All Products
Search

This Product

    Platform For AI:Use a dedicated gateway

    Document Center

    Platform For AI:Use a dedicated gateway

    Last Updated:Dec 12, 2024

    Elastic Algorithm Service (EAS) of Platform for AI (PAI) provides the dedicated gateway feature to meet requirements for security isolation and access control. Dedicated gateways allow you to configure networks in a flexible manner and configure whitelists for access over virtual private clouds (VPCs) and the Internet. Dedicated gateways can also help you reduce network risks in high-concurrency and high-throughput business scenarios. This topic describes how to use dedicated gateways.

    Billing

    The dedicated gateway feature uses both pay-as-you-go and subscription billing methods. For more information, see Billing of EAS. When using dedicated gateways, you are also charged for PrivateLink, including instance fees and data transfer fees. For more information, see Billing overview.

    Procedure

    image

    • After you enable Internet access for a dedicated gateway and configure a whitelist, you can access the dedicated gateway through the Internet endpoint.

    • After you configure a virtual private cloud (VPC) and a whitelist, devices in the VPC can access the dedicated gateway through the VPC endpoint.

    Step 1: Create a dedicated gateway

    1. Go to the Elastic Algorithm Service (EAS) page.

      1. Log on to the PAI console.

      2. In the left-side navigation pane, click Workspaces. On the Workspaces page, click the name of the workspace that you want to manage.

      3. In the left-side navigation pane, choose Model Deployment > Elastic Algorithm Service (EAS).

    2. On the Dedicated Gateway tab, click Create Dedicated Gateway. Select Create Dedicated Gateway (Subscription) or Create Dedicated Gateway (Pay-as-you-go)

    3. On the buy page, configure the following parameters.

      Parameter

      Description

      Region

      The region in which the dedicated gateway resides. You can select a region based on the on-screen instructions.

      Dedicated Gateway Name

      The name of the dedicated gateway.

      Gateway Specifications

      The specifications of the dedicated gateway. Valid values:

      • 2 vCPUs + 4 GB

      • 4 vCPUs + 8 GB

      • 8 vCPUs + 16 GB

      • 16 vCPUs + 32 GB

      You can select gateway specifications based on your business requirements. For more information, see Appendix: Capacity and QPS of dedicated gateways. After you select gateway specifications, you can view the unit price of the specifications in the lower-right corner of the page.

      Gateway Nodes

      The number of gateway nodes. You must configure at least two gateway nodes.

    4. After you configure the parameters, click Buy Now.

    5. On the Confirm Order page, select Terms of Service and click Activate Now.

      You can view the dedicated gateway that you purchased in the dedicated gateway list. After the Status changes to Running, you can use the dedicated gateway.

    Step 2: Configure access control

    Configure Internet access

    1. Enable Internet access.

      1. On the Dedicated Gateways tab, click the name of the dedicated gateway.

      2. In the Gateway Access Control section, select the Internet tab.

      3. Enable Access Portal. In the Enable Internet Access message, click OK.

        After the status changes to Activated, Internet access is enabled for the dedicated gateway. image

    2. Configure Internet whitelist

      By default, after the status of the Internet access changes to Activated, the dedicated gateway is inaccessible from the Internet. You must perform the following steps to add CIDR blocks to the whitelist:

      1. On the Internet tab, click Add to Whitelist.

      2. In the Add to Whitelist panel, configure the following parameters and click OK.

        Parameter

        Description

        CIDR Block

        Configure the CIDR blocks that you want to add to the whitelist, such as 192.0.2.0/24. Separate multiple CIDR blocks with commas (,) or line feeds. If you want to enable access from all addresses, add 0.0.0.0/0.

        Note

        Specify a description to identify a whitelist.

        You can click Add to add new whitelists. You can add up to 15 CIDR blocks.

    3. Verify Internet access connectivity. For example, add the public IP address of a local device to the whitelist.

      1. On the Internet tab, find the Endpoint. image

      2. Access the endpoint from a local terminal. The following output indicates that the IP address is allowed to access the dedicated gateway over the Internet.

        image

    4. Optional. Disable Internet access.

      1. On the Internet tab, disable Access Portal to disable Internet access for the dedicated gateway.

      2. Access the endpoint from a local terminal. The following output indicates that the Internet access is disabled. imageimage

    Configure VPC access

    1. Add a VPC.

      1. On the Dedicated Gateways tab, click the name of the dedicated gateway.

      2. In the Gateway Access Control section, select the VPC tab and click Add VPC.

      3. In the Add VPC dialog box, select a VPC (ID) and a vSwitch. If no VPC and vSwitch are available, you can click Create VPC and Create vSwitch. Then, click OK.

        Note

        If the following error message appears when you add a VPC, select a vSwitch in a supported zone. 

        Vswitch vsw-2zeqwh8hv0gb96zcd**** in zone cn-beijing-g is not supported, supported zones: [cn-beijing-i cn-beijing-l cn-beijing-k]

        If Status changes to Running, the VPC is added.

