
Platform For AI: Fully-managed dedicated gateway

Last Updated: Jun 25, 2026

Shared gateways, with their shared bandwidth and fixed access policies, often fail to meet the high isolation and elasticity demands of high-concurrency applications. To address this challenge, Elastic Algorithm Service (EAS) offers a fully-managed dedicated gateway. It provides flexible public and private network access control, supports custom domains, and includes dedicated bandwidth to ensure service stability and reliability.

Key features

  • Access control: Control public and private network access using an allowlist.

  • Custom domain access: Configure custom domains and certificates to expose your services.

  • Cross-account VPC access: Allows servers in another account's Virtual Private Cloud (VPC) within the same region to access EAS services through a private endpoint.

  • Cross-region VPC access: Allows cross-region VPCs to access EAS services through the gateway's private endpoint once a network connection is established.

  • Authoritative DNS: Provides authoritative DNS resolution when calling EAS services from other clouds or on-premises data centers, provided a network connection to Alibaba Cloud is established.

Billing

  • Gateway fees: Supports pay-as-you-go and subscription billing. For more information, see Elastic Algorithm Service (EAS) billing.

  • Additional costs:

    • Private network access: Incurs additional PrivateLink costs, including instance fees and data processing fees. For details, see the PrivateLink billing overview.

    • Public network access: Cloud Data Transfer (CDT) bills for public network traffic generated by the service. For details, see the CDT console.

1. Create a fully-managed dedicated gateway

  1. Log on to the PAI console. Select a region at the top of the page. Then, select the desired workspace and click Elastic Algorithm Service (EAS).

  2. On the Inference Gateway tab, click Create Dedicated Gateway, and then select Fully managed dedicated gateway.

  3. On the EAS dedicated gateway purchase page, configure the parameters. Refer to Appendix: Dedicated gateway capacity planning to select a Gateway Specification that ensures service stability.

  4. After configuring the parameters, click Buy Now. Follow the on-screen instructions to confirm your order and complete the payment.

    You can view your purchased fully-managed dedicated gateway in the inference gateway list. You can start using the gateway when its Status is Running.

Note
  • After you create a fully-managed dedicated gateway, you can update the gateway specification and replica count. The changes take about 3 to 5 minutes to take effect.

  • You can set a dedicated gateway as the default gateway. The system will automatically select it when you deploy new services.

2. Bind a service to the dedicated gateway

This section demonstrates how to deploy a new service and bind it to the gateway. For an existing service, you can update it to change the bound gateway.

  1. Log on to the PAI console. Select a region at the top of the page. Then, select the desired workspace and click Elastic Algorithm Service (EAS).

  2. On the Inference Service tab, click Deploy Service. In the Custom Model Deployment section, click Custom Deployment.

  3. In the Network Information section, select Dedicated Gateway and choose your created gateway from the drop-down list.

3. Enable network access

3.1 Configure public network access

  1. On the Inference Gateway tab, click the name of the target fully-managed dedicated gateway to go to its details page.

  2. In the Gateway Access Control section, on the Internet tab, enable the Access Portal toggle. When the status is Activated, the public access channel is open.

  3. By default, the gateway is not publicly accessible. Click Add to Whitelist and enter the public IP CIDR blocks that are allowed access (for example, 192.0.2.0/24).

    • Separate entries with a comma (,) or a newline.

    • To allow access from all public IP addresses, add the 0.0.0.0/0 CIDR block. You can add up to 15 CIDR blocks.

  4. Verify the public network connectivity of the fully-managed dedicated gateway.

    1. On the Internet tab, find the Endpoint. On the Gateway Access Control page, click the Public Network tab, view the Domain Name Address (for example, gw-c***s.aliyuncs.com), and confirm that the Access Entry status is Enabled.

    2. From a device within an allowed CIDR block, ping the domain name. The following output indicates a successful connection.

      C:\Users\xxx>ping gw-cxxx.cn-beijing.pai-eas.aliyuncs.com
      
      Pinging nlb-w0ncxxx.cn-beijing.nlb.aliyuncs.com [xxx] with 32 bytes of data:
      Reply from xxx: bytes=32 time=24ms TTL=89
      Reply from xxx: bytes=32 time=29ms TTL=89
      Reply from xxx: bytes=32 time=24ms TTL=89
      Reply from xxx: bytes=32 time=24ms TTL=89
      
      Ping statistics for xxx:
          Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
      Approximate round trip times in milli-seconds:
          Minimum = 24ms, Maximum = 29ms, Average = 25ms

  5. To disable public network access, on the Internet tab, disable the Access Portal toggle.

    From your local terminal, try to access the domain name. The ping command may still succeed by resolving the NLB IP, but a telnet connection to port 80 will fail, indicating the public access channel is closed.

    C:\Users\xxx> ping gw-ccqv77ddlxxx-xxx.cn-beijing.pai-eas.aliyuncs.com
    
    Pinging gw-ccq xxx cn-beijing.pai-eas.aliyuncs.com [47.xxx.xxx.xxx] with 32 bytes of data:
    Reply from xxx: bytes=32 time=26ms TTL=89
    Reply from xxx: bytes=32 time=26ms TTL=89
    Reply from xxx: bytes=32 time=27ms TTL=89
    Reply from xxx: bytes=32 time=26ms TTL=89
    
    Ping statistics for 47.xxx.xxx.xxx:
        Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
        Minimum = 26ms, Maximum = 27ms, Average = 26ms
    (base) niki@xxx ~ % telnet gw-ccqxxx.cn-beijing.pai-eas.aliyuncs.com 80
    Trying 47.xx.xx.xxx...
    telnet: connect to address 47.xx.xx.xxx: Bad file descriptor
    telnet: Unable to connect to remote host

3.2 Configure private network access

  1. On the Inference Gateway tab, click the name of the target fully-managed dedicated gateway to go to its details page.

  2. In the Gateway Access Control section, on the VPC tab, click Add VPC and select the VPC and vSwitch that you want to connect.

    • You can add a VPC from a different account in the same region. After you add a VPC that belongs to Account B (Account B must have PAI-EAS, PrivateLink, and PrivateZone enabled), servers in that VPC can access EAS services that use this dedicated gateway by using the VPC endpoint.

      Note

      This is an allowlisted feature. To enable it, please submit a ticket.

      In the Add VPC dialog box, enter the Account ID (for cross-account scenarios, enter the target account's UID), VPC (ID), and vSwitch ID. The vSwitch must be in an availability zone supported by the gateway (for example, cn-hangzhou-j, cn-hangzhou-k, or cn-hangzhou-i). You can enable the Authoritative DNS toggle as needed, and then click OK.

    • Authoritative DNS: Enables authoritative DNS for the gateway domain. This allows clients from other clouds or on-premises data centers to resolve the service address after establishing a network connection with Alibaba Cloud. Currently, you can enable authoritative DNS in the configuration of only one VPC.

  3. When you add a VPC, the system configures a default allowlist of 0.0.0.0/0, permitting access from all IPs within that VPC. Click Modify Whitelist to change it as needed.

  4. Verify the dedicated gateway's private network connectivity.

    1. On the VPC tab, find the Endpoint. On the Access Control page, select the VPC tab, and obtain the gateway domain name from the Domain Name column (for example, gw-xxx.eas.aliyuncs.com).

    2. From a terminal within the VPC, access the domain name. The following output indicates that connectivity is working as expected.

      Note

      Within the VPC, you can access the dedicated gateway from any availability zone by configuring the allowlist. Access is not limited to the availability zone of the vSwitch added to the gateway.

      [root@iZ2xxx ~]# ping gw-567lydxxx-vpc.cn-beijing.pai-eas.aliyuncs.com
      PING ep-2zeixxx.epsrv-2zemwo87lxxx.cn-beijing.privatelink.aliyuncs.com (192.xxx.xxx.xxx) 56(84) bytes of data.
      64 bytes from 192.xxx.xxx.11: icmp_seq=1 ttl=102 time=1.11 ms
      64 bytes from 192.xxx.xxx.11: icmp_seq=2 ttl=102 time=1.05 ms
      64 bytes from 192.xxx.xxx.11: icmp_seq=3 ttl=102 time=0.572 ms
      64 bytes from 192.xxx.xxx.11: icmp_seq=4 ttl=102 time=0.515 ms
      64 bytes from 192.xxx.xxx.11: icmp_seq=5 ttl=102 time=0.519 ms
      64 bytes from 192.xxx.xxx.11: icmp_seq=6 ttl=102 time=0.514 ms
      64 bytes from 192.xxx.xxx.11: icmp_seq=7 ttl=102 time=0.508 ms
      ^C
      --- ep-2zeixxx.epsrv-2zemwo87lxxx.cn-beijing.privatelink.aliyuncs.com ping statistics ---
      7 packets transmitted, 7 received, 0% packet loss, time 6111ms
      rtt min/avg/max/mdev = 0.508/0.682/1.107/0.252 ms

  5. To disable VPC access, find the VPC in the list and click Delete in the Configure vSwitch column.

    From a terminal within the VPC, attempts to access the domain name will fail. The ping and telnet commands will time out, indicating the private access channel for the dedicated gateway is closed.

    [root@iZ2zef8xxx ~]# ping gw-xxx-vpc.cn-beijing.pai-eas.aliyuncs.com
    PING ep-2zei6xxxlcb.epsrv-2zeute2zixxx.cn-beijing.privatelink.aliyuncs.com (1xxx) 56(84) bytes of data.
    [root@iZ2zcr0StvqwCommduccSU ~]# telnet gw-ccqvxxx-vpc.cn-beijing.pai-eas.aliyuncs.com 80
    Trying 1xxx...

Note

To enable cross-region VPC access, complete the preceding steps and then perform the following actions:

  1. Establish a network connection between the VPCs by using Cloud Enterprise Network (CEN), a VPC peering connection, or another method.

  2. Associate the dedicated gateway with the caller's cross-region VPC.

For detailed configuration steps, see Access a fully-managed dedicated gateway across VPCs.
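
The allowlist rules in sections 3.1 and 3.2 (comma- or newline-separated CIDR blocks, at most 15, with 0.0.0.0/0 admitting every source) can be checked before an entry list is pasted into the console. The following is an added example, not part of the product or the original page; the function names and the sample input are constructed for illustration, and rejecting CIDRs with host bits set is this example's own choice.

```python
import ipaddress
import re

MAX_BLOCKS = 15  # per-allowlist limit stated on this page

# Constructed sample, typed the way the console accepts it (commas or newlines).
SAMPLE = "192.0.2.0/24, 192.0.2.128/25\n198.51.100.7,203.0.113.5/24\n0.0.0.0/0"


def review_allowlist(text):
    """Return (networks, findings) for an allowlist string."""
    entries = [e.strip() for e in re.split(r"[,\n]", text) if e.strip()]
    networks, findings = [], []
    for entry in entries:
        try:
            # strict=True rejects host bits (e.g. 203.0.113.5/24); treating that
            # as an error is this example's choice, not documented console behaviour.
            net = ipaddress.IPv4Network(entry, strict=True)
        except ValueError as exc:
            findings.append(f"invalid: {entry} ({exc})")
            continue
        if net.prefixlen == 0:
            findings.append(f"open-to-all: {entry} admits every source address")
        networks.append(net)
    for net in networks:
        for other in networks:
            # A block inside a broader one uses a slot without changing access.
            if other.prefixlen and net != other and net.subnet_of(other):
                findings.append(f"redundant: {net} is inside {other}")
    if len(networks) > MAX_BLOCKS:
        findings.append(f"too-many: {len(networks)} blocks, limit is {MAX_BLOCKS}")
    return networks, findings


def is_allowed(networks, source_ip):
    """True if source_ip falls inside any allowlisted block."""
    addr = ipaddress.IPv4Address(source_ip)
    return any(addr in net for net in networks)


if __name__ == "__main__":
    nets, findings = review_allowlist(SAMPLE)
    for finding in findings:
        print(finding)
    print("203.0.113.9 allowed:", is_allowed(nets, "203.0.113.9"))
```

Running the same review against the default VPC allowlist from section 3.2 reports the open-to-all entry, which is the cue to narrow it with Modify Whitelist.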

4. Test service calls

  1. On the Inference Service tab, find the target service and click Invocation Method in the Service Type column.

  2. On the Dedicated Gateway tab, get the Internet Endpoint, VPC Endpoint, and Token.

  3. Use the curl command to send a request and verify that the response is correct.

    • Public call: Run the command from any machine with public internet access.

    • Private call: Run the command from a terminal within the connected VPC.

    curl <endpoint_URL> -H'Authorization:<token>'

    The test API uses a GET request with no parameters. The expected response is True.

5. Configure a custom domain

1. (Optional) Prepare an SSL certificate

To access your service over HTTPS, you must first manage the SSL certificate for your custom domain in Digital Certificate Management Service.

  1. Log on to the Digital Certificate Management Service console and choose SSL Certificate Management.

  2. Choose Purchase Certificate or upload an existing certificate. For more information, see Purchase an SSL certificate and Upload an SSL certificate.

2. Configure the custom domain

Public custom domain
  1. On the dedicated gateway details page, switch to the Domain Name tab and click Create Domain Name. Configure the parameters as follows.

    In the Create Domain panel that appears, set Access Method to Public or VPC. Enter your custom domain in the Domain field, and select an SSL certificate from the Certificate drop-down list. If no certificate is available, click Purchase/Upload Certificate to go to the certificate management page.

    Note
    • If the service has already been deployed using this gateway, it may take up to 5 minutes for the public custom domain settings to take effect.

    • Check the service call information to confirm that the public endpoint now uses the public custom domain you configured for the gateway.

  2. Configure public DNS resolution.

    1. On the Gateway tab of the dedicated gateway, find the public domain name.

      On the Gateway Access Control page, click the Public Network tab and view the Domain Name (for example, gw-c***s.aliyuncs.com). Confirm that the Access Entry status is Enabled.

    2. Add a CNAME record for your public custom domain that points to the gateway's public domain name.

    For information on Alibaba Cloud's authoritative public DNS, see Domain management and Add a DNS record.
Private custom domain
  1. On the dedicated gateway details page, switch to the Domain Name tab and click Create Domain Name. Configure the parameters as follows.

    Set Access Method to VPC, enter your custom domain (for example, www.test.com) in the Domain field, select an SSL certificate from the Certificate drop-down list if needed, and then click OK.

  2. If the service has already been deployed using this gateway, wait about 5 minutes after successfully setting the private custom domain. Check the service call information. The configuration has taken effect when the VPC endpoint URL uses the private custom domain that you configured.

Monitoring and alerts

To maintain gateway stability and promptly detect operational issues, we recommend that you enable logging, monitoring, and alerts.

Procedure

  1. Enable logging, monitoring, and alerts. On the gateway details page, go to the Logs, Monitoring, and Alert tabs and follow the on-screen instructions to enable each feature.

  2. Create an alert policy: After you enable alerts, the Create Alert Policy for EAS Dedicated Gateway button appears. Click this button. Refer to Manage alert rules to create alert rules for the gateway.

    Important

    The variable {{$labels.envoy_clusterid}} in the alert content displays the internal ID of a gateway instead of its user-defined name, which makes it difficult to quickly locate the specific gateway when you receive an alert. For easier identification, we strongly recommend that you manually modify the notification template to replace or supplement this variable with a recognizable gateway name when you create an alert rule.

    In the Alert Content field, enter an alert template. For example:

    PAI-EAS dedicated gateway {{$labels.envoy_clusterid}} node ({{$labels.pod_name}}) CPU utilization exceeds {{ $labels.metrics_params_value }}, current value {{ printf "%.2f" $value }}%.

    The {{$labels.envoy_clusterid}} variable represents the dedicated gateway cluster ID.

Alert metrics

For each metric, the list gives the definition and formula, followed by the recommended threshold and scenario.

  • EAS dedicated gateway CPU utilization

    • Definition and formula: The CPU utilization percentage of the gateway instance (Pod).

    • Recommendation: > 85% for 5 consecutive minutes.

    • Scenario: Sustained high utilization indicates that gateway resources are nearing their limit and may require scaling up.

  • EAS dedicated gateway memory utilization

    • Definition and formula: The memory utilization percentage of the gateway instance (Pod).

    • Recommendation: > 85% for 5 consecutive minutes.

    • Scenario: Sustained high utilization can lead to OOMKilled events, affecting gateway stability.

  • EAS dedicated gateway overall success rate

    • Definition and formula: (Number of requests with 2xx status codes / Total number of requests) * 100%.

    • Recommendation: < 99.9% for 1 consecutive minute.

    • Scenario: A drop in this metric typically indicates a critical issue with the backend service or gateway configuration.

  • EAS dedicated gateway certificate expiration

    • Definition and formula: Monitors the number of days until the HTTPS certificate configured on the gateway expires.

    • Recommendation: Days remaining < 15.

    • Scenario: Prevents HTTPS service interruptions due to an expired certificate.

  • EAS dedicated gateway 4xx/5xx request ratio

    • Definition and formula: (Number of 4xx or 5xx requests / Total number of requests) * 100%. We recommend that you configure separate alerts for 4xx and 5xx errors.

    • 5xx Recommendation: > 1% for 1 consecutive minute.

    • 4xx Recommendation: > 5% for 5 consecutive minutes.

    • Scenario: A spike in 5xx errors indicates serious server-side issues. A spike in 4xx errors may indicate client-side call anomalies or authentication problems.

  • EAS dedicated gateway average request RT

    • Definition and formula: The average of all request response times within a statistical period, measured in milliseconds (ms).

    • Recommendation: Set based on your business baseline, for example, > 200ms for 3 consecutive minutes.

    • Scenario: An increased RT directly impacts user experience and warrants investigation.

  • EAS dedicated gateway request volume vs. yesterday

    • Definition and formula: The percentage change in request volume over an N-minute period compared to the same N-minute period on the previous day.

    • Recommendation: < -50% for 10 consecutive minutes or > 200% for 10 consecutive minutes.

    • Scenario: Use this to detect sudden drops in traffic (potential service outage) or spikes (potential attack or promotional traffic).

  • EAS dedicated gateway request throttling

    • Definition and formula: The total number of requests rejected by the gateway's rate-limiting policy during a statistical period.

    • Recommendation: > 10 times in 1 minute.

    • Scenario: Frequent throttling indicates that traffic has exceeded expectations. You may need to adjust your rate-limiting policy or scale up your resources.
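
To see how the "for N consecutive minutes" recommendations behave, the success-rate and 4xx/5xx formulas above can be replayed over per-minute status-code counters. This is an added example, not the gateway's alerting implementation or code from the original page; the counter layout, function names, and sample data are constructed for illustration.

```python
# (metric, breach test, consecutive minutes) from the recommendations above
RULES = [
    ("success_rate", lambda v: v < 99.9, 1),
    ("ratio_5xx", lambda v: v > 1.0, 1),
    ("ratio_4xx", lambda v: v > 5.0, 5),
]


def _minute(ok, c4xx, c5xx):
    """Build one minute of constructed counters."""
    return {"total": ok + c4xx + c5xx, "2xx": ok, "4xx": c4xx, "5xx": c5xx}


CLEAN = _minute(1000, 0, 0)
AUTH_NOISE = _minute(940, 60, 0)   # 6% 4xx, e.g. rejected tokens
SERVER_ERR = _minute(980, 0, 20)   # 2% 5xx
# Constructed timeline: 4 noisy minutes, recovery, 5 noisy minutes, then 5xx.
SAMPLE_MINUTES = [CLEAN] + [AUTH_NOISE] * 4 + [CLEAN] + [AUTH_NOISE] * 5 + [SERVER_ERR]


def minute_metrics(counters):
    """Apply the formulas above to one minute of status-code counters."""
    total = counters["total"]
    if total == 0:
        return None  # no traffic: ratios are undefined, not a breach
    return {
        "success_rate": 100.0 * counters["2xx"] / total,
        "ratio_4xx": 100.0 * counters["4xx"] / total,
        "ratio_5xx": 100.0 * counters["5xx"] / total,
    }


def evaluate(minutes):
    """Return (minute_index, metric) for each minute at which a rule fires."""
    streak = {name: 0 for name, _, _ in RULES}
    alerts = []
    for i, counters in enumerate(minutes):
        metrics = minute_metrics(counters)
        for name, breached, need in RULES:
            if metrics is not None and breached(metrics[name]):
                streak[name] += 1
            else:
                streak[name] = 0  # any healthy minute restarts the window
            if streak[name] == need:  # fire once per breach episode
                alerts.append((i, name))
    return alerts


if __name__ == "__main__":
    for minute, metric in evaluate(SAMPLE_MINUTES):
        print(f"minute {minute}: {metric} alert")
```

In the sample, the first four-minute burst of 4xx responses never triggers the 4xx rule because a clean minute resets the window, while the success-rate rule fires on the first bad minute of each burst.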



Usage notes

When a service uses a dedicated gateway, auto scaling from zero is not supported. The minimum replica count must be 1 or higher.

FAQ

Q: Error when adding a VPC: Vswitch vsw-2zeqwh8hv0gb96zcd**** in zone cn-beijing-g is not supported, supported zones: [cn-beijing-i cn-beijing-l cn-beijing-k]

The selected vSwitch is in an unsupported availability zone. Choose a vSwitch in a supported availability zone.

Appendix: Network architecture

[Image: network architecture diagram]