PrivateLink allows instances within a VPC to access PAI services over a private network. This eliminates the need for a public IP and avoids the security risks of data transmission over the public internet.
Background
PrivateLink is an Alibaba Cloud networking service. By creating an interface endpoint in your VPC, your instances can call PAI APIs without a public IP. All network traffic remains within the Alibaba Cloud internal network.
PrivateLink vs. VPC: A VPC (Virtual Private Cloud) is a private network space you create on Alibaba Cloud. PrivateLink is a service that creates private connections from your VPC to Alibaba Cloud services. It works by creating an "interface endpoint" within the VPC to ensure that traffic to Alibaba Cloud services is routed exclusively through the Alibaba Cloud internal network.
PAI services that support private access
The following PAI sub-services currently support private access through PrivateLink:
Service name | Endpoint service name | VPC endpoint | Supported regions |
PAI-AIWorkspace |
|
| China (Ulanqab), China (Hangzhou), and China (Beijing). Support for other regions will be announced in future updates. |
PAI-DLC |
|
| |
PAI-DSW |
|
|
Replace {RegionId} with the Region ID for your region, such as cn-wulanchabu, cn-hangzhou, or cn-beijing. For the Region IDs of other regions, see PAI-DLC Service Endpoints and PAI-DSW Service Endpoints.
Create an endpoint
Console
The following steps use the PAI-DLC service as an example.
Log on to the PrivateLink console and click Create endpoint on the Interface Endpoint tab.
On the endpoint page, configure the following parameters:
Basic information
Region: Select the region where the PAI service endpoint is located.
Endpoint Name: For example,
privateLink_dlc.
Type: Select Alibaba Cloud service.
Available services: Select the PAI service that you want to access based on the endpoint service name in the table above. For example, for PAI-DLC, search for and select
com.aliyuncs.privatelink.cn-hangzhou.pai-dlc.Network configurations
VPC: Select a VPC in the same region as the endpoint.
Availability Zone and VSwitch: To ensure high availability, select VSwitches in at least two different availability zones.
IP version: Only IPv4 is supported.
Security group: Associate a security group with the interface endpoint. This group controls inbound traffic to the elastic network interfaces in the endpoint's availability zones.
For more information about configurations and PrivateLink, see the following topics:
API
Call the CreateVpcEndpoint API to create an interface endpoint.
Test connectivity
After you create the endpoint, log on to an ECS instance in the same VPC to test connectivity.
Create an ECS instance. For the VPC, select the same VPC as the endpoint.
Test the connectivity to the interface endpoint.
On the endpoint details page, switch to the Zones and ENIs tab to get the IP address of the elastic network interface.
Connect to the ECS instance and run the following command. A successful ping response confirms that the ECS instance can reach the interface endpoint.
ping <ip-address-of-the-eni>
Test connectivity to the PAI service. The following example uses the PAI-DLC service in the China (Hangzhou) region:
# Test service access by using the VPC endpoint FQDN (Example: PAI-DLC in China (Hangzhou)) curl -sI https://pai-dlc-vpc.cn-hangzhou.aliyuncs.comA successful response is similar to the following:
Notes
When calling a PAI API using a VPC endpoint, the ECS instance must be in the same VPC as the interface endpoint. Otherwise, the call fails.
PAI-AIWorkspace is currently available in the China (Ulanqab), China (Hangzhou), and China (Beijing) regions. Support for other regions will be announced in future updates.
To ensure high availability, configure the interface endpoint across multiple availability zones. This prevents service disruptions from a single-zone failure.