All Products
Search
Document Center

Platform For AI:Access services in an instance over the public network

Last Updated:Jun 30, 2026

If you have a service, such as a model API or a web UI, running in a DSW instance, you can expose it to the internet. DSW provides the custom service feature for configuring public network access. This feature lets you access the service directly from a browser, share a public URL with collaborators for testing without requiring a login, or call the service from an external application. Note: This feature is primarily intended for development and testing.

Important notes

  • Additional charges apply: Configuring public network access requires a NAT Gateway and an EIP. These products are billed separately.

  • Supported instance types: This feature supports instances in public resource groups (where the resource specification does not start with ecs.ebm) and Lingjun intelligent computing instances. You can configure a maximum of five custom services per instance.

  • Service interruption: Stopping a DSW instance also stops its internal services and disables their public network access.

  • Production environment recommendation: For a stable, highly available, and scalable production service, deploy your model to Elastic Algorithm Service (EAS).

How it works

To make a service within a DSW instance, such as an API on port 9000, accessible from the internet, the following resources work together:

  1. EIP: Provides a fixed public IP address (for example, 121.40.**.**), which serves as the public entry point for traffic.

  2. NAT Gateway: Resides within your VPC and maps requests from the public internet (to EIP:port) to the private DSW instance (at private IP:port).

  3. Security group: Acts as a virtual firewall for your DSW instance. You must explicitly add an inbound rule that allows traffic to the specific listening port of your service (for example, 9000). This is a critical step for connectivity.

Core workflow: Public user (browser/tool) -> EIP:port -> NAT Gateway -> vSwitch -> security group rule check -> DSW instance private IP:port -> Your service

Billing

  • Billing for a NAT Gateway and an EIP starts when they are created.

  • Even if the DSW instance is stopped, as long as the NAT Gateway and EIP are not deleted, they continue to incur charges.

  • Charges for the DSW instance depend on its running status (a pay-as-you-go instance does not incur charges when stopped).

Configure public network access

Configure public access when creating an instance

  1. Create a DSW instance and configure the following key network parameters.

    • In the Network Information section, select a VPC and a security group. You can create them by following the steps below. For more information, see Create a VPC and vSwitch and Manage security groups. Note: The VPC and security group must be in the same region as the DSW instance.

      Create VPC, vSwitch, and security group

      1. On the DSW configuration page, click Create VPC.

        imageConfigure the VPC name, IPv4 CIDR block, and vSwitch information. Keep the default values for other parameters and click OK to create the VPC and vSwitch.

        image

      2. Select the VPC you just created from the VPC Settings list.

      3. Click Create Security Group, keep the default values for the parameters, and then click Create. Then, return to the DSW configuration page and select the security group you just created from the Security Group ID list.

        image

        Make sure that the security group allows inbound access on port 22.

        image

    • Find the Service Access and Port Configuration section, click Add, enter a Service Name and the Listener Port (for example, 9000). Select the Access over Internet checkbox and set the Internet Access Port (for example, 9000). Click DNAT+EIP, and then select your NAT Gateway and EIP. You can create a NAT Gateway and an EIP by following the steps below. Note: The NAT Gateway and EIP must be in the same region as the DSW instance.

      Create a NAT gateway and an EIP

      1. Click Create NAT Gateway.

        image

        On the NAT gateway creation page, configure the parameters or use the default values. Then, click Create EIP.

        image

      2. On the elastic IP address creation page, configure the parameters or use the default values. Then, click Buy Now.

      3. Return to the NAT gateway creation page. For Elastic IP Address Instance, select the instance that you just created. Then, click Buy Now to create the NAT gateway.

      Alternatively, you can select the NLB option. When creating the NLB, set the instance network type to Public and select the same VPC as your DSW instance. For detailed instructions, see Use NLB to achieve load balancing for IPv4 services.

      Note

      If multiple DSW instances share the same DNAT and EIP (or NLB), you must use different public access ports for each instance.

  2. In the selected security group, configure an inbound rule for the service's listening port. For detailed instructions, see Create a security group. Set the following parameters:

    • Action: Allow

    • Protocol Type: Select based on your service (for example, TCP).

    • Port Range: Enter the listening port you configured (for example, 9000/9000).

    • Source: 0.0.0.0/0 (allows access from all public IP addresses for testing) or a specific IP range as needed. For production environments, we strongly recommend restricting the source IP address range.

      After you complete the configuration, a rule appears in the inbound rules list of the security group. The rule's protocol is Custom TCP, its port range is 9000/9000, and its source is 0.0.0.0/0.

Configure public access for an existing instance

To configure public network access for an existing DSW instance, use one of the following methods.

