caching. A side-effect is that HTML page load times are faster as modern browsers will overlap network requests of different parts of a web page.

Create an OSS Storage Bucket

Go to the Alibaba Console.

  • In the left panel click on Object Storage Service.
  • Towards the right side click the blue button Create Bucket.
  • A panel appears. Enter information similar to the following to setup your bucket.
  • Bucket Name: Enter a bucket name. I entered neoprime-cdn as this will be the CDN origin.
  • Region. Make sure that you select the correct region. I selected US West 1 (Silicon Valley).
  • Storage Class: I selected Standard Storage.
  • ACL: I selected Public Read. Be careful here. Everything that stored in this bucket will have public read access.
  • Click OK. The bucket will be created, and you will be taken back to the OSS Console.
Note: I plan to investigate if the bucket ACL can be left private and then grant permissions to CDN.

Upload a file to OSS

For my testing, I want the big Alibaba image to be located on OSS and delivered by CDN.

  • In the Alibaba OSS Console, click on the Files tab.
  • File Directory: I selected Current Directory.
  • File ACL: I selected Public Read.
  • Click the blue Upload button.
  • Drag and Drop or select upload them directly.
  • I selected the Alibaba image file for this section.
  • Once the file load completes, you will see your file in the OSS Console.
  • Click on the file name. A preview panel will open. Copy the File URL.
  • Paste the URL into your web browser. Verify that you can see the file in the browser.

Create a CDN

For this section, we will create a CDN that supports HTTPS. For HTTPS we will need the SSL certificate that Let's Encrypt created for us. In Day #3, one of the steps was to copy the certificate files to a safe location on your desktop.

Go to the Alibaba Console.

  • In the left panel click on Alibaba Cloud CDN.
  • On the right side of the console, click on Add Domain Name.
  • A panel appears. Enter information similar to the following to setup your CDN.
  • Domain Name: cdn.neoprime.xyz
  • Business Type: Small Image File
  • Origin Site Type: OSS Domain
  • Origin Site Type: Select the name of your OSS bucket: neoprime-cdn.oss-us-west-1.aliyncs.com
  • Acceleration Region: HK, Macao - See note below.
  • Click Next. Wait for the CDN to complete configuration.

When I selected Global for the Acceleration Region, I received this error message:
In compliance with the Peoples Republic of China (PRC) laws, purchasers of Internet related products offered in a region inside Mainland China are required to provide real-name registration information.

I then completed their Real-name registration.
Your real-name registration is under review. Generally it takes 1-2 days to complete the process. Once the review is complete, you will be notified via email and the console message center.

Update May 13, 2018:
I sent an email to Alibaba Support regarding this matter last night. This morning I had a reply. This is the second time that I have created a support ticket. Both times, I had an answer the next morning. This is excellent support.
Thank you for contacting Alibaba Cloud Customer Service. We've checked the issue you mentioned with all the provided information, here's the update: the real-name registration is not determined by the location of your origin, but where customer can visit your domain, in other words, the entry determines: if Mainlan China visitors can access your rersources via mainland China CDN nodes, the real-name registration is required.

Acceleration Region of "Global" includes Mainland China.

Create DNS Entries for the CDN

Alibaba Cloud requires that you create a DNS entry for the CDN. Remember in Day #3, we created the entry cdn.neoprime.xyz. This is the entry that we will now change to point to the CDN instead of the ECS instance.

Go to the Alibaba Console.

  • In the left panel click on Alibaba Cloud DNS.
  • Click on Domain Names
  • Notice the DNS entry for your domain. To the right click on Resolve.
  • Find the CNAME entry for cdn. To the right click on Edit.
  • Change the Value field to the DNS name for your CDN.

Verify that you can access the image file from the CDN. For my CDN, the image file path is http://cdn.neoprime.xyz/alibaba-600x263.png

Also notice if your try to use the HTTPS path, it will fail: https://cdn.neoprime.xyz/alibaba-600x263.png. We have not setup SSL for our CDN. We will do this next.

