Connect VPC to Model Studio APIs Securely via PrivateLink - Alibaba Cloud Model Studio - Alibaba Cloud - Alibaba Cloud Model Studio

Create a PrivateLink endpoint to call model or application APIs directly from a virtual private cloud (VPC). It restricts all communication to the Alibaba Cloud internal network and not passing through the internet.

How it works

After you create an interface endpoint in a VPC, PrivateLink establishes a private, unidirectional connection between your VPC and Model Studio. This connection only allows resources in your VPC to access Model Studio. Model Studio cannot access resources in your VPC.

When computing resources in the VPC access the endpoint, traffic is forwarded to Model Studio through PrivateLink and does not pass through the internet.

The endpoint must be in the same region as the Model Studio service. To use a VPC in another region, see Cross-region private access.

Region:

Public cloud: Singapore, China (Beijing).
Private network access is not currently supported in the US (Virginia) region.

Access APIs using an endpoint

Step 1: Create an interface endpoint

Public cloud

Log on to the Endpoint console.
If this is your first time using endpoints, follow the on-screen instructions to activate PrivateLink.
On the Interface Endpoint tab, click Create Endpoint and configure the following parameters. Use the default values for other parameters.
- Region: Based on your Model Studio service region, select Singapore or China (Beijing).
- Endpoint Name: Enter a custom name, such as modelstudio-privatelink-endpoint.
- Endpoint Type: Select Interface Endpoint.
- Endpoint Service: Select Alibaba Cloud Service. In the search box, search for and select com.aliyuncs.dashscope.
- VPC: Select the VPC from which you want to access Model Studio. The endpoint is created in this VPC. Resources in the VPC, such as ECS instances and containers, can then access Model Studio through the endpoint.
- Zone and vSwitch: An endpoint elastic network interface (ENI) is created in the zone corresponding to the selected vSwitch. Select vSwitches in at least two different zones for high availability. If a zone fails, traffic is automatically switched to an ENI in another zone to prevent service interruption.
- Security Group: Select a security group to associate with the endpoint ENI. Ensure that the security group allows inbound access on port 80 (HTTP) and port 443 (HTTPS).
Click Create to complete the process.

Step 2: Get the endpoint service domain name

Public cloud

After the interface endpoint is created, get the service domain name from the details page.

The Default Domain Name supports only HTTP. For HTTPS, use a Custom Domain Name.

Step 3: Call and verify

Replace the domain name in the Model Studio API base_url with the endpoint service domain name from the previous step. Then, make the call from the corresponding VPC.

Public cloud

The following example shows how to call the Qwen text model in the Singapore region in OpenAI compatible mode:

Before: https://dashscope-intl.aliyuncs.com/compatible-mode/v1/chat/completions
After:
- Default Domain Name: http://ep-***.dashscope.ap-southeast-1.privatelink.aliyuncs.com/compatible-mode/v1/chat/completions
- Custom Domain Name: https://vpc-ap-southeast-1.dashscope.aliyuncs.com/compatible-mode/v1/chat/completions

Call example:

HTTP

# Replace the original domain name with the endpoint service domain name from the previous step.
curl -X POST http://ep-***.dashscope.ap-southeast-1.privatelink.aliyuncs.com/compatible-mode/v1/chat/completions \
-H "Authorization: Bearer $DASHSCOPE_API_KEY" \
-H "Content-Type: application/json" \
-d '{
    "model": "qwen-flash",
    "messages": [
        {
            "role": "system",
            "content": "You are a helpful assistant."
        },
        {
            "role": "user", 
            "content": "Who are you?"
        }
    ]
}'

OpenAI Python SDK

import os
from openai import OpenAI

client = OpenAI(
    api_key=os.getenv("DASHSCOPE_API_KEY"),
    # Replace the original domain name with the endpoint service domain name from the previous step.
    base_url="http://ep-***.dashscope.ap-southeast-1.privatelink.aliyuncs.com/compatible-mode/v1",
)
completion = client.chat.completions.create(
    model="qwen-flash",
    messages=[
        {'role': 'system', 'content': 'You are a helpful assistant.'},
        {'role': 'user', 'content': 'Who are you?'}],
)
print(completion.model_dump_json())

DashScope Python SDK

import os
from http import HTTPStatus
# Use DashScope SDK v1.14.0 or later.
import dashscope
from dashscope import Generation

# Replace the original domain name with the endpoint service domain name from the previous step.
dashscope.base_http_api_url = "http://ep-***.dashscope.ap-southeast-1.privatelink.aliyuncs.com/api/v1"
dashscope.api_key = os.getenv("DASHSCOPE_API_KEY")
messages = [{
    'role': 'user', 'content': 'Who are you?'
}]
response = Generation.call(
    model="qwen-flash",
    messages=messages,
    result_format='message'
)
if response.status_code == HTTPStatus.OK:
    print(response)
else:
    print('Request id: %s, Status code: %s, error code: %s, error message: %s' % (
        response.request_id, response.status_code,
        response.code, response.message
    ))

