Enable Internet access

Last Updated: Sep 22, 2021

To enable Internet access for your elastic container instance, you must configure a NAT gateway or an elastic IP address (EIP) for the instance and pay network usage fees. This topic describes how to associate an EIP with an elastic container instance and how to attach a NAT gateway to the virtual private cloud (VPC) where an elastic container instance resides.

Background information

The following table describes two methods used to enable Internet access for an elastic container instance.

| Method | Description | Fee |
| --- | --- | --- |
| Associate an EIP with the elastic container instance | EIPs are public IP addresses that can be individually purchased and managed. You can enable Internet access for an elastic container instance by associating an EIP with the instance. | EIPs support the subscription and pay-as-you-go billing methods and the pay-by-bandwidth and pay-by-data-transfer metering methods. When you associate an EIP with an elastic container instance, you are not charged a configuration fee but may be charged an association fee. For more information, see Billing overview. |
| Attach a NAT gateway to the VPC where the elastic container instance resides | NAT gateways are Internet gateways that can be individually purchased. After you associate an EIP with a NAT gateway, the NAT gateway can provide Internet services for all elastic container instances within the associated VPC. | NAT gateways support the pay-as-you-go billing method. A NAT gateway can provide Internet services only after it is associated with an EIP. You must pay for NAT gateways and their associated EIPs. For more information, see Billing overview. |

Use appropriate methods to enable Internet access for elastic container instances based on your business needs.

  • Scenario 1: Enable Internet access to NGINX deployed on an elastic container instance.

    If you want to deploy the NGINX service on an elastic container instance, you must associate an EIP with the instance when you create the instance. When NGINX starts, the elastic container instance exposes port 80 to the associated EIP. You can then use the EIP and the port number to access NGINX.

  • Scenario 2: Allow multiple elastic container instances to pull images from Docker Hub over the Internet.

    By default, Elastic Container Instance does not provide external links for pulling public images over the Internet. If one or more elastic container instances in a VPC need to pull images from Docker Hub, you must attach a NAT gateway to the VPC to provide Internet access for the instances. Otherwise, the images cannot be pulled.

Note

When you configure Internet access for elastic container instances, make sure that rules are added to the security groups of the instances to allow traffic on specified ports and to or from specified IP addresses. For more information, see Add security group rules.

Method 1: Associate an EIP with an elastic container instance

You can associate an EIP with an elastic container instance when you create the instance. Use one of the following methods to associate an EIP with an elastic container instance:

Note

Each EIP can be associated with a single elastic container instance at a time and provide Internet services only for its associated elastic container instance. If multiple elastic container instances need to access the Internet, you must associate an EIP with each of these instances or attach NAT gateways to the VPCs where the instances reside.

Use Kubernetes

You can add annotations to the metadata of the pod to associate an existing EIP or to create and associate a new EIP. Add the annotations described in the following table.

| Annotation | Description |
| --- | --- |
| k8s.aliyun.com/eci-eip-instanceid | The ID of the existing EIP to associate. |
| k8s.aliyun.com/eci-with-eip | Specifies whether to create and associate an EIP. |
| k8s.aliyun.com/eip-bandwidth | The maximum bandwidth value for the EIP. Unit: Mbit/s. Default value: 5. |
| k8s.aliyun.com/eip-common-bandwidth-package-id | The ID of the EIP bandwidth plan to associate. |
| k8s.aliyun.com/eip-isp | The line type of the EIP. Valid values: BGP: BGP (Multi-ISP); BGP_PRO: BGP (Multi-ISP) Pro. |
| k8s.aliyun.com/eip-internet-charge-type | The metering method of the EIP. Valid values: PayByBandwidth: pay-by-bandwidth; PayByTraffic: pay-by-data-transfer. |

  • Example 1: Associate an existing EIP

    apiVersion: v1
    kind: Pod
    metadata:
      name: nginx
      annotations:
        k8s.aliyun.com/eci-eip-instanceid: "eip-bp1q5n8cq4p7f6dzu****"    #Associate an existing EIP.
    spec:
      containers:
      - image: registry-vpc.cn-hangzhou.aliyuncs.com/jovi/nginx:alpine
        imagePullPolicy: Always
        name: nginx
        ports:
        - containerPort: 80
          name: http
          protocol: TCP
      restartPolicy: OnFailure
  • Example 2: Create and associate an EIP and specify a bandwidth value for the EIP

    apiVersion: v1
    kind: Pod
    metadata:
      name: nginx
      annotations:
        k8s.aliyun.com/eci-with-eip: "true"   #Create and associate an EIP.
        k8s.aliyun.com/eip-bandwidth: "10"   #Specify a bandwidth value for the EIP.
    spec:
      containers:
      - image: registry-vpc.cn-hangzhou.aliyuncs.com/jovi/nginx:alpine
        imagePullPolicy: Always
        name: nginx
        ports:
        - containerPort: 80
          name: http
          protocol: TCP
      restartPolicy: OnFailure
  • Example 3: Create and associate an EIP and then associate an EIP bandwidth plan

    apiVersion: v1
    kind: Pod
    metadata:
      name: nginx
      annotations:
        k8s.aliyun.com/eci-with-eip: "true"   #Create and associate an EIP.
        k8s.aliyun.com/eip-common-bandwidth-package-id: "cbwp-2zeukbj916scmj51m****"  #Associate an EIP bandwidth plan.
    spec:
      containers:
      - image: registry-vpc.cn-hangzhou.aliyuncs.com/jovi/nginx:alpine
        imagePullPolicy: Always
        name: nginx
        ports:
        - containerPort: 80
          name: http
          protocol: TCP
      restartPolicy: OnFailure
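
The following is an added example, not part of the original documentation or of Alibaba Cloud's tooling: a pre-deployment check over pod JSON that reports which pods request a public EIP and flags EIP annotations that do not match the table above. The function names, the sample input, and the rule that only the string "true" enables k8s.aliyun.com/eci-with-eip are assumptions.

```python
import json

# Annotation keys and valid values as listed in the table on this page.
P = "k8s.aliyun.com/"
ENUMS = {P + "eip-isp": {"BGP", "BGP_PRO"},
         P + "eip-internet-charge-type": {"PayByBandwidth", "PayByTraffic"}}
KNOWN = set(ENUMS) | {P + "eci-eip-instanceid", P + "eci-with-eip",
                      P + "eip-bandwidth", P + "eip-common-bandwidth-package-id"}

def audit_pod(pod):
    """Return (gets_public_eip, findings) for one pod object."""
    ann = pod.get("metadata", {}).get("annotations") or {}
    findings = []
    for key, value in sorted(ann.items()):
        if not (key.startswith(P) and "eip" in key):
            continue  # not an EIP-related annotation
        if key not in KNOWN:
            # Kubernetes stores any annotation key, so a typo is never rejected.
            findings.append(f"unknown EIP annotation: {key}")
        elif key in ENUMS and value not in ENUMS[key]:
            findings.append(f"invalid value for {key}: {value}")
        elif key == P + "eip-bandwidth" and not value.isdigit():
            findings.append(f"bandwidth is not an integer (Mbit/s): {value}")
    # Assumption: only the literal string "true" (as in Example 2) enables creation.
    public = bool(ann.get(P + "eci-eip-instanceid")) or ann.get(P + "eci-with-eip") == "true"
    if public:
        ports = [p["containerPort"] for c in pod.get("spec", {}).get("containers", [])
                 for p in c.get("ports", [])]
        findings.append(f"public EIP requested; declared container ports: {ports}")
    return public, findings

# Constructed sample shaped like `kubectl get pods -o json` output.
SAMPLE = json.loads("""{"items": [
 {"metadata": {"name": "nginx", "annotations": {
    "k8s.aliyun.com/eci-with-eip": "true",
    "k8s.aliyun.com/eip-common-bandwith-package-id": "cbwp-2zeukbj916scmj51m****",
    "k8s.aliyun.com/eip-isp": "BPG"}},
  "spec": {"containers": [{"name": "nginx", "ports": [{"containerPort": 80}]}]}},
 {"metadata": {"name": "worker"},
  "spec": {"containers": [{"name": "job"}]}}
]}""")

def audit(pod_list):
    """Audit every pod in a pod list and key the results by pod name."""
    return {p["metadata"]["name"]: audit_pod(p) for p in pod_list["items"]}

if __name__ == "__main__":
    for name, (public, findings) in audit(SAMPLE).items():
        print(name, "PUBLIC" if public else "private", *findings, sep="\n  ")
```

Pods reported as public are the ones whose security group rules need review, because their declared ports are reachable through the associated EIP.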

Call an API operation

When you call the CreateContainerGroup operation to create an elastic container instance, you can use the EipInstanceId parameter to associate an existing EIP or use the AutoCreateEip and EipBandwidth parameters to create and associate an EIP. The following table describes the parameters. For more information, see CreateContainerGroup.

| Parameter | Type | Example | Description |
| --- | --- | --- | --- |
| EipInstanceId | String | eip-uf66jeqopgqa9hdn**** | The EIP to be associated with the elastic container instance. |
| AutoCreateEip | Boolean | true | Specifies whether to create an EIP and associate it with the elastic container instance. |
| EipBandwidth | Integer | 5 | The maximum bandwidth value for the EIP. Unit: Mbit/s. Default value: 5. You can specify this parameter when you set AutoCreateEip to true. |

Use the Elastic Container Instance console

When you create an elastic container instance in the Elastic Container Instance console, you can associate an EIP with the instance in the Other Settings step. In the Other Settings step, you can associate an existing EIP or create and associate an EIP, as shown in the following figure.

[Figure: Associate an EIP]

Method 2: Attach a NAT gateway to the VPC where an elastic container instance resides

In the VPC console, you can attach a NAT gateway to a VPC and associate an EIP with the NAT gateway to implement the following features:

  • Source NAT (SNAT): allows elastic container instances within the VPC to access the Internet when these instances are not assigned public IP addresses.

  • Destination NAT (DNAT): maps the EIP to the IP addresses of elastic container instances within the VPC so that the instances can provide Internet-facing services.

Perform the following steps:

  1. Log on to the VPC console.

  2. In the upper-left corner of the top navigation bar, select a region.

  3. On the NAT Gateway page, create a NAT gateway.

    1. Click Create NAT Gateway.

    2. Configure the parameters for the NAT gateway.

      Select the region, zone, VPC, and vSwitch of the elastic container instance. For more information, see Purchase a NAT gateway.

    3. Confirm the configurations and fees and click Buy Now.

  4. On the Elastic IP Addresses page, create an EIP.

    1. Click Create EIP.

    2. Configure the parameters for the EIP.

      Select the region where the elastic container instance is located. For more information, see Apply for new EIPs.

    3. Confirm the configurations and fees and click Buy Now.

  5. Associate the EIP with the NAT gateway.

    1. On the NAT Gateway page, find the created NAT gateway and click Associate Now in the Elastic IP Address column.

    2. In the Associate EIP dialog box, select the created EIP and click OK.

  6. To allow your elastic container instance to access the Internet, you must create an SNAT entry for the NAT gateway.

    1. On the NAT Gateway page, find the NAT gateway and click Configure SNAT in the Actions column.

    2. Click Create SNAT Entry.

    3. Configure the parameters for the SNAT entry.

      Take note of the parameters described in the following table. For more information, see Configure SNAT to access the Internet.

      | Parameter | Description |
      | --- | --- |
      | SNAT Entry | Click Specify VSwitch. |
      | Select vSwitch | Select the vSwitch to which the elastic container instance is connected. You can specify multiple vSwitches. After the SNAT entry is created, all the elastic container instances that are connected to the specified vSwitches can use SNAT to access the Internet. |
      | Select Public IP Address | Select Use One IP Address and then select the EIP that is associated with the NAT gateway. This EIP is used to communicate with the Internet. |

    4. Click OK.

    Note

    If your elastic container instance has an associated EIP, the instance uses this EIP instead of the SNAT feature of the NAT gateway to access the Internet.

  7. To allow your elastic container instance to provide Internet-facing services, you must create a DNAT entry for the NAT gateway.

    1. On the NAT Gateway page, find the NAT gateway and click Configure DNAT in the Actions column.

    2. Click Create DNAT Entry.

    3. Configure the parameters for the DNAT entry.

      Take note of the parameters described in the following table. For more information, see Configure DNAT to provide Internet-facing services.

      | Parameter | Description |
      | --- | --- |
      | Select Public IP Address | Select the EIP that is associated with the NAT gateway. This EIP is used to communicate with the Internet. |
      | Select Private IP Address | Select the elastic container instance that needs to communicate with the Internet by using the DNAT entry. You can specify the elastic network interface (ENI) bound to the instance or enter the private IP address of the instance. |
      | Port Settings | Select a DNAT mapping method. Any Port: specifies IP address mapping. The NAT gateway forwards the requests destined for the associated EIP to the selected elastic container instance. Specific Port: specifies port mapping. The NAT gateway forwards the requests from a specific protocol and port destined for the associated EIP to the corresponding port on the selected elastic container instance. |

    4. Click OK.