Configuring the Standard Dedicated Resource Pool to Access the Internet

Scenario

When you use a dedicated resource pool to create a job, for example, a training job, if the dedicated resource pool needs to access the Internet during job runtime, interconnect with VPC for VPC peering connection between the dedicated resource pool and the ECS bound with an EIP. Then, configure a public network NAT gateway for the ECS. In this way, the dedicated resource pool can access the Internet directly.

Billing

When configuring the public network of a standard resource pool, you need to purchase EIPs and public NAT gateways. EIPs are billed by bandwidth and reserved EIP fee. For details, see EIP Pricing Details. NAT gateways are billed based on the gateway type, specifications, and running duration. For details, see NAT Gateway Pricing Details.

Prerequisites

• You have obtained the ECS where the SNAT function is to be deployed.
• The ECS where the SNAT function is to be deployed runs the Linux OS.
• The ECS where the SNAT function is to be deployed has only one network interface card (NIC) configured.

Step 1: Interconnecting with the VPC

To interconnect with multiple VPCs is to establish network links between them or between a VPC and another network environment. This enables resource sharing and secure communication between VPCs.

With VPC interconnection, you can access resources across VPCs, share resources efficiently, improve data transfer speed, and maintain continuous services.

By interconnecting with VPCs, dedicated resource pools can communicate with ECSs that have EIPs bound.

1. Log in to the ModelArts console. In the navigation pane on the left, choose Network under Resource Management.
2. Click Interconnect VPC in the Operation column of the target network.
   Figure 1 Interconnect VPC
   

3. In the displayed dialog box, click the button on the right of Interconnect VPC, and select an available VPC and subnet from the drop-down lists.
   The peer network to be interconnected cannot overlap with the current CIDR block.

   Figure 2 Parameters for interconnecting a VPC with a network
   

   • If no VPC is available, click Create VPC on the right to create a VPC.
   • If no subnet is available, click Create Subnet on the right to create a subnet.
   • A VPC can interconnect with at most 10 subnets. To add a subnet, click the plus sign (+).
   • To enable a dedicated resource pool to access the public network through a VPC, create a SNAT in the VPC, as the public network address is unknown. After the VPC is interconnected, by default, the public address cannot be forwarded to the SNAT of your VPC. Submit a service ticket and contact technical support to add a default route. Then, when you interconnect with a VPC, ModelArts 0.0.0.0/0 is used as the default route. In this case, you do not need to submit a service ticket. Add the default route for network configuration.

Step 2: Configuring a Public SNAT Gateway

Bind an EIP to an ECS, configure a public network NAT gateway on the ECS that has been bound to an EIP, and use the SNAT rule of the public network NAT gateway to access the Internet.

Configure and verify SNAT by referring to Using a Public NAT Gateway to Enable Servers to Share One or More EIPs to Access the Internet.

1. Buy an EIP.
   1. Go to the Buy EIP page.
   2. On the Buy EIP page, set the EIP name to EIP-A.

      Configure other EIP parameters as required. For details, see Assigning an EIP.

   3. Configure the parameters and click Next.

      Return to the EIP list to view EIP-A you have assigned.

2. Buy a public NAT gateway.
   1. Go to the Buy Public NAT Gateway page.
   2. On the Buy Public NAT Gateway page, configure required parameters.

