To allow an Elastic Algorithm Service (EAS) service to call public APIs, download files from the internet, connect to a database, or access other external services, configure a Virtual Private Cloud (VPC) for network connectivity.
How it works
After you configure a VPC for an EAS service, the system creates an Elastic Network Interface (ENI) for each service instance. Each ENI consumes a Private IP address from the specified vSwitch. This process grants the service instance a network identity within the VPC, enabling private network communication with other resources in the VPC or internet access through a NAT Gateway.
Billing
Configuring a VPC for an EAS service is free. However, you are charged for the NAT Gateway and Elastic IP Address (EIP) used for internet access. For more information, see NAT Gateway billing and EIP billing overview.
Before you begin: Network planning and preparation
Plan your network connection method and prepare the required VPC, vSwitch, and Security Group. To create these resources, see Create a VPC and a vSwitch and Use security groups.
All outbound traffic from EAS services is subject to Security Group rules. Ensure that the outbound rules of your Security Group allow the EAS service to access the target service.
For private network communication, the most direct method is to deploy the EAS service and the target service in the same VPC. If the target service is in a different VPC, you must also establish network connectivity using products such as VPC Peering Connection or Cloud Enterprise Network (CEN).
Procedure
Step 1: Configure a VPC for the EAS service
Configuring a VPC for an EAS service is required to enable private network communication or internet access. EAS supports VPC configuration at the service level and the resource group level:
Service level: Specify a VPC for a single service. This has the highest priority.
Resource group level: Set a default VPC for services deployed using a dedicated resource group. If both service-level and resource-group-level configurations exist, the service-level configuration takes precedence.
Service-level configuration
Configure in the console
When you create or update a service, configure the VPC in the Network Information section. Select a VPC from the drop-down list, then configure the vSwitch and Security Group.

Configure using the eascmd client
In the service's JSON configuration file, add or modify the cloud.networking field with the IDs of your VPC, vSwitch, and Security Group. The following example shows the network-related fields:
    {
      "cloud": {
        "networking": {
          "vpc_id": "your-vpc-id",
          "vswitch_id": "your-switch-id",
          "security_group_id": "your-security-group-id"
        }
      }
    }
You can find the IDs on the VPC and vSwitch pages in the VPC console and on the Security Groups page in the ECS console.
For more information, see Command reference. Use the create or modify command to apply the new configuration.
Resource-group-level configuration
Console: On the Resource Group page, configure the VPC information for the entire resource group. Select the target resource group and click Enable VPC Configuration in the Actions column.

eascmd client: For more information, see Configure a VPC for a resource group.
Step 2: Configure an Internet NAT gateway and an SNAT entry (for public network access only)
If the EAS service needs to access the Internet, you must use a NAT Gateway and an EIP. For more information, see Use the SNAT feature of an Internet NAT gateway to access the Internet.
Create an Internet NAT gateway and bind an EIP: Go to the Internet NAT Gateway purchase page. Select the region and VPC where your EAS service is located, and bind an EIP to it. This EIP becomes the single public IP address that your EAS service uses for internet access.
Configure an SNAT entry: In the NAT gateway that you created, create an SNAT entry. Set SNAT Entry to VPC. This configuration directs all traffic from the VPC to the internet through the NAT gateway.
Step 3: Configure a whitelist (optional)
To connect to a target service that has IP address or Security Group whitelist restrictions, add the IP address range or Security Group ID of the EAS service to the target service's whitelist. The following sections describe how to obtain the private and public IP addresses of an EAS service.
Obtain a private IP address
EAS instances are dynamically scheduled. After a restart or update, new instances may be created on new physical nodes and be assigned a new Private IP address from the vSwitch address pool. Therefore, access control policies that rely on IP addresses should use the vSwitch CIDR block instead of a hardcoded IP address of a single instance.
Log on to the VPC console and find the IPv4 CIDR block on the vSwitch page.
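The following added example (not part of the original documentation) audits a target service's IP whitelist against the vSwitch CIDR block, flagging entries that pin part of the range and entries that admit every address. The function name, finding codes, and sample addresses are hypothetical and constructed for illustration.

```python
import ipaddress

# Constructed sample values; neither the CIDR block nor the entries come from the page.
VSWITCH_CIDR = "192.168.10.0/24"
SAMPLE_WHITELIST = ["192.168.10.23", "172.16.0.0/12"]


def audit_whitelist(vswitch_cidr, whitelist):
    """Return (covered, findings) for a target service's IP whitelist.

    covered  -- True when every address in the vSwitch CIDR block is allowed
    findings -- list of (entry, code) pairs that need attention
    """
    vsw = ipaddress.ip_network(vswitch_cidr)
    # strict=False accepts a bare host address and treats it as a /32 (or /128).
    parsed = [(e, ipaddress.ip_network(e, strict=False)) for e in whitelist]
    same = [(e, n) for e, n in parsed if n.version == vsw.version]
    # Merge adjacent entries first so that two /25 blocks count as one /24.
    merged = ipaddress.collapse_addresses(n for _, n in same)
    covered = any(vsw.subnet_of(n) for n in merged)

    findings = []
    for entry, net in same:
        if net.prefixlen == 0:
            # Works, but admits far more than the EAS service.
            findings.append((entry, "OPEN_TO_ALL"))
        elif net.subnet_of(vsw) and not covered:
            # A pinned instance IP or partial range: a rescheduled instance
            # can receive an address outside it.
            findings.append((entry, "PINNED_SUBSET"))
    if not covered:
        findings.append((vswitch_cidr, "VSWITCH_NOT_COVERED"))
    return covered, findings


if __name__ == "__main__":
    ok, issues = audit_whitelist(VSWITCH_CIDR, SAMPLE_WHITELIST)
    print("vSwitch fully covered:", ok)
    for entry, code in issues:
        print(f"  {entry}: {code}")
```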

Obtain a public IP address
Log on to the VPC console. On the page, find the gateway configured for EAS. The bound EIP is displayed in the EIP column.

Production considerations
IP address planning: Plan a dedicated vSwitch with a sufficient number of IP addresses for your EAS service. The minimum number of required IP addresses is Number of stable instances + Number of extra instances for rolling updates + Reserved buffer IPs. Insufficient IP addresses will cause service creation or scaling to fail.
Security group isolation: Use separate Security Groups for different services or environments (for example, development, testing, and production). Follow the principle of least privilege by opening only the necessary ports and access sources.
Cost optimization: If your EAS service needs to access the internet to download models or files, upload the resources to OSS in the same region and mount the OSS volume during deployment instead. This avoids costs associated with public network traffic.
FAQ
Q: Why can't my EAS service access the internet by default?
EAS services are isolated from the public internet by default to ensure security and stability. In a shared environment, uncontrolled internet access can lead to unpredictable bandwidth contention, which can affect service performance and availability. To enable internet access, you must configure the service to run within a VPC and set up a NAT Gateway.
Q: How do I test if my EAS service has internet connectivity?
You can add a test command to your service's startup configuration. In the Command field, include a network utility like curl -I -A "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0.0.0" --connect-timeout 5 https://www.aliyun.com.
After deployment, check the instance's real-time log. A response containing a status code like 200 OK confirms the internet connection is working. A timeout or connection error indicates a configuration issue.
Q: Why can't my EAS service connect to other cloud services (e.g., an RDS database) in the same VPC?
This usually indicates a misconfiguration in your network settings. Check the following items to resolve the issue:
VPC configuration: Ensure your EAS service and the target service (e.g., your RDS instance) are deployed in the same VPC.
Security group rules: Confirm that the outbound rules of the security group attached to your EAS service allow traffic to the target service's private IP address and port.
Access restrictions of the destination cloud product: If the target service uses an IP whitelist or a security group for access control, ensure it allows inbound connections from the vSwitch CIDR block or the Security Group ID of your EAS service. It is recommended to use the vSwitch CIDR block, as instance private IPs are dynamic and can change after a restart.
Q: Why is my EAS service still unable to access the internet after configuring a NAT Gateway?
If your EAS service cannot access the internet after setting up a NAT Gateway, the problem is likely with the SNAT entry, VPC route table, or security group rules. Check the following configurations:
Verify the SNAT Entry: In your NAT Gateway console, confirm that the SNAT entry is configured to handle traffic from the correct vSwitch—the one used for your EAS service deployment.

Check the VPC Route Table: Go to the VPC console and inspect the route table associated with your vSwitch. Ensure a route exists with the destination CIDR block set to 0.0.0.0/0 and its next hop pointing to your NAT Gateway.
Inspect Security Group Outbound Rules: Confirm that the outbound rules of the security group attached to your EAS service allow all egress traffic. The default rule, which allows traffic to 0.0.0.0/0, is sufficient for internet access.
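The three checks above can be run offline against settings copied from the console. This is an added example, not part of the original documentation: the dictionary layout, the function name, and all addresses are hypothetical and constructed, and the security group model considers allow rules only (no deny rules or priorities).

```python
import ipaddress

# Constructed sample settings: the SNAT entry covers a different vSwitch
# than the one the EAS service is deployed in.
VSWITCH_CIDR = "10.0.2.0/24"
BROKEN = {
    "snat_sources": ["10.0.1.0/24"],
    "routes": [{"destination": "0.0.0.0/0", "next_hop": "nat_gateway"}],
    "sg_egress": [{"dest_cidr": "0.0.0.0/0", "port_min": 1, "port_max": 65535}],
}
# Same settings with the SNAT entry widened to the whole VPC CIDR block.
FIXED = dict(BROKEN, snat_sources=["10.0.0.0/16"])


def diagnose_egress(vswitch_cidr, snat_sources, routes, sg_egress,
                    dest_ip, dest_port):
    """Return the names of the failing checks, in the order listed above."""
    vsw = ipaddress.ip_network(vswitch_cidr)
    dest = ipaddress.ip_address(dest_ip)
    failed = []

    # 1. An SNAT entry must cover the vSwitch used by the EAS service.
    if not any(vsw.subnet_of(ipaddress.ip_network(s)) for s in snat_sources):
        failed.append("snat_entry")

    # 2. The vSwitch route table needs 0.0.0.0/0 with the NAT gateway as next hop.
    if not any(r["destination"] == "0.0.0.0/0" and r["next_hop"] == "nat_gateway"
               for r in routes):
        failed.append("route_table")

    # 3. An outbound security group rule must allow the destination and port.
    if not any(dest in ipaddress.ip_network(r["dest_cidr"])
               and r["port_min"] <= dest_port <= r["port_max"]
               for r in sg_egress):
        failed.append("security_group")
    return failed


if __name__ == "__main__":
    # 203.0.113.10 is a documentation-range address used as a stand-in target.
    for name, cfg in (("broken", BROKEN), ("fixed", FIXED)):
        result = diagnose_egress(VSWITCH_CIDR, dest_ip="203.0.113.10",
                                 dest_port=443, **cfg)
        print(name, "->", result or "all checks pass")
```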