AI Gateway - Edge Security Acceleration - Alibaba Cloud Documentation Center

AI Gateway is a unified API proxy service provided by ESA that deploys AI interface forwarding capabilities on edge nodes to provide observability, security protection, and performance optimization for your AI applications.

Features

AI Gateway acts as a proxy layer between your applications and AI service providers, providing the following core features:

Unified access: Connect to multiple AI service providers through a singleendpoint. Compatible with the OpenAI API standard, it allows you to switch between different models without modifying your existing code.
Performance optimization: Its intelligent cache returns results for repeated requests, reducing response latency and lowering upstream API call costs.
Security: Provides multiple layers of security, including rate limiting, IP allowlist, and API key authentication, to protect your AI services from abuse and attacks.
High availability: Ensures business continuity with automatic failover and request retries. When the primary provider's service is unavailable, AI Gateway automatically switches to a backup provider.
Observability: Provides real-time monitoring of request count, token usage, response time, and cost statistics. It also offers detailed request logs and audit trails.

How it works

AI Gateway is deployed on the global edge nodes of ESA. The request processing flow is as follows:

Request reception: The client application sends an API request to the nearest edge node through a unifiedendpoint.
Authentication: The edge node authenticates requests using methods such as an API token or IP allowlist.
Request routing: AI Gateway forwards the request to a specified AI service provider based on your configured routing rules, such as Alibaba Cloud Model Studio or OpenAI.
Result caching: The edge node caches the upstream response and returns it to the client.
Monitoring and logging: RecordsSampled Logs and metrics such asRequests,Token Usage, andError Count.

Routing mechanism: Use themodelparameter to specify the target AI model in the format{provider}/{model-name}. For example:

openai/gpt-4o: Calls the OpenAI GPT-4o model.
deepseek/deepseek-chat: Calls the DeepSeek chat model.
qwen/qwen-plus: Calls the Qwen Plus model from Alibaba Cloud Model Studio.

Use cases

Multi-model comparison testing

Scenario: You need to compare the performance, response speed, and cost of models from different providers before selecting the best one.

Solution: Use the unified interface of AI Gateway to quickly switch between different models for testing by simply changing themodelparameter. This eliminates the need to modify application code or manage multiple API keys.

Example:

import OpenAI from "openai";

const client = new OpenAI({
  defaultHeaders: {
    "esa_aigw_auth": `Bearer ESA_API_TOKEN`,
  },
  baseURL: "https://YOUR_DOMAIN/v1",
});

const response = await client.chat.completions.create({
  model: "qwen/qwen-plus",  // Specify the model to use
  messages: [{ role: "user", content: "What is Edge Security Acceleration?" }],
});

Active-standby failover

Scenario: Relying on a single AI service provider carries a risk of service disruption. You need to ensure business continuity.

Solution: Configure failover rules to automatically switch to a backup provider when the primary provider's service is unavailable. It also supports request retries.

Configuration example:

import OpenAI from "openai";

const client = new OpenAI({
  defaultHeaders: {
    "esa_aigw_auth": `Bearer ESA_API_TOKEN`,
    "x-ai-route-metadata": "YOUR_IFELSE_CONDITION_RULE",  // Required when an If...Else condition is configured
  },
  baseURL: "https://api.example.com/v1",
});

const response = await client.chat.completions.create({
  model: "dynamic/ai-test",  // Route configuration
  messages: [
    { role: "user", content: "Hello!" }
  ],
});

console.log(response.choices[0].message.content);

Security and compliance

Scenario: Enterprise applications must meet data security and compliance audit requirements.

Solution: AI Gateway provides features such as encrypted API key storage, request log retention, sensitive data masking, and access audit trails to meet compliance requirements.

Usage notes

API key management: You must configure your upstream providers' API keys in AI Gateway. Securely store and rotate your keys regularly. The keys are stored encrypted inESA.
Model compatibility: The unified interface follows the OpenAI API standard. Some provider-specific features may not be supported.
Monitoring data latency: Monitoring metrics may have a delay of 1 to 5 minutes. For scenarios that require high real-time visibility, we recommend using log analysis as a supplement.

Procedure

Prerequisites

You have added a domain name to ESA.
You have obtained an API key from an upstream AI service provider, such as aModel Studio API Key.

