Elastic Algorithm Service (EAS) of Platform for AI (PAI) provides the dedicated gateway feature to meet your requirements for security isolation and access control. Dedicated gateways allow you to configure networks in a flexible manner and configure whitelists and custom domain names for access over virtual private clouds (VPCs) and the Internet. Dedicated gateways can also help you reduce network risks in high-concurrency and high-throughput business scenarios. This topic describes how to use dedicated gateways.
Billing
The dedicated gateway feature supports the pay-as-you-go and subscription billing methods. For more information, see Billing of EAS. When you use dedicated gateways, you are charged PrivateLink fees, including instance fees and data transfer fees. For more information, see Billing overview.
Procedure
Internet access: By default, you cannot access the dedicated gateway over the Internet. You can enable Internet access and configure a whitelist to manage access.
VPC access: After you attach a dedicated gateway to a VPC, devices in the VPC can access the dedicated gateway by using a private endpoint. You can configure a whitelist to further manage access.
Access over a custom domain name: You can configure custom domain names and certificates to provide services over the Internet.
After you create a dedicated gateway, you can change the gateway specifications and the number of gateway nodes. The changes take effect in approximately 3 to 5 minutes.
You can configure a dedicated gateway as the default gateway. If you want to deploy a service and configure a dedicated gateway for the service, the system automatically selects the default dedicated gateway.
By default, the logging and monitoring features are disabled. To enable the logging and monitoring features, click Enable Now on the Logs tab or the Monitoring tab of the dedicated gateway details page.
Step 1: Create a dedicated gateway
Log on to the PAI console. Select a region on the top of the page. Then, select the desired workspace and click Enter Elastic Algorithm Service (EAS).
On the Elastic Algorithm Service (EAS) page, click the Dedicated Gateway tab. On the tab that appears, click Create Dedicated Gateway and select Create Dedicated Gateway (Subscription) or Create Dedicated Gateway (Pay-as-you-go) based on your business requirements.
On the EAS dedicated gateway prepay page, configure the parameters. For more information about how to configure gateway specifications, see Appendix: Capacity and QPS of dedicated gateways. After you configure gateway specifications, you can view the unit price of the specifications in the lower-right corner of the page.
After you configure the parameters, click Buy Now. Confirm the order and complete the payment by following the on-screen instructions.
You can view the dedicated gateway that you purchased in the dedicated gateway list. After the status changes to Running, you can use the dedicated gateway.
Step 2: Configure access control
Configure Internet access
Enable Internet access.
On the Dedicated Gateway tab, click the name of the dedicated gateway.
In the Gateway Access Control section of the dedicated gateway details page, click the Internet tab.
Turn on Access Portal. In the Enable Internet Access message, click OK.
After the status changes to Activated, Internet access is enabled for the dedicated gateway.
Configure a whitelist for Internet access.
By default, you cannot access the dedicated gateway over the Internet after the status of Internet access changes to Activated. You must perform the following steps to add CIDR blocks to the whitelist:
On the Internet tab, click Add to Whitelist.
In the Add to Whitelist panel, configure the parameters described in the following table and click Confirm.
| Parameter | Description |
| --- | --- |
| CIDR Block | Configure the CIDR blocks that you want to add to the whitelist, such as 192.0.2.0/24. Separate multiple CIDR blocks with commas (,) or line breaks. If you want to enable access from all IP addresses, add 0.0.0.0/0. |
| Note | Specify a description to identify a whitelist. |
You can click Add to add new whitelists. You can add up to 15 CIDR blocks.
Check the Internet connectivity of the dedicated gateway. For example, add the public IP address of an on-premises device to the whitelist.
On the Internet tab, find the endpoint.
Access the endpoint from an on-premises terminal. The following output indicates that the IP address is allowed to access the dedicated gateway over the Internet.
Disable Internet access.
On the Internet tab, turn off Access Portal to disable Internet access for the dedicated gateway.
Access the endpoint from an on-premises terminal. The following output indicates that Internet access is disabled.
Configure VPC access
Add a VPC.
On the Dedicated Gateway tab of the Elastic Algorithm Service (EAS) page, click the name of the dedicated gateway.
In the Gateway Access Control section of the dedicated gateway details page, click the VPC tab. On the VPC tab, click Add VPC.
In the Add VPC dialog box, select a VPC (ID) and a vSwitch. If no VPC and vSwitch are available, you can click Create VPC and Create vSwitch. Then, click OK.
Note: If the following error message appears when you add a VPC, select a vSwitch in a supported zone.
Vswitch vsw-2zeqwh8hv0gb96zcd**** in zone cn-beijing-g is not supported, supported zones: [cn-beijing-i cn-beijing-l cn-beijing-k]
After the status changes to Running, the VPC is added.
Configure a whitelist for VPC access.
After the VPC is added, the system automatically adds a whitelist with the entry 0.0.0.0/0 to the VPC, which allows connection from all CIDR blocks in the VPC. To modify the whitelist, perform the following steps:
In the VPC list, find the desired VPC and click Modify Whitelist in the Configure Whitelist column.
In the Modify Whitelist panel, configure the parameters described in the following table.
| Parameter | Description |
| --- | --- |
| CIDR Block | Delete 0.0.0.0/0 and add the desired CIDR blocks. Example: 10.0.0.0/16. Separate multiple CIDR blocks with commas (,) or line breaks. |
| Note | Specify a description to identify a whitelist. |
You can click Add to add new whitelists. You can add up to 15 CIDR blocks.
After you configure the whitelist, click Confirm.
Check the VPC connectivity of the dedicated gateway.
On the VPC tab, find the endpoint.
Access the endpoint on a terminal that resides in the VPC. The following output indicates that the dedicated gateway can be accessed by using the VPC whitelist.
Note: You can access the dedicated gateway not only from the zone in which the vSwitch is attached to the dedicated gateway but from all zones in the VPC.
Disable VPC access.
In the VPC list, click Delete in the Configure vSwitch column.
Access the endpoint on a terminal that resides in the VPC. The following output indicates that VPC access is disabled.
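The whitelist rules in Step 2 (CIDR blocks separated by commas or line breaks, at most 15 per whitelist, 0.0.0.0/0 added by default for a VPC, no Internet access until a block is added) can be checked locally before the values are entered in the console. The following Python script is an added example, not part of the original page or of PAI; the function names, the `min_prefix` review threshold and the sample addresses are assumptions, and it models the documented behaviour rather than the gateway's own parser.

```python
import ipaddress
import re

MAX_CIDR_BLOCKS = 15  # per-whitelist limit stated in Step 2


def parse_whitelist(text):
    """Parse CIDR blocks separated by commas or line breaks, as entered in the console."""
    entries = [e.strip() for e in re.split(r"[,\r\n]+", text) if e.strip()]
    if len(entries) > MAX_CIDR_BLOCKS:
        raise ValueError(f"{len(entries)} CIDR blocks, limit is {MAX_CIDR_BLOCKS}")
    # strict=True raises ValueError when host bits are set, e.g. 192.0.2.7/24
    return [ipaddress.ip_network(e, strict=True) for e in entries]


def audit_whitelist(networks, min_prefix=16):
    """List entries that allow everything, are very broad, or are redundant.

    min_prefix is a hypothetical review threshold, not a gateway setting.
    """
    findings = []
    for net in networks:
        if net.prefixlen == 0:
            findings.append(f"{net}: allows every address")
        elif net.prefixlen < min_prefix:
            findings.append(f"{net}: broader than /{min_prefix}")
    for a in networks:
        for b in networks:
            if a != b and a.version == b.version and a.subnet_of(b):
                findings.append(f"{a}: already covered by {b}")
    return findings


def is_allowed(client_ip, networks):
    """Model the whitelist decision: an empty list admits no one."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in networks)


if __name__ == "__main__":
    # Constructed inputs that reuse the example ranges from the tables above.
    internet = parse_whitelist("192.0.2.0/24, 203.0.113.7/32")
    vpc_default = parse_whitelist("0.0.0.0/0")
    vpc_tight = parse_whitelist("10.0.0.0/16\n10.0.8.0/24")
    print(is_allowed("192.0.2.55", internet), is_allowed("198.51.100.9", internet))
    print(audit_whitelist(vpc_default))
    print(audit_whitelist(vpc_tight))
```

Run the audit against the VPC whitelist right after a VPC is added: the automatically created 0.0.0.0/0 entry is reported until it is replaced with the intended CIDR blocks.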
Step 3: Create a service and associate the service with the dedicated gateway
Log on to the PAI console. Select a region on the top of the page. Then, select the desired workspace and click Enter Elastic Algorithm Service (EAS).
On the Inference Service tab of the Elastic Algorithm Service (EAS) page, click Deploy Service. On the Deploy Service page, click Custom Deployment in the Custom Model Deployment section.
In the Features section of the Custom Deployment page, turn on Dedicated Gateway and select the dedicated gateway that you created. For information about other parameters, see Deploy a model service in the PAI console.
After you configure the parameters, click Deploy.
After the service status changes to Running, the service is deployed.
Step 4: (Optional) Use a custom domain name for the dedicated gateway
(Optional) Manage digital certificates
If you use HTTPS to access services, you must maintain an SSL certificate for a custom domain name in Certificate Management Service before you can configure the custom domain name for the dedicated gateway.
Log on to the Certificate Management Service console. In the left-side navigation pane, choose Certificate Management > SSL Certificate Management.
If the custom domain name does not have a certificate, you can purchase a certificate or upload an existing certificate. For more information, see Purchase SSL certificates and Upload a certificate.
Specify a custom domain name for Internet access
On the dedicated gateway details page, click the Domain Name tab. On the Domain Name tab, click Create Domain Name. In the Create Domain Name panel, configure the custom domain name based on the configurations shown in the following figure.
If you deployed a service by using the dedicated gateway, you must wait for a few minutes (5 minutes at most) to allow the configuration to take effect after you configure the custom domain name for Internet access. View the service calling information. If the domain name in the public endpoint is the custom domain name that you configured for Internet access, the custom domain name has taken effect.
Configure Internet access. Add a CNAME Domain Name System (DNS) record for the custom domain name to point the custom domain name to the public endpoint of the dedicated gateway.
On the Gateway tab of the dedicated gateway details page, view the public endpoint of the dedicated gateway.
In this example, Alibaba Cloud authoritative DNS resolution is used; the procedure is similar for other cloud vendors. Log on to the Alibaba Cloud DNS console. On the Authoritative Domain Names tab of the Authoritative DNS Resolution page, find the custom domain name that you want to manage (you must manually add a domain name that is not registered on Alibaba Cloud) and click DNS Settings in the Actions column. On the page that appears, click Add DNS Record. In the Add DNS Record dialog box, set Record Type to CNAME, Hostname to the custom domain name, and Record Value to the public endpoint of the dedicated gateway that you obtained in Step a. For more information, see Add a domain name and Add DNS records.
Specify a custom domain name for VPC access
On the details page of the dedicated gateway, click the Domain Name tab. On the Domain Name tab, click Create Domain Name. In the Create Domain Name panel, configure the custom domain name based on the configurations shown in the following figure.
If you deployed a service by using the dedicated gateway, you must wait for a few minutes (5 minutes at most) to allow the configuration to take effect after you configure the domain name for VPC access. View the service calling information. If the domain name in the private endpoint is the custom domain name that you configured for VPC access, the custom domain name has taken effect.
Step 5: Call the service
On the Inference Service tab of the Elastic Algorithm Service (EAS) page, find the desired service and click Invocation Method in the Service Type column. In the Invocation Method dialog box, view the public and private endpoints on the Public Endpoint and VPC Endpoint tabs.
Run the curl command to initiate a request and check whether the command output is returned as expected.
Call the service by using the public endpoint: You can call the service on an on-premises terminal by using the endpoint and token on the Public Endpoint tab.
Call the service by using the private endpoint: You can call the service on a terminal that resides in the VPC by using the endpoint and token on the VPC Endpoint tab.
curl <URL> -H'Authorization:<Token>'
The following example describes a GET request that does not contain parameters and for which True is returned as expected.
References
EAS provides the following methods for calling services: Internet access, VPC access, and VPC direct connection. For more information, see Overview.