All Products
Search

This Product

    Platform For AI:Configure a DSW instance to access the Internet by using a private NAT gateway

    Document Center

    Platform For AI:Configure a DSW instance to access the Internet by using a private NAT gateway

    Last Updated:Oct 25, 2023

    This topic describes how to create an Internet NAT gateway, associate an elastic IP address (EIP) with the Data Science Workshop (DSW) instance, and configure SNAT in the virtual private cloud (VPC) that is associated with a DSW instance. This allows the DSW instance to access the Internet by using a private Internet NAT gateway to accelerate the upload and download of training data and code.

    Prerequisites

    • A VPC and a vSwitch are created. We recommend that you use the 192.168.0.0/16 CIDR block for the VPC to avoid conflicts with the CIDR block of the Platform for AI (PAI). For more information, see Create and manage a VPC.

    • A security group is created for the VPC. For more information, see Create a security group.

    Background information

    When you develop algorithms and models in DSW, the DSW instances in the cluster use a shared Internet gateway and have limited bandwidth. This may result in low download speed when you pull large datasets or models. PAI provides a solution to the issue. The solution can help you connect DSW to your VPC and route requests from the Internet to a private NAT Internet gateway. To solve the bottleneck issue of the Internet egress bandwidth, you can associate an EIP with the DSW instance and select a bandwidth based on your business requirements.

    The following figure shows network architecture:

    image

    Procedure

    1. Create an Internet NAT gateway. The following table describes the key parameters. For more information about other parameters, see the "Step 1: Create an Internet NAT gateway" section in the Use the SNAT feature of an Internet NAT gateway to access the Internet topic.

      Parameter

      Description

      Region

      Make sure that the region is the same as the region where your VPC resides. If you do not specify a region, the region where your VPC resides is used as the default region.

      VPC

      Select an existing VPC, vSwitch, and security group. Make sure that the VPC and vSwitch are the same as the VPC and vSwitch that you configure for the DSW instance.

      Associate vSwitch

      Access Mode

      Select SNAT for All VPC Resources. An SNAT entry is automatically configured for your VPC.

      EIP

      If no EIP instance is available, click Purchase EIP and complete the configuration by following the on-screen instructions. Configure the Maximum Bandwidth parameter based on your business requirements. We recommend that you select a sufficient bandwidth and set the Metering Method parameter to Pay-By-Data-Transfer.

    2. On the Internet NAT Gateway page, click the name of the gateway that you created to go to the Basic Information tab. On the SNAT Management tab, check whether an SNAT entry is created. image.png

      If no SNAT entry is created, create an SNAT entry in the gateway. When you create an SNAT entry, select Specify VPC and set the Select Public IP Address parameter to Use Single IP. If you purchased multiple IP addresses, you can select Use Multiple IP. For more information about how to create an SNAT entry, see the "Step 3: Create an SNAT entry" section in the Use the SNAT feature of an Internet NAT gateway to access the Internet topic.

    3. Create a DSW instance in the region where the VPC resides. The following table describes the key parameters. For more information about other parameters, see Create and manage DSW instances.

      Parameter

      Description

      VPC

      This parameter is available only if you select the public resource group for Resource Group.

      Select the existing VPC, vSwitch, and security group.

      Security Group

      vSwitch

      Internet Access Gateway

      Select Private Gateway. The DSW instance accesses the Internet by using the private Internet NAT gateway. If you do not purchase an Internet NAT gateway, associate an EIP with the DSW instance, and configure an SNAT entry, the DSW instance cannot access the Internet.

    4. Test the connectivity.

      1. On the DSW page, find the DSW instance and click Launch in the Actions column. For more information, see Create and manage DSW instances.

      2. In the PAI-DSW development environment, click Terminal in the top navigation bar.

      3. Run the ping www.aliyun.com command to test the network connectivity.

        If a response packet is returned, the DSW instance can access the Internet by using the private Internet NAT gateway.

        The following response indicates that the DSW instance can access the Internet by using the private Internet NAT gateway. 

        PING www.aliyun.com.w.cdngslb.com (47.118.XX.XX) 56(84) bytes of data.
64 bytes from 47.118.XX.XX (47.118.XX.XX): icmp_seq=1 ttl=59 time=5.96 ms
64 bytes from 47.118.XX.XX (47.118.XX.XX): icmp_seq=2 ttl=59 time=5.83 ms
64 bytes from 47.118.XX.XX (47.118.XX.XX): icmp_seq=3 ttl=59 time=5.83 ms
64 bytes from 47.118.XX.XX (47.118.XX.XX): icmp_seq=4 ttl=59 time=5.84 ms
64 bytes from 47.118.XX.XX (47.118.XX.XX): icmp_seq=5 ttl=59 time=5.86 ms

    Appendix: Disable a DSW instance to access the Internet

    If you want to disable a DSW instance to access the Internet for security reasons, you can set the Internet Access Gateway parameter to a private gateway. Do not configure an egress network in the specified VPC when you create the DSW instance. The egress network includes an Internet NAT gateway and an SNAT entry. This ensures that the DSW instance can access only the data in the VPC and not the Internet.