Updated on 2024-08-07 GMT+08:00

Connecting VPCs to the Public Network

You can use EIP, NAT Gateway, or ELB to allow the resources in VPCs to access the public network.

EIP

An EIP is an independent public IP address. You can bind it to an instance, such as an ECS, a NAT gateway, or a load balancer, so that the instance can access the public network or provide services accessible from the public network.

In Figure 1, there are two subnets (Subnet-A01 and Subnet-A02) in a region (region A), and there is an ECS on each subnet. The ECS (ECS-A01) on Subnet-A01 needs to access the public network, and the ECS (ECS-A02) on Subnet-A02 needs to provide web services for the public network. Two EIPs (EIP-A01 and EIP-A02) are required, with each bound to an ECS.
Figure 1 Connecting a VPC to the public network using EIP

NAT Gateway (SNAT)

You can use a public NAT gateway and configure SNAT rules to enable multiple ECSs in a VPC to share one or more EIPs to access the public network. If only SNAT rules are configured, the NAT gateway's public address cannot be reached from the public network, so the ECSs behind it are not exposed to inbound traffic. This is more secure than binding an EIP to each ECS.
In Figure 2, ECSs deployed on two subnets (Subnet-A01 and Subnet-A02) in a VPC (VPC-A) need to access the public network. For this to work, you first need to create a public NAT gateway in a third subnet (Subnet-NAT), and then configure SNAT rules on the public NAT gateway for Subnet-A01 and Subnet-A02. In this way, all ECSs in Subnet-A01 and Subnet-A02 can share an EIP to access the public network.
Figure 2 Enabling ECSs in a VPC to access the public network using a NAT gateway
In Figure 3, three VPCs (VPC-A, VPC-B, and VPC-C) in a region need to communicate with each other and can use the NAT gateway deployed in another VPC (VPC-D) to access the public network. For this to work, you first need to attach the four VPCs to an enterprise router, then configure routes in the route tables of the VPCs and of the enterprise router, and configure SNAT rules on the public NAT gateway. In this way, the VPCs can communicate with each other and share an EIP to access the public network.
Figure 3 Enabling ECSs in different VPCs to access the public network using a NAT gateway
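The Figure 3 topology depends on the route tables of the three spoke VPCs, the enterprise router and VPC-D all agreeing: a default route in each VPC towards the enterprise router, a default route on the enterprise router towards VPC-D, a default route in VPC-D towards the NAT gateway, and a return route for every VPC CIDR at each hop. The following added example (not Huawei Cloud code; the VPC CIDRs, the next-hop names "ER" and "NAT-GW" and the addresses are constructed) models those tables with longest-prefix matching and traces a packet hop by hop, so a missing return route shows up as a loop instead of being discovered after the change is applied:

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# A route table is a list of (destination CIDR, next hop); the longest matching prefix wins.
RouteTable = List[Tuple[str, str]]

# Constructed CIDRs for the four VPCs in Figure 3 (the page names the VPCs but not their ranges).
VPC_CIDRS = {
    "VPC-A": "10.1.0.0/16",
    "VPC-B": "10.2.0.0/16",
    "VPC-C": "10.3.0.0/16",
    "VPC-D": "10.4.0.0/16",  # hosts the public NAT gateway
}
ER = "ER"          # the enterprise router all four VPCs are attached to
NAT_VPC = "VPC-D"
NAT_GW = "NAT-GW"  # hypothetical next-hop name for the public NAT gateway in VPC-D


def lookup(table: RouteTable, dst_ip: str) -> Optional[str]:
    """Longest-prefix-match lookup; None when no route covers the destination."""
    addr = ipaddress.ip_address(dst_ip)
    best_hop, best_len = None, -1
    for cidr, next_hop in table:
        net = ipaddress.ip_network(cidr)
        if addr in net and net.prefixlen > best_len:
            best_hop, best_len = next_hop, net.prefixlen
    return best_hop


def build_tables() -> Dict[str, RouteTable]:
    """Route tables for the Figure 3 design: spokes -> enterprise router -> VPC-D -> NAT gateway."""
    tables: Dict[str, RouteTable] = {}
    # Spoke VPCs (A, B, C): own CIDR is local, everything else goes to the enterprise router.
    for name, cidr in VPC_CIDRS.items():
        if name != NAT_VPC:
            tables[name] = [(cidr, "local"), ("0.0.0.0/0", ER)]
    # Enterprise router: one route back to each attached VPC, default route towards VPC-D.
    tables[ER] = [(cidr, name) for name, cidr in VPC_CIDRS.items()] + [("0.0.0.0/0", NAT_VPC)]
    # VPC-D: own CIDR local, the other VPC CIDRs back to the enterprise router (return traffic),
    # and the default route to the NAT gateway, where the SNAT rules apply.
    tables[NAT_VPC] = [(VPC_CIDRS[NAT_VPC], "local")]
    tables[NAT_VPC] += [(cidr, ER) for name, cidr in VPC_CIDRS.items() if name != NAT_VPC]
    tables[NAT_VPC].append(("0.0.0.0/0", NAT_GW))
    return tables


def trace(tables: Dict[str, RouteTable], src: str, dst_ip: str, max_hops: int = 8) -> List[str]:
    """Follow next hops from src until the packet is delivered locally, reaches the NAT gateway,
    is dropped for lack of a route, or loops between hops."""
    path, node = [src], src
    for _ in range(max_hops):
        hop = lookup(tables[node], dst_ip)
        if hop is None:
            return path + ["DROP"]
        path.append(hop)
        if hop in ("local", NAT_GW):
            return path
        node = hop
    return path + ["LOOP"]


if __name__ == "__main__":
    tables = build_tables()
    print("VPC-A -> public host:", trace(tables, "VPC-A", "203.0.113.9"))
    print("VPC-C -> VPC-B ECS:  ", trace(tables, "VPC-C", "10.2.0.5"))
    print("VPC-D -> VPC-A ECS:  ", trace(tables, "VPC-D", "10.1.0.9"))
    # Remove the enterprise router's route back to VPC-C: replies from the NAT gateway
    # to VPC-C now bounce between VPC-D and the enterprise router.
    broken = build_tables()
    broken[ER] = [r for r in broken[ER] if r[1] != "VPC-C"]
    print("missing VPC-C route:", trace(broken, "VPC-D", "10.3.0.1"))
```

The forward traces show the outbound path VPC-A, enterprise router, VPC-D, NAT gateway; the last trace shows why the enterprise router needs a route for every attached VPC, not just a default route towards the NAT VPC.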

NAT Gateway (DNAT)

DNAT enables port forwarding. It maps EIP ports to ECS ports so that the ECSs in VPCs can share the same EIP and bandwidth to provide Internet-accessible services. However, DNAT does not balance traffic.

For details, see Using DNAT to Provide Services for the Public Network.

In Figure 4, ECSs deployed on two subnets (Subnet-A01 and Subnet-A02) in a VPC (VPC-A) need to provide web services for the public network. For this to work, you first need to create a public NAT gateway in a third subnet (Subnet-NAT in this example), and then configure DNAT rules on the public NAT gateway for Subnet-A01 and Subnet-A02. In this way, all ECSs in Subnet-A01 and Subnet-A02 can share an EIP to provide Internet-accessible services.
Figure 4 Enabling ECSs in a VPC to provide services for the public network using a NAT gateway

ELB

ELB evenly distributes incoming traffic to multiple backend servers. Together with EIPs, ELB allows a large number of users to access services deployed on cloud servers from the public network.

For details, see Getting Started with ELB.

In Figure 5, a web application is deployed on the ECSs in two VPCs (VPC-A and VPC-B) in a region. Because of the heavy incoming traffic, a load balancer is used to distribute the traffic across the ECSs in both VPCs. For this to work, the two VPCs need to be able to communicate with each other. In this example, a VPC peering connection is used to connect VPC-A and VPC-B.
Figure 5 ELB for evenly distributing incoming traffic from the public network