Remote connection: Direct SSH connection - Platform For AI

A direct SSH connection provides a stable and fast way to connect to your Data Science Workshop (DSW) instance from a local terminal or Visual Studio Code (VSCode).

Scope

Supported instance types:
- Pay-as-you-go DSW instances created in the Public Resource Group. The instance specification cannot start with ecs.ebm.
- DSW instances created using a Lingjun resource.
Public connection limit:
When you connect to a DSW instance from the public internet, Platform for AI (PAI) automatically configures DNAT rules for each Internet NAT Gateway. You do not need to configure them manually.
Each Internet NAT Gateway supports up to 100 DNAT rules, allowing for up to 100 concurrent DSW instance connections. For more information about quotas, see Quotas.

Billing

To connect to a DSW instance from the public internet, configure an NAT Gateway and an Elastic IP Address (EIP). The Internet NAT Gateway and EIP are cloud products that are billed separately and will continue to incur charges even when the DSW instance is stopped. To avoid unnecessary charges, delete these resources promptly when you no longer need them.

Procedure

Step 1: Enable internal DNS resolution

Enable internal DNS resolution. DSW instances are typically deployed in a Virtual Private Cloud (VPC) environment, where services rely on internal domain names for efficient and secure communication. When you connect to a DSW instance via SSH, the Internal DNS Resolution service resolves the domain name to the instance's internal IP address. This resolution is essential for a successful connection.

Step 2: Generate an SSH public key

Run the following command on your client machine to generate a public key. You will be prompted to set a passphrase for logging into the DSW instance. If you plan to use the remote_ikernel tool to connect to the instance (as shown in the use case in this article), do not set a passphrase. Instead, press Enter to proceed.

(Recommended) Generate the key pair in the default directory:
```
ssh-keygen
```
This command generates a public key (id_rsa.pub) and a private key (id_rsa) in the following default directories. If an SSH key pair already exists in the location, the files will be overwritten. The default paths for different operating systems are:
- Windows: C:\Users\<username>\.ssh
- Linux: /root/.ssh for the root user, or /home/<username>/.ssh for a regular user.
- macOS: /Users/<username>/.ssh

Generate the key pair in a custom directory:

ssh-keygen -f /your/path/example_rsa # This generates example_rsa.pub and example_rsa in /your/path

Step 3: Configure SSH parameters for the DSW instance

When you create a DSW instance, configure the following network-related parameters.

For an existing instance, click Change Configuration, modify the parameters, and then click OK.

Configure the VPC, vSwitch, and Security Group

If you create a DSW instance using the Public Resource Group, you need to configure a Virtual Private Cloud (VPC), a vSwitch, and a Security Group. Follow these steps to create them. For more information, see Create a VPC and a vSwitch and Manage security groups.

Create a VPC, vSwitch, and security group

On the DSW configuration page, click Create VPC.
Configure the VPC Name, IPv4 CIDR Block, and vSwitch information. You can keep the default values for other parameters. Then, click OK to create the VPC and vSwitch.
Return to the DSW configuration page, and for VPC Configuration, select the VPC that you just created.
Click Create Security Group. You can keep the default parameter values and then click Create. Return to the DSW configuration page and select the security group you just created for the Security Group setting.
Ensure that the security group allows inbound access on port 22.

Configure SSH-related parameters

Enable SSH: Turn on this switch.
SSH Public Key: Copy the content of the id_rsa.pub public key file generated in Step 2 into this text box.
If you need to support both login from within the VPC and from the public internet, you must add the public keys of multiple clients. Add each key on a new line. You can add up to 10 public keys.
Custom Service: After you turn on the Enable SSH switch, a Custom Service named SSH appears.
- Listener Port: The port that the service in the DSW instance listens on. The default is 22.
- Service Access Method:
  - Access Within VPC: This method is enabled by default. You can access the service in the DSW instance from other terminals within the VPC, such as an ECS Instance.
  - Public Access: Select this option to add public access. You must also configure an Internet NAT Gateway and an Elastic IP Address.
- Public Access Port: The port that allows access from the public internet, which corresponds to the -p parameter in the SSH command. For example: 1024.
NAT Gateway: This parameter is required for public access. Select an Internet NAT gateway created for the current VPC.
Elastic IP Address: This parameter is required for public access. Select an elastic IP address (EIP) created for the current NAT Gateway.

Refer to the following to create an Internet NAT Gateway and an EIP:

Create an Internet NAT Gateway and an Elastic IP Address

Click Create NAT Gateway.
On the NAT Gateway creation page, configure the parameters as needed or use the default values. Then, click Create Elastic IP Address.
On the EIP creation page, configure the parameters as needed or use the default values, then click Buy Now.
Return to the NAT Gateway creation page. For Elastic IP Address Instance, select the instance you just created, and then click Purchase Now to create the Internet NAT Gateway.

