
Platform For AI: EAS network configuration

Last Updated: Nov 10, 2025

To let an Elastic Algorithm Service (EAS) service access the internet, communicate with resources in a VPC, or accept direct connections from Elastic Compute Service (ECS) instances without a gateway, configure a VPC for the service.

How it works

After you configure a network for an EAS service, the system automatically creates an elastic network interface (ENI) for each service instance in the specified vSwitch. This ENI uses a private IP address from the vSwitch, enabling network communication with other resources within the VPC or access to the internet through a NAT gateway in the VPC.

Billing

Configuring network settings for an EAS service is free, but the dependent cloud services are billed separately. For example, the NAT Gateway and Elastic IP Address (EIP) used for internet access are billable. For more information about billing, see Billing.

Core step: Configure a VPC for an EAS service

Configuring a VPC for an EAS service is the first step toward enabling internal network communication or internet access.

Before you begin, ensure you have an available VPC, vSwitch, and security group. To create these resources, see Create a VPC and a vSwitch and Create a security group.

Important

EAS supports VPC configuration at both the service and resource group levels. If both are configured, the service-level configuration takes precedence.

Configure at the service level

Configure in the console

When you create or update a service, configure the VPC in the Network Information section. Select a VPC, and then select the corresponding vSwitch and security group.


Configure by using the eascmd client

  1. In the service's JSON configuration file, add or modify the cloud.networking field with the VPC ID, vSwitch ID, and security group ID. Find these IDs on the VPC and vSwitch pages in the VPC console and on the Security Groups page in the ECS console.

    The following code provides a configuration example:

    {
        "metadata": {
            "name": "service_name",
            "instance": 1,
            "workspace_id": "21***"
        },
        "cloud": {
            "computing": {
                "instances": [
                    {
                        "type": "ecs.gn6e-c12g1.3xlarge"
                    }
                ]
            },
            "networking": {
                "vpc_id": "vpc-bp1uepgqtar*****",
                "vswitch_id": "vsw-bp1glkxase*****",
                "security_group_id": "sg-bp1brugkivv*****"
            }
        },
        "containers": [
            {
                "image": "eas-registry-vpc.cn-hangzhou.cr.aliyuncs.com/pai-eas/python-inference:py39-ubuntu2004",
                "script": "python app.py",
                "port": 8000
            }
        ]
    }

  2. Use the create or modify command to deploy or update the service. The following example uses the Windows 64-bit version of eascmd:

    • Create a service:

      # Replace <service.json> with the name of your JSON configuration file.
      eascmdwin64.exe create <service.json>

    • Update a service:

      # Replace <service_name> with the name of the EAS service and <service.json> with the name of your JSON configuration file.
      eascmdwin64.exe modify <service_name> -s <service.json>

Configure at the resource group level

  • Console: On the Resource Group page, select the target resource group and click Enable VPC Configuration in the Actions column.

  • eascmd client: For more information, see Configure a VPC for a resource group.

Use cases and configuration guide

Configure bidirectional connectivity within a VPC

This includes two scenarios:

  • EAS accesses internal resources: The EAS service needs to access resources such as RDS or Redis within the same VPC.

  • High-speed direct connection from a VPC: ECS instances access the EAS service directly, without a gateway.

Follow these steps to configure the connection:

  1. Configure a VPC for the EAS service. Ensure the EAS service and the target resources, such as ECS or RDS, are in the same VPC.

  2. Configure security group rules. Ensure the security group rules allow network traffic between the EAS service and the target resources.

  3. Add the internal IP address range of the EAS service to the allowlist of the target resource.

    If a target service, such as a database, uses an IP-based allowlist, add the CIDR block of the vSwitch used by the EAS service to the allowlist.

    Important

    EAS instances are dynamically scheduled. After a restart or update, a new instance might be created on a new physical node and obtain a new private IP address from the vSwitch address pool. Therefore, access control policies that rely on IP addresses should use the vSwitch CIDR block or security group ID instead of a hardcoded IP address of a single instance.

    To find the CIDR block, log in to the VPC console and find the vSwitch's IPv4 CIDR block on the VSwitches page.


Enable internet access for an EAS service

This applies when an EAS service needs to call public APIs or download files from the internet.

Follow these steps to configure access:

  1. Configure a VPC for the EAS service.

  2. Use SNAT to enable internet access:

    1. Create an Internet NAT gateway and attach an EIP: Go to the NAT Gateway console to create a public NAT gateway in your VPC's region. Bind an EIP to the NAT gateway. This EIP serves as the unified public egress IP address for the EAS service.

    2. Configure an SNAT entry: In the NAT gateway, create an SNAT entry. Set SNAT Entry Granularity to VSwitch and select the vSwitch used by the EAS service. This routes all traffic from the vSwitch to the internet through the NAT gateway.

  3. Obtain the NAT Gateway's public IP address and configure the allowlist. If the target service has an IP-based allowlist, add the public egress IP address of the NAT gateway to its allowlist.

    Log on to the VPC console. On the NAT Gateway > Internet NAT Gateway page, find the NAT gateway configured for EAS. The EIP address is available in the gateway's details.


Production considerations

  • IP address planning: Before you associate a VPC, ensure that the selected vSwitch has enough available IP addresses. Each EAS instance, including those created during scaling, occupies one IP address. Insufficient IP addresses will cause service creation or scaling to fail.

  • Security group isolation: Use separate security groups for different environments, such as development, testing, and production. Follow the principle of least privilege by opening only the required ports and access sources.

  • Cost optimization:

    • Use internal Object Storage Service (OSS) endpoints: If a service only needs internet access during startup, for example to download models, upload the resources to OSS in the same region and access them through an internal VPC endpoint. This practice avoids costs associated with a NAT gateway.

    • Manage the NAT gateway on demand: If the service no longer needs to access the internet after it starts successfully, stop or delete the NAT gateway to save costs.
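One way to review the security group attached to an EAS service against the least-privilege point above, written as an added Python example (not Alibaba Cloud code). The rule list, the `sg-EXAMPLE-clients` ID and the CIDR block are constructed, the rule key names are an assumption about how the rules were exported, and port 8000 is the container port from the configuration example on this page.

```python
import ipaddress

# Constructed sample rules; key names assumed to follow ECS DescribeSecurityGroupAttribute output.
SAMPLE_RULES = [
    {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "TCP",
     "PortRange": "8000/8000", "SourceGroupId": "sg-EXAMPLE-clients"},
    {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "TCP",
     "PortRange": "1/65535", "SourceCidrIp": "192.168.10.0/24"},
    {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "ALL",
     "PortRange": "-1/-1", "SourceCidrIp": "0.0.0.0/0"},
    {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "TCP",
     "PortRange": "22/22", "SourceCidrIp": "192.168.10.0/24"},
]

def extra_ports(port_range, required):
    """Count ports a rule opens beyond the required set ('-1/-1' means all ports)."""
    lo, hi = (int(p) for p in port_range.split("/"))
    if lo == -1:
        lo, hi = 1, 65535
    return (hi - lo + 1) - sum(1 for p in required if lo <= p <= hi)

def audit_ingress(rules, required_ports, trusted_cidrs, trusted_groups):
    """Return [(rule_index, [reasons])] for Accept rules wider than needed."""
    trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]
    findings = []
    for i, rule in enumerate(rules):
        if rule.get("Direction") != "ingress" or rule.get("Policy", "").lower() != "accept":
            continue
        reasons = []
        cidr = rule.get("SourceCidrIp")
        if cidr:
            src = ipaddress.ip_network(cidr, strict=False)
            if src.prefixlen == 0:
                reasons.append("source is any address")
            elif not any(src.version == t.version and src.subnet_of(t) for t in trusted):
                reasons.append("source outside the expected ranges")
        elif rule.get("SourceGroupId") not in trusted_groups:
            reasons.append("source group not expected")
        if rule.get("IpProtocol", "").upper() in ("TCP", "UDP", "ALL"):
            extra = extra_ports(rule.get("PortRange", "-1/-1"), required_ports)
            if extra:
                reasons.append(f"{extra} port(s) beyond {sorted(required_ports)}")
        if reasons:
            findings.append((i, reasons))
    return findings

if __name__ == "__main__":
    for idx, why in audit_ingress(SAMPLE_RULES, {8000}, ["192.168.10.0/24"], {"sg-EXAMPLE-clients"}):
        print(idx, "; ".join(why))
```

Running the same check separately against the development, testing, and production security groups shows whether a rule from one environment has leaked into another.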

FAQ

Why can't my EAS service access other cloud products like RDS after VPC configuration?

This issue is typically caused by misconfigured security group rules or IP allowlists. Follow these steps to troubleshoot:

  1. Verify network configuration: On the EAS service details page, confirm that the service is associated with the correct VPC and vSwitch where the target resource (e.g., an RDS instance) resides.

  2. Check security group rules: Inspect the inbound rules of the target resource's security group. Ensure it allows traffic from either the security group ID of the EAS service (recommended) or the vSwitch CIDR block the service uses. For more information, see Use security groups.

  3. Validate allowlist settings: If the target resource has an IP allowlist, confirm that the correct address for the EAS service is in it: the EIP for internet access, or the vSwitch CIDR block for internal network access.
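The allowlist rule from the Important note under "Configure bidirectional connectivity within a VPC" and from troubleshooting step 3 above can be checked mechanically. The following Python sketch is an added example, not Alibaba Cloud code; the function name and all sample addresses are constructed.

```python
import ipaddress

def audit_allowlist(entries, vswitch_cidr, nat_eip=None):
    """Check a target resource's IP allowlist against the EAS network settings.

    Returns (findings, covered): findings is a list of (entry, reason);
    covered says whether the vSwitch CIDR and the NAT egress EIP are allowed.
    """
    vsw = ipaddress.ip_network(vswitch_cidr)
    eip = ipaddress.ip_address(nat_eip) if nat_eip else None
    findings = []
    covered = {"vswitch": False, "nat_eip": None if eip is None else False}
    for raw in entries:
        try:
            net = ipaddress.ip_network(raw.strip(), strict=False)
        except ValueError:
            findings.append((raw, "not a valid IP address or CIDR block"))
            continue
        if net.version != vsw.version:
            continue  # this sketch only compares entries in the vSwitch's address family
        if net.prefixlen == 0:
            findings.append((raw, "open to every address"))
        elif vsw.subnet_of(net) and net != vsw:
            findings.append((raw, "broader than the vSwitch CIDR block"))
        elif net.subnet_of(vsw) and net != vsw:
            findings.append((raw, "covers only part of the vSwitch pool; "
                                  "a rescheduled instance can fall outside it"))
        covered["vswitch"] = covered["vswitch"] or vsw.subnet_of(net)
        if eip is not None and eip in net:
            covered["nat_eip"] = True
    return findings, covered

# Constructed sample values (private and documentation ranges, not from the page).
SAMPLE_VSWITCH = "192.168.10.0/24"
SAMPLE_EIP = "203.0.113.10"
SAMPLE_ALLOWLIST = ["192.168.10.37", "203.0.113.10", "10.0.0.300"]

if __name__ == "__main__":
    findings, covered = audit_allowlist(SAMPLE_ALLOWLIST, SAMPLE_VSWITCH, SAMPLE_EIP)
    for entry, reason in findings:
        print(f"{entry}: {reason}")
    print(covered)
```

In the sample, the single instance address is reported and `covered["vswitch"]` stays false, which is the situation that breaks access after an instance restart.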

How can I quickly test if my EAS service has internet access?

You can add a curl command to the service's startup command for a quick test. In your service configuration, add the following to the Command field:

Note

The base image for your service may not have curl pre-installed. The following command installs it before running the test.

# For Debian/Ubuntu images
apt-get update && apt-get install -y curl && curl -v https://www.aliyun.com

After deploying the service, check the instance's real-time logs. A successful connection is indicated by an HTTP status code like 200 OK and details of a successful TLS handshake.