By default, the system assigns only a private IP address to an elastic container instance. If you want to connect an elastic container instance to the Internet, for example, if you want to pull an image over the Internet, you can associate an elastic IP address (EIP) with the instance or create an Internet NAT gateway in the virtual private cloud (VPC) to which the instance belongs.
Background information
The following table describes two methods used to enable Internet access for elastic container instances.
Method | Description | Scenario |
Associate an EIP with the elastic container instance | EIPs are public IP addresses that can be separately purchased and managed. You can enable Internet access for an elastic container instance by associating an EIP with the instance. For more information, see What is an EIP and Billing overview. | You want to enable Internet access for a single elastic container instance. For example, you want to create an elastic container instance to deploy NGINX. When you create the instance, you need to associate an EIP with the instance. When NGINX starts, the elastic container instance exposes port 80 to the associated EIP. You can then use the EIP and the port number to access NGINX. |
Create an Internet NAT gateway in the VPC to which the elastic container instance belongs | A NAT (Network Address Translation) gateway provides the SNAT and DNAT features. For more information, see What is NAT Gateway and Billing of Internet NAT gateways. | You want to enable Internet access for multiple elastic container instances. For example, you want to pull images from Docker Hub for multiple elastic container instances. By default, Elastic Container Instance does not provide a public endpoint to pull images over the Internet. You must create an Internet NAT gateway in the VPC to which the elastic container instances belong and configure the security group rule. Otherwise, you cannot pull images over the Internet. |
When you enable Internet access for elastic container instances, make sure that the security group to which the instances belong allows the relevant IP addresses and ports. For more information, see Add a security group rule.
Associate an EIP with the elastic container instance
When you create an elastic container instance, you can associate an existing EIP with the instance, or allow the system to automatically create an EIP and associate the EIP with the instance.
Each EIP can be associated with a single elastic container instance at a time and provide Internet services only for its associated elastic container instance. If you want to connect multiple elastic container instances to the Internet, you must associate an EIP with each instance or create an Internet NAT gateway in the VPC to which the instances belong.
Call an API operation
When you call the CreateContainerGroup API operation to create an elastic container instance, you can use the EipInstanceId parameter to associate an existing EIP, or use the AutoCreateEip and EipBandwidth parameters to create an EIP and associate the EIP with the instance. The following tables describe these parameters. For more information, see CreateContainerGroup.
Associate an existing EIP with the elastic container instance
Parameter | Type | Example | Description |
EipInstanceId | String | eip-uf66jeqopgqa9hdn**** | The EIP to be associated with the elastic container instance. |
Automatically create an EIP and associate the EIP with the instance
Parameter | Type | Example | Description |
AutoCreateEip | Boolean | true | Specifies whether to create an EIP and associate it with the elastic container instance. Set the value to true. |
EipBandwidth | Integer | 5 | Specifies the maximum bandwidth of the EIP. Unit: Mbit/s. Default value: 5. |
EipISP | String | BGP | Specifies the line type of the EIP. This parameter is applicable only to pay-as-you-go EIPs. Default value: BGP. Valid values: BGP, which specifies BGP (Multi-ISP) lines, and BGP_PRO, which specifies BGP (Multi-ISP) Pro lines. For more information, see the "Line type" section of the What is an EIP topic. |
EipCommonBandwidthPackage | String | cbwp-2zeukbj916scmj51m**** | Specifies the ID of an existing EIP bandwidth plan that you want to associate with the instance. For more information, see What is an Internet Shared Bandwidth? |
Use the Elastic Container Instance console
When you create an elastic container instance in the Elastic Container Instance console, you can associate an EIP with the instance in the Other Settings step. You can associate an existing EIP or allow the system to create an EIP and then associate the EIP with the instance.
Create an Internet NAT gateway in the VPC to which the elastic container instance belongs
After you create an Internet NAT gateway in a VPC, the Internet NAT gateway can provide the SNAT and DNAT features and the elastic container instances in the VPC can connect to the Internet.
Feature | Description |
SNAT | Allows elastic container instances within the VPC to access the Internet when these instances are not assigned public IP addresses. |
DNAT | Maps the EIP that is associated with the Internet NAT gateway to elastic container instances in the VPC. This way, the elastic container instances in the VPC can provide Internet-facing services. |
Create an Internet NAT gateway in the VPC console. For more information, see Create and manage Internet NAT gateways.
To allow your elastic container instance to access the Internet, you must create an SNAT entry for the NAT gateway. For more information, see Create and manage SNAT entries.
The following table describes the parameters that you need to take note of when you create an entry.
Parameter | Description |
SNAT Entry | Select a value for this parameter based on factors such as service networking and security. Specify VPC: All elastic container instances in the specified VPC can use SNAT to access the Internet. Specify vSwitch: All elastic container instances that are connected to the selected vSwitches can use SNAT to access the Internet. Specify Custom CIDR Block: All elastic container instances that belong to the specified CIDR block can use SNAT to access the Internet. |
Select vSwitch | If you set the SNAT Entry parameter to Specify vSwitch, you must select one or more vSwitches that are used to create your elastic container instance. |
Custom CIDR Block | If you set the SNAT Entry parameter to Specify Custom CIDR Block, you must specify the CIDR block to which your elastic container instance that will access the Internet belongs. |
Select EIP | Select one or more EIPs that are associated with the NAT gateway. The elastic container instance uses the EIPs to access the Internet. |
Note: If your elastic container instance has an associated EIP, the instance uses this EIP instead of the SNAT feature of the NAT gateway to access the Internet.
To allow your elastic container instance to provide Internet-facing services, you must create a DNAT entry for the NAT gateway. For more information, see Create and manage DNAT entries.
The following table describes the parameters that you need to take note of when you create an entry.
Parameter | Description |
Select EIP | Select the EIP that is associated with the NAT gateway. The elastic container instance uses the EIP to provide Internet-facing services. |
Select Private IP Address | Select the elastic container instance that needs to provide Internet-facing services by using the DNAT entry. You can specify the elastic network interface (ENI) that is bound to the elastic container instance or enter the private IP address of the instance. |
Port Settings | The DNAT mapping method. Valid values: Any Port, which specifies IP address mapping, where the NAT gateway forwards the requests destined for the associated EIP to the selected elastic container instance; and Custom Port, which specifies port mapping, where the NAT gateway forwards the requests from a specific protocol and port destined for the associated EIP to the corresponding port on the selected elastic container instance. |
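The following Python code is an added example, not part of the original documentation. It models the SNAT and DNAT settings described above to work out which egress path each elastic container instance uses (its own EIP, SNAT, or none) and which instances a DNAT entry in Any Port mode exposes on every port. The class names, field names and sample inventory are constructed for illustration and are not an Alibaba Cloud API schema.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Field names below are hypothetical, chosen for this example; they are not an API schema.
@dataclass
class Instance:
    name: str
    private_ip: str
    vswitch: str
    eip: Optional[str] = None      # EIP associated directly with the instance

@dataclass
class SnatEntry:
    scope: str                     # "vpc", "vswitch" or "cidr"
    values: tuple = ()             # vSwitch IDs or CIDR blocks; unused for "vpc"

@dataclass
class DnatEntry:
    private_ip: str
    port: Optional[int] = None     # None models Any Port (IP address mapping)

def snat_covers(entry: SnatEntry, inst: Instance) -> bool:
    if entry.scope == "vpc":
        return True
    if entry.scope == "vswitch":
        return inst.vswitch in entry.values
    if entry.scope == "cidr":
        ip = ipaddress.ip_address(inst.private_ip)
        return any(ip in ipaddress.ip_network(c) for c in entry.values)
    raise ValueError(f"unknown SNAT scope: {entry.scope!r}")

def egress_path(inst: Instance, snat: list) -> str:
    if inst.eip:                   # an associated EIP is used instead of SNAT
        return "eip"
    return "snat" if any(snat_covers(e, inst) for e in snat) else "none"

def any_port_targets(dnat: list, instances: list) -> list:
    """Names of instances that receive every port of an EIP through DNAT."""
    wide = {d.private_ip for d in dnat if d.port is None}
    return sorted(i.name for i in instances if i.private_ip in wide)

# Constructed sample inventory.
INSTANCES = [
    Instance("web", "10.0.1.10", "vsw-a", eip="203.0.113.7"),
    Instance("worker", "10.0.2.20", "vsw-b"),
    Instance("batch", "10.0.3.30", "vsw-c"),
]
SNAT = [SnatEntry("cidr", ("10.0.2.0/24",))]
DNAT = [DnatEntry("10.0.2.20"), DnatEntry("10.0.3.30", port=443)]
```

With an Any Port entry, the security group rules of the instance are the only remaining inbound filter, whereas Custom Port already narrows exposure at the NAT gateway.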