Expose services running in a DSW instance to the internet by configuring public network access through a NAT Gateway and EIP.
Limits
Additional charges: Public network access requires a NAT Gateway and an Elastic IP Address (EIP). These resources are billed independently.
Supported instance types: Only instances in public resource groups (resource specifications not starting with
ecs.ebm) and Lingjun intelligent computing instances are supported. Maximum five custom services per instance.Instance stop disrupts access: Stopping a DSW instance also stops all its internal services and public network access.
Use EAS for production: For stable, scalable production services, deploy your model to Elastic Algorithm Service (EAS).
How it works
To make a service in a DSW instance (for example, an API on port 9000) accessible from the internet, the following resources are required:
Elastic IP Address (EIP): A fixed public IP address (for example,
121.40.**.**) that serves as the entry point for public traffic.NAT Gateway: Maps public requests from
EIP:portto the DSW instance's private address (private IP:port) within your VPC.Security group: Controls inbound traffic to the DSW instance. Add an inbound rule to allow traffic on your service port (for example,
9000).
Core workflow: Internet user (browser/tool) -> EIP:port -> NAT Gateway -> vSwitch -> security group rule check -> DSW instance private IP:port -> Your service
Billing
NAT Gateway and EIP billing starts at creation.
Even when the DSW instance is stopped, the NAT Gateway and EIP continue to incur charges until deleted.
Pay-as-you-go DSW instances do not incur charges when stopped.
Configure public network access
Configure during instance creation
Create a DSW instance and configure the following network parameters.
In the Network Information section, select a VPC and security group. For more information, see Create a VPC and vSwitch and Manage security groups. The VPC and security group must be in the same region as the DSW instance.
Create a VPC, vSwitch, and security group
On the DSW configuration page, click Create VPC.
Configure the VPC name, IPv4 CIDR block, and vSwitch information. You can use the default values for other parameters. Then, click OK to create the VPC and vSwitch.
Return to the DSW configuration page and select the VPC you just created in the VPC Settings field.
Click Create Security Group. You can use the default parameters and click OK to create it. Then, return to the DSW configuration page and select the security group you just created for the Security Group ID field.
Ensure that the security group allows inbound access on port 22.
Find the Custom Services section and click Add. Enter the Port that your service listens on (for example,
9000), select the Access over Internet checkbox, and then select a NAT Gateway and EIP. The NAT Gateway and EIP must be in the same region as the DSW instance.Click Create NAT Gateway.
On the NAT Gateway creation page, configure the parameters as needed or use the default values. Then, click Create EIP.
On the Elastic IP Address creation page, configure the parameters as needed or use the default values, then click Buy Now.
Return to the NAT Gateway creation page, select the instance you just created for the EIP Instance field, and then click Buy Now to create the NAT Gateway.
In the security group, configure an inbound rule for the service port. For detailed steps, see Add a security group rule. Set the following parameters:
Action: Allow
Protocol Type: Select based on your service (for example,
TCP)Port Range: Enter the listening port you configured (for example,
9000/9000)Source:
0.0.0.0/0(allows all public IPs for testing) or a restricted IP range. For production environments, restrict the source IP addresses.
Configure for an existing instance
Modify the public network access configuration for an existing DSW instance in two ways.
Note: To add or change resources such as a VPC or NAT Gateway, use the Change Settings option, which requires an instance restart.
From the details page
On the DSW instance list page, click an instance name to open the details page and modify public network access.
From the DSW instance
In the DSW development environment, click Change Settings at the top of the page to modify custom services.
Test connectivity
In DSW Terminal, run the following commands to start a simple HTTP server.
# Create an HTML file with test content echo 'Hello, World!' > index.html # Start Python's built-in HTTP server (listening on port 9000) python -m http.server 9000 --bind 0.0.0.0On the instance details page, find the Access Configurations section to get the access URL.
Copy the public access address
121.40.**.**:9000and open it in a browser. IfHello, World!appears, the configuration is correct.
Production recommendations
Development and testing only: DSW public network access is designed for temporary testing and collaborative debugging.
Deploy to EAS for production: For production-grade inference services, deploy them to Elastic Algorithm Service (EAS). EAS provides:
High availability and load balancing.
Auto scaling to handle traffic fluctuations.
Monitoring, alerting, version management, and canary releases.
Optimized billing for public network access. For more information, see Deploy a model as an online service.
Save costs:
When a DSW instance is stopped: A pay-as-you-go DSW instance stops incurring charges, but the associated NAT Gateway and EIP continue to incur charges as long as they exist.
If you no longer need public network access: Delete the NAT Gateway and EIP to stop the associated charges. You can do this in the VPC console and the EIP console.
FAQ
Q: I have configured public network access, but browser access or external connections fail (This site can't be reached/Connection refused/Timeout)?
Step 1: Check your security group rules. Security group misconfiguration is the most common cause of connection failures.
Verify that an inbound rule exists in the security group.
Verify that the Port Range in the rule includes the port you configured (for example,
9000).Verify that the rule's source includes your public IP address or
0.0.0.0/0.Verify that the Protocol Type (TCP/UDP) is correct.
Step 2: Confirm the service is running and listening on the correct port.
In the DSW instance Terminal, use
netstat -tunlp | grep <port_number>(for example,netstat -tunlp | grep 9000) to check if a service is listening on the port.Verify that the application process is running and listening on the configured port.
Step 3: Check the status of the NAT Gateway and EIP.
In the VPC console, confirm that the NAT Gateway status is Running.
In the EIP console, confirm that the EIP status is Associated and that your account has no overdue payments.
Step 4: Test locally. In the DSW instance, try using
curl http://localhost:<port_number>orcurl http://<instance_private_IP>:<port_number>to see if the service responds.Step 5: Use network diagnostic tools.
Alibaba Cloud VPC provides Network Intelligence Service (NIS) to diagnose path issues. NIS requires activation before use.
In the DSW instance, run
telnet <EIP> <port>to test port connectivity. Installtelnetfirst if it is not available.
Q: Does public access incur charges when stopped?
Yes. A stopped pay-as-you-go DSW instance stops incurring charges. However, the associated NAT Gateway and EIP are independent resources and continue to be billed until deleted.
Q: Can one EIP map to multiple ports?
Yes. A single DSW instance supports up to five services, all accessible through the same EIP and NAT Gateway. Use EIP:different_port to access each service.
Q: Why is my VPC or NAT Gateway not listed?
Region mismatch. Verify that the region selected in the top-left corner of the DSW page matches the region of your VPC or NAT Gateway. DSW only supports VPCs and NAT Gateways in the same region.
Stale list. If you just created the VPC or NAT Gateway, wait for resource creation to complete, then click the refresh icon
on the DSW configuration page to reload the list.