Step 4: Install the SSH server

If your DSW instance uses an Official Pre-installed Image or a Custom Image based on an official one, the SSH server is already installed by default, and you can skip this step. Otherwise, you must manually install the SSH server.

Open the DSW instance.
In the DSW Terminal, run the following commands.
```
sudo apt-get update
sudo apt-get install openssh-server
sudo service ssh start
```
If the command fails and returns sudo: command not found, try running apt-get install sudo and then run the above commands again.
Run the following command to check the status of the SSH server.
```
service ssh status
```

Step 5: Connect to the DSW instance remotely

View the access endpoints.
On the DSW page, click the instance name to go to the instance details page. On the Instance Configuration tab, in the Access Configuration section, view the Public Endpoint and VPC Endpoint.
Note
If you did not select Public Access in the SSH configuration, only the VPC Endpoint is displayed.
Connect to the DSW instance.
Connect using SSH
- Public network access
  In your local command line or another terminal, use the public endpoint from Step 1 to connect to the DSW instance.
```
ssh root@xx.xx.xx.xx -p 1024 
# If the private key is not in the default path, specify its location
ssh -i /your/path/example_rsa root@xx.xx.xx.xx -p 1024 
```
  Important
  The value of the -p parameter, 1024, is the public access port configured for SSH.
- VPC access
  From another terminal within the VPC (such as an ECS Instance), use the VPC Endpoint from Step 1 to connect to the DSW instance.
```
ssh root@dsw-notebook-xxxx.dsw-xxxx.dsw.pai.alibaba.com -p 22
# If the private key is not in the default path, specify its location
ssh -i /your/path/example_rsa root@dsw-notebook-xxxx.dsw-xxxx.dsw.pai.alibaba.com -p 22
```
Connect using a local VSCode
1. Open VSCode and install the Remote - SSH Extension from the Extensions marketplace.
2. Click the icon in the bottom-left corner , opening the Remote-SSH pop-up. Select Connect to Host... > Add New SSH Host....
3. Enter the SSH connection command.
```
ssh root@xx.xx.xx.xx -p 1024 
# If the private key is not in the default path, specify its location
ssh -i /your/path/example_rsa root@xx.xx.xx.xx -p 1024 
```
4. Click Connect in the bottom-right corner. The bottom-left corner will show that the connection is successful.
5. Open a directory in the DSW instance to start remote development and debugging.
6. During runtime, you can connect to the kernel in the DSW instance.

Use case: Run local notebook code on a DSW instance

Prerequisites

You have completed the SSH direct connection configuration from Step 1 to Step 4 of this article, and you did not set a passphrase when generating the SSH public key.

Steps

In your local terminal, install the remote_ikernel tool, perform initial configuration, and add a remote kernel.

pip install remote_ikernel

remote_ikernel manage --add \
--kernel_cmd="ipython kernel -f {connection_file}" \  # No modification needed
--name="Remote Python" \
--interface=ssh \
--host=root@*.*.*.*:1024  # Change this to your host address. If the private key is not in the default path, set it to --host="-i /your/path/example_rsa root@*.*.*.*:1024"

If the following output is displayed, the remote kernel was added successfully.

Added kernel ['rik_ssh_root_121_40_*_*_1024_remotepython']: SSH root@121.40.*.*:1024 Remote Python.

To view the remote kernel configuration, run the following command.

remote_ikernel manage --show

In your local VSCode, open a notebook file. Click the kernel selection in the top-right corner, and you can find and select "Remote Python" in the search box.

FAQ

Q: What's the difference between a direct SSH connection and the ProxyClient agent for connecting to a DSW instance?

	Option A: Direct SSH connection (Recommended)	Option B: ProxyClient proxy
Features	Requires configuration of network components like VPC and NAT Gateway. The connection is faster and more stable.	No additional network components are needed. However, the connection may be slower and less stable.
Supported instances	Pay-as-you-go DSW instances created in the Public Resource Group. The instance specification cannot start with `ecs.ebm`. DSW instances created using a Lingjun resource.	All instance types.
Authentication method	Uses an SSH public or private key for authentication.	First, authenticate using ProxyClient by providing your Alibaba Cloud AccessKey and other information. Then, authenticate using an SSH public or private key.
Access path	Access via the public internet (requires configuring an Internet NAT Gateway and an EIP). Access via the internal network within the user's VPC.	Access via the public internet.
Configuration method	Remote connection: Connect directly using SSH	Remote connection: ProxyClient method
How it works	PAI automatically creates a DNAT rule on the NAT Gateway to forward public SSH requests to your DSW instance.	PAI's proxy server relays all traffic.
Billing reminder	When public access is required, the Internet NAT Gateway and EIP incur charges continuously, even when the DSW instance is stopped. If you no longer need them, delete them promptly.	This configuration does not generate additional costs.

