
Virtual Private Cloud: Internet access overview

Last Updated:Sep 05, 2023

You can deploy cloud resources on Elastic Compute Service (ECS) instances that run in a virtual private cloud (VPC). This allows the cloud resources to access the Internet through the public IP addresses, elastic IP addresses (EIPs), NAT gateways, or Server Load Balancer (SLB) instances that are associated with the ECS instances.

Overview

A VPC is a private network in the cloud. By default, cloud resources in a VPC cannot access the Internet or be accessed over the Internet. You can enable Internet access by configuring public IP addresses, EIPs, NAT gateways, and SLB instances for ECS instances in a VPC.

VPCs are equipped with Internet Shared Bandwidth instances and data transfer plans to help you reduce the cost of data transfer over the Internet. For more information, see How can I minimize the cost of data transfer over the Internet?

Service comparison

ECS static public IP addresses

When you create an ECS instance in a VPC, you can specify whether you want the system to assign a public IPv4 address to the ECS instance. The ECS instance can use the public IP address to communicate with the Internet.

You cannot disassociate the public IP address from the ECS instance. However, you can convert the public IP address to an EIP. For more information, see Convert the static public IP address of an ECS instance in a VPC to an EIP.

EIPs

An EIP is a public IP address resource that you can purchase and own as an independent resource. EIPs are used for network address translation (NAT). They are allocated to Internet gateways of Alibaba Cloud and are mapped to the associated cloud resource through NAT. After an EIP is associated with a cloud resource, the cloud resource can use the EIP to communicate with the Internet.

You can associate an EIP with an ECS instance in a VPC, an elastic network interface (ENI), an SLB instance, or a NAT gateway. For more information, see EIP User Guide.

EIPs provide the following benefits:

  • Purchase and use as independent resources

    An EIP can be purchased and held as an independent resource and does not need to be bundled with computing or storage resources.

  • Flexible association and disassociation

    You can associate an EIP with a cloud resource as needed. You can also disassociate and release the EIP at any time.

  • Adjustable maximum bandwidth

    You can adjust the maximum bandwidth of an EIP at any time. The new bandwidth immediately takes effect.

NAT gateways

NAT gateways are enterprise-class Internet gateways. NAT gateways support NAT, including SNAT and DNAT, and a throughput capacity of up to 10 Gbit/s. NAT gateways can also be used in cross-zone disaster recovery.

NAT gateways allow multiple ECS instances to use the same public IP address to access the Internet. For more information, see Use the SNAT feature of an Internet NAT gateway to access the Internet.

NAT gateways provide the following benefits:

  • Easy configuration

    As enterprise-class public gateways for VPCs, NAT gateways support both SNAT and DNAT. You can configure SNAT and DNAT rules without the need to create a NAT gateway.

  • High availability

    As virtual network devices built on top of Alibaba Cloud distributed gateways, NAT gateways use software-defined networking (SDN). Each NAT gateway supports a forwarding capacity of up to 10 Gbit/s and can serve large-scale Internet-facing applications.

  • On-demand purchase

    You can change the specification of your NAT gateway, or the number and specifications of the EIPs associated with the NAT gateway at any time to provide flexible support for your services.

SLB

SLB instances can be used to distribute network traffic among multiple ECS instances. This optimizes the service capabilities of your applications, eliminates single points of failure (SPOFs), and improves the availability of your applications.

SLB distributes network traffic at Layer 4 and Layer 7 by using different ports. You can connect ECS instances to SLB to allow the ECS instances to be accessed over the Internet. For more information, see Overview.

Note

ECS instances that are deployed in VPCs cannot use SLB to initiate connections to the Internet, because SLB does not provide SNAT.

SLB provides the following benefits:

  • High availability of the SLB architecture

    SLB instances are deployed in clusters to synchronize sessions and mitigate the effects of SPOFs. This improves redundancy and ensures service stability.

  • High availability with one SLB instance

    SLB supports cross-zone deployment in most regions. This allows you to achieve disaster recovery across data centers. If the primary zone fails or has no healthy ECS instances, the SLB instance automatically fails over services to the secondary zone. This process is completed within 30 seconds. When the primary zone recovers, the SLB instance automatically switches services back to the primary zone.

  • High availability with multiple SLB instances

    You can deploy SLB instances and ECS instances in multiple zones within a region or across regions, and schedule requests by using Alibaba Cloud DNS.

  • High availability of backend ECS instances

    SLB performs health checks to monitor the availability of backend ECS instances. The health check feature improves service availability and prevents service errors caused by unhealthy backend ECS instances.

Examples

Example 1: To provide services over the Internet

Use one ECS instance to provide services over the Internet

If you have only one application that has a small volume of workloads, you can deploy only one ECS instance. You can deploy all workloads, including applications, databases, and files, on the ECS instance. Then, you can associate an EIP with the ECS instance to enable the ECS instance to provide services over the Internet.

To provide Layer 4 load balancing services over the Internet

If you have a high volume of workloads, you may need to deploy more than one ECS instance and enable load balancing. To meet this requirement, you can create an Internet-facing SLB instance, create a Layer 4 TCP or UDP listener, and add multiple ECS instances to the SLB instance.

To provide Layer 7 load balancing services over the Internet

If you want to distribute network traffic to different backend servers based on the requested URL, you can create Layer 7 listeners with URL-based forwarding rules. To meet this requirement, you can create an Internet-facing SLB instance, create a Layer 7 HTTP or HTTPS listener, and add multiple backend ECS instances.

Example 2: Enable an ECS instance without a public IP address to access the Internet

Associate with an EIP

If you have a small number of ECS instances, you can associate an EIP with each ECS instance. Then, ECS instances in VPCs can use their EIPs to access the Internet. If you want to disable Internet access for the ECS instances, disassociate them from the EIPs.

Associate with a NAT gateway and create an SNAT rule

If you have a large number of ECS instances, associating each of them with an EIP increases the O&M cost. In addition, security risks may arise because every ECS instance is exposed to the Internet. To address this issue, we recommend that you create a public NAT gateway and SNAT rules, as shown in the following figure. Do not create DNAT rules, because DNAT would expose the instances to inbound Internet traffic again.
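As an added example that is not part of the Alibaba Cloud documentation, the following Python script audits a constructed VPC inventory against the mechanisms described on this page (static public IP, EIP, SLB backend, NAT gateway SNAT/DNAT) and flags any instance that an SNAT-only design was meant to keep unreachable but that a DNAT rule re-exposes. The inventory layout and its field names are this example's own assumptions, not Alibaba Cloud API fields.

```python
# Added example (not Alibaba Cloud code): classify how each ECS instance in a
# VPC reaches or is reached from the Internet through the mechanisms this page
# describes (static public IP, EIP, NAT gateway SNAT/DNAT, SLB). The inventory
# is constructed by hand; its keys are assumptions, not Alibaba Cloud API fields.

INVENTORY = {
    "instances": {  # instance id -> vSwitch and static public IP (None if absent)
        "i-web":   {"vswitch": "vsw-a", "public_ip": "203.0.113.10"},
        "i-api":   {"vswitch": "vsw-a", "public_ip": None},
        "i-db":    {"vswitch": "vsw-b", "public_ip": None},
        "i-batch": {"vswitch": "vsw-c", "public_ip": None},
        "i-iso":   {"vswitch": "vsw-d", "public_ip": None},
    },
    "eip_associations": {"eip-1": "i-api"},       # EIP id -> instance id
    "slb_backends": {"lb-1": ["i-web", "i-api"]},  # SLB id -> backend instances
    "snat_vswitches": ["vsw-b", "vsw-c"],          # NAT gateway SNAT rules by vSwitch
    "dnat_targets": {"tcp/80": "i-batch"},         # NAT gateway DNAT rules: port -> instance
}

def classify(inv):
    """Return {instance: {"inbound": [...], "outbound": [...]}} naming the
    mechanisms that expose the instance to, or let it reach, the Internet."""
    res = {i: {"inbound": [], "outbound": []} for i in inv["instances"]}
    for iid, inst in inv["instances"].items():
        if inst["public_ip"]:  # static public IP works in both directions
            res[iid]["inbound"].append("static public IP")
            res[iid]["outbound"].append("static public IP")
        if inst["vswitch"] in inv["snat_vswitches"]:  # SNAT: outbound only
            res[iid]["outbound"].append("NAT gateway SNAT")
    for eip, iid in inv["eip_associations"].items():  # EIP: both directions
        res[iid]["inbound"].append(f"EIP {eip}")
        res[iid]["outbound"].append(f"EIP {eip}")
    for lb, backends in inv["slb_backends"].items():  # SLB: inbound only, no SNAT
        for iid in backends:
            res[iid]["inbound"].append(f"SLB {lb}")
    for port, iid in inv["dnat_targets"].items():  # DNAT: inbound, re-exposes host
        res[iid]["inbound"].append(f"NAT gateway DNAT {port}")
    return res

def verdict(inv):
    """Map each instance to 'exposed', 'outbound-only' or 'isolated'."""
    return {iid: "exposed" if p["inbound"] else "outbound-only" if p["outbound"] else "isolated"
            for iid, p in classify(inv).items()}

def dnat_exposed(inv):
    """Instances given outbound access by SNAT but re-exposed by a DNAT rule."""
    return sorted(i for i, p in classify(inv).items()
                  if "NAT gateway SNAT" in p["outbound"]
                  and any(r.startswith("NAT gateway DNAT") for r in p["inbound"]))
```

Running `verdict(INVENTORY)` reports i-db as outbound-only (the recommended SNAT-only pattern) and `dnat_exposed(INVENTORY)` lists i-batch, whose DNAT rule undoes that protection.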