After you create a Ray application, it cannot be accessed from external sources or the public network by default. This can lead to issues such as connection failures or the inability to call external APIs when you develop and run your Ray application. This document guides you through the basic configuration of a Ray application, including how to set security configurations, obtain connection addresses and application parameters, and enable public network access to use your Ray application securely and efficiently.
Security configuration
For security purposes, new Ray applications block access from all external IP addresses by default. You can configure an IP whitelist or an ECS security group to grant your development environment or application server access to the Ray application.
The application whitelist and the cluster whitelist are independent. Configure them separately.
Before you begin, go to the management page for the Ray application:
Log on to the PolarDB console. On the cluster details page, in the navigation pane on the left, click .
On the AI Applications page, click your Application ID to go to the application details page. Configure the settings on the Whitelist tab.
IP Whitelists
You can use an IP whitelist to access the Ray application from a fixed public IP address or a specific IP address in a VPC. Examples of fixed public IP addresses include the IP address of a local development machine or an office egress IP.
If an ECS instance needs to access the application, find its IP address on the Instance Details page of the ECS console and add the IP address to the IP whitelist.
If the ECS instance and the application are in the same VPC, add the private IP address of the ECS instance or its VPC CIDR block.
If your ECS instance and application are not in the same VPC, you can enter the public IP address of the ECS instance or add a rule to its security group.
If a local server, computer, or other cloud server needs to access the application, add its public IP address to the IP whitelist.
Steps
Click Add Whitelist, or click Configure for an existing IP whitelist group. The following rules apply:
Group name requirements: The name must be 2 to 120 characters in length. It can contain only lowercase letters, digits, and underscores (_). It must start with a letter and end with a letter or a digit.
IP format: You can enter a single IP address, such as 192.168.0.1, or an IP segment in CIDR format, such as 192.168.0.0/24. Use a comma (,) to separate multiple IP addresses or segments. For example: 192.168.0.1,192.168.0.0/24.
Default rule: The application includes a default group named default. The IP address in this group is set to 127.0.0.1, which allows only local access and blocks all external access.
High-risk setting: Setting the IP address to 0.0.0.0/0 allows any IP address to access your cluster. This creates a security risk. Use this setting with caution and only for testing or in special scenarios.
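The group-name and IP-format rules above can be checked before a whitelist is submitted. The following is an added example, not part of the original page or of any PolarDB tooling; the function name check_whitelist_group and the sample values are hypothetical, and accepting only IPv4 entries is an assumption based on the page's examples.

```python
import ipaddress
import re

# Group-name rule from the page: 2-120 characters, lowercase letters, digits
# and underscores only, starts with a letter, ends with a letter or a digit.
GROUP_NAME_RE = re.compile(r"[a-z][a-z0-9_]{0,118}[a-z0-9]")


def check_whitelist_group(name, ip_list):
    """Return (errors, warnings) for one whitelist group definition."""
    errors, warnings = [], []
    if not GROUP_NAME_RE.fullmatch(name):
        errors.append(f"invalid group name: {name!r}")

    # Entries are separated by commas, as the page specifies.
    for entry in (e.strip() for e in ip_list.split(",")):
        try:
            # strict=False normalises host bits, so '10.1.2.3/0' is still
            # recognised as 0.0.0.0/0. IPv4-only is an assumption.
            net = ipaddress.IPv4Network(entry, strict=False)
        except ValueError:
            errors.append(f"not an IP address or CIDR block: {entry!r}")
            continue
        if net.prefixlen == 0:
            # The page's high-risk setting: every source address is allowed.
            warnings.append(f"{entry} is 0.0.0.0/0: any IP address can connect")
        elif net.is_loopback:
            # The page's default rule: only local access is possible.
            warnings.append(f"{entry} is loopback: only local access is allowed")
    return errors, warnings


if __name__ == "__main__":
    # Constructed sample groups, not taken from a real application.
    samples = {
        "office_egress": "192.168.0.1,192.168.0.0/24",
        "default": "127.0.0.1",
        "Test_": "10.1.2.3/0,300.1.1.1",
    }
    for group, ips in samples.items():
        print(group, check_whitelist_group(group, ips))
```

Run it against every group in a change request and treat any warning about 0.0.0.0/0 as requiring explicit sign-off.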
Security Groups
You can use ECS security groups to grant access to all ECS instances within the same security group. This method is recommended for Auto Scaling groups because their IP addresses may change dynamically. This method simplifies centralized management and dynamic authorization for access to the Ray application.
For more information about ECS security groups and how to configure them, see ECS Security Groups.
You can also add the IP addresses of ECS instances to the IP Whitelists. ECS instances specified in the IP list or included in the security groups can access the Ray application.
Procedure
Click Select Security Groups to associate the required ECS security group with the Ray application.
Get Ray application endpoints
By default, a new Ray application has a VPC private endpoint for secure and efficient communication between cloud resources. To debug code in a local environment or connect with external tools, you can request a public endpoint to allow access from the public network to the Ray application.
Procedure
Log on to the PolarDB console. On the cluster details page, in the navigation pane on the left, click .
On the AI Applications page, click your Application ID to go to the application details page. On the Basic Information tab, find the Application Connection section in the Topology area. View the Public Endpoint or Private Endpoint.
The Public Endpoint must be requested separately. Click the Request button to obtain one.
The Public Endpoint provides only an IP address and a port. It does not provide a domain name. If you need a domain name, you can associate one with the endpoint.
Application endpoint descriptions
Dashboard: The endpoint for the Ray Dashboard.
Jupyter (Notebook): The endpoint for the Ray Notebook. For more information, see Ray Notebook User Guide.
Get Ray application configuration information
A Ray application's configuration information includes the logon username and password for the Dashboard and the logon password for Jupyter Notebook. You can view and modify these settings on the Configure page as needed.
Steps
Log on to the PolarDB console. On the cluster details page, in the navigation pane on the left, click .
On the AI Applications page, click your Application ID to go to the application details page. Configure the settings on the Configure tab.
(Optional) To modify parameter values, click the Modify button in the upper-left corner.
Modifying some parameters automatically restarts the Ray application. Perform this operation during off-peak hours.
Parameter descriptions
| Parameter name | Parameter description |
| | The logon username for the Ray Dashboard. |
| | The logon password for the Ray Dashboard. |
| | The token used to log on to Jupyter Notebook and make API calls. |
| | Controls whether JSON Web Token (JWT) authentication is enabled when you submit a job to the Ray application. |
| | The key to access the Ray application. |
| | The anonymous key to access the Ray application. |
Enable public network access
By default, a Ray application cannot access external networks. To enable this access, you must configure a NAT Gateway for the VPC where the Ray application's cluster is located.
Configuration Steps
Create an Internet NAT gateway: Go to the NAT Gateway - Internet NAT Gateway purchase page to create a gateway. During creation, ensure that you select the same VPC and vSwitch as your PolarDB for PostgreSQL cluster.
Configure an SNAT entry: Go to the Internet NAT Gateway page. In the Actions column for the target gateway, click Configure SNAT, and then click Create SNAT Entry. Configure the parameters as follows:
Set SNAT Entry Granularity to VPC Granularity.
Select Elastic IP Address: From the drop-down list, select the elastic IP address (EIP) to use for public network access.
Enabling public network access incurs costs for the Internet NAT gateway and for data transfer. For more information about billing, see NAT Gateway billing.