All Products
Search

This Product

    Platform For AI:Access services in instances over the Internet

    Document Center

    Platform For AI:Access services in instances over the Internet

    Last Updated:Nov 13, 2025

    When you deploy web services (such as model APIs or WebUIs) in a Data Science Workshop (DSW) instance and want to access them directly in a browser, share them with collaborators without login, or need to call them from external networks, DSW provides the custom service feature, that allows Internet access to your services. Note: This feature is mainly intended for development and testing.

    Important notes

    • Additional fees: Internet access requires NAT Gateway and Elastic IP Address (EIP). These are separate services and can cause extra fees.

    • Supported instance types: Supports instances using public resource groups (with instance types not starting with ecs.ebm) and Lingjun instances. Each instance can have up to 5 custom services.

    • Service interruption when DSW stops: When a DSW instance is stopped, its internal services (and Internet access capabilities) will become unavailable.

    • EAS recommended for production: For stable, highly available services with elastic scaling support in production environments, deploy your models to Elastic Algorithm Service (EAS).

    How it works

    To make services inside a DSW instance (such as an API running on port 9000) accessible from the Internet, the following resources are required:

    1. Elastic IP Address (EIP): Provides a fixed public IP address (121.40.**.**). This is the endpoint for Internet access.

    2. NAT Gateway: Resides within your VPC, it maps Internet requests (EIP:port) to the DSW instance (private IP:port).

    3. Security group: Acts as a firewall for the DSW instance. You must explicitly add rules to allow Internet traffic to access specific ports your service is listening on (such as 9000). This is a key step for successful access.

    Core flow: Internet user (browser/tool) -> EIP:port -> NAT Gateway -> vSwitch -> Security group rule check -> DSW instance private IP:port -> Your service

    Billing information

    • NAT Gateway and EIP start billing from creation.

    • Even if the DSW instance is stopped, as long as the NAT Gateway and EIP are not deleted, they will continue to generate fees.

    • The DSW instance itself is billed based on its status (pay-as-you-go instances are not billed when stopped).

    How to configure Internet access

    Configure Internet access when creating a DSW instance

    1. Create a DSW instance and configure the following key network parameters.

      • In the Network Information section, select your VPC and security group.

      • Find Custom Services, click Add, enter the actual Port number that the service is listening on (such as 9000), select Access over Internet, and then select your NAT Gateway and EIP.

        image

    2. Configure inbound rules for the listening port in the selected security group. Key parameters are as follows. For more information, see Add a security group rule.

      • Action: Allow

      • Protocol Type: Select based on your service (such as TCP)

      • Port Range: Enter the listening port you configured (such as 9000/9000)

      • Authorization Object: 0.0.0.0/0 (allows access from all Internet IPs, for testing) or restrict IPs as needed. For production environments, we recommend strictly limiting source IPs.

        image

    Configure Internet access for existing DSW instances

    For existing DSW instances, you can modify Internet access configurations using the following two methods.

    Note: If you need to add or change VPC, NAT Gateway, or other components, you still need to use Change Settings and restart the instance.

    image

    Configure on the instance details page

    On the DSW instance list page, click the instance name to enter the details page and modify the Internet access configuration.

    image

    image

    Configure within the DSW instance

    In the DSW development environment, click Configuration at the top of the page to modify custom services.

    image

    image

    image

    Test connectivity

    1. In the DSW Terminal, run the following commands to start Python's built-in HTTP server.

      # Create an HTML file with test content
echo 'Hello, World!' > index.html

# Start Python's built-in HTTP server (listening on port 9000)
python -m http.server 9000 --bind 0.0.0.0

    2. On the instance details page, view the Access Configuration to get the access address.

      image

      For Internet access, copy the public access address 121.40.**.**:9000 and access it in a browser. When Hello, World! is returned, the service access configuration is successful.

    Recommendations for production

    • For development and testing only: The DSW Internet access feature is designed for temporary testing and collaborative debugging.

    • Deploy to EAS for production: For officially released inference services, deploy to PAI-EAS. EAS provides:

      • High availability and load balancing.

      • Automatic elastic scaling to handle traffic fluctuations.

      • Comprehensive alert monitoring, version management, and canary release.

      • More optimized Internet access integration and billing methods. For more information, see Deploy a model as an online service.

    • Cost savings:

      • After stopping a DSW instance: The DSW instance itself (pay-as-you-go) stops billing. However, billing of NAT Gateway and EIP will continue as long as they exist.

      • When Internet access is no longer needed: If you determine you no longer need it, be sure to delete the NAT Gateway and EIP to stop related charges. You can do this in the VPC console and EIP console.

    FAQ

    Q: Internet access is configured, but browser access/external connection fails (Cannot reach the site/Connection refused/Timeout)?

    • Step 1: Check security group rules (most common cause)

      • Confirm that the security group has added inbound rules.

      • Check if the rule Port Range includes your configured port (such as 9000)

      • Check if the rule Authorization Object includes your public IP or 0.0.0.0/0

      • Check if the rule Protocol Type (TCP/UDP) is correct

    • Step 2: Confirm the service is running and listening on the correct port

      • In the DSW instance Terminal, use netstat -tunlp | grep <port number> (such as netstat -tunlp | grep 9000) to check if the port is being listened to.

      • Ensure your application service process has started and is listening on the configured port.

    • Step 3: Check NAT Gateway and EIP status

      • In the VPC console, confirm the NAT Gateway status is Running.

      • In the EIP console, confirm the associated EIP status is Allocated and not in arrears.

    • Step 4: Local testing: Inside the DSW instance, try using curl http://localhost:<port number> or curl http://<instance private IP>:<port number> to see if the service responds.

    • Step 5: Use network diagnostic tools:

      • Alibaba Cloud VPC provides Network Intelligence Service to help troubleshoot path issues (requires activation).

      • Use telnet <EIP> <port> inside the DSW instance to test port connectivity (requires installing telnet first).

    • Will Internet access configuration still incur charges after stopping DSW?

      • Yes, after a DSW instance is stopped, the instance itself (pay-as-you-go) stops billing. However, the associated NAT Gateway and EIP resources will continue to be billed independently as long as they are not deleted. Be sure to manually delete them to save costs.

    • Can one EIP map multiple ports?

      • Yes. Multiple service ports configured on the same DSW instance (up to 5) can all be mapped through the same EIP and NAT Gateway. Access using EIP:different ports.