Enable SSL for our CDN

Go to the Alibaba Console.

  • In the left panel click on Alibaba Cloud CDN.
  • Go to Domain Names.
  • Click on the CDN Domain Name or click Configure.
  • Scroll down to HTTPS Settings.
  • For HTTPS Settings, click on the Modify button
  • A panel appears. Enter information similar to the following to setup HTTPS.
  • Status; Select Enable.
  • Select certificate: Select Custom uploading.
  • Certificate name: I prefer to use the domain name. cdn.neoprime.xyz
  • We will now be using two of the files that we save from Let's Encrypt.
  • Using notepad, open fullchain.pem.
  • Select all text (CTRL-A) and then paste into Public Key (CTRL-V) in the panel.
  • Using notepad, open privkey.pem.
  • Select all text (CTRL-A) and then paste into Private Key (CTRL-V) in the panel.
  • Click OK
  • Generally, it takes 10 minutes for an updated HTTPS certificate to take effect across the network.
  • Scroll down to Advanced Settings.
  • I like to bandwidth limit my CDN. For Peak Bandwidth, I configure it to 5 Mbps just in case some hackers decide to attack my CDN. Pick a value that works for your situation. However, remember that limiting bandwidth for financial reasons makes DoS (denial of service) attacks easier.

The HTTPS path should now work: https://cdn.neoprime.xyz/alibaba-600x263.png. If not wait another 10 minutes. If you still have problems, double check your configuration.

Next Steps

Review your website files. Determine the static files that should be moved to OSS. Copy the files to OSS and then modify your HTML files to reference the CDN path. Browsers such as Chrome, support a debugger. Press F12 and select the Network tab. Press CTRL and F5 to reload your web page. This makes it easy to identify file loads that should be moved to cloud storage.


OSS pricing depends on several items (based upon region us-west-1):

  • Amount stored: $0.02 per GB. The first 5 GB is free.
  • Data Transfer to the Internet: $0.076 per GB. First 5 GB is free.
  • CDN Traffic: $0.076 per GB.
  • API Requests: GET/HEAD: $0.001 per 10,000 requests.

CDN has two pricing models. Pay-By-Bandwidth and Pay-By-Traffic. My review will just cover Pay-By-Traffic.

  • Amount stored: $0.02 per GB. The first 5 GB is free.
  • Downstream Traffic: $0.07 per GB.
  • HTTPS Requests: $0.03 per 10,000 requests.

Durablity and Availability

  • Availability: 3-Nines - 99.9% (43.2 minutes of downtime per month).
  • Durability: 11-Nines - 99.999999999


I found the Alibaba Cloud CDN easy to configure. The AWS CloudFront CDN has so many options that it can be hard to configure correctly if you do not really understand CloudFront. I did not perform any benchmarks on CDN. I just ensured that it worked correctly.


  • Very easy to configure.
  • Private bucket back-to-source authentication could be a good solution to the Public bucket problem.
  • Supports bandwidth limiting.
  • Reconfiguring the CDN is very fast. AWS CloudFront can take 10 minutes for some changes.
  • The CDN Console provides nice statistics and graphs showing the usage of a CDN.


  • You must upload your identity to Alibaba Console to enable global CDN.
  • Full-Site Domain CDN currently does not work.
  • Not as many options as AWS CloudFront.
  • AWS CloudFront has more flexibility for creating complex configurations.
  • AWS has a better SSL Certificate system.
  • AWS SSL Certificates are free. For Alibaba you must either purchase an SSL Certificate or create one by using a web server and Let's Encrypt type of method. This has several security risks and certificate renewal headaches.

15220 Main Street, Bellevue, WA 98007
T: 425-528-8500 - F: 425-528-8550 - E: neoprime@neoprime.io

Copyright 2018 NeoPrime LLC