Platform For AI: Access public or private network resources from EAS

Last Updated: Dec 26, 2025

If an Elastic Algorithm Service (EAS) service needs to call public APIs, download files from the public network, connect to an ApsaraDB RDS database, or access other external services, you must configure a virtual private cloud (VPC) for the service to establish network connectivity.

How it works

After you configure a VPC for an EAS service, the system creates an Elastic Network Interface (ENI) for each service instance. The ENI uses a private IP address from the specified vSwitch, which gives the service instance a network identity within the VPC. This allows the service instance to communicate with other resources in the VPC or access the public network through a NAT Gateway.

Billing

Configuring a VPC for an EAS service is free. However, the NAT Gateway and elastic IP addresses (EIPs) used for public network access are billable. For more information, see NAT Gateway billing and EIP billing overview.

Before you begin: Network planning and preparation

Before you configure the network, plan your network connectivity and prepare the required VPC, vSwitch, and security group. To create these resources, see Create a VPC and a vSwitch and Use security groups.

  • All outbound traffic from EAS services is controlled by security group rules. Ensure that the outbound rules of the security group allow the EAS service to access the destination service.

  • For private network peering, the most direct method is to deploy the EAS service and the destination service in the same VPC. If the destination service is in a different VPC, you must also establish network connectivity using products such as VPC Peering Connection or Cloud Enterprise Network (CEN).

Procedure

Step 1: Configure a VPC for the EAS service

Configuring a VPC for an EAS service is the foundation for enabling private network peering or public network access. EAS supports VPC configuration at the service level and the resource group level:

  • Service level: Specify a VPC for a single service. This has the highest priority.

  • Resource group level: Set a default VPC for services that are deployed in a dedicated resource group. If configurations are set at both the service level and the resource group level, the service-level configuration takes precedence.

Service-level configuration

Configure in the console

When you create or update a service, configure the VPC in the Network Information section. Select a VPC, and then configure the vSwitch and security group.

Configure using the eascmd client

  1. In the service's JSON configuration file, add or modify the cloud.networking field. Enter the IDs of the VPC, vSwitch, and security group. The following code shows an example of the network-related fields:

    {
        "cloud": {
            "networking": {
                "vpc_id": "your-vpc-id",
                "vswitch_id": "your-switch-id",
                "security_group_id": "your-security-group-id"
            }
        }
    }

    You can find the IDs on the VPC and vSwitch pages in the VPC console and on the Security Groups page in the ECS console.

  2. Use the create or modify command to create the service or modify the service configuration. For more information, see Command reference.

Resource-group-level configuration

  • Console: On the Resource Group page, configure the VPC information for the entire resource group. Select the target resource group and click Enable VPC Configuration in the Actions column.

  • eascmd client: For more information, see Configure a VPC for a resource group.

Step 2: Configure an Internet NAT gateway and an SNAT entry (for public network access only)

If the EAS service needs to access the Internet, you must use a NAT Gateway and an EIP. For more information, see Use the SNAT feature of an Internet NAT gateway to access the Internet.

  1. Create an Internet NAT gateway and bind an EIP: Go to the Internet NAT Gateway purchase page. Select the region and VPC where the EAS service is located and bind an EIP to the gateway. This EIP serves as the unified egress IP address for the EAS service to access the public network.

  2. Configure an SNAT entry: In the NAT gateway that you created, create an SNAT entry. Set SNAT Entry Granularity to VPC. This ensures that traffic from this VPC to the public network is sent through this NAT gateway.

Step 3: Configure a whitelist (optional)

If the destination service, on either a private network or the public network, has IP address or security group whitelist restrictions, you must add the IP address range or security group ID of the EAS service to the whitelist of the destination service. The following sections describe how to obtain the private and public IP addresses of the EAS service.

Obtain a private IP address

Important

EAS instances are dynamically scheduled. After a restart or update, a new instance might be created on a new physical node and obtain a new private IP address from the vSwitch address pool. Therefore, access control policies that rely on IP addresses should use the vSwitch CIDR block instead of a hardcoded IP address of a single instance.

Log on to the VPC console and find the IPv4 CIDR block on the VSwitches page.
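
The following check illustrates why the whitelist should carry the vSwitch CIDR block rather than an instance address. It is an added example, not part of the original documentation; the CIDR block and whitelist entries are constructed sample values, and the function names are hypothetical.

```python
import ipaddress

def audit_whitelist(vswitch_cidr, entries):
    """Classify each destination-whitelist entry against the EAS vSwitch CIDR block."""
    vswitch = ipaddress.ip_network(vswitch_cidr)
    report = []
    for entry in entries:
        # strict=False lets a bare address such as 192.168.10.37 parse as a /32.
        net = ipaddress.ip_network(entry, strict=False)
        if net.version != vswitch.version:
            verdict = "unrelated"
        elif net == vswitch:
            verdict = "exact"       # matches the vSwitch; survives rescheduling
        elif vswitch.subnet_of(net):
            verdict = "wider"       # works, but also admits non-EAS addresses
        elif net.subnet_of(vswitch):
            verdict = "pinned"      # single instance IP or sub-range; breaks on reschedule
        else:
            verdict = "unrelated"
        report.append((entry, verdict))
    return report

def survives_reschedule(vswitch_cidr, entries):
    """True if any entry covers every address an EAS instance can be assigned."""
    return any(v in ("exact", "wider")
               for _, v in audit_whitelist(vswitch_cidr, entries))

# Constructed sample values, not taken from the page.
VSWITCH = "192.168.10.0/24"
WHITELIST = ["192.168.10.37", "192.168.0.0/16", "10.0.0.0/8"]

if __name__ == "__main__":
    for entry, verdict in audit_whitelist(VSWITCH, WHITELIST):
        print(f"{entry:18} {verdict}")
```

A whitelist that contains only "pinned" entries stops matching as soon as an instance is rescheduled, while a "wider" entry is a candidate for narrowing to the vSwitch CIDR block.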

Obtain a public IP address

Log on to the VPC console. On the NAT Gateway > Internet NAT Gateway page, find the gateway configured for EAS. You can see the bound EIP address in the Elastic IP Address column.

Production considerations

  • IP address planning: Plan a dedicated vSwitch with a sufficient number of available IP addresses for the EAS service. The minimum number of required IP addresses is calculated as: Number of running instances + Number of extra instances for rolling updates + Reserved buffer IPs. An insufficient number of IP addresses will cause service creation or scale-out to fail.

  • Security group isolation: Use separate security groups for different services or environments, such as development, testing, and production. Follow the principle of least privilege and open only the necessary ports and access sources.

  • Cost optimization: If the EAS service needs to access the public network to download models or files, the best practice is to upload the resources to OSS in the same region and mount the OSS bucket during deployment. This avoids costs associated with public network access.
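
The security group guidance above pulls in two directions: outbound rules must still permit every destination the service needs, yet should open nothing more. The following added example (not part of the original documentation) compares the two. The rule tuples are a simplified format of this example's own rather than the ECS API schema, only allow rules are modelled (no priorities or deny rules), and all addresses are constructed.

```python
import ipaddress

def rule_allows(rule, protocol, port, dest_ip):
    """rule is (protocol, "low/high" ports, destination CIDR); "-1/-1" means any port."""
    proto, port_range, cidr = rule
    low, high = (int(p) for p in port_range.split("/"))
    port_ok = low == -1 or low <= port <= high
    dest_ok = ipaddress.ip_address(dest_ip) in ipaddress.ip_network(cidr)
    return proto in (protocol, "all") and port_ok and dest_ok

def audit_egress(rules, required):
    """Compare outbound allow rules with the destinations the service must reach."""
    # Destinations no rule permits: the service call will fail.
    blocked = [need for need in required
               if not any(rule_allows(r, *need) for r in rules)]
    # Rules that serve no required destination: candidates for removal.
    unused = [r for r in rules
              if not any(rule_allows(r, *need) for need in required)]
    # Rules whose destination is the whole address space.
    open_to_all = [r for r in rules
                   if ipaddress.ip_network(r[2]).prefixlen == 0]
    return {"blocked": blocked, "unused": unused, "open_to_all": open_to_all}

# Constructed sample: a hypothetical RDS endpoint in another vSwitch and one public API.
REQUIRED = [("tcp", 3306, "192.168.20.15"), ("tcp", 443, "203.0.113.10")]
DEFAULT_STYLE = [("all", "-1/-1", "0.0.0.0/0")]
TIGHTENED = [("tcp", "3306/3306", "192.168.20.0/24"),
             ("tcp", "443/443", "203.0.113.10/32"),
             ("tcp", "22/22", "192.168.30.0/24")]   # leftover rule nothing needs

if __name__ == "__main__":
    for name, rules in (("default-style", DEFAULT_STYLE), ("tightened", TIGHTENED)):
        print(name, audit_egress(rules, REQUIRED))
```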

FAQ

Q: Why can't EAS access the public network by default?

By default, EAS services have restricted access to the public network, primarily for security and stability. Public egress bandwidth can be easily misused in a shared environment. Bandwidth resources are also uncertain and can fluctuate, which directly affects service performance and availability. If needed, you can configure public network access for your VPC.

Q: How can I quickly verify whether the service can access the public network?

You can add a network test command, such as curl -I --connect-timeout 5 https://www.aliyun.com, to the Command field in the service configuration.

After deployment, check the real-time log of the instance. If you see a status code such as 200, the public network connection is successful.

Q: After I configure a VPC, why can't my service access cloud products within the VPC over the private network?

Check the following items in order:

  1. VPC configuration: Confirm that the EAS service and the destination service are in the same VPC.

  2. Security group rules: Confirm that the outbound rules of the security group configured for the EAS service allow access to the destination service.

  3. Access restrictions of the destination cloud product: If the destination cloud product uses an IP whitelist or security group to restrict external access, confirm that the vSwitch CIDR block or security group of the EAS service is correctly added.

Q: After I configure a NAT Gateway, why can't the service access the public network?

Check the following items in order:

  1. SNAT rules: Confirm that the vSwitch in the SNAT entry is the same as the one specified when you deployed the EAS service.

  2. VPC route table: In the VPC console, check the list of route entries. Confirm that a route exists with the destination CIDR block set to 0.0.0.0/0 and the next hop pointing to the NAT Gateway.

  3. Security group outbound rules: Confirm that the outbound rules of the security group where the EAS service is located allow all public network access. By default, access to 0.0.0.0/0 is allowed.