EAS access to public and private resources


If an EAS service needs to call public APIs, download files from the internet, connect to an RDS database, or access other external services, you must configure a Virtual Private Cloud (VPC) to establish network connectivity.

How it works

When you configure a VPC for an EAS service, the system creates an Elastic Network Interface (ENI) for each service instance and assigns it a private IP address from the specified vSwitch. This gives the instance a network identity within the VPC, enabling communication with other VPC resources or public internet access through a NAT Gateway.

Billing

Configuring a VPC for an EAS service is free of charge. However, NAT Gateway and Elastic IP Address (EIP) are paid products. For billing details, see NAT Gateway billing and EIP billing overview.

Before you begin: plan and prepare your network

Before you begin, plan your network connectivity and prepare the required VPC, vSwitch, and security group. If you need to create these resources, see Create a VPC and a vSwitch and Use security groups.

  • Security group rules control all outbound traffic from EAS services. Ensure that the outbound rules of your security group allow the EAS service to access the target service.

  • To enable private network communication, the simplest approach is to deploy the EAS service and the target service in the same VPC. If the target service is in a different VPC, you must connect the networks using services such as VPC Peering Connection or Cloud Enterprise Network.

Procedure

Step 1: Configure a VPC

VPC configuration is the first step to enable private network communication or public internet access for your EAS service. EAS supports VPC configuration at both the service level and the resource group level:

  • Service level: Specifies a VPC for a single service. This configuration has the highest priority.

  • Resource group level: Sets a default VPC for all services in a dedicated resource group, simplifying batch configuration.

Important

If you configure network settings at both the service and resource group levels, the service-level configuration takes precedence.

Service level

Console

When you create or update a service, configure the VPC in the Network Information section. After you select a VPC from the drop-down list, configure the vSwitch and security group.

In addition to VPC settings, the Network Information section includes Gateway Selection (options include shared gateway or dedicated gateway), and options to Associate Network Load Balancer (NLB) and Associate Service Discovery (Nacos).

Note

After you create a VPC, vSwitch, or security group, it might take 1 to 2 minutes for the new resource to appear in the drop-down lists in the PAI console. If the new resource does not appear, wait a moment and then refresh the page.

eascmd client

  1. In the service's JSON configuration file, add or modify the cloud.networking field to include the IDs of your VPC, vSwitch, and security group. The following example shows the networking fields:

    {
        "cloud": {
            "networking": {
                "vpc_id": "your-vpc-id",
                "vswitch_id": "your-switch-id",
                "security_group_id": "your-security-group-id"
            }
        }
    }

    You can find the required IDs on the VPC and vSwitch list pages in the VPC console and on the Security Groups page in the ECS console.

  2. Refer to the Command reference and use the create or modify command to create the service or apply the new configuration.

Resource group level

  • Console: On the Resource Group page, configure the VPC for the entire resource group. Select the target resource group and click Enable VPC Configuration in the Actions column.

  • eascmd client: See Configure a VPC for a resource group.
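The following Python helper is an added example, not code from the EAS product or its documentation. It builds the cloud.networking block from Step 1 into an existing service JSON file before it is passed to eascmd, rejects IDs that do not carry the vpc-, vsw- and sg- prefixes (an assumption about the ID format, so a typo is caught before the create or modify call), merges the block without discarding other cloud.* settings, and encodes the precedence rule above: a service-level block wins over a resource group default. The sample config and instance type are constructed placeholders.

```python
import json
import re

# Assumption for illustration: Alibaba Cloud resource IDs carry these prefixes.
# The IDs themselves come from the VPC console (VPC, vSwitch) and the ECS console (security group).
ID_PATTERNS = {
    "vpc_id": re.compile(r"^vpc-[0-9a-z]+$"),
    "vswitch_id": re.compile(r"^vsw-[0-9a-z]+$"),
    "security_group_id": re.compile(r"^sg-[0-9a-z]+$"),
}


def validate_networking(networking):
    """Return a list of problems with a cloud.networking block; an empty list means it looks well-formed."""
    problems = []
    for key, pattern in ID_PATTERNS.items():
        value = networking.get(key)
        if not value:
            problems.append(f"missing {key}")
        elif not pattern.match(value):
            problems.append(f"{key} {value!r} does not match the expected ID format")
    return problems


def set_networking(config, vpc_id, vswitch_id, security_group_id):
    """Merge cloud.networking into a service config without clobbering other cloud.* settings.

    Returns the updated config; raises ValueError if an ID is missing or malformed,
    so the mistake surfaces before `eascmd create` or `eascmd modify` is run.
    """
    networking = {
        "vpc_id": vpc_id,
        "vswitch_id": vswitch_id,
        "security_group_id": security_group_id,
    }
    problems = validate_networking(networking)
    if problems:
        raise ValueError("invalid cloud.networking: " + "; ".join(problems))
    cloud = config.setdefault("cloud", {})
    cloud["networking"] = networking
    return config


def effective_networking(service_config, resource_group_default=None):
    """Documented precedence: a service-level cloud.networking block overrides
    the default VPC configured on the dedicated resource group."""
    service_level = service_config.get("cloud", {}).get("networking")
    return service_level if service_level else resource_group_default


if __name__ == "__main__":
    # Constructed minimal service config; name and instance type are placeholders.
    service = {
        "name": "demo_svc",
        "cloud": {"computing": {"instance_type": "ecs.c6.large"}},
    }
    set_networking(service, "vpc-0123456789abcdef0", "vsw-0123456789abcdef0", "sg-0123456789abcdef0")
    with open("service.json", "w") as f:  # then: eascmd create service.json
        json.dump(service, f, indent=4)
    print(json.dumps(service, indent=4))
```

The merge keeps cloud.computing intact, which matters when the same JSON already carries instance type or other cloud settings; overwriting the whole "cloud" object is a common way to silently drop them.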

Step 2: Configure NAT gateway and SNAT entry

If your EAS service needs public internet access, you must configure a NAT Gateway with an EIP. For details, see Use the SNAT feature of an Internet NAT gateway to access the Internet.

  1. Create an Internet NAT Gateway and bind an EIP: Go to the Internet NAT Gateway purchase page, select the region and VPC where your EAS service is located, and bind an EIP to it. This EIP serves as the unified egress IP address for your EAS service to access the public internet.

  2. Configure an SNAT entry: In the NAT Gateway that you created, create an SNAT entry. Set the SNAT Entry to VPC Granularity. This ensures all traffic from this VPC to the public internet routes through this NAT Gateway.

Step 3: Configure an allowlist (optional)

If a target service uses an IP or security group allowlist, you must add the IP address range or security group ID of your EAS service to that allowlist. The following sections describe how to find the private and public IP addresses of your EAS service.

Find the private IP address

Important

EAS instances are dynamically scheduled. When an instance restarts or updates, EAS may create a new instance on a different physical node and assign it a new private IP address from the vSwitch address pool. Therefore, for IP-based access control, you must use the vSwitch CIDR block in your allowlist instead of hardcoding the IP address of a single instance.

Log in to the VPC console and find the corresponding IPv4 CIDR block on the vSwitch page.

Find the public IP address

Log in to the VPC console. On the NAT Gateway > Internet NAT Gateway page, find the gateway that you configured for EAS. The Elastic IP Address column shows the bound EIP.

Best practices for production

  • IP address planning: Dedicate a vSwitch with sufficient available IP addresses for your EAS service. Calculate the minimum number of required IPs as follows: Number of running instances + Number of extra instances for rolling updates + Reserved buffer IPs. Insufficient IP addresses cause service creation or scaling failures.

  • Security group isolation: Use separate security groups for different services or environments, such as development, testing, and production. Follow the principle of least privilege by opening only the necessary ports and source IP addresses.

  • Cost optimization: Upload resources to OSS in the same region and mount the OSS volume during deployment. This avoids public network traffic costs.
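The following Python snippet is an added example, not part of the original page, covering two points made above: the IP address planning formula in the best practices, and the Step 3 guidance to put the vSwitch CIDR block, not a single instance IP, in a target's allowlist. It assumes the platform reserves four addresses per vSwitch (an assumption stated in the code; check the vSwitch documentation for your region) and uses constructed CIDR blocks and instance counts.

```python
import ipaddress

# Assumption for illustration: the platform reserves four addresses per vSwitch
# (the network address plus the last three), so they are never handed to an ENI.
RESERVED_PER_VSWITCH = 4


def usable_ips(vswitch_cidr):
    """Addresses in the vSwitch that can actually be assigned to EAS instance ENIs."""
    net = ipaddress.ip_network(vswitch_cidr, strict=True)
    return max(net.num_addresses - RESERVED_PER_VSWITCH, 0)


def required_ips(running, rolling_update_extra, buffer):
    """Minimum IPs per the formula above: running + rolling-update extras + reserved buffer."""
    return running + rolling_update_extra + buffer


def plan_vswitch(vswitch_cidr, running, rolling_update_extra, buffer):
    """Compare vSwitch capacity with demand; 'sufficient' False means creation or scaling can fail."""
    need = required_ips(running, rolling_update_extra, buffer)
    have = usable_ips(vswitch_cidr)
    return {"cidr": vswitch_cidr, "required": need, "usable": have, "sufficient": have >= need}


def allowlist_entry(vswitch_cidr, observed_instance_ip=None):
    """Return what belongs in the target's IP allowlist: the whole vSwitch CIDR, never one instance IP.

    If an instance IP seen in logs is passed, check that it really lies in the vSwitch; a mismatch
    means the service is deployed in a different vSwitch than the one you are about to allowlist.
    """
    net = ipaddress.ip_network(vswitch_cidr, strict=True)
    if observed_instance_ip is not None and ipaddress.ip_address(observed_instance_ip) not in net:
        raise ValueError(f"{observed_instance_ip} is not in {net}; check which vSwitch the service uses")
    return str(net)


if __name__ == "__main__":
    # Constructed numbers: 200 running instances, 50 extra during rolling updates, 10 buffer.
    for cidr in ("192.168.10.0/24", "192.168.10.0/23"):
        print(plan_vswitch(cidr, running=200, rolling_update_extra=50, buffer=10))
    print(allowlist_entry("192.168.10.0/24", observed_instance_ip="192.168.10.37"))
```

With these numbers a /24 (252 usable addresses) is short of the 260 required, while a /23 leaves headroom; sizing the vSwitch this way before deployment avoids the scaling failures the best practice warns about.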

FAQ

Q: Why can't EAS services access the public internet by default?

By default, EAS services run in an isolated environment without public internet access to ensure security and stability. Unrestricted public egress in a shared environment can lead to bandwidth abuse and unpredictable performance. To enable public internet access, configure a VPC and a NAT Gateway.

Q: How can I quickly test for public internet connectivity?

In your service configuration, add a network test command to the Command field (run it ahead of your normal start command so the service still starts afterwards), such as curl -I -A "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0.0.0" --connect-timeout 5 https://www.aliyun.com.

After deployment, check the real-time log of the instance. A status code such as 200 confirms that public internet access is working. A "Could not resolve host" error or a connection timeout means egress is still blocked; recheck the NAT gateway, SNAT entry, and security group outbound rules.

Q: Why can't my service access other VPC resources after VPC configuration?

Follow these steps to troubleshoot:

  1. VPC configuration: Confirm that the EAS service and the target service are in the same VPC.

  2. Security group rules: Confirm that the outbound rules of the security group attached to the EAS service allow traffic to the target service.

  3. Target service access control: If the target service uses an IP allowlist or security group to restrict access, ensure that you have added the vSwitch CIDR block or the security group ID of the EAS service to the allowlist.

Q: Why no public internet access after NAT gateway configuration?

Follow these steps to troubleshoot:

  1. SNAT entry: Confirm that the SNAT entry covers the vSwitch in which the EAS service is deployed. In the Internet NAT Gateway console, go to the SNAT management tab and verify three conditions: the SNAT entry list contains an entry whose source CIDR block covers the EAS vSwitch (for example 0.0.0.0/0); the ECS/ENI/vSwitch/VPC ID column references the VPC or vSwitch that the EAS service uses; and the status is Available.

  2. VPC route table: In the VPC console, check the route table to confirm that it contains a route to 0.0.0.0/0 and the next hop pointing to the NAT Gateway.

  3. Security group outbound rules: Confirm that the outbound rules of the EAS service's security group allow traffic to the public destinations the service needs. The default outbound rule of a new security group allows all traffic to 0.0.0.0/0; if you have tightened it following least privilege, make sure the required destination addresses and ports are still permitted.
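The following Python diagnoser is an added example, not a tool from EAS or the NAT Gateway product. It runs the three checks above over constructed copies of the console data (route table entries, SNAT entries, and security group outbound rules, modelled on the columns the steps mention, not exported from a real account) and reports which check fails for a given destination. The rule evaluation assumes that the lowest priority number wins and that traffic matching no rule is denied; both are stated as assumptions in the code.

```python
import ipaddress

# Constructed sample data modelled on the console columns the troubleshooting steps mention
# (VPC route table, Internet NAT Gateway SNAT entries, security group outbound rules).
# Not exported from a real account; IDs and addresses are placeholders.
VSWITCH_CIDR = "192.168.10.0/24"
ROUTES = [
    {"destination": "192.168.0.0/16", "next_hop_type": "local"},
    {"destination": "0.0.0.0/0", "next_hop_type": "NatGateway", "next_hop_id": "ngw-example"},
]
SNAT_ENTRIES = [
    # VPC-granularity style entry: the source covers the whole VPC CIDR, hence every vSwitch in it
    {"source_cidr": "192.168.0.0/16", "snat_ip": "203.0.113.10", "status": "Available"},
]
# Outbound rules; assumption: the lowest priority number wins, as in ECS security groups
SG_EGRESS = [
    {"priority": 1, "policy": "accept", "protocol": "tcp", "ports": (443, 443), "dest": "0.0.0.0/0"},
    {"priority": 100, "policy": "drop", "protocol": "all", "ports": (1, 65535), "dest": "0.0.0.0/0"},
]


def has_default_route_to_nat(routes):
    """Check 2: the route table sends 0.0.0.0/0 to the NAT Gateway."""
    return any(r["destination"] == "0.0.0.0/0" and r["next_hop_type"] == "NatGateway" for r in routes)


def snat_covers(snat_entries, vswitch_cidr):
    """Check 1: an Available SNAT entry whose source CIDR block includes the EAS vSwitch."""
    vsw = ipaddress.ip_network(vswitch_cidr)
    return any(
        e["status"] == "Available" and vsw.subnet_of(ipaddress.ip_network(e["source_cidr"]))
        for e in snat_entries
    )


def egress_allowed(rules, dest_ip, dest_port, protocol="tcp"):
    """Check 3: the first matching outbound rule by priority decides.
    Assumption: traffic that matches no rule is treated as denied (conservative)."""
    ip = ipaddress.ip_address(dest_ip)
    for rule in sorted(rules, key=lambda r: r["priority"]):
        lo, hi = rule["ports"]
        if (rule["protocol"] in ("all", protocol) and lo <= dest_port <= hi
                and ip in ipaddress.ip_network(rule["dest"])):
            return rule["policy"] == "accept"
    return False


def diagnose_public_egress(vswitch_cidr, routes, snat_entries, sg_rules, dest_ip, dest_port, protocol="tcp"):
    """Run the three checks and return the ones that fail; an empty list means egress should work."""
    failures = []
    if not snat_covers(snat_entries, vswitch_cidr):
        failures.append("snat: no Available SNAT entry covers " + vswitch_cidr)
    if not has_default_route_to_nat(routes):
        failures.append("route: no 0.0.0.0/0 route with the NAT Gateway as next hop")
    if not egress_allowed(sg_rules, dest_ip, dest_port, protocol):
        failures.append(f"security_group: outbound {protocol}/{dest_port} to {dest_ip} is not allowed")
    return failures


if __name__ == "__main__":
    # HTTPS to a public address passes all three checks with the sample data
    print(diagnose_public_egress(VSWITCH_CIDR, ROUTES, SNAT_ENTRIES, SG_EGRESS, "203.0.113.50", 443))
    # plain HTTP is caught by the drop rule, so only the security group check fails
    print(diagnose_public_egress(VSWITCH_CIDR, ROUTES, SNAT_ENTRIES, SG_EGRESS, "203.0.113.50", 80))
```

The same egress_allowed check applies to the private-network FAQ above: a tightened security group that only permits port 443 will also block, for example, a MySQL connection on port 3306 to an RDS instance in the same VPC.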