DashScope Java SDK

// Use DashScope SDK v2.12.0 or later.
import java.util.Arrays;

import com.alibaba.dashscope.aigc.generation.Generation;
import com.alibaba.dashscope.aigc.generation.GenerationParam;
import com.alibaba.dashscope.aigc.generation.GenerationResult;
import com.alibaba.dashscope.common.Message;
import com.alibaba.dashscope.common.Role;
import com.alibaba.dashscope.exception.ApiException;
import com.alibaba.dashscope.exception.InputRequiredException;
import com.alibaba.dashscope.exception.NoApiKeyException;
import com.alibaba.dashscope.protocol.Protocol;
import com.alibaba.dashscope.utils.JsonUtils;

public class Main {
    public static GenerationResult callWithMessage() throws ApiException, NoApiKeyException, InputRequiredException {
        // Replace the original domain name with the endpoint service domain name from the previous step.
        Generation gen = new Generation(Protocol.HTTP.getValue(), "http://ep-***.dashscope.ap-southeast-1.privatelink.aliyuncs.com/api/v1");
        Message systemMsg = Message.builder()
                .role(Role.SYSTEM.getValue())
                .content("You are a helpful assistant.")
                .build();
        Message userMsg = Message.builder()
                .role(Role.USER.getValue())
                .content("Who are you?")
                .build();
        GenerationParam param = GenerationParam.builder()
                .apiKey(System.getenv("DASHSCOPE_API_KEY"))
                .model("qwen-flash")
                .messages(Arrays.asList(systemMsg, userMsg))
                .resultFormat(GenerationParam.ResultFormat.MESSAGE)
                .build();
        return gen.call(param);
    }
    public static void main(String[] args) {
        try {
            GenerationResult result = callWithMessage();
            System.out.println(JsonUtils.toJson(result));
        } catch (ApiException | NoApiKeyException | InputRequiredException e) {
            // Print the error message.
            System.err.println("An error occurred while calling the generation service: " + e.getMessage());
        }
    }
}

Before making a call, you must get an API key. To pass the API key directly, replace $DASHSCOPE_API_KEY with your API key.

Cross-region private access

Endpoints must reside in the same region as the Model Studio service. To access the service privately from a VPC in another region, complete the following steps:

Follow the instructions in the previous section to configure access to Model Studio APIs using an endpoint.
Use Cloud Enterprise Network (CEN) to connect VPCs in different regions. Note:
- Select VPCs with non-overlapping CIDR blocks at both ends to avoid conflicts that could cause connection failures.
- To establish cross-region VPC connectivity between the Chinese mainland and other regions using CEN, your account must complete enterprise identity verification.
In the security group associated with the endpoint, add an inbound rule to allow traffic on ports 80 and 443 from resources in the requester VPC.

After the configuration is complete, accessing the endpoint’s default service domain name from the requester VPC routes traffic through the Transit Router (TR) to the endpoint in the region where Model Studio is deployed.

By default, the endpoint’s default service domain name is accessible directly from the interconnected cross-region VPC. However, the custom service domain name is valid only within the VPC where the endpoint is located. To access Model Studio APIs from the requester VPC using a custom domain name, see Quickly use private domain name resolution. Create a private domain name that matches the custom service domain name, and resolve it to the endpoint’s default service domain name using a CNAME record:

Add an authoritative zone that matches the custom domain name, such as vpc-ap-southeast-1.dashscope.aliyuncs.com. For Effective Scope, choose the requester VPC.
Add a DNS record: Set the record type to CNAME, enter @ for the hostname, and enter the endpoint’s default domain name for the record value, such as ep-***.dashscope.ap-southeast-1.privatelink.aliyuncs.com.
Note: When configuring private domain name resolution, do not use underscores (_) in the host record or the full domain name. A domain name can contain only letters, numbers, and hyphens (-), such as test-for-dns.dashscope.aliyuncs.com, not test_for_dns.dashscope.aliyuncs.com.

After the configuration is complete, you can access Model Studio APIs from the requester VPC using the custom service domain name. If you use a private domain name that differs from the custom service domain name, see Configure private domain name resolution.

Billing

Using PrivateLink, CEN, and Private Zone may incur additional fees:

FAQ

Why can't my ECS instance access Model Studio APIs through a private connection?
Follow these steps to troubleshoot:
1. Confirm that the resources are in the same VPC.
  If the ECS instance and the endpoint are in different VPCs, you must first configure VPC peering.
2. Check the security group associated with the endpoint. Confirm that an inbound rule has been added to allow access on port 80 (HTTP) or port 443 (HTTPS) from the CIDR block of the requester ECS instance.
3. Confirm the endpoint service domain name.
  Private access to the Model Studio through the default service domain name supports only HTTP.
Can an endpoint be accessed from the internet?
No. PrivateLink establishes private connections within the Alibaba Cloud internal network only. Endpoints do not have internet access, and endpoint ENIs cannot be associated with elastic IP addresses (EIPs).
Why do I receive an error when I call a model using my custom domain name with internal domain name resolution?
This issue usually occurs because the host record (or full domain name) used for internal domain name resolution contains invalid characters, such as an underscore (_). Domain names should only contain letters, numbers, and hyphens (-).
Configure the DNS record as follows:
1. Authoritative zone: In Private Hosted Zone, add a DNS record for the dashscope.aliyuncs.com authoritative domain name.
2. Host record: Set Record Type to CNAME, and enter your custom domain prefix, such as test-for-dns-right. Note: Host records cannot contain underscores (_).
  Correct example
  Incorrect example
3. Record value: Enter the default service domain name of the Model Studio endpoint, such as ep-***.dashscope.ap-southeast-1.privatelink.aliyuncs.com.
After the configuration is complete, call the model using https://test-for-dns-right.dashscope.aliyuncs.com/api/v1 (or https://test-for-dns-right.dashscope.aliyuncs.com/compatible-mode/v1/chat/completions for OpenAI compatible mode).
Using a domain name with an underscore, such as https://test_for_dns_wrong.dashscope.aliyuncs.com/api/v1, will result in a call error.

Correct example	Incorrect example