Access services on instances over the Internet - Platform For AI

When you deploy a service in a DSW instance, such as a model API or WebUI, you might need to access it from a browser, share it with collaborators, or call it from an external network. The DSW Custom Service feature enables Public Network Access, exposing your service to the internet.

Important notes

Additional charges apply: Configuring public network access requires a NAT Gateway and Elastic IP Address (EIP). These are separate cloud products with their own billing.
Supported instance types: This feature is available for instances in the default resource group (where resource specifications do not start with ecs.ebm) and Lingjun intelligent computing instances. Configure a maximum of five custom services for each instance.
Service interruption on instance stop: Stopping a DSW instance also stops its internal services and disables public network access.
EAS recommended for production: For stable, highly available services with elastic scaling support in production environments, deploy your models to Elastic Algorithm Service (EAS).

How it works

To make a service, such as an API on port 9000 in a DSW instance, accessible from the internet, the following resources are required:

Elastic IP Address (EIP): Provides a fixed public IP address, such as 121.40.**.**. This is the entry point for public traffic.
NAT Gateway: Located within your Virtual Private Cloud (VPC), this gateway maps public requests from EIP:Port to your DSW instance's private IP and port (Private IP:Port).
Security group: Acts as a virtual firewall for your DSW instance. Add an explicit rule to allow public traffic to the specific port your service is listening on, such as 9000. This is a critical step for successful access.

Core flow: Internet user (browser/tool) -> EIP:port -> NAT Gateway -> vSwitch -> Security group rule check -> DSW instance private IP:port -> Your service

Billing

Billing for the NAT Gateway and EIP begins as soon as they are created.
Even if your DSW instance is stopped, the NAT Gateway and EIP continue to incur charges until they are deleted.
The DSW instance itself is billed based on its running state. Pay-as-you-go instances do not incur charges when stopped.

Configure public network access

Configure public network access during instance creation

Create a DSW instance and configure the following key network parameters.
- In the Network Information section, select your VPC and security group. For more information about how to create a VPC and a security group, see VPCs and vSwitches and Manage security groups. The VPC and Security Group must be in the same region as the DSW instance.
  Create a VPC, vSwitch, and security group
  1. On the DSW configuration page, click Create VPC.
    Configure the VPC Name, IPv4 CIDR Block, and vSwitch information. You can keep the default values for other parameters. Then, click OK to create the VPC and vSwitch.
  2. Return to the DSW configuration page, and for VPC Settings, select the VPC that you just created.
  3. Click Create Security Group. You can keep the default parameter values and then click Create. Return to the DSW configuration page and select the security group you just created for the Security Group ID setting.
    Ensure that the security group allows inbound access on port 22.
- Find Custom Services, click Add. Enter the actual Port number your service is listening on (for example, 9000). Select the Access over Internet checkbox, then choose your NAT Gateway and EIP. Note: The NAT Gateway and EIP must be in the same region as the DSW instance.
  Create an Internet NAT Gateway and an Elastic IP Address
  1. Click Create NAT Gateway.
    On the NAT Gateway creation page, configure the parameters as needed or use the default values. Then, click Create EIP.
  2. On the EIP creation page, configure the parameters as needed or use the default values, then click Buy Now.
  3. Return to the NAT Gateway creation page. For Elastic IP Address Instance, select the instance you just created, and then click Purchase Now to create the Internet NAT Gateway.
Add an inbound rule to the security group for your service's port. For more information, see Add a security group rule. Use the following key parameters:
- Action: Allow
- Protocol Type: Choose based on your service (for example, TCP)
- Port Range: Enter the listening port you configured (for example, 9000/9000)
- Authorization Object: 0.0.0.0/0 (allows access from all public IPs for testing) or a specific IP address range. For production environments, we strongly recommend restricting the source IP addresses.

Configure public network access for an existing DSW instance

Modify the public access configuration for an existing DSW instance in two ways.

Note: If you need to add or change a VPC or NAT Gateway, you must use the Change Settings option, which requires an instance restart.

Configure public network access for an existing DSW instance

Modify the public access configuration for an existing DSW instance in two ways.

