Shared gateways, with their shared bandwidth and fixed access policies, often cannot meet the isolation and elasticity requirements of high-concurrency applications. To address this, Elastic Algorithm Service (EAS) provides a fully-managed dedicated gateway with flexible public and private network access control, support for custom domains, and dedicated bandwidth that is not contended with other tenants, which keeps the service stable and reliable.
Key features
Access control: Control public and private network access using an allowlist.
Custom domain access: Configure custom domains and certificates to expose your services.
Cross-account VPC access: Allows servers in another account's Virtual Private Cloud (VPC) within the same region to access EAS services through a private endpoint.
Cross-region VPC access: Allows cross-region VPCs to access EAS services through the gateway's private endpoint once a network connection is established.
Authoritative DNS: Provides authoritative DNS resolution when calling EAS services from other clouds or on-premises data centers, provided a network connection to Alibaba Cloud is established.
Billing
Gateway fees: Supports pay-as-you-go and subscription billing. For more information, see Elastic Algorithm Service (EAS) billing.
Additional costs:
Private network access: Incurs additional PrivateLink costs, including instance fees and data processing fees. For details, see the PrivateLink billing overview.
Public network access: Cloud Data Transfer (CDT) bills for public network traffic generated by the service. For details, see the CDT console.
1. Create a fully-managed dedicated gateway
Log on to the PAI console. Select a region at the top of the page. Then, select the desired workspace and click Elastic Algorithm Service (EAS).
On the Inference Gateway tab, click Create Dedicated Gateway, and then select Fully managed dedicated gateway.
On the EAS dedicated gateway purchase page, configure the parameters. Refer to Appendix: Dedicated gateway capacity planning to select a Gateway Specification that ensures service stability.
After configuring the parameters, click Buy Now. Follow the on-screen instructions to confirm your order and complete the payment.
You can view your purchased fully-managed dedicated gateway in the inference gateway list. You can start using the gateway when its Status is Running.
After you create a fully-managed dedicated gateway, you can update the gateway specification and replica count. The changes take about 3 to 5 minutes to take effect.
You can set a dedicated gateway as the default gateway. The system will automatically select it when you deploy new services.
2. Bind a service to the dedicated gateway
This section demonstrates how to deploy a new service and bind it to the gateway. For an existing service, you can update it to change the bound gateway.
Log on to the PAI console. Select a region at the top of the page. Then, select the desired workspace and click Elastic Algorithm Service (EAS).
On the Inference Service tab, click Deploy Service. In the Custom Model Deployment section, click Custom Deployment.
In the Network Information section, select Dedicated Gateway and choose your created gateway from the drop-down list.
3. Enable network access
3.1 Configure public network access
On the Inference Gateway tab, click the name of the target fully-managed dedicated gateway to go to its details page.
In the Gateway Access Control section, on the Internet tab, enable the Access Portal toggle. When the status is Activated, the public access channel is open.
By default, the gateway is not publicly accessible; enabling the portal only opens the channel, and callers must also be on the allowlist. Click Add to Whitelist and enter the public IP CIDR blocks that are allowed access (for example, 192.0.2.0/24).
Separate entries with a comma (,) or a newline. You can add up to 15 CIDR blocks.
To allow access from all public IP addresses, add the 0.0.0.0/0 CIDR block. Note that this leaves the service token (see section 4) as the only control over who can call the service, so prefer the specific source ranges of your callers.
Verify the public network connectivity of the fully-managed dedicated gateway.
On the Internet tab, find the Endpoint, which is the gateway's public domain name (for example, gw-c***s.aliyuncs.com; it is also shown as the Domain Name on the Public Network tab of the Gateway Access Control page). Confirm that the access status is Activated (shown as Enabled on some pages).
From a device within an allowed CIDR block, ping the domain name. Output like the following shows that the name resolves to the gateway's NLB address and that the address answers:
C:\Users\xxx>ping gw-cxxx.cn-beijing.pai-eas.aliyuncs.com
Pinging nlb-w0ncxxx.cn-beijing.nlb.aliyuncs.com [xxx] with 32 bytes of data:
Reply from xxx: bytes=32 time=24ms TTL=89
Reply from xxx: bytes=32 time=29ms TTL=89
Reply from xxx: bytes=32 time=24ms TTL=89
Reply from xxx: bytes=32 time=24ms TTL=89
Ping statistics for xxx:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 24ms, Maximum = 29ms, Average = 25ms
Because the NLB answers ICMP even when the access portal is disabled, a successful ping proves only name resolution and network reachability. To confirm that the access channel itself is open, open a TCP connection to the service port (for example, telnet to port 80, or run the curl test described in section 4).
To disable public network access, on the Internet tab, disable the Access Portal toggle.
From your local terminal, try to access the domain name. The ping command may still succeed because the name still resolves to the NLB IP address, but a telnet connection to port 80 fails, which indicates that the public access channel is closed.
C:\Users\xxx> ping gw-ccqv77ddlxxx-xxx.cn-beijing.pai-eas.aliyuncs.com
Pinging gw-ccq xxx cn-beijing.pai-eas.aliyuncs.com [47.xxx.xxx.xxx] with 32 bytes of data:
Reply from xxx: bytes=32 time=26ms TTL=89
Reply from xxx: bytes=32 time=26ms TTL=89
Reply from xxx: bytes=32 time=27ms TTL=89
Reply from xxx: bytes=32 time=26ms TTL=89
Ping statistics for 47.xxx.xxx.xxx:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 26ms, Maximum = 27ms, Average = 26ms
(base) niki@xxx ~ % telnet gw-ccqxxx.cn-beijing.pai-eas.aliyuncs.com 80
Trying 47.xx.xx.xxx...
telnet: connect to address 47.xx.xx.xxx: Bad file descriptor
telnet: Unable to connect to remote host
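A small pre-flight check for the allowlist text before you paste it into Add to Whitelist. This Python script is an added example, not part of the EAS console or any Alibaba Cloud SDK. It relies only on what this page states (entries separated by commas or newlines, at most 15 CIDR blocks) and adds three checks of its own: it rejects entries with host bits set (192.0.2.5/24 is almost always a typo for 192.0.2.5/32), warns about 0.0.0.0/0 because it leaves the service token as the only access control, and warns about overlapping or RFC 1918 entries, which waste the 15-block budget in a public allowlist. Pass public=False for the per-VPC allowlist in section 3.2, where private ranges are expected.

```python
"""Pre-flight check for a dedicated gateway allowlist (added example)."""
import ipaddress
import re

MAX_CIDR_BLOCKS = 15  # limit stated on this page for the allowlist

# RFC 1918 ranges: a request arriving over the Internet never carries one of
# these as its source address, so they are useless in the public allowlist.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_allowlist(text: str) -> list[str]:
    """Split the pasted text on commas or newlines (both accepted by the console)."""
    return [t.strip() for t in re.split(r"[,\n]", text) if t.strip()]


def validate_allowlist(text: str, public: bool = True) -> dict:
    """Check an allowlist and return {'networks', 'errors', 'warnings'}.

    errors   -> a typo or a console limit (host bits set, more than 15 blocks)
    warnings -> accepted, but worth a second look (allow-all, overlap, private range)
    Set public=False for the per-VPC allowlist, where private ranges are normal.
    """
    errors: list[str] = []
    warnings: list[str] = []
    nets = []
    for entry in parse_allowlist(text):
        try:
            # strict=True rejects 192.0.2.5/24 instead of silently dropping
            # the host bits; the operator probably meant 192.0.2.5/32.
            net = ipaddress.ip_network(entry, strict=True)
        except ValueError:
            errors.append(f"{entry}: malformed CIDR or host bits set "
                          f"(use the network address, e.g. 192.0.2.0/24)")
            continue
        if net in nets:
            warnings.append(f"{entry}: duplicate entry")
            continue
        overlaps = [str(n) for n in nets
                    if n.version == net.version
                    and (net.subnet_of(n) or n.subnet_of(net))]
        if overlaps:
            warnings.append(f"{entry}: overlaps {', '.join(overlaps)}; one of them is redundant")
        if net.prefixlen == 0:
            warnings.append(f"{entry}: admits every source address; "
                            f"the service token becomes the only access control")
        elif public and net.version == 4 and any(net.subnet_of(p) for p in RFC1918):
            warnings.append(f"{entry}: RFC 1918 range; Internet clients never "
                            f"arrive with this source address")
        nets.append(net)
    if len(nets) > MAX_CIDR_BLOCKS:
        errors.append(f"{len(nets)} blocks exceed the limit of {MAX_CIDR_BLOCKS}")
    return {"networks": [str(n) for n in nets], "errors": errors, "warnings": warnings}


if __name__ == "__main__":
    # Constructed sample input, not taken from a real gateway configuration.
    sample = "192.0.2.0/24, 198.51.100.7/32\n192.0.2.128/25\n10.0.0.0/8\n203.0.113.5/24"
    report = validate_allowlist(sample)
    for line in report["errors"]:
        print("ERROR  ", line)
    for line in report["warnings"]:
        print("WARNING", line)
    print("accepted:", report["networks"])
```

Run it on the text you intend to paste; fix every error and review each warning before clicking Add to Whitelist. Overlapping entries are not wrong, but with a hard limit of 15 blocks a /25 that sits inside an existing /24 is a slot you may need later.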
3.2 Configure private network access
On the Inference Gateway tab, click the name of the target fully-managed dedicated gateway to go to its details page.
In the Gateway Access Control section, on the VPC tab, click Add VPC and select the VPC and vSwitch that you want to connect.
You can add a VPC from a different account in the same region. After you add a VPC that belongs to Account B (Account B must have PAI-EAS, PrivateLink, and PrivateZone enabled), servers in that VPC can access EAS services that use this dedicated gateway through the VPC endpoint.
Note: Cross-account VPC access is an allowlisted feature. To enable it, submit a ticket.
In the Add VPC dialog box, enter the Account ID (for cross-account scenarios, enter the target account's UID), VPC (ID), and vSwitch ID. The vSwitch must be in an availability zone supported by the gateway (for example, cn-hangzhou-j, cn-hangzhou-k, or cn-hangzhou-i). Enable the Authoritative DNS toggle if needed, and then click OK.
Authoritative DNS: Enables authoritative DNS resolution for the gateway domain. This allows clients from other clouds or on-premises data centers to resolve the service address after a network connection with Alibaba Cloud is established. Currently, you can enable authoritative DNS in the configuration of only one VPC.
When you add a VPC, the system configures a default allowlist of 0.0.0.0/0, which permits access from every address within that VPC. If only certain subnets or hosts in the VPC should reach the service, click Modify Whitelist and narrow it to their CIDR blocks.
Verify the dedicated gateway's private network connectivity.
On the VPC tab, find the Endpoint, which is the gateway's VPC domain name, also shown in the Domain Name column of the VPC tab on the Access Control page (for example, gw-xxx.eas.aliyuncs.com).
From a terminal within the VPC, access the domain name. Output like the following shows that the name resolves to the PrivateLink endpoint and that the endpoint answers.
Note: Within the VPC, you can access the dedicated gateway from any availability zone by configuring the allowlist. Access is not limited to the availability zone of the vSwitch added to the gateway.
[root@iZ2xxx ~]# ping gw-567lydxxx-vpc.cn-beijing.pai-eas.aliyuncs.com
PING ep-2zeixxx.epsrv-2zemwo87lxxx.cn-beijing.privatelink.aliyuncs.com (192.xxx.xxx.xxx) 56(84) bytes of data.
64 bytes from 192.xxx.xxx.11: icmp_seq=1 ttl=102 time=1.11 ms
64 bytes from 192.xxx.xxx.11: icmp_seq=2 ttl=102 time=1.05 ms
64 bytes from 192.xxx.xxx.11: icmp_seq=3 ttl=102 time=0.572 ms
64 bytes from 192.xxx.xxx.11: icmp_seq=4 ttl=102 time=0.515 ms
64 bytes from 192.xxx.xxx.11: icmp_seq=5 ttl=102 time=0.519 ms
64 bytes from 192.xxx.xxx.11: icmp_seq=6 ttl=102 time=0.514 ms
64 bytes from 192.xxx.xxx.11: icmp_seq=7 ttl=102 time=0.508 ms
^C
--- ep-2zeixxx.epsrv-2zemwo87lxxx.cn-beijing.privatelink.aliyuncs.com ping statistics ---
7 packets transmitted, 7 received, 0% packet loss, time 6111ms
rtt min/avg/max/mdev = 0.508/0.682/1.107/0.252 ms
To disable VPC access, find the VPC in the list and click Delete in the Configure vSwitch column.
From a terminal within the VPC, attempts to access the domain name now fail. Both the ping and telnet commands hang and time out, which indicates that the private access channel for the dedicated gateway is closed.
[root@iZ2zef8xxx ~]# ping gw-xxx-vpc.cn-beijing.pai-eas.aliyuncs.com
PING ep-2zei6xxxlcb.epsrv-2zeute2zixxx.cn-beijing.privatelink.aliyuncs.com (1xxx) 56(84) bytes of data.
[root@iZ2zcr0StvqwCommduccSU ~]# telnet gw-ccqvxxx-vpc.cn-beijing.pai-eas.aliyuncs.com 80
Trying 1xxx...
To enable cross-region VPC access, complete the preceding steps and then perform the following actions:
Establish a network connection between the VPCs by using Cloud Enterprise Network (CEN), a VPC peering connection, or another method.
Associate the dedicated gateway with the caller's cross-region VPC.
For detailed configuration steps, see Access a fully-managed dedicated gateway across VPCs.
4. Test service calls
On the Inference Service tab, find the target service and click Invocation Method in the Service Type column.
On the Dedicated Gateway tab, get the Internet Endpoint, VPC Endpoint, and Token.
Use the curl command to send a request and verify that the response is correct.
Public call: Run the command from any machine with public internet access.
Private call: Run the command from a terminal within the connected VPC.
curl <endpoint_URL> -H 'Authorization:<token>'
The test API uses a GET request with no parameters. The expected response is True.
The token is the credential for the service: anyone who holds it and sends requests from an address permitted by the gateway allowlist can call the service, so handle it like a password rather than a configuration value.
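Because ping succeeds even when the access portal is disabled (sections 3.1 and 3.2), a dependable verification combines a TCP connection to the service port with the token-authenticated GET shown above. The Python script below is an added example, not code from this page or from Alibaba Cloud; it performs both steps and reports which layer failed, so that "no TCP path" (portal or allowlist) is distinguished from "reachable but rejected" (token or service). To run offline it includes a constructed stand-in for the test API that answers True only for the expected token; to use it for real, call smoke_test with the Internet Endpoint or VPC Endpoint and the Token from the Invocation Method dialog. It assumes port 80 for http URLs and 443 for https, and that the test API returns the body True.

```python
"""Reachability and token smoke test for a dedicated gateway endpoint (added example)."""
import http.server
import socket
import threading
import urllib.error
import urllib.request
from urllib.parse import urlparse


def tcp_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP handshake to host:port completes. Unlike ping, this fails
    when the access portal is disabled even though the name still resolves."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def call_service(endpoint_url: str, token: str, timeout: float = 10.0) -> tuple[int, str]:
    """GET the endpoint with the token in the Authorization header, the same
    request as: curl <endpoint_URL> -H 'Authorization:<token>'.
    Returns (HTTP status, response body); 4xx/5xx bodies are returned too."""
    req = urllib.request.Request(endpoint_url, method="GET",
                                 headers={"Authorization": token})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def smoke_test(endpoint_url: str, token: str) -> dict:
    """Run both checks and say which layer failed: network path or auth/service."""
    parsed = urlparse(endpoint_url)
    port = parsed.port or (443 if parsed.scheme == "https" else 80)
    if not tcp_reachable(parsed.hostname, port):
        return {"tcp": False, "status": None, "body": "", "ok": False,
                "hint": "no TCP path: check the access portal toggle and the allowlist"}
    status, body = call_service(endpoint_url, token)
    body = body.strip()
    ok = status == 200 and body == "True"
    hint = "service answered True" if ok else "reachable, but the token or the service is wrong"
    return {"tcp": True, "status": status, "body": body, "ok": ok, "hint": hint}


class _FakeGateway(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for the test API so the script runs offline: it
    returns 'True' only for the expected token. This is not the real gateway."""
    expected_token = "constructed-token"

    def do_GET(self):
        if self.headers.get("Authorization") == self.expected_token:
            status, body = 200, b"True"
        else:
            status, body = 401, b"Unauthorized"
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo output quiet
        pass


def start_fake_gateway() -> tuple[http.server.HTTPServer, str]:
    """Start the stand-in on a random loopback port; returns (server, base URL)."""
    server = http.server.HTTPServer(("127.0.0.1", 0), _FakeGateway)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    host, port = server.server_address[:2]
    return server, f"http://{host}:{port}/"


def closed_loopback_port() -> int:
    """Pick a loopback port nothing listens on, to demonstrate the TCP failure case."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    server, url = start_fake_gateway()
    try:
        print(smoke_test(url, "constructed-token"))  # ok: True
        print(smoke_test(url, "wrong-token"))        # status: 401, ok: False
    finally:
        server.shutdown()
        server.server_close()
    print(smoke_test(f"http://127.0.0.1:{closed_loopback_port()}/", "x"))  # tcp: False
```

Against a real endpoint, a "tcp": False result with a resolvable name is the state shown in section 3.1 after the portal is disabled; a 401 or 403 with "tcp": True means the channel is open and the problem is on the authorization side.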
5. Configure a custom domain
1. (Optional) Prepare an SSL certificate
To access your service over HTTPS, you must first add the SSL certificate for your custom domain to Digital Certificate Management Service, so that it can be selected when you configure the domain on the gateway.
Log on to the Digital Certificate Management Service console and choose SSL Certificate Management.
Choose Purchase Certificate or upload an existing certificate. For more information, see Purchase an SSL certificate and Upload an SSL certificate.
2. Configure the custom domain
Public custom domain
On the dedicated gateway details page, switch to the Domain Name tab and click Create Domain Name. Configure the parameters as follows.
In the Create Domain panel that appears, set Access Method to Public. Enter your custom domain in the Domain field, select an SSL certificate from the Certificate drop-down list, and then click OK. If no certificate is available, click Purchase/Upload Certificate to go to the certificate management page.
Note: If the service has already been deployed using this gateway, it may take up to 5 minutes for the public custom domain settings to take effect.
Check the service call information to confirm that the public endpoint now uses the public custom domain you configured for the gateway.
Configure public DNS resolution.
On the Gateway tab of the dedicated gateway, find the public domain name. It is also shown as the Domain Name on the Public Network tab of the Gateway Access Control page (for example, gw-c***s.aliyuncs.com). Confirm that the Access Entry status is Enabled.
Add a CNAME record for your public custom domain that points to the gateway's public domain name.
For information on Alibaba Cloud's authoritative public DNS, see Domain management and Add a DNS record.
Private custom domain
On the dedicated gateway details page, switch to the Domain Name tab and click Create Domain Name. Configure the parameters as follows.
Set Access Method to VPC, enter your custom domain (for example, www.test.com) in the Domain field, select an SSL certificate from the Certificate drop-down list if needed, and then click OK.
If the service has already been deployed using this gateway, wait about 5 minutes after setting the private custom domain. Then check the service call information: the configuration has taken effect when the VPC endpoint URL uses the private custom domain that you configured. Clients inside the VPC must also be able to resolve the private custom domain to the gateway's VPC domain name, for example through a CNAME record in the private DNS zone that serves the VPC.
Monitoring and alerts
To maintain gateway stability and promptly detect operational issues, we recommend that you enable logging, monitoring, and alerts.
Procedure
Enable logging, monitoring, and alerts. On the gateway details page, go to the Logs, Monitoring, and Alert tabs and follow the on-screen instructions to enable each feature.
Create an alert policy: After you enable alerts, the Create Alert Policy for EAS Dedicated Gateway button appears. Click this button. Refer to Manage alert rules to create alert rules for the gateway.
Important: The variable {{$labels.envoy_clusterid}} in the alert content displays the internal ID of a gateway instead of its user-defined name, which makes it hard to identify the affected gateway quickly when you receive an alert. When you create an alert rule, modify the notification template to replace or supplement this variable with a recognizable gateway name. In the Alert Content field, enter an alert template, for example:
PAI-EAS dedicated gateway {{$labels.envoy_clusterid}} node ({{$labels.pod_name}}) CPU utilization exceeds {{ $labels.metrics_params_value }}, current value {{ printf "%.2f" $value }}%.
The {{$labels.envoy_clusterid}} variable represents the dedicated gateway cluster ID.
Alert metrics
Metric name | Definition and formula | Threshold and scenario |
EAS dedicated gateway CPU utilization | The CPU utilization percentage of the gateway instance (Pod). | Recommendation: |
EAS dedicated gateway memory utilization | The memory utilization percentage of the gateway instance (Pod). | Recommendation: |
EAS dedicated gateway overall success rate | | Recommendation: |
EAS dedicated gateway certificate expiration | Monitors the number of days until the HTTPS certificate configured on the gateway expires. | Recommendation: |
EAS dedicated gateway 4xx/5xx request ratio | | 5xx Recommendation: |
EAS dedicated gateway average request RT | The average of all request response times within a statistical period, measured in milliseconds (ms). | Recommendation: Set based on your business baseline, for example, |
EAS dedicated gateway request volume vs. yesterday | The percentage change in request volume over an N-minute period compared to the same N-minute period on the previous day. | Recommendation: |
EAS dedicated gateway request throttling | The total number of requests rejected by the gateway's rate-limiting policy during a statistical period. | Recommendation: |
Usage notes
When a service uses a dedicated gateway, auto scaling from zero is not supported. The minimum replica count must be 1 or higher.
FAQ
Q: When adding a VPC, the following error is reported: Vswitch vsw-2zeqwh8hv0gb96zcd**** in zone cn-beijing-g is not supported, supported zones: [cn-beijing-i cn-beijing-l cn-beijing-k]
The selected vSwitch is in an availability zone that the gateway does not support. Choose a vSwitch in one of the supported availability zones listed in the error message.