      Table 1 Parameters for configuring a public NAT gateway

      Parameter	Example	Description
      Region	CN North-Beijing4	The region where the public NAT gateway is located.
      Billing Mode	Pay-per-use	The billing mode of the public NAT gateway.
      Specifications	Small	The specifications of the public NAT gateway. The value can be Extra-large, Large, Medium, or Small. For details about specifications, click Learn more on the page.
      Name	public-nat-01	Name of the public NAT gateway. Enter up to 64 characters. Only letters, digits, underscores (_), hyphens (-), and periods (.) are allowed.
      VPC	VPC-A	The VPC that the public NAT gateway belongs to. The selected VPC cannot be changed after the public NAT gateway is purchased. NOTE: To allow traffic to pass through the public NAT gateway, a route to the public NAT gateway in the VPC is required. When you buy a public NAT gateway, a default route 0.0.0.0/0 to the public NAT gateway is automatically added to the default route table of the VPC. If the default route 0.0.0.0/0 already exists in the default route table of the VPC before you buy the public NAT gateway, the default route that points to the public NAT gateway will fail to be added automatically. In this case, perform the following operations after the public NAT gateway is bought: Manually add a different route that points to the gateway or create a default route 0.0.0.0/0 pointing to the gateway in the new routing table.
      Subnet	Subnet-A01	The subnet that the public NAT gateway belongs to. The subnet must have at least one available IP address. The selected subnet cannot be changed after the public NAT gateway is purchased. The NAT gateway will be deployed in the selected subnet. The NAT gateway works for the entire VPC where it is deployed. To enable communications over the Internet, add SNAT or DNAT rules.
      (Optional) Advanced Settings	-	Click the drop-down arrow to configure advanced parameters of the public NAT gateway.
      SNAT Connection TCP Timeout (s)	900	The timeout period of a TCP connection established using the SNAT rule. If no data is exchanged within this period, the TCP connection will be closed. Value range: 40 to 7200
      SNAT Connection UDP Timeout (s)	300	The timeout period of a UDP connection established using the SNAT rule. If no data is exchanged within this period, the UDP connection will be closed. Value range: 40 to 7200
      SNAT Connection ICMP Timeout (s)	10	The timeout period of an ICMP connection established using the SNAT rule. If no data is exchanged within this period, the ICMP connection will be closed. Value range: 10 to 7200
      TCP TIME_WAIT (s)	5	How long the side that actively closed the TCP connection is in the TIME_WAIT state. Value range: 0 to 1800
      Description	Not required	Supplementary information about the public NAT gateway. Enter up to 255 characters. Angle brackets (<>) are not allowed.
      Tag	Not required	The identifier of the public NAT gateway. A tag is a key-value pair. You can add up to 20 tags to each NAT gateway.

   3. Click Next. On the displayed page, confirm the public NAT gateway specifications.
   4. If you do not need to modify the information, click Submit.

      On the Public NAT Gateways page, you can view the created public NAT gateway in the list.

3. Add an SNAT rule.
   1. On the displayed page, click the name of the public NAT gateway on which you need to add an SNAT rule.
   2. In the SNAT Rules tab, click Add SNAT Rule.
   3. Configure the required parameters. Table 2 describes the parameters.

      Table 2 SNAT parameters

      Parameter	Example	Description
      Scenario	Direct Connect/Cloud Connect	If SNAT is used to access the Internet, select Direct Connect or Cloud Connect. The value indicates that the server in the local data center of Direct Connect or VPN uses the SNAT rule to access the Internet.
      CIDR Block	Existing	On-premises servers whose IP address in this CIDR block can access the Internet through the SNAT rule. Set this parameter to the default ModelArts dedicated resource pool CIDR block 192.168.20.0/24. Select a CIDR block from the drop-down list.
      Public IP Address Type	EIP	Used to access the Internet.
      Monitor	-	Monitoring of the number of SNAT connections. You can set alarm rules to monitor your SNAT connections and keep informed of any changes in a timely manner.
      Description	Not required	Supplementary information about the SNAT rule. Enter up to 255 characters. Angle brackets (<>) are not allowed.

   4. Click OK.
4. In the SNAT Rules tab, view details of the SNAT rule.
   If Status of the SNAT rule is Running, the SNAT rule has been created.

   Figure 3 Verifying that the SNAT rule has been added
   

Step 3: Adding Routes for VPC Peering Connection

After VPC is interconnected, jobs in the dedicated resource pool cannot be forwarded to the SNAT of the user VPC by default. You need to add a default route for the VPC peering connection on ModelArts.

If the default route is not enabled in Step 1: Interconnecting with the VPC, submit a service ticket to contact technical support to add a default route for VPC peering connection.

If the default route is enabled in Step 1: Interconnecting with the VPC, when you interconnect with a VPC, ModelArts 0.0.0.0/0 is used as the default route. In this case, you do not need to submit a service ticket. Add the default route for network configuration.

(Optional) Checking the Number of Available IP Addresses

Log in to the ModelArts console. In the navigation pane on the left, choose Network. Then, locate the target network and choose More > View Available IP Addresses in the Operation column.

Figure 4 Viewing available IP addresses

On the resource pool details page, you can view the number of available IP addresses bound to the network.

Figure 5 Viewing available IP addresses

FAQ

How Do I Add a VPC Peering Connection Between a Dedicated Resource Pool and an SFS in ModelArts?

Interconnect a VPC with a ModelArts resource pool so that the resource pool and SFS share the same VPC. When you create a training job, the SFS option will be available.

For details about how to interconnect with a VPC, see Interconnecting a VPC with a ModelArts Network.