All Products
Search
Document Center

Elastic Container Instance:Enable Internet access for elastic container instances

Last Updated:Apr 01, 2026

By default, Elastic Container Instance assigns only a private IP address to each instance. To connect an instance to the Internet—for example, to pull images from Docker Hub or expose a service on a public port—associate an elastic IP address (EIP) with the instance, or create an Internet NAT gateway in the virtual private cloud (VPC) where the instance runs.

Prerequisites

Before you begin, ensure that you have:

  • A security group attached to the instance with rules that allow the IP addresses and ports required for your traffic. For instructions, see Add a security group rule

Choose an access method

MethodBest forTraffic direction
Associate an EIPA single instance that needs its own public IPOutbound and inbound
Create an Internet NAT gatewayMultiple instances sharing one or more EIPsOutbound (SNAT) and inbound (DNAT)

Associate an EIP with an elastic container instance

An EIP is a public IP address that belongs to one instance at a time. When you associate an EIP with an instance, only that instance uses the EIP for Internet access.

To give multiple instances public access, associate a separate EIP with each instance, or use an Internet NAT gateway instead.

Use the console

During instance creation, go to the Other Settings step and associate an EIP. Choose an existing EIP or let the system create one automatically.

绑定EIP

Use the API

Call CreateContainerGroup with one of the following parameter sets.

Associate an existing EIP

ParameterTypeExampleDescription
EipInstanceIdStringeip-uf66jeqopgqa9hdn****The ID of the EIP to associate with the instance.

Create and associate an EIP automatically

ParameterTypeExampleDescription
AutoCreateEipBooleantrueSet to true to create an EIP and associate it with the instance.
EipBandwidthInteger5Maximum bandwidth of the EIP, in Mbit/s. Default: 5.
EipISPStringBGPLine type. Applies to pay-as-you-go EIPs only. Default: BGP. Valid values: BGP (BGP (Multi-ISP)) and BGP_PRO (BGP (Multi-ISP) Pro). For details, see the "Line type" section in What is an EIP.
EipCommonBandwidthPackageStringcbwp-2zeukbj916scmj51m****ID of an existing Internet Shared Bandwidth instance to associate with the EIP. For details, see What is Internet Shared Bandwidth.

For EIP pricing, see Billing overview.

Create an Internet NAT gateway

An Internet NAT gateway lets all instances in a VPC share a pool of EIPs for Internet access. By default, Elastic Container Instance does not provide a public endpoint to pull images over the Internet. You must create an Internet NAT gateway in the VPC where the instances run and configure the security group rules. It supports two traffic modes:

FeatureWhat it does
SNATLets instances without a public IP address initiate outbound connections to the Internet.
DNATMaps an EIP on the NAT gateway to a specific instance so external clients can reach that instance.

Step 1: Create an Internet NAT gateway

In the VPC console, create an Internet NAT gateway in the VPC where your instances run. For instructions, see Create and manage an Internet NAT gateway.

Step 2: Enable outbound access with an SNAT entry

Create an SNAT entry to allow instances in the VPC to initiate outbound connections to the Internet. For instructions, see Create and manage SNAT entries.

Key parameters:

ParameterDescription
SNAT EntryScope of instances that use this SNAT entry. Options: Specify VPC (all instances in the VPC), Specify vSwitch (instances on selected vSwitches), or Specify Custom CIDR Block (instances in the specified CIDR block).
Select vSwitchRequired when SNAT Entry is set to Specify vSwitch. Select the vSwitches used by your instances.
Custom CIDR BlockRequired when SNAT Entry is set to Specify Custom CIDR Block. Enter the CIDR block that contains your instances.
Select EIPThe EIPs associated with the NAT gateway. Instances use these EIPs to reach the Internet.
Important

If an instance already has an associated EIP, it uses that EIP for outbound traffic instead of the SNAT entry.

Step 3: Enable inbound access with a DNAT entry

Create a DNAT entry to forward inbound Internet traffic to a specific instance. For instructions, see Create and manage DNAT entries.

Key parameters:

ParameterDescription
Select EIPThe EIP on the NAT gateway that external clients use to reach the instance.
Select Private IP AddressThe target instance. Select its elastic network interface (ENI) or enter its private IP address.
Port SettingsMapping mode. Any Port forwards all traffic destined for the EIP to the instance (IP address mapping). Custom Port forwards traffic on a specific protocol and port to the corresponding port on the instance (port mapping).

For NAT gateway pricing, see Billing of Internet NAT gateways.