All Products
Search

This Product

    Platform For AI:Improve internet access with a private NAT gateway

    Document Center

    Platform For AI:Improve internet access with a private NAT gateway

    Last Updated:May 27, 2026

    DSW and DLC instances use a bandwidth-limited shared gateway by default, and VPC-based instances have no internet access. To enable dedicated high-speed access, create an Internet NAT Gateway for the VPC, bind an Elastic IP Address (EIP), and configure a Source Network Address Translation (SNAT) entry.

    Prerequisites

    • A VPC and vSwitch are created for the DSW instance. To avoid IP conflicts with PAI cluster CIDR blocks, we strongly recommend using the 192.168.0.0/16 CIDR block. Create and manage a VPC.

    • A security group is created for the VPC. Create a security group.

    Billing

    Internet NAT Gateway and Elastic IP Address (EIP) are billed separately. Charges continue to accrue even if your DSW instance is stopped. To avoid unwanted charges, delete these resources when you no longer need them.

    Procedure

    The following steps use a DSW instance as an example. The same procedure applies to DLC instances.

    1. Create an Internet NAT Gateway. In the NAT Gateway console, create an Internet NAT Gateway with the following key parameters. Create an Internet NAT gateway.

      If you have multiple Internet NAT Gateways in your VPC, see High-availability deployment for Internet NAT Gateways in a single zone for network design and deployment guidance.

      Parameter

      Description

      Region

      Select the same region as your VPC. If you do not specify a region, it defaults to your VPC's region.

      Network and Zone

      Select the VPC and vSwitch used by your DSW instance.

      EIP

      If no EIP is available, click Purchase EIP and follow the on-screen instructions. We recommend setting Peak Bandwidth to a high value.

    2. Create an SNAT entry. On the Internet NAT Gateway page, click the gateway name. On the SNAT tab, click Create SNAT Entry. Set the scope to VPC and select a single IP address, or multiple addresses if you purchased multiple EIPs. Create an SNAT entry.image.png

    3. Configure network parameters. Log on to the PAI console. In the upper-left corner, select the same region as your VPC. On the DSW instance creation page, configure the following network parameters. For an existing instance, click Change Settings. Create a DSW instance.

      Parameter

      Description

      VPC Settings

      This parameter can be configured only when you use a Resource Quota.

      Select the VPC, vSwitch, and security group that you created.

      Security Group ID

      vSwitch ID

      Internet Access Gateway

      Select Private Gateway. The instance then uses a private internet gateway. Without an Internet NAT Gateway, EIP, and SNAT entry configured, the instance cannot access the internet.

    4. Test the connectivity.

      1. Open your DSW instance and click Terminal in the top menu bar.

      2. Run ping www.aliyun.com to test connectivity.

        Reply packets confirm that the instance can access the internet through the private gateway.

        Expected output:

        PING www.aliyun.com.w.cdngslb.com (47.118.XX.XX) 56(84) bytes of data.
64 bytes from 47.118.XX.XX (47.118.XX.XX): icmp_seq=1 ttl=59 time=5.96 ms
64 bytes from 47.118.XX.XX (47.118.XX.XX): icmp_seq=2 ttl=59 time=5.83 ms
64 bytes from 47.118.XX.XX (47.118.XX.XX): icmp_seq=3 ttl=59 time=5.83 ms
64 bytes from 47.118.XX.XX (47.118.XX.XX): icmp_seq=4 ttl=59 time=5.84 ms
64 bytes from 47.118.XX.XX (47.118.XX.XX): icmp_seq=5 ttl=59 time=5.86 ms

    Appendix: Prevent an instance from accessing the internet

    To block internet access for DSW or DLC instances, set Private Gateway to Private Gateway during instance configuration without creating an Internet NAT Gateway, EIP, or SNAT entry. The instance can then access only data within the VPC.