Step 1: Create an AI Gateway

Navigate to theAI Gatewaypage.
On theAI Gatewaypage, clickCreate AI Gateway. In the creation panel, configure the following parameters and clickOK:
- Gateway Name: Enter a name for the gateway, such asmy-ai-gateway.
- Notes: (Optional) Enter a description for the gateway.

Step 2: Configure an API key

In your new AI Gateway application, click theAPI Key Managementtab, and then clickAdd API Key.
In the Add API Key panel, configure the following parameters and clickOK:
- Name: Enter a custom name for the API key, such asqwen-api.
- AI Service Provider: Select the corresponding AI service provider from the dropdown list.
- API Key: Enter the API key.

Step 3: Add a custom domain

In your new AI Gateway application, click theFeature Configurationtab, and then clickAdd Domain Name.
In the Add Domain section, enter a custom domain prefix, such asapi-gateway. Select the domain name suggested by the console, such asapi-gateway.example.com.
ClickOK.

Note

You can enable theIdentity Verificationfeature to verify the identity of all incoming requests.

Step 4: Test the AI Gateway

You can now test the gateway:

In your new AI Gateway application, click theCall Exampletab and select a model for which you have configured an API key.
Copy the sample code from the right panel. Replace theyour_domainplaceholder with yourcustom domain name. If you enabled authentication, you must also replace theesa_api_tokenplaceholder with the system-generatedAuthentication Token.
Run the sample code. The following example uses cURL:

Route configuration

You can configure routing rules to automatically match requests to models based on their characteristics. You can also add failover rules to automatically switch to a backup provider or another model from the same provider if the primary model service becomes unavailable.

In the AI Gateway application, select theRouting Configurationtab, clickAdd Route, and enter a customNameon the page that appears.
After creating the route configuration, find it in the route list and clickActionsin theEditcolumn.
On the edit page, you can configure the model route using the visual editor:
1. Configure routing conditions: Click the add iconbetween theStartandModel Servicenodes in the visual workflow. ClickAdd Conditionto automatically generate anIf...Elseflow. Click theIf...Elsebutton in theConfigureflow, and then clickAdd Conditionin the panel that appears on the right.
  - metadata.: Enter the key to be evaluated, such astest-key.
  - Logical operator: Select a logical operator, such as equals (==) or not equals (!=).
  - Value: Enter the value for metadata., such as ok.
  Note
  By default, the flow uses the primary provider if the condition evaluates totrueand the backup provider if it evaluates tofalse. You can manually edit the model configuration to change this behavior.
2. Configure the model service: Click the add iconon both thetrueandfalsebranches. ClickAdd Model Service(or clickAdd Conditionto add a nested condition). Then, clickModel Serviceon theConfigurenode and add the model information:
  - AI Service Provider: Select an AI service provider from the dropdown list, such asQwen.
  - Model Name: Select the corresponding model from the dropdown list, such asqwen3-max.
  - API key: Select anadded API key, such asqwen-api-key.
  You can clickAdd Fallback Modelto configure a backup model for failover.
After completing the configuration, clickSave and Deploy. Subsequent requests will be routed based on matching the routing conditions against thex-ai-route-metadataheader.

Analytics and logs

ESAcollects key data for all requests that pass through AI Gateway to help you analyze the operational status of your AI applications.

In the AI Gateway application, select theAnalyticstab.
Click the filter to select a time range. The dashboard displays the following information:
- Requests: The number of requests sent through this AI Gateway during the selected time period.
- Token Usage: The estimated number of tokens used by this AI Gateway during the selected time period.
- Error Count: The number of error requests from this AI Gateway during the selected time period.
- Sampled Logs: Detailed request and response information, includingEdge Status Code,Time,Model,Request, andResponse.

Supported providers

AI Gateway supports the following mainstream AI service providers. Support for other providers will be gradually introduced.

Provider	Capabilities	Examples
Alibaba Cloud Model Studio	Qwen series	`qwen/qwen-plus`, `qwen/qwen-turbo`
OpenAI	Chat Completions, Embeddings	`openai/gpt-4o`
DeepSeek	DeepSeek series	`deepseek/deepseek-chat`

Note

Some provider-specific features, such as function calling and streaming responses, may require additional configuration or have compatibility limitations. For details, refer to the API documentation of each provider.

Billing

AI Gateway is available on aFree Versionby default. This tier is suitable for most developers and personal projects. A paid tier for enterprise users with production applications will be introduced in the future.

Feature	Free Tier
Gateway applications	1
Bindable domains	1
Route configurations	1
Monitoring history	Past 24 hours