Note: To add or change network resources such as a VPC or a NAT Gateway, you must use the Change Settings option, which requires restarting the instance.

Instance details page

On the DSW instance list page, click the instance name to open its details page, where you can modify the public network access configuration.

On the instance details page, in the Access Configurations section, find the Custom Service row and click the corresponding Modify button to configure public network access. If you need to open a port, you can find the Security Group ID (for example, sg-bp1g37d4lmajq...) in the Network Information section and add the required rule to that security group.

DSW instance

Inside the DSW development environment, you can click Change Settings at the top of the page to modify a custom service.

In the left navigation pane, click Access Configurations. In the custom service area, you can view configured services (such as the service name gradio and listening port 9000), their public access URLs, and their configuration status. Click Modify to edit the custom service.

In the left-side menu, click Network. The network details appear on the right. Find and note the Security Group ID (for example, sg-bp1g37d4lmajugsicmz2) for later use when configuring security group rules.

Test connectivity

  1. In the DSW Terminal, run the following commands to start Python’s built-in HTTP server.

    # Create an HTML file with test content
    echo 'Hello, World!' > index.html
    # Start Python's built-in HTTP server (listening on port 9000)
    python -m http.server 9000 --bind 0.0.0.0
  2. On the instance details page, get the access URL from the Access Configurations section.

    In the Access Configurations section, find the URL in the Public Access column. This URL is available once the Configuration Status is Ready.

    For example, copy the public access URL 121.40.**.**:9000 and open it in your browser. If Hello, World! is displayed, the service is configured correctly.

Production recommendations

  • For development and testing only: The public network access feature in DSW is designed for temporary testing and collaborative debugging.

  • Deploy to EAS for production: For production inference services, deploy them to Elastic Algorithm Service (EAS). EAS provides:

    • High availability and load balancing.

    • Auto scaling to handle traffic fluctuations.

    • Comprehensive monitoring, alerting, version management, and canary releases.

    • Optimized integration and billing for public network access. For more information, see Deploy a model as an online service.

  • Save costs:

    • When a DSW instance is stopped: A pay-as-you-go DSW instance stops incurring charges. However, the associated NAT Gateway and EIP continue to be billed as long as they exist.

    • If public network access is no longer needed: Be sure to delete the associated NAT Gateway and EIP to stop the related charges. You can do this from the VPC console and the EIP console.

FAQ

Q: I configured public network access, but I can't connect. I see errors like This site can't be reached, Connection refused, or Timeout.

  • Step 1: Check your security group rules. (Most common cause)

    • Verify that an inbound rule has been added to the security group.

    • Does the rule's port range include the port you configured (for example, 9000)?

    • Does the rule's source include your public IP address or 0.0.0.0/0?

    • Is the protocol type (TCP/UDP) correct?

  • Step 2: Confirm your service is running and listening on the correct port.

    • In the DSW instance Terminal, use netstat -tunlp | grep <port_number> (for example, netstat -tunlp | grep 9000) to check if a service is listening on the port.

    • Ensure your application process is running and listening on the configured port.

  • Step 3: Check the status of the NAT Gateway and EIP.

    • In the VPC console, confirm that the NAT Gateway status is Running.

    • In the EIP console, confirm that the EIP status is Associated and that your account has no overdue payments.

  • Step 4: Test locally. In the DSW instance, try using curl http://localhost:<port_number> or curl http://<instance_private_IP>:<port_number> to see if the service responds.

  • Step 5: Use network diagnostic tools.

    • Alibaba Cloud VPC provides Network Intelligence Service (NIS) to help diagnose path issues. NIS requires activation before use.

    • In the DSW instance, run telnet <EIP> <port> to test port connectivity. You may need to install telnet first if it is not installed.

Q: After I stop my DSW instance, will I still be charged for public network access?

Yes. A pay-as-you-go DSW instance stops incurring charges when it is stopped. However, the associated NAT Gateway and EIP are independent resources and will continue to be billed until deleted. Be sure to delete them manually to save costs.

Q: Can one EIP map to multiple ports?

Yes. You can map multiple service ports (up to five) from the same DSW instance through a single EIP and NAT Gateway. You can access each service by using EIP:different_port.

Q: Why can't I find the VPC or NAT Gateway I created in the dropdown list?

  • The most common reason is a region mismatch. Check that the current region selected in the upper-left corner of the DSW page is the same as the region of your VPC or NAT Gateway. DSW instances can only use VPCs and NAT Gateways from the same region.

  • The dropdown list has not updated. If you just created the VPC or NAT Gateway, wait for the resource creation to complete, and then click the refresh icon image on the DSW configuration page to reload the list.