Enable HTTPS for a PAI-EAS dedicated gateway

You can bind a custom domain name to a dedicated gateway in Elastic Algorithm Service (EAS) and deploy an SSL Certificate to PAI-EAS using Digital Certificate Manager. This enables HTTPS encryption to secure your data in transit.

Business scenario

By default, a PAI-EAS model service provides an Alibaba Cloud public endpoint. In a production environment, you can use a custom domain name, such as api.your-company.com, to provide services and enable HTTPS encryption. This protects the privacy and integrity of data in transit.

Applicability

  • A fully managed dedicated gateway has been created in PAI-EAS and its status is Running. For more information about how to create a fully managed gateway, see Create a fully managed dedicated gateway.

  • You have requested or uploaded an SSL certificate using Digital Certificate Management Service, and the certificate status is Issued. To purchase and request a certificate, see Purchase a commercial certificate and Request a certificate.

    Important

    The domain name of the certificate must exactly match the custom domain name that you plan to use.

Solution architecture

The solution involves deploying an SSL Certificate to a fully managed dedicated gateway in PAI-EAS using Digital Certificate Manager. Then, DNS resolution is used to point the custom domain name to the gateway.

Workflow:

  1. An end user sends an HTTPS request to the custom domain name (api.your-company.com).

  2. The DNS service resolves the custom domain name to the public IP address of the PAI-EAS dedicated gateway through a CNAME record.

  3. The request reaches the PAI-EAS dedicated gateway. An SSL Certificate that matches the custom domain name has been deployed to the gateway by Digital Certificate Manager.

  4. The gateway uses the certificate to establish a secure HTTPS connection. It then forwards the decrypted request to the backend model service.

Procedure

Step 1: Configure PAI-EAS

Create a fully managed dedicated gateway

Important

If a fully managed dedicated gateway already exists in PAI-EAS, skip this step and go to Configure a public custom domain name.

  1. Go to the Elastic Algorithm Service (EAS) page. On the Inference Gateway tab, click Create Dedicated Gateway.

  2. In the Create Dedicated Gateway panel, select Fully managed dedicated gateway.

  3. On the purchase page for the PAI-EAS dedicated gateway, configure the parameters and click Buy Now. Follow the on-screen instructions to confirm the order and complete the payment.

    Note

    You can view the purchased fully managed dedicated gateway in the inference gateway list. The gateway is ready to use when its Status is Running.

  4. On the Inference Gateway tab, click the name of the target fully managed dedicated gateway to open its details page. Configure the settings in the Gateway Access Control section.

    Note

    This topic uses public network configuration as an example. For more information about other configurations, see Public network access control.

Configure a public custom domain name

  1. On the dedicated gateway details page, switch to the Domain Name tab, click Create Domain Name, and configure the parameters as shown in the following figure.

    image

    If a service has been deployed using this dedicated gateway, you must wait for a few minutes (less than 5 minutes) for the custom public domain name settings to take effect. To verify that the settings have taken effect, check the service invocation information. The settings are effective if the domain name of the public invocation address is the same as the custom public domain name that is configured for the gateway.

  2. Configure public domain name resolution. Add a CNAME record for the custom public domain name to point it to the public domain name of the dedicated gateway.

    1. On the Gateway tab of the dedicated gateway, find and copy the public endpoint.

    2. The following steps use Alibaba Cloud DNS as an example. The procedure is similar for other cloud providers. For more information, see Add a domain name and Add a DNS record.

      1. Go to the Public Zone DNS page. On the Public Zone tab, find your custom domain name and click it to open the DNS Settings page. If your domain name is not registered with Alibaba Cloud, you must add it manually. Then, click Add Record.

      2. Set Record Type to CNAME. Set Host to your custom domain name. Set Record Value to the public domain name of the dedicated gateway that you obtained in the previous step.

Step 2: Configure Certificate Management Service

  1. If you are using the deployment service for the first time, follow the on-screen instructions to grant permissions. After authorization, you can create deployment tasks. For more information about authorization, see Grant permissions to access cloud resources.

  2. Go to the Cloud Product Deployment page and click Create Task.

  3. On the Configure Basic Information page, configure Task Name, Contact, and Deployment Time, and then click Next.

  4. On the Select Certificate page, select the certificate to deploy and click Next.

  5. On the Select Resource page, select the resource for deployment under Platform for AI, and then click Preview and Submit.

    Note

    If you cannot find the target resource in the corresponding cloud product, confirm the following:

    • In the Total Resources section, check whether resource synchronization is complete. If resources are still synchronizing, wait for the process to finish.

    • If you still cannot find the resource after synchronization is complete, check whether the prerequisites for certificate deployment are met.

  6. In the Task Preview panel, review the certificate and resource information. If everything is correct, click Submit.

    The preview page shows the number of matching certificates for the cloud product and the number of deployment credits that will be consumed. If the number of matching certificates is 0, the selected certificate does not match the cloud resource, which will cause the deployment to fail. In this case, carefully check the selected certificate.

Step 3: Verify HTTPS access

  1. Go to the Cloud Product Deployment page, find the deployment task, and click Details in the Actions column.

  2. On the Platform for AI tab, check the Task Status column. A status of Deployed indicates that the deployment was successful.

  3. In a browser, access https://api.your-company.com. If a lock icon appears in the address bar and you can view the correct certificate information, the configuration is successful.
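The browser check above can also be scripted, which helps for monitoring and for catching expiry early. The following is an added example, not part of the original procedure: it performs the same chain and hostname validation a strict client performs and reports the remaining validity. The 30-day threshold and the function names are assumptions.

```python
import socket
import ssl
import sys
from datetime import datetime, timezone

RENEW_BEFORE_DAYS = 30  # assumed alerting threshold, not a value from the page


def summarize_cert(cert, now=None):
    """Reduce a getpeercert()-style dict to its DNS names and remaining validity."""
    now = now or datetime.now(timezone.utc)
    dns_names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    not_after = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    return {"dns_names": dns_names, "not_after": not_after,
            "days_left": (not_after - now).days}


def check_https(host, port=443, timeout=10):
    """Handshake the way a strict client does: trusted chain and hostname match."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            report = summarize_cert(tls.getpeercert())
            report["tls_version"] = tls.version()
            return report


def main(host):
    try:
        report = check_https(host)
    except ssl.SSLCertVerificationError as exc:
        # Raised for an untrusted chain, an expired certificate or a name mismatch.
        print(f"FAIL {host}: {exc.verify_message}")
        return 2
    except OSError as exc:
        # DNS not propagated yet, port closed, or handshake aborted.
        print(f"FAIL {host}: {exc}")
        return 2
    print(f"OK   {host}: {report['tls_version']}, names={report['dns_names']}, "
          f"expires {report['not_after']:%Y-%m-%d} ({report['days_left']} days)")
    return 1 if report["days_left"] < RENEW_BEFORE_DAYS else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1] if len(sys.argv) > 1 else "api.your-company.com"))
```

Exit code 0 means the certificate validated, 1 means it validated but is inside the renewal window, and 2 means the connection or validation failed.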

Certificate lifecycle management

  • Automatic renewal and deployment:

    For certificates issued by Alibaba Cloud, you can enable the Certificate Hosting feature in the CAS console. When a certificate is automatically renewed and a new one is issued, CAS automatically deploys the new certificate to the PAI-EAS gateway using a Cloud Product Certificate Deployment task. This process provides fully automatic updates.

  • Manual update:

    Uploaded certificates cannot be automatically renewed. Before a certificate expires, you must manually obtain a new one, upload the certificate in the CAS console, and then create a new deployment task to complete the update.

Costs and risks

  • Costs:

    • SSL Certificate fees: The purchase cost of the certificate.

    • Certificate deployment fees: When you deploy an uploaded certificate (a certificate not issued by Alibaba Cloud), each deployment consumes one deployment credit. Deploying certificates issued by Alibaba Cloud to other Alibaba Cloud products is free. If you do not have enough deployment credits, purchase deployment credits. The cost is CNY 30 per credit, and they are valid for one year.

  • Key risks:

    • Certificate and domain name mismatch: The domain name bound to the SSL Certificate must exactly match the custom domain name configured for the PAI-EAS gateway. Otherwise, the deployment will fail or certificate validation on the client will fail.

    • DNS resolution latency: Changes to DNS records take time to propagate globally (depending on the TTL setting). Before the changes fully take effect, access from some regions might fail.

    • Certificate expiration: An expired SSL Certificate will interrupt HTTPS access. Pay attention to the certificate lifecycle. Renew and deploy the certificate before it expires to avoid service interruptions.

Troubleshooting

Why did the deployment task fail with the message "Number of matching certificates is 0"?

  • Cause:

    The domain name of the selected SSL Certificate does not match the custom domain name configured on the PAI-EAS gateway. For example, you attempted to deploy a certificate for www.your-company.com to a gateway that is configured with the domain name api.your-company.com.

  • Solution:

    Check and ensure that the domain name strings in both configurations are identical. For a wildcard certificate (such as *.your-company.com), ensure that the custom domain name is a direct subdomain (such as api.your-company.com) and not a multi-level subdomain (such as test.api.your-company.com).
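The matching rule described above can be checked locally before a deployment task is created. The following is an added example, not the Digital Certificate Management Service's own matching logic: it applies the standard TLS rule that a wildcard stands for exactly one left-most label. The inventory, certificate labels and function names are constructed for illustration.

```python
def name_covers(cert_name, hostname):
    """Return True if one certificate DNS name covers hostname."""
    pattern = cert_name.lower().rstrip(".").split(".")
    labels = hostname.lower().rstrip(".").split(".")
    if "*" in hostname or "" in labels or len(pattern) != len(labels):
        return False
    if pattern[0] == "*":
        # Wildcard = the whole left-most label, standing for exactly one label.
        # Requiring three or more labels rejects overly broad names such as *.com.
        return len(pattern) >= 3 and pattern[1:] == labels[1:]
    return pattern == labels


def matching_certificates(inventory, domain):
    """Map each certificate whose names cover domain to the names that do."""
    hits = {}
    for cert_id, names in inventory.items():
        covering = [n for n in names if name_covers(n, domain)]
        if covering:
            hits[cert_id] = covering
    return hits


# Constructed inventory: labels and names are illustrative, not real certificates.
INVENTORY = {
    "cert-www": ["www.your-company.com", "your-company.com"],
    "cert-wildcard": ["*.your-company.com"],
    "cert-api": ["api.your-company.com"],
}

if __name__ == "__main__":
    for domain in ("api.your-company.com", "test.api.your-company.com"):
        hits = matching_certificates(INVENTORY, domain)
        print(domain, "->", hits or "no matching certificate")
```

An empty result for the gateway's custom domain corresponds to the "Number of matching certificates is 0" case: none of the certificate's names cover the domain.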

The deployment task failed. How do I view the failure reason?

Go to the Cloud Product Deployment page and navigate to the deployment task details page. Click View Failure Cause and analyze the log information. For example, if the failure is caused by a RAM permission issue, grant the necessary permissions to the operating account. If the log indicates an internal product error, submit a ticket and attach a screenshot of the failure reason.

How do I roll back a deployment if issues occur after deployment?

Go to the Cloud Product Deployment page and navigate to the deployment task details page. Click Rollback to revoke the deployment operation and restore the gateway to its state before the deployment.