Directly connect to a DSW instance - Platform For AI - Alibaba Cloud Documentation Center

Data Science Workshop (DSW) offers an SSH direct connection method to address frequent reconnections and low speed issues encountered with the ProxyClient tool, providing a more stable and faster connection experience for DSW instances.

Limits

Supported DSW instance types:
- Pay-as-you-go DSW instances that are created by using public resource groups.
- DSW instances that are created by using Lingjun resources.
Limit on the number of DSW instances supported by an Internet NAT gateway.
When you use an Internet NAT gateway to connect to a DSW instance, the system automatically creates DNAT entries on the Internet NAT gateway. The system can create up to 100 DNAT entries, which means that an Internet NAT gateway can support up to 100 DSW instances. For more information, see NAT Gateway quotas.

Preparations

To create a pay-as-you-go DSW instance by using the public resource group, complete the following preparations:
- Create a virtual private cloud (VPC) and a vSwitch. For more information, see Create and manage a VPC.
- Create a security group for the VPC. For more information, see Create a security group.
To create a DSW instance by using Lingjun resources in Platform for AI (PAI), you need to purchase Lingjun resources. For more information, see Lingjun resource quotas.
If you want to connect to a DSW instance over the Internet by using on-premises CLI or other clients, you must create an Internet NAT gateway for the VPC and associate an elastic IP address (EIP) with the Internet NAT gateway. For more information, see Create and manage an Internet NAT gateway and Associate an EIP with an Internet NAT gateway.
Enable Private DNS. For more information, see Activate Private DNS.

Step 1: Obtain an SSH public key

You need first generate a public key on the client. During this process, set a password for logging on to the DSW instance. If you want to use the remote_ikernel tool for connection (see Sample scenario), do not set a password and press Enter directly. Use the following command to generate a public key:

(Recommended) Generate the public key in the default path:
```
ssh-keygen -m PEM -t rsa -b 4096
```
After you run the command, a 4096-bit RSA public key (id_rsa.pub) and a private key (id_rsa) are generated in the following directories. If an SSH key pair already exists in the directories, the existing files are overwritten. Default directories for different systems:
- Windows: the C:\Users\<username>\.ssh or C:\user \<username>\.ssh directory.
- Linux: the /root/.ssh directory for the root user, and the /home/<username>/.ssh directory for general users.
- macOS: the /Users/<username>/.ssh directory.

Generate the public key in a custom directory:

ssh-keygen -m PEM -t rsa -b 4096 -f /your/path/example_rsa # Generates example_rsa.pub and example_rsa in /your/path

Step 2: Enable direct connection for a DSW instance

When creating a DSW instance, configure the following network-related parameters. For information about other parameters, see Create a DSW instance. For an existing instance, click Change Settings to modify the parameters, then click Yes to apply the changes.

Public resource group pay-as-you-go instance configuration

Parameter		Description
Network Information	VPC	Select existing VPC, vSwitch, and security group.
	Security Group
	vSwitch
	Internet Gateway	Select based on your usage scenario: Public Gateway: DSW instances in the cluster share public bandwidth. Private Gateway: Private bandwidth. You can select different bandwidths based on your needs. If you choose this option, you must create an Internet NAT gateway for the VPC associated with the DSW instance, associate an EIP with the Internet NAT gateway, and configure an SNAT entry to allow the DSW instance to access the Internet. For more information, see Enable Internet access for a DSW instance by using a private Internet NAT gateway.
Access Configuration	SSH Public Key	Enable SSH and manually enter the content of the public key file generated in Step 1 `id_rsa.pub` into this text box. Note To enable both VPC and Internet logon, add the public keys of multiple clients at the same time. Separate public keys by pressing Enter. Up to 10 public keys can be added.
Access Configuration	SSH Access Method	Access over VPC: This method is supported by default. You can remotely connect to the DSW instance through SSH from another terminal, such as an ECS instance within the VPC. Access over Internet: Configure the following parameters to enable remote SSH connection to the DSW instance from an on-premises CLI or another terminal. NAT Gateway: Choose the Internet NAT gateway created for the VPC. EIP: Select the EIP associated with the Internet NAT gateway.

Lingjun resource group instance configuration

Parameter		Description
SSH Configuration	SSH Public Key	Activate the SSH Configuration switch and manually input the content of the public key file generated in Step 1 `id_rsa.pub` into this text box. Note To enable both VPC and Internet logon, add the public keys of multiple clients simultaneously. Separate each public key by pressing Enter. You can add up to 10 public keys.
SSH Configuration	Logon Method	Logon Over A VPC: This method is supported by default. You can remotely connect to the DSW instance by using SSH from another terminal, such as an ECS instance within the VPC. Logon Over The Internet: Add this method to the VPC logon method. Select Logon Over The Internet and configure the following parameters to enable remote SSH connection to the DSW instance from an on-premises CLI or another terminal. NAT Gateway: Choose the Internet NAT gateway created for the VPC. Elastic IP Address: Select the EIP associated with the Internet NAT gateway.

