Updated on 2025-08-06 GMT+08:00

Connecting VPCs to the Public Network

With the network services described in Table 1, you can connect VPCs to the public network so that instances in the VPCs can access the public network or provide services accessible on the public network.
Table 1 Network services that allow VPCs to communicate with the public network

| Network Service | Function | Highlights |
| --- | --- | --- |
| EIP | An EIP is an independent public IP address. You can bind it to an instance, such as an ECS, a NAT gateway, or a load balancer, so that the instance can access the public network or provide services accessible from the public network. | • EIPs can be bound to or unbound from instances if needed.<br>• Shared bandwidths and shared data packages can be used to lower costs.<br>• EIP bandwidth can be adjusted at any time. |
| NAT Gateway | NAT Gateway supports both source NAT (SNAT) and destination NAT (DNAT).<br>• SNAT enables multiple instances to share one or more EIPs to access the public network.<br>• DNAT enables port forwarding. It maps EIP ports to ECS ports so that the ECSs in a VPC can share the same EIP and bandwidth to provide Internet-accessible services. However, DNAT does not balance traffic. | • Using shared EIPs to access the public network reduces costs.<br>• EIPs of ECSs are not exposed to the public network, which improves security.<br>• Different specifications are available. |
| ELB | ELB evenly distributes incoming traffic to multiple backend servers. Together with EIPs, ELB allows a large number of users to access services deployed on cloud servers from the public network. | • ELB can process both Layer 4 and Layer 7 requests and supports advanced forwarding policies and multiple protocols.<br>• ELB can eliminate single points of failure (SPOFs) for high availability. |

EIP

An EIP is an independent public IP address. You can bind it to an instance, such as an ECS, a NAT gateway, or a load balancer, so that the instance can access the public network or provide services accessible from the public network.

In Figure 1, there are two subnets (Subnet-A01 and Subnet-A02) in a region (region A), and there is an ECS on each subnet. The ECS (ECS-A01) on Subnet-A01 needs to access the public network, and the ECS (ECS-A02) on Subnet-A02 needs to provide web services for the public network. Two EIPs (EIP-A01 and EIP-A02) are required, with each bound to an ECS.
Figure 1 Connecting a VPC to the public network using EIP

NAT Gateway (SNAT)

You can use a public network NAT gateway and configure SNAT rules to enable multiple ECSs in a VPC to share one or more EIPs to access the public network. If only SNAT rules are configured, the public network address of the NAT gateway cannot be directly accessed from the public network. This is more secure than using EIPs.
In Figure 2, ECSs deployed on two subnets (Subnet-A01 and Subnet-A02) of VPC-A in region A need to access the Internet. For this to work, you first need to create a public NAT gateway in a third subnet (Subnet-NAT), and then configure SNAT rules on the public NAT gateway for Subnet-A01 and Subnet-A02. In this way, all ECSs in Subnet-A01 and Subnet-A02 can share an EIP to access the public network.
Figure 2 Enabling ECSs in a VPC to access the public network using a NAT gateway
In Figure 3, three VPCs (VPC-A, VPC-B, and VPC-C) in a region need to communicate with each other and can use the NAT gateway deployed in another VPC (VPC-D) to access the public network. For this to work, you first need to attach the four VPCs to an enterprise router, then configure routes in the route tables of the VPCs and of the enterprise router, and configure SNAT rules on the public NAT gateway. In this way, the VPCs can communicate with each other and share an EIP to access the public network.
Figure 3 Enabling ECSs in different VPCs to access the public network using a NAT gateway

NAT Gateway (DNAT)

DNAT enables port forwarding. It maps EIP ports to ECS ports so that the ECSs in VPCs can share the same EIP and bandwidth to provide Internet-accessible services. However, DNAT does not balance traffic.

For details, see Using a Public NAT Gateway to Enable Servers to Be Accessed by the Internet.

In Figure 4, ECSs deployed on two subnets (Subnet-A01 and Subnet-A02) in a VPC (VPC-A) need to provide web services for the public network. For this to work, you first need to create a public NAT gateway in a third subnet (Subnet-NAT in this example), and then configure DNAT rules on the public NAT gateway for Subnet-A01 and Subnet-A02. In this way, all ECSs in Subnet-A01 and Subnet-A02 can share an EIP to provide Internet-accessible services.
Figure 4 Enabling ECSs in a VPC to provide services for the public network using a NAT gateway
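
The EIP, SNAT and DNAT sections above imply different inbound exposure for each instance, which can be checked against an inventory. The following Python is an added example, not part of the original page or the provider's tooling; the IP addresses, the ECS-A03 instance, and the function names are constructed for illustration.

```python
import ipaddress

# Constructed inventory reusing the page's example names; every address is
# a made-up private/documentation value, not taken from the page.
INSTANCES = {
    "ECS-A01": "192.168.1.10",   # on Subnet-A01
    "ECS-A02": "192.168.2.10",   # on Subnet-A02
    "ECS-A03": "192.168.2.11",   # on Subnet-A02 (hypothetical extra ECS)
}
EIP_BINDINGS = {"ECS-A01": "203.0.113.10"}         # EIP bound directly to an ECS
SNAT_RULES = [("192.168.1.0/24", "203.0.113.20"),  # (subnet CIDR, shared EIP)
              ("192.168.2.0/24", "203.0.113.20")]
# (EIP, EIP port, private IP, private port)
DNAT_RULES = [("203.0.113.20", 443, "192.168.2.10", 8443)]


def exposure(name):
    """Return (egress paths, inbound entry points) for one instance."""
    ip = ipaddress.ip_address(INSTANCES[name])
    egress, inbound = [], []
    if name in EIP_BINDINGS:
        # A bound EIP works in both directions. Which ports actually answer
        # is decided elsewhere (e.g. security groups) and is not modelled.
        egress.append(("eip", EIP_BINDINGS[name]))
        inbound.append((EIP_BINDINGS[name], "any", "any"))
    for cidr, eip in SNAT_RULES:
        if ip in ipaddress.ip_network(cidr):
            egress.append(("snat", eip))   # outbound only, no inbound path
    for eip, eip_port, priv_ip, priv_port in DNAT_RULES:
        if ipaddress.ip_address(priv_ip) == ip:
            inbound.append((eip, eip_port, priv_port))  # one forwarded port
    return egress, inbound


def audit():
    """Flag direct EIPs on subnets that already have SNAT, and isolated hosts."""
    findings = []
    for name in sorted(INSTANCES):
        egress, inbound = exposure(name)
        kinds = {kind for kind, _ in egress}
        if {"eip", "snat"} <= kinds:
            findings.append((name, "direct EIP although subnet has SNAT"))
        if not egress and not inbound:
            findings.append((name, "no public connectivity"))
    return findings
```

In this constructed inventory, `audit()` flags only ECS-A01: its subnet already has an SNAT rule, so the directly bound EIP adds an inbound path that SNAT alone would not create.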

ELB

ELB evenly distributes incoming traffic to multiple backend servers. Together with EIPs, ELB allows a large number of users to access services deployed on cloud servers from the public network.

For details, see Getting Started with ELB.

In Figure 5, a web application is deployed on the ECSs in two VPCs (VPC-A and VPC-B) in a region. Because of the heavy incoming traffic, a load balancer is used to distribute the traffic across ECSs in different VPCs. For this to work, VPCs need to communicate with each other. In this example, a VPC peering connection is used to connect VPC-A and VPC-B.
Figure 5 ELB for evenly distributing incoming traffic from the public network