Platform For AI: EAS network configuration

Last Updated: Nov 08, 2025

You can configure a virtual private cloud (VPC) for your EAS service to enable Internet access, communication with other resources within the VPC, or direct connections from an ECS instance to an EAS instance without a gateway.

How it works

When you configure the network for an EAS service, the system automatically creates an elastic network interface (ENI) for each service instance in the specified vSwitch. Each ENI is assigned a private IP address from the vSwitch. This configuration enables network communication with other resources in the VPC and allows Internet access through a NAT Gateway in the VPC.

Billing

Configuring a network for an EAS service is free. However, you are charged for dependent cloud products. For example, NAT Gateway and elastic IP addresses (EIPs), which are used for Internet access, are billable services. For more information about billing, see Billing.

Core step: Configure a VPC for an EAS service

You must configure a VPC for an EAS service to enable internal network communication or Internet access.

Before you begin, make sure that you have an active VPC, vSwitch, and security group. For more information about how to create these resources, see Create a VPC and a vSwitch and Create a security group.

Important

You can configure a VPC at the service level or the resource group level. If you configure a VPC at both levels, the service-level configuration takes precedence.

Service-level configuration

Configure in the console

When you create or update a service, go to the Network Information section to configure the VPC. After you select a VPC from the drop-down list, you must also configure the vSwitch and security group.

Configure using the eascmd client

  1. In the JSON configuration file for the service, add or modify the cloud.networking field. In this field, specify the IDs of the VPC, vSwitch, and security group. You can obtain the IDs from the VPC and vSwitch list pages in the VPC console and from the Security Groups page in the ECS console.

    The following code provides an example of the configuration:

    {
        "metadata": {
            "name": "service_name",
            "instance": 1,
            "workspace_id": "21***"
        },
        "cloud": {
            "computing": {
                "instances": [
                    {
                        "type": "ecs.gn6e-c12g1.3xlarge"
                    }
                ]
            },
            "networking": {
                "vpc_id": "vpc-bp1uepgqtar*****",
                "vswitch_id": "vsw-bp1glkxase*****",
                "security_group_id": "sg-bp1brugkivv*****"
            }
        },
        "containers": [
            {
                "image": "eas-registry-vpc.cn-hangzhou.cr.aliyuncs.com/pai-eas/python-inference:py39-ubuntu2004",
                "script": "python app.py",
                "port": 8000
            }
        ]
    }

  2. Use the create or modify command to deploy or update the service. The following example shows the commands for the 64-bit version of Windows:

    • To create a service:

      # Replace <service.json> with the name of your JSON configuration file.
      eascmdwin64.exe create <service.json>

    • To update a service:

      # Replace <service_name> with the name of the EAS service to update. Replace <service.json> with the name of your updated JSON configuration file.
      eascmdwin64.exe modify <service_name> -s <service.json>
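
A pre-deployment check for the cloud.networking field described above, added here as an example (it is not part of eascmd or of the original page). The ID prefixes come from the sample configuration; the function name, the character class after each prefix, and the sample input are assumptions.

```python
import json
import re

# ID prefixes as shown in the page's sample (vpc-, vsw-, sg-). The character
# class after each prefix is an assumption made for this check.
ID_PATTERNS = {
    "vpc_id": re.compile(r"^vpc-[a-z0-9]+$"),
    "vswitch_id": re.compile(r"^vsw-[a-z0-9]+$"),
    "security_group_id": re.compile(r"^sg-[a-z0-9]+$"),
}

def lint_networking(service_json: str) -> list:
    """Return a list of problems found in cloud.networking (empty if clean)."""
    cfg = json.loads(service_json)
    net = cfg.get("cloud", {}).get("networking")
    if not isinstance(net, dict):
        return ["cloud.networking absent: no service-level VPC is set"]
    problems = []
    for key, pattern in ID_PATTERNS.items():
        value = net.get(key)
        if not isinstance(value, str) or not value:
            problems.append(f"{key}: missing; all three IDs are required together")
        elif "*" in value:
            problems.append(f"{key}: masked placeholder copied from documentation")
        elif not pattern.match(value):
            problems.append(f"{key}: unexpected format {value!r}")
    return problems

# Constructed input: a masked sample ID left in place and no security group.
CONSTRUCTED_BAD = json.dumps({
    "metadata": {"name": "service_name", "instance": 1},
    "cloud": {"networking": {
        "vpc_id": "vpc-bp1uepgqtar*****",
        "vswitch_id": "vsw-0example0constructed",
    }},
})

if __name__ == "__main__":
    for problem in lint_networking(CONSTRUCTED_BAD):
        print("FAIL", problem)
```

Running the check before `create` or `modify` catches a service that would otherwise be deployed without the intended security group.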

Resource group-level configuration

  • Console: On the Resource Group page, select the target resource group and click Enable VPC Configuration in the Actions column.

  • eascmd client: For more information, see Configure a VPC for a resource group.

Scenarios and configuration guide

Bidirectional communication within a VPC

This section describes the following two scenarios:

  • EAS service accesses internal resources: The EAS service needs to access resources, such as RDS and Redis, that are in the same VPC.

  • VPC direct connection: An ECS instance directly accesses the EAS service without requiring a gateway.

Follow these steps:

  1. Configure a VPC for the EAS service. Make sure that the EAS service and the target resources, such as ECS and RDS, are in the same VPC.

  2. Add security group rules. Make sure that the security group rules allow network communication between the EAS service and the target resources.

  3. Add the internal IP address of the EAS service to the whitelist of the target resource.

    If a target service that the EAS service needs to access, such as a database, has IP whitelist restrictions, you must add the vSwitch CIDR block of the EAS service to the whitelist.

    Important

    EAS instances are dynamically scheduled. After a restart or update, a new instance may be created on a different physical node and obtain a new private IP address from the vSwitch address pool. Therefore, access control policies that rely on IP addresses must use the vSwitch CIDR block or security group ID instead of a hardcoded IP address of a single instance.

    Log in to the VPC console and locate the corresponding IPv4 CIDR block on the VSwitches page.
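
An audit of a target resource's IP whitelist against the rule in the Important note above, added here as an example and not taken from the original page. The function name, the CIDR block, and the whitelist entries are constructed; the any-source finding applies the least-privilege recommendation for access sources.

```python
import ipaddress

def audit_whitelist(vswitch_cidr, entries):
    """Check whether a whitelist admits the whole EAS vSwitch and flag risky entries."""
    vsw = ipaddress.ip_network(vswitch_cidr)
    findings, same_family = [], []
    for raw in entries:
        # strict=False accepts bare IPs and entries with host bits set.
        net = ipaddress.ip_network(raw, strict=False)
        if net.version != vsw.version:
            continue
        same_family.append(net)
        if net.prefixlen == 0:
            findings.append((raw, "any-source entry; violates least privilege"))
        elif net.prefixlen == net.max_prefixlen and net.subnet_of(vsw):
            # A pinned instance address stops matching once the instance is
            # rescheduled and draws a new IP from the vSwitch pool.
            findings.append((raw, "single instance IP; breaks after reschedule"))
    # Merge adjacent entries so that two /25 blocks count as covering a /24.
    merged = ipaddress.collapse_addresses(same_family)
    covered = any(vsw.subnet_of(n) for n in merged)
    return {"covers_vswitch": covered, "findings": findings}

if __name__ == "__main__":
    # Constructed values: an EAS vSwitch CIDR and a database whitelist.
    report = audit_whitelist("192.168.10.0/24", ["192.168.10.37", "10.0.0.0/8"])
    print("covers vSwitch:", report["covers_vswitch"])
    for entry, reason in report["findings"]:
        print("FLAG", entry, "-", reason)
```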

EAS service accesses the Internet

This scenario applies when an EAS service needs to call public APIs or download files from the Internet.

Follow these steps:

  1. Configure a VPC for the EAS service.

  2. Use the SNAT feature of an Internet NAT gateway to access the Internet:

    1. Create an Internet NAT gateway and attach an EIP: Go to the NAT Gateway console and create an Internet NAT gateway in the same region as the VPC. Then, attach an EIP to the NAT gateway. This EIP serves as the unified egress IP address for the EAS service to access the Internet.

    2. Configure an SNAT entry: In the NAT gateway, create an SNAT entry. Set SNAT Entry Granularity to VSwitch, and select the vSwitch that is configured for the EAS service. This ensures that all traffic from this vSwitch accesses the Internet through the NAT Gateway.

  3. Obtain the public IP address of the EAS service and configure a whitelist. If the target service that you want to access has IP whitelist restrictions, you must add the egress public IP address of the EAS service to its whitelist.

    Log on to the VPC console. On the NAT Gateway > Internet NAT Gateway page, find the gateway that is configured for the EAS service. The attached EIP address is displayed in the gateway details.

Recommendations for production applications

  • IP address planning: Before you associate a VPC, confirm the number of available IP addresses in the selected vSwitch. Each EAS instance, including instances that are added during scale-out and scale-in operations, occupies one IP address. An insufficient number of available IP addresses causes service creation or scale-out to fail.

  • Security group isolation: Use separate security groups for different environments, such as development, testing, and production. Follow the principle of least privilege by opening only the required ports and access sources.

  • Cost optimization:

    • Use an internal OSS endpoint: If the service needs Internet access only at startup, for example, to download a model, we recommend that you upload the resources to an OSS bucket in the same region and then access them through a VPC endpoint for OSS. This practice helps you avoid the costs that are associated with a NAT Gateway.

    • Start and stop the NAT Gateway as needed: If you no longer need Internet access after the service starts, you can pause or delete the NAT Gateway to save costs.

FAQ

Q: Why can't I access other cloud products after I configure a VPC?

Check the following items in order:

  1. Network configuration: On the EAS service details page, confirm that the service is correctly associated with the VPC and vSwitch in which the target resource is located.

  2. Security group rules: Check the security group of the target resource, such as an RDS instance. Make sure that its inbound rules grant access to the security group ID (recommended) or the vSwitch CIDR block that is used by the EAS service. For more information, see Use security groups.

  3. Whitelist configuration: If the target resource has an IP whitelist, confirm that the correct IP address of the EAS service is added to the whitelist. This is the EIP for Internet access or the vSwitch CIDR block for internal network access.

Q: How can I quickly verify if the service can access the Internet?

You can add a curl command to the Command field in the service configuration to perform a temporary test.

Note

The base image that is used for service deployment may not have curl pre-installed. If the command fails, add an installation command before the curl call.

# For Debian/Ubuntu images
apt-get update && apt-get install -y curl && curl -v https://www.aliyun.com

After you deploy the service, view the real-time log of the instance. If you see an HTTP status code, such as 200 OK, and a successful TLS handshake message, the Internet connection is active.