# bailian-access

Part of **BAILIAN**

# Bailian Platform, Security, and Operations Console Guide

## Operations Overview

| Operation | Console Navigation | Prerequisites | Description |
|-----------|--------------------|---------------|-------------|
| Create API Key | Console > Model Studio > API Key | Workspace created | Generate API keys for model access and authentication |
| Export API Key as Environment Variable | System Properties > Environment Variables | API key obtained | Set DASHSCOPE_API_KEY locally for secure SDK usage |
| Configure Async Task Callbacks | Console > EventBridge > Event rules | EventBridge access | Set up HTTP or RocketMQ callbacks for async tasks |
| Create Private Link Connection | Workspace Management > Secure Storage | Secure Storage workspace | Establish PrivateLink reverse endpoints for secure storage |
| Access APIs over Private Network | Console > VPC > Interface Endpoint | VPC and API key | Create interface endpoints for private API access |
| Configure VPC Resources | Workspace Management > Secure Storage | Secure Storage workspace | Set up OSS, AnalyticDB, and Elasticsearch in VPC |
| Configure MSE Cloud Native Gateway | Console > MSE > Cloud Native Gateway | Gateway created | Route traffic to VPC resources via MSE gateway |
| Configure Zone IP Addresses | Business Space Management > Zone IP | Endpoint configured | Map NLB VIPs to availability zones for private routing |
| Manage Workspace Permissions | Console > Workspaces | Workspace created | Assign RBAC roles and manage user access |
| Manage Team Members and SSO | Token Plan (Team Edition) | Team plan activated | Add members, assign seats, and configure SSO |
| Enable AI Guardrail | Security management > Content moderation | Guardrail purchased | Turn on input and output content moderation |
| Enable Model Monitoring | Console > Model Telemetry | Workspace access | Turn on advanced metrics, logs, and alerts |
| View Model Usage Statistics | Console > Model Usage | Workspace access | Track token consumption, quotas, and billing units |
| Create Batch Inference Task | Console > Batch Inference | Pay-as-you-go enabled | Upload JSONL files for async bulk data processing |

## Operation Steps

### Create API Key

**Navigation**: Console > Model Studio > API Key

**Prerequisites**:
- Alibaba Cloud account or RAM user with administrator permissions
- Workspace created in the target region

1. Go to the Model Studio console and switch to the target region.
   - Element: **Region Switch** (dropdown) — upper-right corner
2. Navigate to the API Key page under the Workbench tab.
   - Element: **API Key** (menu) — left-side navigation pane
3. Click the button to generate a new key.
   - Element: **Create API Key** (button) — main content area
4. Select the default workspace for the key.
   - Element: **Home Business Space** (dropdown) — dialog box
5. Choose the permission setting for the API key.
   - Element: **Permission** (radio) — dialog box
   - Notes: If 'Custom' is selected, configure IP address whitelist or access scope.
6. Enter a description to identify the key's purpose.
   - Element: **Description** (text_input) — dialog box
7. Copy the full API key immediately after creation.
   - Element: **Copy icon** (button) — next to the API key
   - Notes: The full key is shown only once and cannot be retrieved later if lost.

| Parameter | Type | Required | Options/Values | Description |
|-----------|------|----------|----------------|-------------|
| Home Business Space | dropdown | Yes | Default Workspace | Selects the workspace associated with the API key |
| Permission | radio | Yes | All, Custom | Controls access scope of the API key to models and applications |
| Description | text_input | No | — | Helps identify the purpose of the API key |

### Export API Key as Environment Variable

**Navigation**: Start menu > Edit the system environment variables

**Prerequisites**:
- API key obtained from the console

1. Search for the system environment variables settings.
   - Element: **Edit the system environment variables** (link) — Start menu search bar
2. Open the environment variables configuration.
   - Element: **Environment Variables** (button) — System Properties window
3. Create a new system variable.
   - Element: **New** (button) — System Variables section
4. Set the variable name to DASHSCOPE_API_KEY and enter your API key as the value.
   - Element: **Variable name** (text_input) — New Environment Variable dialog
   - Notes: The variable value must be replaced with your actual API key.
5. Apply the settings and close all windows.
   - Element: **OK** (button) — Multiple dialog windows
   - Notes: Changes require a new terminal session to take effect.

### Configure Async Task Callbacks

**Navigation**: Console > EventBridge > Event buses > default > Event rules

**Prerequisites**:
- Access to the EventBridge console
- A public or VPC-accessible HTTP endpoint, or a RocketMQ instance

1. Log on to your Alibaba Cloud account and go to the EventBridge console.
   - Element: **EventBridge console** (link) — top navigation bar
2. Select the default event bus for cloud services.
   - Element: **Event buses** (menu) — left navigation panel
   - Notes: Model Studio publishes its events to the default event bus.
3. Search for asynchronous task completion events.
   - Element: **Event tracking** (button) — main content area
4. Filter by the Model Studio event source and type.
   - Element: **acs.dashscope** (dropdown) — query form
   - Notes: Search for and select 'acs.dashscope' and 'dashscope:System:AsyncTaskFinish'.
5. Start creating a new routing rule.
   - Element: **Create rule** (button) — top-right corner
6. Enter a custom rule name and description.
   - Element: **rule name** (text_input) — form fields
7. Configure the event pattern to match Model Studio async tasks.
   - Element: **Event source** (dropdown) — form fields
8. Select the target service type for the callback.
   - Element: **HTTP** (radio) — form fields
9. Enter the callback URL and configure network settings.
   - Element: **URL** (text_input) — form fields
   - Notes: For private network access, configure VPC, vSwitch, and SecurityGroup settings.
10. Save the rule to activate the callback.
    - Element: **Confirm** (button) — bottom of form

| Parameter | Type | Required | Options/Values | Description |
|-----------|------|----------|----------------|-------------|
| Rule name | text_input | Yes | — | A custom name for the event rule |
| Service type | radio | Yes | HTTP, Message Queue for RocketMQ | Select the type of event target |
| URL | text_input | Yes | — | The HTTP endpoint URL to receive notifications |
| Network type | dropdown | Yes | PublicNetwork, PrivateNetwork | Choose public or VPC accessibility |
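The HTTP target configured above will receive POST requests, so the receiving service should check each event before acting on it. The following is an added example, not code from the Model Studio or EventBridge documentation. It assumes the rule forwards the complete event as a CloudEvents-style JSON envelope with string `id`, `source` and `type` fields and a `data` member, and that events may be redelivered; `accept_event`, `MAX_BODY_BYTES` and the sample events are hypothetical.

```python
import json

EXPECTED_SOURCE = "acs.dashscope"                     # event source named in step 4
EXPECTED_TYPE = "dashscope:System:AsyncTaskFinish"    # event type named in step 4
MAX_BODY_BYTES = 256 * 1024                           # assumed cap, tune to your payloads


def accept_event(body, seen_ids):
    """Decide how to answer one callback POST.

    Returns (http_status, reason, data). `seen_ids` is a set of event ids
    already processed; the caller owns it (bound or persist it in production).
    """
    if len(body) > MAX_BODY_BYTES:
        return 413, "body too large", None
    try:
        event = json.loads(body.decode("utf-8"))
    except (ValueError, RecursionError):   # bad UTF-8, bad JSON, absurd nesting
        return 400, "body is not UTF-8 JSON", None
    if not isinstance(event, dict):
        return 400, "event is not a JSON object", None
    # Assumed CloudEvents-style envelope: non-empty string id, source and type.
    for field in ("id", "source", "type"):
        if not isinstance(event.get(field), str) or not event[field]:
            return 400, f"missing or invalid field: {field}", None
    if event["source"] != EXPECTED_SOURCE or event["type"] != EXPECTED_TYPE:
        return 403, "unexpected source or type", None
    if event["id"] in seen_ids:
        # Acknowledge a redelivery without running the handler a second time.
        return 200, "duplicate", None
    seen_ids.add(event["id"])
    return 200, "accepted", event.get("data")


def demo():
    """Feed four constructed request bodies through the check."""
    seen = set()
    good = json.dumps({
        "id": "evt-0001",                  # constructed sample values
        "specversion": "1.0",
        "source": EXPECTED_SOURCE,
        "type": EXPECTED_TYPE,
        "data": {"note": "constructed payload"},
    }).encode("utf-8")
    other = json.dumps({
        "id": "evt-0002",
        "source": "acs.oss",
        "type": "oss:ObjectCreated:PutObject",
    }).encode("utf-8")
    bodies = (good, good, other, b"not json")
    return [accept_event(b, seen)[:2] for b in bodies]


if __name__ == "__main__":
    for status, reason in demo():
        print(status, reason)
```

Matching source and type filters out misrouted events but does not authenticate the sender. Choosing PrivateNetwork in step 9 narrows who can reach the endpoint at all.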

### Create Private Link Connection

**Navigation**: Workspace Management > Secure Storage Workspace > Endpoint Configuration

**Prerequisites**:
- Activated Model Studio Secure Storage workspace
- Existing VPC in China (Beijing) region spanning zones G, H, or L

1. Go to the Workspace Management page.
   - Element: **Workspace Management** (link) — top navigation panel
2. Create a new secure workspace.
   - Element: **Add a Business Space** (button) — main content area
3. Set the workspace type to Secure Storage.
   - Element: **Space Type** (dropdown) — workspace creation form
4. Proceed to the endpoint configuration.
   - Element: **OK** (button) — bottom of modal dialog
5. Initiate the reverse endpoint creation.
   - Element: **Add Now** (button) — Endpoint Configuration page
6. Navigate to the Endpoint settings in the VPC console.
   - Element: **Endpoint** (menu) — left navigation panel
7. Switch to the reverse endpoint configuration.
   - Element: **Reverse Endpoint** (tab) — top of settings panel
8. Activate the PrivateLink service if using it for the first time.
   - Element: **Activate PrivateLink Service** (button) — dialog box
9. Start creating the endpoint.
   - Element: **Create Endpoint** (button) — top of form
10. Select the region and enter a node name.
    - Element: **Node Name** (text_input) — form fields
11. Select the endpoint type and service.
    - Element: **Endpoint Type** (dropdown) — form fields
    - Notes: Choose 'Reverse Endpoint' and validate the Endpoint Service address.
12. Configure the VPC, security group, and vSwitches.
    - Element: **Vpc** (text_input) — form fields section
13. Finalize the endpoint creation.
    - Element: **Confirm Creation** (button) — bottom of form
14. Return to the workspace and establish the connection.
    - Element: **Connection** (button) — endpoint configuration section
    - Notes: Wait for the status to change to Connected.

### Access Model Studio APIs over Private Network

**Navigation**: Console > VPC > Interface Endpoint

**Prerequisites**:
- VPC in the same region as the Model Studio service
- Security group allowing inbound traffic on ports 80 and 443

1. Log on to the Endpoint console.
   - Element: **Endpoint console** (link) — top navigation bar
2. Select the region where your Model Studio service is deployed.
   - Element: **Region dropdown** (dropdown) — top navigation bar
3. Start creating a new interface endpoint.
   - Element: **Create Endpoint** (button) — main content area
4. Enter a custom name for the endpoint.
   - Element: **Endpoint Name** (text_input) — form fields section
5. Select the endpoint type.
   - Element: **Endpoint Type** (dropdown) — form fields section
6. Search for and select the Model Studio endpoint service.
   - Element: **Endpoint Service** (dropdown) — form fields section
   - Notes: Must be com.aliyuncs.dashscope.
7. Select the VPC and vSwitches for high availability.
   - Element: **vSwitch** (checkbox) — form fields section
8. Associate a security group with the endpoint ENI.
   - Element: **Security Group** (dropdown) — form fields section
9. Finalize the endpoint creation.
   - Element: **Create** (button) — bottom of form
10. Obtain the domain name from the endpoint details.
    - Element: **Default Domain Name** (text_input) — endpoint details page
    - Notes: Use this domain name to replace the base_url in API calls.

### Configure VPC Resources

**Navigation**: Console > Workspace Management > Manage Secure Storage Workspace

**Prerequisites**:
- Availability zone IPs configured
- Secure storage workspace activated

1. Log on to the OSS console and create a bucket.
   - Element: **Create Bucket** (button) — main content area
2. Enter the bucket name and select the region.
   - Element: **Bucket name** (text_input) — Create Bucket panel
   - Notes: Enter 'bailian-safe-workspace-oss-access' and select China (Beijing).
3. Add the required access control tag.
   - Element: **Create Tag** (button) — Bucket Tags page
4. Set the tag key and value.
   - Element: **Tag key** (text_input) — Create Tag form
   - Notes: Key: bailian-safe-workspace-oss-access, Value: ReadAndWrite.
5. Save the tag and return to Workspace Management.
   - Element: **Save** (button) — Create Tag form
6. Open the secure storage workspace configuration.
   - Element: **Manage Secure Storage Workspace** (button) — Operations column
7. Navigate to the Resource Configuration page.
   - Element: **Next Step** (button) — top-right corner
8. Authorize and select the created OSS bucket.
   - Element: **Authorize** (button) — OSS configuration section
9. Log on to the AnalyticDB for PostgreSQL console and purchase an instance.
   - Element: **Purchase Instance** (button) — upper-right corner
10. Configure the ADB instance parameters and buy.
    - Element: **Region and availability zone** (dropdown) — purchase form
    - Notes: Select China (Beijing) and enable Vector engine optimization.
11. Return to Workspace Management and authorize the ADB instance.
    - Element: **Instance ID** (dropdown) — ADB configuration section
12. Log on to the Elasticsearch console and create an instance.
    - Element: **Create Instance** (button) — top-left corner
13. Configure the Elasticsearch instance and add the vSwitch CIDR to the allowlist.
    - Element: **Add IP allowlist group** (button) — allowlist configuration
14. Return to Workspace Management and enter the Elasticsearch credentials.
    - Element: **Instance ID** (text_input) — Elasticsearch configuration section
    - Notes: Username is 'elastic'.
15. Save the configuration to complete the setup.
    - Element: **Save** (button) — bottom of form

### Configure MSE Cloud Native Gateway

**Navigation**: Console > MSE > Cloud Native Gateway > Gateway List > Route Management

**Prerequisites**:
- Gateway created
- VPC resources configured

1. Log on to the MSE Gateway Management console.
   - Element: **MSE Gateway Management console** (link) — top navigation
2. Select the created gateway from the list.
   - Element: **Cloud Native Gateway > Gateway List** (menu) — left-side navigation pane
3. Navigate to the route management section.
   - Element: **Route Management** (tab) — left-side navigation pane
4. Create a new backend service.
   - Element: **Create Service** (button) — main content area
5. Configure the service parameters using Elasticsearch details.
   - Element: **Service source, Service name, Service port, Domain list, TLS mode** (section) — form fields
   - Notes: TLS mode must be set to 'Close'.
6. Save the service and wait for the health check to pass.
   - Element: **OK** (button) — bottom of the form
7. Create a new route for the gateway.
   - Element: **Create Route** (button) — main content area
8. Configure the route parameters.
   - Element: **Route name, Domain, Path, Route destination, Backend service** (section) — form fields
   - Notes: Set path to '/' and select the previously created service.
9. Apply the route configuration.
   - Element: **Save and Publish** (button) — bottom of the form
10. Return to Model Studio and activate the secure storage space.
    - Element: **Activate** (button) — bottom of the page

### Configure Zone IP Addresses

**Navigation**: Console > Business Space Management > Manage Bailian Secure Storage Space > Zone IP Configuration

**Prerequisites**:
- Bailian Secure Storage business space activated
- Endpoint configured and connection initiated

1. Log on to the MSE Gateway Management console and create a gateway.
   - Element: **Create Gateway** (button) — upper-left corner of Gateway List page
2. Configure the gateway parameters.
   - Element: **Gateway name** (text_input) — purchase page
   - Notes: Select '2-Core 4G', 2 nodes, NLB ingress, and at least two zones.
3. Purchase and enable the gateway.
   - Element: **Buy Now** (button) — bottom of purchase page
4. Open the gateway details and click the NLB instance ID.
   - Element: **NLB** (link) — Gateway Entry tab
5. Obtain the VIPs and vSwitch CIDR blocks from the NLB details.
   - Element: **vSwitch ID** (link) — NLB details page
6. Go to the Business Space Management page and open the secure storage space.
   - Element: **Manage Bailian Secure Storage Space** (button) — Operations column
7. Navigate to the Zone IP Configuration page.
   - Element: **Next** (button) — bottom of page
8. Enter the VIPs for the corresponding zones and save.
   - Element: **Save** (button) — bottom of page
9. Go to the Security Group console and add an inbound rule.
   - Element: **Add Rule** (button) — Inbound tab
   - Notes: Set Port Range to All (1/65535) and Source to the VIPs.
10. Save the security group rule.
    - Element: **Save** (button) — far right of rule row

### Manage Workspace Permissions

**Navigation**: Console > Workspaces > Permission Management

**Prerequisites**:
- Workspace already created

1. Log on to the Model Studio console and navigate to Workspaces.
   - Element: **Workspaces** (menu) — global management menu
2. Create a new workspace if needed.
   - Element: **Add a Business Space** (button) — upper-right corner
3. Enter the workspace name and confirm.
   - Element: **Workspace name input field** (text_input) — dialog box
4. Go to the Permission Management tab.
   - Element: **Permission Management** (tab) — left-side navigation pane
5. Edit permissions and assign the Administrator role.
   - Element: **Other** (tab) — Edit Permissions dialog
6. Apply the permission changes.
   - Element: **OK** (button) — Edit Permissions dialog

### Manage Team Members and SSO

**Navigation**: Console > Token Plan (Team Edition) > Enter Management Platform

**Prerequisites**:
- Organization has no members if the SSO configuration needs to be edited (SSO configuration cannot be edited while the organization has members)
- Alibaba Cloud IDaaS EIAM instance activated (for SAML)

1. Enter the team management platform.
   - Element: **Enter Management Platform** (button) — top of the page
2. Add a new team member.
   - Element: **Add Member** (button) — Member Management section
3. Assign a seat to the member.
   - Element: **Subscription Overview** (tab) — main content area
4. Modify a member's role if necessary.
   - Element: **Change Role** (button) — operation column
5. Regenerate a member's API key.
   - Element: **Reset** (button) — operation column
6. Remove a member from the organization.
   - Element: **Remove from Organization** (button) — operation column
7. Edit SSO configuration settings.
   - Element: **Edit** (button) — SSO Configuration section
8. Assign or reclaim seats from the subscription overview.
   - Element: **Assign** (button) — Subscription Overview section

| Parameter | Type | Required | Options/Values | Description |
|-----------|------|----------|----------------|-------------|
| Username | text_input | Yes | — | Letters, digits, underscores; no leading digit |
| Role | dropdown | Yes | Owner, Administrator, Member | Select the role for the new member |
| Configuration Name | text_input | Yes | — | Name for the SSO configuration |
| DingTalk Application AppKey | text_input | Yes | — | AppKey from DingTalk Open Platform |

### Enable AI Guardrail

**Navigation**: Security management > Content moderation settings

**Prerequisites**:
- AI guardrail service purchased
- DASHSCOPE_API_KEY set as environment variable

1. Go to the AI guardrail Purchase page and create a subscription.
   - Element: **Purchase** (link) — top navigation panel
2. Navigate to the Security management page.
   - Element: **Security management** (link) — left navigation panel
3. Enable the content moderation settings.
   - Element: **Enable content moderation settings** (button) — main content area
4. Confirm the service-linked role authorization.
   - Element: **Confirm** (button) — confirmation dialog

### Enable Model Monitoring

**Navigation**: Console > Model Studio > Model Telemetry

**Prerequisites**:
- Alibaba Cloud account with sufficient permissions

1. Log on to the console with your account.
   - Element: **Log on** (button) — top-right corner
2. Go to the Monitoring page in the target workspace.
   - Element: **Monitoring** (link) — left navigation panel
3. Enable advanced monitoring features.
   - Element: **Enable advanced monitoring** (button) — upper-right corner
   - Notes: Only available in China (Beijing), Singapore, and US (Virginia) regions.
4. Turn on performance and usage metrics monitoring.
   - Element: **Performance and Usage Metrics Monitoring** (toggle) — Advanced Monitoring section
5. Create alert rules for the models.
   - Element: **Create Alert Rules** (button) — top-right corner
6. Select the model and template, then create the alert.
   - Element: **Create** (button) — dialog box
7. View inference logs for supported models.
   - Element: **Logs** (button) — Operation column

### View Model Usage Statistics

**Navigation**: Console > Model Studio > Model Usage > Usage Statistics

**Prerequisites**:
- Account with access to Model Studio console

1. Go to the Model Usage statistics page.
   - Element: **Model Usage: Usage Statistics** (link) — top navigation panel
2. Select the model type tab.
   - Element: **Large Language Models** (tab) — main content area
3. Select a time range for the data.
   - Element: **Time Range** (dropdown) — top-right corner of the page
4. Filter data by model name.
   - Element: **Search box** (text_input) — right side of the page
   - Notes: Example: qwen-plus. Data latency is approximately 1 hour.

### Create Batch Inference Task

**Navigation**: Console > Batch Inference

**Prerequisites**:
- Model Studio activated
- Pay-as-you-go billing enabled

1. Start a new batch inference task.
   - Element: **Create Batch Inference Task** (button) — top of the page
2. Enter task details and upload the JSONL file.
   - Element: **Task Name** (text_input) — dialog box
   - Notes: Click 'Download Template' to get a sample JSONL file.
3. Set the maximum wait time for the task.
   - Element: **Maximum Wait Time** (dropdown) — dialog box
4. Upload the UTF-8 encoded JSONL file.
   - Element: **Upload File** (button) — dialog box
   - Notes: Max 50,000 lines, total size up to 500MB.
5. Submit the task for processing.
   - Element: **Confirm** (button) — bottom of dialog
6. Monitor the task progress in the list.
   - Element: **Progress** (panel) — task list page
7. Cancel a running task if needed.
   - Element: **Actions Column** (menu) — task list page
8. Check error details for failed tasks.
   - Element: **Status** (icon) — task list page
   - Notes: Hover to view error details and download the error file.
9. Download the output file upon completion.
   - Element: **View Results** (button) — task list page

| Parameter | Type | Required | Options/Values | Description |
|-----------|------|----------|----------------|-------------|
| Task Name | text_input | Yes | — | Unique identifier for the batch task |
| Description | textarea | No | — | Optional detailed description |
| Maximum Wait Time | dropdown | Yes | 1 Day, 2 Days ... 14 Days | Task expiration time if not completed |
| Upload File | button | Yes | — | UTF-8 JSONL file, max 50,000 lines / 500MB |
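The upload limits above can be checked locally before a file is submitted, so a malformed file never reaches the task list. The following is an added example, not code from the Model Studio documentation. It checks only what this page states (UTF-8, JSONL, 50,000 lines, 500MB) and assumes each line must be a JSON object; the request schema comes from the console's Download Template and is not validated here. `validate_batch_jsonl`, `check_bytes` and the sample records are hypothetical.

```python
import json
import os
import tempfile

MAX_LINES = 50_000        # per-file line limit stated on this page
MAX_BYTES = 500_000_000   # "500MB" read as decimal MB, the stricter reading (assumption)
MAX_REPORTED = 20         # stop collecting after this many problems


def validate_batch_jsonl(path, max_lines=MAX_LINES, max_bytes=MAX_BYTES):
    """Return a list of problem strings; an empty list means the local checks passed."""
    problems = []
    size = os.path.getsize(path)
    if size > max_bytes:
        problems.append(f"file size {size} bytes exceeds {max_bytes}")
    with open(path, "rb") as fh:   # bytes mode so each line is decoded strictly
        for lineno, raw in enumerate(fh, start=1):
            if len(problems) >= MAX_REPORTED:
                break
            if lineno > max_lines:
                problems.append(f"more than {max_lines} lines")
                break
            try:
                text = raw.decode("utf-8")
            except UnicodeDecodeError as exc:
                problems.append(f"line {lineno}: not valid UTF-8 ({exc.reason})")
                continue
            if not text.strip():
                problems.append(f"line {lineno}: blank line")
                continue
            try:
                record = json.loads(text)
            except (json.JSONDecodeError, RecursionError) as exc:
                problems.append(f"line {lineno}: invalid JSON ({exc})")
                continue
            if not isinstance(record, dict):   # assumption: one JSON object per line
                problems.append(f"line {lineno}: expected a JSON object")
    return problems


def check_bytes(data, **limits):
    """Write `data` to a temporary .jsonl file, validate it, then delete it."""
    tmp = tempfile.NamedTemporaryFile(suffix=".jsonl", delete=False)
    try:
        tmp.write(data)
        tmp.close()
        return validate_batch_jsonl(tmp.name, **limits)
    finally:
        tmp.close()
        os.unlink(tmp.name)


def demo():
    """Constructed sample: one good record, then three kinds of bad line."""
    sample = (
        b'{"id": "sample-1", "prompt": "hello"}\n'   # placeholder field names
        b'{"id": "sample-2", "prompt": \n'           # truncated JSON
        b'\xff\xfe not utf-8\n'                      # invalid UTF-8 bytes
        b'["a", "list", "not", "an", "object"]\n'    # valid JSON, wrong shape
    )
    return check_bytes(sample)


if __name__ == "__main__":
    for problem in demo():
        print(problem)
```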

## FAQ

Q: Where do I find my API key after creation?
A: The full API key is only shown once immediately after creation. You must copy it using the copy icon. If lost, you must generate a new one.

Q: Can I modify the SSO configuration after adding team members?
A: No, SSO configuration cannot be edited while the organization has members. You must remove all members first before modifying SSO settings.

Q: What happens if I leave the AI Guardrail disabled?
A: If disabled, input and output content will not be scanned for compliance. It is highly recommended to enable it for production workloads to ensure safety and avoid data_inspection_failed errors.

Q: How long does it take for a PrivateLink connection to establish?
A: After clicking Connection, the status will change to Connected. This may take a few moments. Ensure your security group allows inbound traffic on ports 80 and 443.

Q: Why is my batch inference task failing?
A: Check the error file downloaded from the task list. Common issues include invalid JSONL formatting, incorrect model names (e.g., using qwen-max instead of qwen-plus), or exceeding the 50,000 line limit per file.

## Pricing & Billing

### Billing Models
- **API Keys**: Free to create. Usage is billed per request based on the underlying model.
- **Async Task Callbacks**: EventBridge charges per event (1,000 free events/month). RocketMQ charges per message and storage time.
- **Private Link**: Incurs additional costs based on usage. Cross-border scenarios incur additional CEN cross-region fees.
- **AI Guardrail**: Billed per 1,000 tokens. Requests with fewer than 1,000 tokens are charged as 1,000 tokens.
- **Model Monitoring**: Basic monitoring is free. Advanced monitoring and inference logs incur Cloud Monitor (CMS) and Simple Log Service (SLS) fees.
- **Batch Inference**: Processed at 50% of the cost of real-time inference. Billed upon task completion.

### Price Reference

| Resource / Model | Input Price | Output Price | Notes |
|------------------|-------------|--------------|-------|
| qwen-plus (Real-time) | 0.002 CNY / 1K tokens | 0.004 CNY / 1K tokens | Standard text generation |
| qwen-max (Batch) | 0.002 CNY / 1K tokens | 0.004 CNY / 1K tokens | 50% discount applied automatically |
| AI Guardrail | 0.002 CNY / 1K tokens | 0.002 CNY / 1K tokens | Min 1,000 tokens per request |
| OSS Bucket (VPC) | 0.12 CNY / GB / Month | 0.12 CNY / GB / Month | Secure storage workspace |
| AnalyticDB (VPC) | 0.0002 CNY / GB / hour | 0.0002 CNY / GB / hour | Vector engine optimization |
| Elasticsearch (VPC) | 0.0003 CNY / GB / hour | 0.0003 CNY / GB / hour | Performance-enhanced Edition |

### Free Tier
- **EventBridge**: 1,000 free event pushes per month.
- **Model Usage**: Monthly free quota of 1 million tokens for new users.
- **Model Monitoring**: Basic monitoring is completely free.

### Billing Notes
- API keys do not expire, but usage of models via API keys incurs charges based on model type and volume.
- Batch inference tasks are billed only upon successful completion; incomplete tasks do not incur charges.
- Visual models are billed by image count or video seconds; Speech models are billed by audio duration or tokens.
- If VPC resource billing is suspended, features in the secure storage workspace become unavailable.
