By default, the system assigns only a private IP address to an Elastic Container Instance-based pod. If you want to connect a pod to the Internet, for example, if you want to pull an image over the Internet, you can associate an elastic IP address (EIP) with the pod or create an Internet NAT gateway in the virtual private cloud (VPC) to which the pod belongs.
Background information
The following table describes two methods used to enable Internet access for elastic container instances.
| Method | Description | Scenario |
| --- | --- | --- |
| Associate an EIP with the elastic container instance | EIPs are public IP addresses that can be separately purchased and managed. You can enable Internet access for an elastic container instance by associating an EIP with the instance. For more information, see What is an EIP and Billing overview. | You want to enable Internet access for a single elastic container instance. For example, you want to create an elastic container instance to deploy NGINX. When you create the instance, you associate an EIP with it. When NGINX starts, the elastic container instance exposes port 80 on the associated EIP, and you can use the EIP and the port number to access NGINX. |
| Create an Internet NAT gateway in the VPC to which the elastic container instance belongs | A NAT (Network Address Translation) gateway provides the SNAT and DNAT features. For more information, see What is NAT Gateway and Billing of Internet NAT gateways. | You want to enable Internet access for multiple elastic container instances. For example, you want to pull images from Docker Hub for multiple elastic container instances. By default, Elastic Container Instance does not provide a public endpoint for pulling images over the Internet. You must create an Internet NAT gateway in the VPC to which the elastic container instances belong and configure the security group rules. Otherwise, you cannot pull images over the Internet. |
When you enable Internet access for elastic container instances, make sure that the security group to which the instances belong allows the relevant IP addresses and ports. For more information, see Add a security group rule.
Associate an EIP with the elastic container instance
When you create a pod, you can add annotations to the metadata in the configuration file of the pod to associate an existing EIP, or allow the system to automatically create an EIP and associate the EIP with the pod.
Each EIP can be associated with a single elastic container instance at a time and provide Internet services only for its associated elastic container instance. If you want to connect multiple elastic container instances to the Internet, you must associate an EIP with each instance or create an Internet NAT gateway in the VPC to which the instances belong.
Associate an existing EIP with the pod
| Annotation | Example | Description |
| --- | --- | --- |
| k8s.aliyun.com/eci-eip-instanceid | "eip-bp1q5n8cq4p7f6dzu****" | Specifies the ID of the EIP that you want to associate. |
Automatically create an EIP and associate the EIP with the pod
| Annotation | Example | Description |
| --- | --- | --- |
| k8s.aliyun.com/eci-with-eip | "true" | Specifies whether to automatically create an EIP and associate the EIP with the pod. |
| k8s.aliyun.com/eip-bandwidth | "10" | Specifies the maximum bandwidth of the EIP. Unit: Mbit/s. Default value: 5. |
| k8s.aliyun.com/eip-common-bandwidth-package-id | "cbwp-2zeukbj916scmj51m****" | Specifies the ID of an existing EIP bandwidth plan that you want to associate with the instance. For more information, see What is an Internet Shared Bandwidth? |
| k8s.aliyun.com/eip-isp | BGP | Specifies the line type of the EIP. This annotation is applicable only to pay-as-you-go EIPs. Default value: BGP. Valid values: BGP (BGP (Multi-ISP) lines) and BGP_PRO (BGP (Multi-ISP) Pro lines). For more information, see the "Line types" section of the Elastic IP Addresses topic. |
| k8s.aliyun.com/eip-internet-charge-type | PayByTraffic | Specifies the metering method of the EIP. Valid values: PayByBandwidth (pay-by-bandwidth) and PayByTraffic (pay-by-traffic). For more information about the billing of EIPs, see Billing overview. |
| k8s.aliyun.com/eip-public-ip-address-pool-id | pippool-bp187arfugi543y1s**** | Specifies the ID of the IP address pool from which the EIP is allocated. For more information, see Create and manage IP address pools. |
Annotations must be added to the metadata in the configuration file of the pod. For example, when you create a Deployment, you must add annotations in the spec.template.metadata section.
To use features of Elastic Container Instance, you can add annotations only when you create Elastic Container Instance-based pods. If you add or modify annotations when you update pods, these annotations do not take effect.
Sample configurations:
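The page's own sample configuration is not reproduced here. The following manifest is an added example, not the page's or Alibaba Cloud's own sample, showing both ways of associating an EIP from the tables above: one Deployment that binds an existing EIP, and one that lets the system create an EIP per pod. The Deployment names, labels, image tag and the `nodeSelector` used to place the pods on Elastic Container Instance are assumptions to adapt to your cluster; the EIP ID, bandwidth plan ID and address pool ID are placeholders in the page's masked format and must be replaced with your own values.

```yaml
# Added example (not the page's own sample configuration).
# Annotations sit under spec.template.metadata and take effect only when the
# pod is created; adding them to an already running pod has no effect.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-existing-eip          # assumed name
spec:
  # An EIP serves one elastic container instance at a time, so a fixed EIP ID
  # can only back a single replica.
  replicas: 1
  selector:
    matchLabels:
      app: nginx-existing-eip
  template:
    metadata:
      labels:
        app: nginx-existing-eip
      annotations:
        # Associate an existing EIP (placeholder ID, replace with yours).
        k8s.aliyun.com/eci-eip-instanceid: "eip-bp1q5n8cq4p7f6dzu****"
    spec:
      nodeSelector:
        type: virtual-kubelet        # assumption: how this cluster schedules pods to ECI
      containers:
      - name: nginx
        image: nginx:1.25            # assumed image
        ports:
        # Port 80 is reachable on the EIP only if the instance's security group
        # allows inbound traffic to it from the intended sources.
        - containerPort: 80
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-auto-eip              # assumed name
spec:
  # Each replica gets its own automatically created EIP.
  replicas: 2
  selector:
    matchLabels:
      app: nginx-auto-eip
  template:
    metadata:
      labels:
        app: nginx-auto-eip
      annotations:
        k8s.aliyun.com/eci-with-eip: "true"                  # create and associate an EIP
        k8s.aliyun.com/eip-bandwidth: "10"                   # Mbit/s, default 5
        k8s.aliyun.com/eip-isp: "BGP"                        # pay-as-you-go only; BGP or BGP_PRO
        k8s.aliyun.com/eip-internet-charge-type: "PayByTraffic"   # or PayByBandwidth
        # Optional: draw the EIP from an existing bandwidth plan or address pool
        # (placeholder IDs in the page's masked format).
        # k8s.aliyun.com/eip-common-bandwidth-package-id: "cbwp-2zeukbj916scmj51m****"
        # k8s.aliyun.com/eip-public-ip-address-pool-id: "pippool-bp187arfugi543y1s****"
    spec:
      nodeSelector:
        type: virtual-kubelet        # assumption, as above
      containers:
      - name: nginx
        image: nginx:1.25            # assumed image
        ports:
        - containerPort: 80
```

Apply the file with `kubectl apply -f`, then confirm in the console or with the EIP APIs that the expected EIPs are associated. Scaling the first Deployment beyond one replica is not meaningful because the fixed EIP cannot be associated with a second instance; use the automatic-EIP form or a NAT gateway in the VPC when several instances need Internet access.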
Create an Internet NAT gateway in the VPC to which the elastic container instance belongs
After you create an Internet NAT gateway in a VPC, the Internet NAT gateway can provide the SNAT and DNAT features and the elastic container instances in the VPC can connect to the Internet.
| Feature | Description |
| --- | --- |
| SNAT | Allows elastic container instances within the VPC to access the Internet when these instances are not assigned public IP addresses. |
| DNAT | Maps the EIP that is associated with the Internet NAT gateway to elastic container instances in the VPC. This way, the elastic container instances in the VPC can provide Internet-facing services. |
Create an Internet NAT gateway in the VPC console. For more information, see Create and manage Internet NAT gateways.
To allow your elastic container instance to access the Internet, you must create an SNAT entry for the NAT gateway. For more information, see Create and manage SNAT entries.
The following table describes the parameters that you need to take note of when you create an entry.
| Parameter | Description |
| --- | --- |
| SNAT Entry | Select a value for this parameter based on factors such as service networking and security. Specify VPC: all elastic container instances in the specified VPC can use SNAT to access the Internet. Specify vSwitch: all elastic container instances that are connected to the selected vSwitches can use SNAT to access the Internet. Specify Custom CIDR Block: all elastic container instances that belong to the specified CIDR block can use SNAT to access the Internet. |
| Select vSwitch | If you set the SNAT Entry parameter to Specify vSwitch, you must select one or more vSwitches that are used to create your elastic container instance. |
| Custom CIDR Block | If you set the SNAT Entry parameter to Specify Custom CIDR Block, you must specify the CIDR block to which the elastic container instance that will access the Internet belongs. |
| Select EIP | Select one or more EIPs that are associated with the NAT gateway. The elastic container instance uses these EIPs to access the Internet. |
Note: If your elastic container instance has an associated EIP, the instance uses this EIP instead of the SNAT feature of the NAT gateway to access the Internet.
To allow your elastic container instance to provide Internet-facing services, you must create a DNAT entry for the NAT gateway. For more information, see Create and manage DNAT entries.
The following table describes the parameters that you need to take note of when you create an entry.
| Parameter | Description |
| --- | --- |
| Select EIP | Select the EIP that is associated with the NAT gateway. The elastic container instance uses the EIP to provide Internet-facing services. |
| Select Private IP Address | Select the elastic container instance that needs to provide Internet-facing services by using the DNAT entry. You can specify the elastic network interface (ENI) that is bound to the elastic container instance or enter the private IP address of the instance. |
| Port Settings | The DNAT mapping method. Any Port: IP address mapping; the NAT gateway forwards all requests destined for the associated EIP to the selected elastic container instance. Custom Port: port mapping; the NAT gateway forwards requests for a specific protocol and port destined for the associated EIP to the corresponding port on the selected elastic container instance. |