Platform For AI:Improve Internet access speed by using a private gateway

Prerequisites

• You have created a Virtual Private Cloud (VPC) and a vSwitch for the DSW instance. To avoid conflicts with PAI cluster CIDR blocks, we recommend using the 192.168.0.0/16 CIDR block for your VPC. For more information, see Create and manage a VPC.

• You have created a Security Group for the VPC. For more information, see Create a security group.

Billing

Internet NAT Gateway and Elastic IP Address (EIP) are cloud services that are billed independently. These services are billed continuously, even when the DSW instance is stopped. Therefore, delete these resources promptly when you no longer need them to avoid further charges.

Procedure

This topic uses a DSW instance as an example. The same procedure applies to DLC instances.

1. Create an Internet NAT gateway. Log on to the NAT Gateway console and create an Internet NAT Gateway. The key parameters are described below. For detailed steps, see Create an Internet NAT gateway.

   If you have multiple Internet NAT gateways in your VPC, see Deployment solutions for multiple Internet NAT gateways in the same VPC for network design and deployment solutions.

   Parameter	Description
   Region	Select the same region as your VPC. If you do not specify a region, the system uses the region of your VPC by default.
   Network and Zone	Select the VPC and vSwitch for your DSW instance.
   EIP	If no EIP instances are available, click Purchase EIP and follow the on-screen instructions. We recommend setting the Maximum Bandwidth as high as possible.

2. Create an SNAT entry. On the Internet NAT Gateway page, select the gateway you created. Then, navigate to the SNAT tab and click Create SNAT Entry. When creating the entry, select Specify VPC and choose to use a single IP address. If you have purchased multiple IP addresses, you can choose to use multiple IP addresses. For detailed steps, see Create an SNAT entry.

3. Configure the instance network parameters. Log on to the PAI console. In the upper-left corner, select the same Region as your VPC. On the DSW instance creation page, configure the network parameters. For an existing instance, click Change Settings to open the configuration page. The key parameters are described below. For information about other parameters, see Create a DSW instance.

   Parameter	Description
   VPC	This parameter is available only when you select the public resource group for Resource Group. Select the VPC, vSwitch, and Security Group that you created.
   Security Group
   vSwitch
   Internet Gateway	Select Private Gateway. The DSW instance uses the Private Internet Gateway to access the internet. If you select Private Gateway without a configured Internet NAT Gateway, EIP, and SNAT entry, the instance cannot access the internet.

4. Test the network connectivity.

   1. Open the DSW instance and click Open in the menu bar.

   2. Run the ping www.aliyun.com command to test the network connectivity.

      A successful reply confirms that the instance can access the internet through the Private Internet Gateway. The output below indicates a successful connection.

      PING www.aliyun.com.w.cdngslb.com (47.118.XX.XX) 56(84) bytes of data.
      64 bytes from 47.118.XX.XX (47.118.XX.XX): icmp_seq=1 ttl=59 time=5.96 ms
      64 bytes from 47.118.XX.XX (47.118.XX.XX): icmp_seq=2 ttl=59 time=5.83 ms
      64 bytes from 47.118.XX.XX (47.118.XX.XX): icmp_seq=3 ttl=59 time=5.83 ms
      64 bytes from 47.118.XX.XX (47.118.XX.XX): icmp_seq=4 ttl=59 time=5.84 ms
      64 bytes from 47.118.XX.XX (47.118.XX.XX): icmp_seq=5 ttl=59 time=5.86 ms

Appendix: Configure an instance to deny Internet access

If your security requirements prohibit internet access for resources like DSW and DLC instances, you can set the Internet Gateway to Private Gateway when you configure the instance. Do not create an Internet NAT Gateway or an SNAT entry. This ensures that the instance can only access data within the VPC and cannot access the internet.