Note: If you need to add or change a VPC or NAT Gateway, you must use the Modify Configurations option, which requires an instance restart.

Configure within the DSW instance

In the DSW development environment, click Configuration at the top of the page to modify custom services.

Test the connection

In the DSW Terminal, run the following commands to start a simple HTTP server.

# Create an HTML file with test content
echo 'Hello, World!' > index.html

# Start Python's built-in HTTP server (listening on port 9000)
python -m http.server 9000 --bind 0.0.0.0

On the instance details page, find the Access Configurations section to get the access URL.
For Internet access, copy the public access address 121.40.**.**:9000 and access it in a browser. When Hello, World! is returned, the service access configuration is successful.

Recommendations for production use

For development and testing only: The Public Network Access feature in DSW is designed for temporary testing and collaborative debugging.
Deploy to PAI-EAS for production: For production-grade inference services, deploy them to PAI-EAS. EAS provides:
- High Availability (HA) and Load Balancing.
- Auto Scaling to handle traffic fluctuations.
- Comprehensive monitoring, alerting, version management, and Canary Release capabilities.
- A more optimized integration and billing model for public access. For more information, see Deploy a model as an online service.
Manage costs:
- When a DSW instance is stopped: A pay-as-you-go DSW instance stops incurring charges. However, the associated NAT Gateway and EIP continue to incur charges until they are deleted.
- To avoid further charges: Delete the NAT Gateway and EIP when they are no longer needed. Do this from the VPC console and EIP console.

FAQ

Q: How can I troubleshoot "Connection refused" or "Timeout" errors when accessing a DSW service over the public internet?

This issue is typically caused by misconfigured security group rules. Follow these steps to diagnose and resolve the problem:

Verify your security group rules. This is the most common cause of connection failures.
- Go to the security group associated with your DSW instance.
- Ensure an Inbound rule exists that allows traffic to your service's port.
- Port Range: The rule must include the port your service is listening on (e.g., 9000/9000).
- Source: The source IP range must allow your IP address. For testing, use 0.0.0.0/0. For production, restrict this to trusted IPs.
- Protocol Type: Make sure it matches your service's protocol (e.g., TCP).

Confirm the service is running and listening on the correct port.
- Open a terminal in your DSW instance and run the following command, replacing <port_number> with your service's port:netstat -tunlp | grep 9000)
- If this command returns no output, your application is either not running or is not bound to the correct port or interface.
Check NAT Gateway and EIP status
- Go to the VPC console and confirm that the NAT Gateway's status is Running.
- Go to the EIP console and confirm that the EIP's status is Associated and your account is not overdue.
Test the service locally from within the DSW instance.
- Use curl to send a request to your service from the instance's terminal. This bypasses all external network components.
```
# Replace <port_number> with your service's port
curl http://localhost:<port_number>
```
- If this command fails, the problem is with your application, not the network configuration.
Use network diagnostic tools for further troubleshooting.
- From inside the DSW instance, use telnet to check if the public port is reachable via the EIP. You may need to install telnet first.
```
telnet <Your_EIP_Address> <port_number>
```
- For a comprehensive diagnosis, consider using the Alibaba Cloud Network Intelligence Service.

Q: Do I still get charged for a NAT Gateway and EIP after stopping my pay-as-you-go DSW instance?

Yes, you will still be charged.

Billing for the NAT Gateway and Elastic IP (EIP) is separate from the DSW instance. Stopping a pay-as-you-go DSW instance only prevents the instance itself from incurring further charges. The associated NAT Gateway and EIP are independent resources and will continue to be billed as long as they exist.

To avoid ongoing charges, you must manually delete the NAT Gateway and release the EIP in their respective consoles when they are no longer needed.

Q: Is it possible to use a single EIP to expose multiple services on different ports from one DSW instance?

Yes. You can configure up to five different services on a single DSW instance to be accessible through the same NAT Gateway and EIP.

To set this up, add a new Custom Service entry for each port you want to expose. Each service will then be accessible via the same public EIP but on its own unique port.

For example, if you configure services on ports 9000 and 9001, you would access them as follows:

Service 1: http://<Your_EIP_Address>:9000
Service 2: http://<Your_EIP_Address>:9001