Q: Can I connect to a DSW instance from a local IDE like PyCharm using SSH?

Yes, any IDE that uses the native SSH protocol is supported. However, be aware that IDEs like PyCharm may automatically download and install server-side components onto the DSW instance. For this to work, you must ensure your DSW instance has public internet access.

Q: How can I troubleshoot SSH connection failures, timeouts, or key rejections when connecting to a DSW instance?

SSH connection issues are typically caused by misconfigurations in your network, authentication, or server-side setup. Follow these steps to diagnose the problem.

Why is my SSH connection to the DSW instance's public IP failing or timing out?
- Verify VPC Connectivity: First, try connecting to the instance using its VPC address from within the same VPC. If this also fails, troubleshoot the VPC connection first (see next point).
- Check NAT Gateway Routing: If the VPC connection works but the public one fails, the issue is likely with your NAT Gateway setup.
  - Multiple NAT Gateways: If you have more than one Internet NAT Gateway in your VPC, ensure your DSW instance's vSwitch is correctly routed to the NAT Gateway you configured for SSH. Refer to Deployment solutions for multiple Internet NAT gateways in the same VPC for correct routing table configuration.
  - Single NAT Gateway: Use the Self-service Troubleshooting. Enter your local public IP, the DSW instance's EIP, and the public port to analyze reachability.
Why is my SSH connection to the DSW instance's VPC address failing?
- Check SSH Server Status: If you are using a custom image, confirm that an SSH server (like openssh-server) is installed, running, and enabled. For more information, see Step 4: Install the SSH server.
- Check Security Group Rules: Ensure the security group attached to your instance allows inbound traffic on TCP port 22 from your source IP.
- If these steps don't resolve the issue, please contact your business manager for further assistance.
Connection timed out or unreachable:
- Direct SSH (Internet): Check the Internet NAT gateway and security group rules configured for the DSW instance. Ensure that the correct port is open to the internet.
- Direct SSH (VPC): If you are connecting from an ECS instance within the same VPC, check the security group rules to ensure that traffic is allowed between the instances. You can also try enabling the private DNS resolution service for the VPC.
Why am I getting a "Permission denied" or "Server refused our key" error?
- Verify Public Key: Ensure the public key (.pub file content) was copied completely and correctly into the DSW instance's SSH configuration.
- Verify Private Key: Make sure your SSH command is using the correct corresponding private key. If your private key is not in the default location (~/.ssh/id_rsa), you must explicitly specify its path using the -i flag: ssh -i /path/to/your/private_key root@....
How do I fix SSH connection failures from VS Code?
- Check Extension: Confirm the Remote - SSH extension is installed and enabled in VS Code.
- Verify Command: When adding a new host, ensure the full SSH command is correct, including the user, host, and custom port (e.g., ssh root@xx.xx.xx.xx -p 1024).
- Diagnose in Terminal: If VS Code fails, try running the exact same SSH command directly in your local terminal. The error messages from the terminal will provide more specific details to help diagnose the issue.

Q: How can I find the public IP address for my DSW instance's SSH connection?

If you have configured public access using an Internet NAT Gateway, the public IP is the Elastic IP Address (EIP) associated with that gateway. Here's how to find it:

View the public IP address

On the DSW instance list page, click the instance name to go to its configuration page.
In the Network Information section, click the link next to Elastic IP Address. You will be redirected to the EIP console, where the IP address is displayed.

Q: Is it possible to create multiple users for separate SSH logins on a DSW instance?

No, DSW does not natively support multiple, isolated user accounts for SSH. By default, all SSH connections use the root user. While it is technically possible to create new users manually within the instance's operating system, this is not an officially supported practice and may lead to unexpected behavior.

Q: After connecting to my DSW instance with VS Code, why can't I see my project files in `/mnt/workspace`?

This happens because your IDE opens the user's home directory (/root) by default after an SSH login. Your project files are typically located on a separate, mounted data disk. In your IDE (like VS Code or PyCharm), use the File > Open Folder... menu to navigate to and open the correct working directory, such as /mnt/workspace, on the remote server. Your project files will then appear in the file explorer.

References

If you prefer not to configure additional network components, or if this direct connection method is unsuitable for your use case, consider using the ProxyClient method.