Help Center/ SoftWare Repository for Container/ Best Practices/ Configuring Access Network/ Public Network Access
Updated on 2025-09-10 GMT+08:00
View PDF
Share

Public Network Access

Scenarios

If your container engine client is installed on a CCE node or an ECS that is in a different region from the image repository, you can push or pull images over a public network. An EIP needs to be bound to the CCE node or ECS. For public network access, there are two scenarios.

Public Network Access for Single ECS

If an ECS needs to access a public network, you can bind it to an EIP. Huawei Cloud provides multiple billing modes (such as pay-per-use and pay-per-traffic). You can select one as required and flexibly unbind an unnecessary EIP.

Figure 1 Network topology
  1. Log in to the management console.
  2. Click in the upper left corner and select the desired region and project.
  3. Click and choose Computing > Elastic Cloud Server.
  4. In the ECS list, select the ECS to which an EIP is to be bound, and choose More > Manage Network > Bind EIP in the Operation column.
  5. Select an EIP and click OK.

    Figure 2 Binding an EIP

  6. After the ECS is bound to the EIP, you can view the bound EIP in the ECS list.

    If no EIP is available in the current region, the EIP list is empty. In this case, purchase an EIP and bind it again.

Public Network Access for Multiple ECSs

If all ECSs in your VPC need to access a public network, you can use NAT Gateway and configure SNAT rules by subnet to easily build a public network egress for the VPC. If no SNAT rule is configured, external users cannot directly access the public network IP address of the NAT gateway through a public network, which makes ECS more secure compared with public network access through an EIP.

Figure 3 Network topology
  1. Bind the ECS to an EIP. For details, see Public Network Access for Single ECS.
  2. Create a NAT gateway. For details, see Buying a Public NAT Gateway.

    1. Log in to the management console.
    2. Click in the upper left corner and select the desired region and project.
    3. Click in the upper left corner and choose Networking > NAT Gateway in the service list.
    4. On the displayed page, click Buy Public NAT Gateway.
    5. Configure the parameters as prompted.

  3. Configure SNAT rules and bind EIPs to subnets. For details, see Adding an SNAT Rule.

    1. Log in to the management console.
    2. Click in the upper left corner and select the desired region and project.
    3. Click in the upper left corner and choose Networking > NAT Gateway in the service list.
    4. On the displayed page, click the name of the NAT gateway for which you want to add the SNAT rule.
    5. On the SNAT Rules tab, click Add SNAT Rule.
    6. Configure the parameters as prompted.
      Figure 4 Adding an SNAT rule

If you access OBS by configuring the local /etc/hosts file, add the domain names of the OBS bucket clusters that store container images to this file. Otherwise, the images may fail to be pulled. You can submit a service ticket to obtain information about SWR's OBS bucket clusters in different regions.

Parent Topic: Configuring Access Network