Step 3: Install the SSH server

If your DSW instance uses an official image or a custom image based on an official image, the SSH server is pre-installed, and you can skip this step. Otherwise, you must manually install the SSH server:

Go to the development environment of the DSW instance.
On the Terminal tab, run the following command.
```
sudo apt-get update
sudo apt-get install openssh-server
sudo service ssh start
```
If the command execution fails and the result is "sudo", it indicates that the command was not found. You can try executing apt-get install sudo and then run the above command again.
Check the SSH server status with the following command:
```
service ssh status
```

Step 4: Remotely connect to the DSW instance

View the access method.
On the Data Science Workshop (DSW) page, click the instance name to go to the details page of the instance. In the Access Configuration section of the Instance Settings tab, view Access over Internet and Access over VPC.
Note
If Access over Internet was not selected, only Access over VPC is displayed.
Establish a connection to the DSW instance.
Connect by using SSH
- Internet access
  Connect to the DSW instance from an on-premises CLI or another terminal by using the SSH command that you obtained in Step 1.
```
ssh root@xx.xx.xx.xx -p 1024 
# If the private key is not in the default path, specify the location of the private key
ssh -i /your/path/example_rsa root@xx.xx.xx.xx -p 1024 
```
- VPC access
  Connect to the DSW instance from another terminal such as an ECS instance in the VPC by using the SSH command that you obtained in Step 1.
```
ssh root@dsw-notebook-xxxx.dsw-xxxx.dsw.pai.alibaba.com -p 22
# If the private key is not in the default path, specify the location of the private key
ssh -i /your/path/example_rsa root@dsw-notebook-xxxx.dsw-xxxx.dsw.pai.alibaba.com -p 22
```
Connect by using local VSCode
1. Start VSCode and install the Remote - SSH plug-in in Extensions.
2. Click the lower-left corner , open the Remote-SSH pop-up window, and select Connect to Host... > Add New SSH Host....
3. Enter the SSH connection command.
```
ssh root@xx.xx.xx.xx -p 1024 
# If the private key is not in the default path, specify the location of the private key
ssh -i /your/path/example_rsa root@xx.xx.xx.xx -p 1024 
```
4. Click Connect in the lower-right corner. The instance IP address appears in the lower-left corner, showing that the DSW instance is connected.
5. Open the folder in the DSW instance to develop and debug.
6. You can also connect to the kernel of the DSW instance.

Sample scenario: Run local Notebook code on a DSW instance

Prerequisites

SSH direct connection is configured according to Step 1 to 3 and no password is set when generating the SSH public key.

Procedure

Install remote_ikernel in your local terminal and initialize it to add a remote kernel.

In this example, the remote kernel is named Remote Python.

pip install remote_ikernel

remote_ikernel manage --add \
--kernel_cmd="ipython kernel -f {connection_file}" \  # No modification is required
--name="Remote Python" \
--interface=ssh \
--host=root@*.*.*.*:1024  # Change this to your host address. If the private key is not in the default path, set it to --host="-i /your/path/example_rsa root@*.*.*.*:1024"

If the following message is returned, remote kernel is added.

Added kernel ['rik_ssh_root_121_40_*_*_1024_remotepython']: SSH root@121.40.*.*:1024 Remote Python.

To check the remote kernel configuration, run the following command:

remote_ikernel manage --show

Open a Notebook in your local VSCode. In the upper-right corner, switch the kernel to Remote Python.

FAQ

Can I use an on-premises Web IDE such as PyCharm to connect to a DSW instance?
In principle, all native SSH-based logon is supported. Take note that if you use PyCharm as a client, the automatic download and installation of the client are enabled for the DSW instance. Make sure that the specified DSW instance can access the Internet.
What do I do if I cannot access the instance by using the VPC endpoint?
- If you use a custom image, make sure that the SSH service is installed and enabled in the custom image. For more information, see Step 3: Install the SSH server.
- Make sure that an inbound rule that allows traffic over TCP port 22 exists in the security group of the instance.
- If the issue persists, contact your account manager for technical support.
What do I do if I cannot access the instance over the Internet?
- Make sure that you can access your DSW instance over the VPC endpoint.
- If you can access the instance over VPC, but not over the Internet, check whether you created multiple Internet NAT gateways in the VPC that you select.
  - If you created multiple Internet NAT gateways, check the relationships between the NAT gateways, vSwitches, and route tables based on the Deploy multiple Internet NAT gateways in one VPC topic. Make sure that the vSwitch that you specified for the DSW instance is correctly routed to the NAT gateway that you specified in the route table to allow your client to receive the response of your SSH request.
  - If you have only one Internet NAT gateway, see the "Network Connectivity" section in Troubleshooting to troubleshoot network connectivity issues. Enter the public IP address of your on-premises machine, the public EIP, and the port that is assigned to your DSW instance to analyze the network accessibility. The port that is assigned to your DSW instance can be obtained in the Logon over Internet section on the Instance Details page.

Reference

DSW allows you to use a proxy client to connect to DSW instances. For more information, see Use a proxy client to connect to a DSW instance.