To enable Internet access for your elastic container instance, you must configure a network address translation (NAT) gateway or an elastic IP address (EIP) for the instance and pay network usage fees. This topic describes how to associate an EIP with an elastic container instance and how to attach a NAT gateway to the virtual private cloud (VPC) where an elastic container instance resides.
Background information
The following table describes two methods used to enable Internet access for an elastic container instance.
Method | Description | Billing |
Associate an EIP with the elastic container instance | EIPs are public IP addresses that can be separately purchased and managed. You can enable Internet access for an elastic container instance by associating an EIP with the instance. | EIPs support the subscription and pay-as-you-go billing methods and the pay-by-bandwidth and pay-by-data-transfer metering methods. When you associate an EIP with an elastic container instance, you are not charged a configuration fee but may be charged an association fee. For more information about billing of EIPs, see Overview. |
Attach a NAT gateway to the VPC where the elastic container instance resides | NAT gateways are Internet gateways that can be individually purchased. After you associate an EIP with a NAT gateway, the NAT gateway can provide Internet services for all elastic container instances within the associated VPC. | NAT gateways support the pay-as-you-go billing method. A NAT gateway can provide Internet services only after it is associated with an EIP. You must pay for NAT gateways and their associated EIPs. For more information, see Billing of Internet NAT gateways. |
Use appropriate methods to enable Internet access for elastic container instances based on your business needs.
Scenario 1: Enable Internet access to NGINX deployed on an elastic container instance.
If you want to deploy the NGINX service on an elastic container instance, you must associate an EIP with the instance when you create the instance. When NGINX starts, the elastic container instance exposes port 80 to the associated EIP. You can then use the EIP and the port number to access NGINX.
Scenario 2: Allow multiple elastic container instances to pull images from Docker Hub over the Internet.
By default, Elastic Container Instance does not provide external links for pulling public images over the Internet. If one or more elastic container instances in a VPC need to pull images from Docker Hub, you must attach a NAT gateway to the VPC to provide Internet access for the instances. Otherwise, the images cannot be pulled.
Note
When you configure Internet access for elastic container instances, make sure that rules are added to the security groups of the instances to allow traffic on specified ports and to or from specified IP addresses. For more information, see Add a security group rule.
Method 1: Associate an EIP with an elastic container instance
You can associate an EIP with an elastic container instance when you create the instance.
Note
Each EIP can be associated with a single elastic container instance at a time and provide Internet services only for its associated elastic container instance. If multiple elastic container instances need to access the Internet, you must associate an EIP with each of these instances or attach NAT gateways to the VPCs where the instances reside.
OpenAPI
When you call the CreateContainerGroup operation to create an elastic container instance, you can use the EipInstanceId parameter to associate an existing EIP or use the AutoCreateEip and EipBandwidth parameters to create and associate an EIP. The following table describes the parameters. For more information, see CreateContainerGroup.
Parameter | Type | Example | Description |
EipInstanceId | String | eip-uf66jeqopgqa9hdn**** | The EIP to be associated with the elastic container instance. |
AutoCreateEip | Boolean | true | Specifies whether to create an EIP and associate it with the elastic container instance. |
EipBandwidth | Integer | 5 | The maximum bandwidth value for the EIP. Unit: Mbit/s. Default value: 5. You can specify this parameter when you set AutoCreateEip to true. |
Use the Elastic Container Instance console
When you create an elastic container instance in the Elastic Container Instance console, you can associate an EIP with the instance in the Other Settings step. In the Other Settings step, you can associate an existing EIP or create and associate an EIP, as shown in the following figure.
Method 2: Attach a NAT gateway to the VPC where an elastic container instance resides
In the VPC console, you can attach a NAT gateway to a VPC and associate an EIP with the NAT gateway to implement the following features:
Source NAT (SNAT): allows elastic container instances within the VPC to access the Internet when these instances are not assigned public IP addresses.
Destination NAT (DNAT): maps the EIP to the IP addresses of elastic container instances within the VPC so that the instances can provide Internet-facing services.
Perform the following steps:
Log on to the VPC console.
In the upper-left corner of the top navigation bar, select a region.
On the NAT Gateway page, create a NAT gateway.
Click Create NAT Gateway.
Configure the parameters for the NAT gateway.
Select the region, zone, VPC, and vSwitch of the elastic container instance. For more information, see Purchase a NAT gateway.
Confirm the configurations and fees and click Buy Now.
On the Elastic IP Addresses page, create an EIP.
Click Create EIP.
Configure the parameters for the EIP.
Select the region where the elastic container instance is located. For more information, see Apply for new EIPs.
Confirm the configurations and fees and click Buy Now.
Associate the EIP with the NAT gateway.
On the NAT Gateway page, find the created NAT gateway and click Associate Now in the Elastic IP Address column.
In the Associate EIP dialog box, select the created EIP and click OK.
To allow your elastic container instance to access the Internet, you must create an SNAT entry for the NAT gateway.
On the NAT Gateway page, find the NAT gateway and click Configure SNAT in the Actions column.
Click Create SNAT Entry.
Configure the parameters for the SNAT entry.
Take note of the parameters described in the following table. For more information, see Configure SNAT to access the Internet.
Parameter | Description |
SNAT Entry | Select a value for this parameter based on factors such as service networking and security. Specify VPC: All elastic container instances in the specified VPC can use SNAT to access the Internet. Specify vSwitch: All elastic container instances that are connected to the selected vSwitches can use SNAT to access the Internet. Specify Custom CIDR Block: All elastic container instances that belong to the specified CIDR block can use SNAT to access the Internet. |
Select vSwitch | If you select Specify vSwitch for the SNAT Entry parameter, select one or more vSwitches that are used to create your elastic container instance. |
Custom CIDR Block | If you select Specify Custom CIDR Block for the SNAT Entry parameter, specify the CIDR block to which the elastic container instance that will access the Internet belongs. |
Select Public IP Address | Select one or more EIPs that are associated with the NAT gateway to access the Internet. |
Click OK.
Note
If your elastic container instance has an associated EIP, the instance uses this EIP instead of the SNAT feature of the NAT gateway to access the Internet.
To allow your elastic container instance to provide Internet-facing services, you must create a DNAT entry for the NAT gateway.
On the NAT Gateway page, find the NAT gateway and click Configure DNAT in the Actions column.
Click Create DNAT Entry.
Configure the parameters for the DNAT entry.
Take note of the parameters described in the following table. For more information, see Configure DNAT to provide Internet-facing services.
Parameter | Description |
Select Public IP Address | Select the EIP that is associated with the NAT gateway. This EIP is used to communicate with the Internet. |
Select Private IP Address | Select the elastic container instance that needs to communicate with the Internet by using the DNAT entry. You can specify the elastic network interface (ENI) bound to the instance or enter the private IP address of the instance. |
Port Settings | Select a DNAT mapping method. Any Port: specifies IP address mapping. The NAT gateway forwards the requests destined for the associated EIP to the selected elastic container instance. Specific Port: specifies port mapping. The NAT gateway forwards the requests from a specific protocol and port destined for the associated EIP to the corresponding port on the selected elastic container instance. |
Click OK.
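The SNAT and DNAT entries configured in Method 2 decide which instances get an outbound path and which ports become reachable from the Internet, so it helps to model them before widening a scope. The following Python sketch is an added example and not part of the original documentation or any API client; the class and function names, addresses, and vSwitch IDs are assumptions, and it models a single VPC.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class Instance:                      # one elastic container instance
    private_ip: str
    vswitch: str
    eip: Optional[str] = None        # EIP associated directly with the instance

@dataclass
class SnatEntry:
    scope: str                       # "vpc", "vswitch" or "cidr"
    value: str                       # vSwitch ID or CIDR block; ignored for "vpc"
    public_ip: str                   # EIP associated with the NAT gateway

@dataclass
class DnatEntry:
    public_ip: str
    private_ip: str
    protocol: Optional[str] = None   # protocol and ports left as None = Any Port
    public_port: Optional[int] = None
    private_port: Optional[int] = None

def egress_ip(inst, snat_entries):
    """Public IP an instance uses for outbound traffic, or None if it has no path."""
    if inst.eip:                     # an instance EIP is used instead of SNAT
        return inst.eip
    ip = ip_address(inst.private_ip)
    for e in snat_entries:
        if (e.scope == "vpc" or (e.scope == "vswitch" and e.value == inst.vswitch)
                or (e.scope == "cidr" and ip in ip_network(e.value))):
            return e.public_ip
    return None

def inbound_target(public_ip, protocol, port, dnat_entries):
    """(private_ip, port) reached by a request to public_ip, or None if not forwarded."""
    for e in (d for d in dnat_entries if d.public_ip == public_ip):
        if e.public_port is None:    # Any Port: every port is forwarded unchanged
            return (e.private_ip, port)
        if (e.protocol, e.public_port) == (protocol, port):  # Specific Port
            return (e.private_ip, e.private_port)
    return None

# Constructed sample data (documentation address ranges, hypothetical vSwitch IDs).
WEB = Instance("192.168.1.10", "vsw-a", eip="203.0.113.20")
JOB = Instance("192.168.2.15", "vsw-b")
DB = Instance("192.168.3.7", "vsw-c")
SNAT = [SnatEntry("cidr", "192.168.2.0/24", "203.0.113.5")]
DNAT = [DnatEntry("203.0.113.5", "192.168.2.15", "tcp", 80, 8080)]
```

Running `egress_ip` over an instance inventory with the current and the proposed SNAT entries shows which instances would newly gain Internet egress, and `inbound_target` shows that an Any Port entry leaves the security group as the only filter on inbound ports.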