    2. Configure VPC whitelist.

      After the VPC is added, the system automatically adds a whitelist with the entry 0.0.0.0/0 to the VPC, which allows connection from all CIDR blocks in the VPC. To modify the whitelist, perform the following steps:

      1. In the VPC list, click Modify Whitelist in the Configure Whitelist column.

      2. In the Modify Whitelist panel, configure the following parameters.

        Parameter

        Description

        CIDR Block

        Delete 0.0.0.0/0 and add desired CIDR blocks, for example, 10.0.0.0/16. Separate multiple blocks with commas (,) or line breaks.

        Note

        Specify a description to identify a whitelist.

        You can click Add to add new whitelists. You can add up to 15 CIDR blocks.

      3. After the whitelist is added, click OK.

    3. Verify the VPC connectivity of the dedicated gateway.

      1. On the VPC tab, find the Endpoint. image

      2. Access the endpoint on a terminal that resides in the VPC. The following output indicates that the dedicated gateway can be accessed through the VPC whitelist.

        Note

        You can access the dedicated gateway from all zones in the VPC, not limited to the zone of the added vSwitch.

        image

    4. Optional. Disable VPC access.

      1. In the VPC list, click Delete in the Configure vSwitch column.

      2. Access the endpoint on a terminal that resides in the VPC. The following output indicates that VPC access is disabled.

        image

        image

    Step 3: Create a service and associate it with a dedicated gateway

    Associate a dedicated gateway when you deploy a service

    1. Go to the Elastic Algorithm Service (EAS) page.

      1. Log on to the PAI console.

      2. In the left-side navigation pane, click Workspaces. On the Workspaces page, click the name of the workspace that you want to manage.

      3. In the left-side navigation pane, choose Model Deployment > Elastic Algorithm Service (EAS).

    2. On the Inference Service tab, click Deploy Service. On the Deploy Service page, click Custom Deployment in the Custom Model Deployment section.

    3. In the Service Configuration section of the Create Service page, click Dedicated Gateway and select the dedicated gateway that you created. For information about other parameters, see Deploy a model service in the PAI console.

    4. After you configure the parameters, click Deploy.

      If Service Status changes to Running, the service is deployed.

    Test network connectivity

    After you configure the whitelist for the associated dedicated gateway, you can perform the following steps to verify network connectivity. For more information about how to configure a whitelist for a dedicated gateway, see Step 2: Configure access control.

    1. View service endpoints.

      1. In the service list, click the name of the service.

      2. In the Basic Information section, click View Endpoint Information.

      3. In the Invocation Method dialog box, view the endpoints on the Public Endpoint and VPC Endpoint tabs. image

    2. Verify the service endpoint connectivity.

      • Verify the public endpoint.

        On a local terminal, access the public service endpoint. You need to delete http:// at the beginning and / at the end. The following output indicates that the service can be accessed through the dedicated gateway public endpoint. image

      • Verify the VPC endpoint.

        On a terminal in the VPC, access the VPC service endpoint. You need to delete http:// at the beginning and / at the end. The following output indicates that the service can be accessed through the dedicated gateway VPC endpoint. image

    Manage a dedicated gateway

    image

    You can perform the following operations on the dedicated gateway you create:

    • View the details of a dedicated gateway

      On the Dedicated Gateway tab, click the name of the dedicated gateway. On the details page of the dedicated gateway, you can view the Basic Information, Gateway Information, and Gateway Access Control sections.

      • In the Gateway Information section, you can view information about the Instance Type, Nodes, and number of services that are associated with the dedicated gateway. Click the number of Associated Service. In the Associated Service panel, you can view the details of the service.e8cb3390c091d6233d01a747af36e011

      • In the Gateway Access Control section, you can view the whitelists that are configured for access over a VPC and the Internet. For more information about how to configure a whitelist for a dedicated gateway, see Step 2: Configure access control.

    • View the log and monitor metrics

      On the Dedicated Gateway tab, click the name of the desired dedicated gateway.

      • Go to the Log tab. If you are using for the first time, click Enable Now. On the dialog box that appears, activate the required items and click Enable.

      • Go to the Monitoring tab. If you are using for the first time, click Enable Now. On the dialog box that appears, activate the required items and click Enable.

    • Update a dedicated gateway

      On the Dedicated Gateway tab of the Elastic Algorithm Service (EAS) page, click Update in the Actions column to update the specifications and network points of a gateway. The changes take effect in about 3 to 5 minutes.

    • Set a dedicated gateway as the default gateway

      Click Set as Default in the Actions column of the dedicated gateway. If you want to deploy a service and configure a dedicated gateway for the service, the system automatically selects the dedicated gateway that you set as the default. You can also click Disable Default in the Actions column.

    • Configure a whitelist for a dedicated gateway

      Click Access Control in the Actions column of the dedicated gateway. For more information, see Step 2: Configure access control.

    • Delete a dedicated gateway

      Click Delete in the Actions column.

    References

    EAS provides the following methods to call services: Internet access, VPC access, and VPC direct connection For more information, see Overview.