By default, Elastic Container Instance assigns only a private IP address to each instance. To connect an instance to the Internet—for example, to pull images from Docker Hub or expose a service on a public port—associate an elastic IP address (EIP) with the instance, or create an Internet NAT gateway in the virtual private cloud (VPC) where the instance runs.
Prerequisites
Before you begin, ensure that you have:
A security group attached to the instance with rules that allow the IP addresses and ports required for your traffic. For instructions, see Add a security group rule
Choose an access method
| Method | Best for | Traffic direction |
|---|---|---|
| Associate an EIP | A single instance that needs its own public IP | Outbound and inbound |
| Create an Internet NAT gateway | Multiple instances sharing one or more EIPs | Outbound (SNAT) and inbound (DNAT) |
Associate an EIP with an elastic container instance
An EIP is a public IP address that belongs to one instance at a time. When you associate an EIP with an instance, only that instance uses the EIP for Internet access.
To give multiple instances public access, associate a separate EIP with each instance, or use an Internet NAT gateway instead.
Use the console
During instance creation, go to the Other Settings step and associate an EIP. Choose an existing EIP or let the system create one automatically.

Use the API
Call CreateContainerGroup with one of the following parameter sets.
Associate an existing EIP
| Parameter | Type | Example | Description |
|---|---|---|---|
EipInstanceId | String | eip-uf66jeqopgqa9hdn**** | The ID of the EIP to associate with the instance. |
Create and associate an EIP automatically
| Parameter | Type | Example | Description |
|---|---|---|---|
AutoCreateEip | Boolean | true | Set to true to create an EIP and associate it with the instance. |
EipBandwidth | Integer | 5 | Maximum bandwidth of the EIP, in Mbit/s. Default: 5. |
EipISP | String | BGP | Line type. Applies to pay-as-you-go EIPs only. Default: BGP. Valid values: BGP (BGP (Multi-ISP)) and BGP_PRO (BGP (Multi-ISP) Pro). For details, see the "Line type" section in What is an EIP. |
EipCommonBandwidthPackage | String | cbwp-2zeukbj916scmj51m**** | ID of an existing Internet Shared Bandwidth instance to associate with the EIP. For details, see What is Internet Shared Bandwidth. |
For EIP pricing, see Billing overview.
Create an Internet NAT gateway
An Internet NAT gateway lets all instances in a VPC share a pool of EIPs for Internet access. By default, Elastic Container Instance does not provide a public endpoint to pull images over the Internet. You must create an Internet NAT gateway in the VPC where the instances run and configure the security group rules. It supports two traffic modes:
| Feature | What it does |
|---|---|
| SNAT | Lets instances without a public IP address initiate outbound connections to the Internet. |
| DNAT | Maps an EIP on the NAT gateway to a specific instance so external clients can reach that instance. |
Step 1: Create an Internet NAT gateway
In the VPC console, create an Internet NAT gateway in the VPC where your instances run. For instructions, see Create and manage an Internet NAT gateway.
Step 2: Enable outbound access with an SNAT entry
Create an SNAT entry to allow instances in the VPC to initiate outbound connections to the Internet. For instructions, see Create and manage SNAT entries.
Key parameters:
| Parameter | Description |
|---|---|
| SNAT Entry | Scope of instances that use this SNAT entry. Options: Specify VPC (all instances in the VPC), Specify vSwitch (instances on selected vSwitches), or Specify Custom CIDR Block (instances in the specified CIDR block). |
| Select vSwitch | Required when SNAT Entry is set to Specify vSwitch. Select the vSwitches used by your instances. |
| Custom CIDR Block | Required when SNAT Entry is set to Specify Custom CIDR Block. Enter the CIDR block that contains your instances. |
| Select EIP | The EIPs associated with the NAT gateway. Instances use these EIPs to reach the Internet. |
If an instance already has an associated EIP, it uses that EIP for outbound traffic instead of the SNAT entry.
Step 3: Enable inbound access with a DNAT entry
Create a DNAT entry to forward inbound Internet traffic to a specific instance. For instructions, see Create and manage DNAT entries.
Key parameters:
| Parameter | Description |
|---|---|
| Select EIP | The EIP on the NAT gateway that external clients use to reach the instance. |
| Select Private IP Address | The target instance. Select its elastic network interface (ENI) or enter its private IP address. |
| Port Settings | Mapping mode. Any Port forwards all traffic destined for the EIP to the instance (IP address mapping). Custom Port forwards traffic on a specific protocol and port to the corresponding port on the instance (port mapping). |
For NAT gateway pricing, see Billing of Internet NAT gateways.