Internet access


VPCs are isolated from the Internet by default. Use Elastic IP Address (EIP), Server Load Balancer (SLB), NAT Gateway, and other products to enable VPC resources to access the Internet.

Choose a public IP address type

IPv4

VPC resources require public IPv4 addresses for Internet access: static IPs or EIPs.

Static IPs are assigned when you create ECS or Classic Load Balancer (CLB) instances. They cannot be reassigned or detached and persist until the instance is deleted. An EIP is independent — create, attach, or detach it as needed. EIPs are recommended for flexibility.

Application Load Balancer (ALB), Network Load Balancer (NLB), and NAT gateway use attached EIPs to support Internet access.
The static public IPs of ECS instances and CLB instances can be converted to EIPs.

Three EIP types are available:

  • BGP (Multi-ISP) EIP: Routes traffic over the optimal ISP line for fast, stable Internet access.

  • BGP (Multi-ISP) Pro EIP: Routes responses from outside the Chinese mainland to end users within it over premium ISP lines, reducing latency and improving stability. Not supported for data center connections.

  • Anycast EIP: Routes user traffic through the nearest Alibaba Cloud access point and transmits it over Alibaba Cloud's backbone network, bypassing public ISP networks. Ideal for services outside the Chinese mainland that serve a global user base.

| Item | BGP (Multi-ISP) EIP | BGP (Multi-ISP) Pro EIP | Anycast EIP |
| --- | --- | --- | --- |
| Use case | General-purpose low-cost Internet connection | Transmitting responses from outside the Chinese mainland to within it | Using the same IP across multiple global regions |
| Quality | Standard. User traffic is routed through standard ISP lines. | High. User traffic is routed through dedicated ISP lines. | High. User traffic enters Alibaba Cloud's high-quality global backbone network immediately after being transmitted over standard ISP lines to an access point. |
| Cost | Low | Medium | High |

Limitations:

  • Your business can be deployed in any region

  • Users access your service from anywhere using the Internet

IPv6

When you enable IPv6 for your VPC and vSwitches, the system creates an IPv6 gateway with an IPv6 CIDR block that supports only private communication by default.

To enable Internet access, activate IPv6 Internet bandwidth for the IPv6 gateway.

IPv6 addresses are globally unique — no additional public IPs are needed for Internet access.

Use load balancing for inbound Internet traffic

Running on a single server creates a single point of failure (SPOF).

Deploy multiple backend servers across zones behind a load balancer to distribute inbound Internet traffic, improve scalability and availability, and eliminate SPOFs.

Recommended: Application Load Balancer (ALB) and Network Load Balancer (NLB).


| Item | ALB | NLB |
| --- | --- | --- |
| Capabilities | Powerful Layer 7 processing capabilities and advanced routing features; intended for HTTP, HTTPS, and QUIC protocols | Powerful Layer 4 processing capabilities and large-scale SSL over TCP certificate offloading; intended for TCP, UDP, and SSL over TCP protocols |
| Performance | Up to 1 million QPS per instance | Up to 100 million concurrent connections per instance |
| Backend resource | ECS instances; ENIs; ECIs; IP addresses; Function Compute | ECS instances; ENIs; ECIs; IP addresses |
| Use cases | Web applications that require high-performance automatic scaling at Layer 7; applications that require low latency and large throughput, such as audio and video applications; canary releases and blue-green deployments for cloud-native applications | Business that involves high concurrency and large throughput at Layer 4; Internet of Things (IoT) and Internet of Vehicles (IoV) services; systems with multi-active disaster recovery designs or connecting on-premises data centers and cloud environments |

O&M: Both scale automatically with load — no manual intervention required.

Use a NAT gateway as a unified Internet egress

Servers can access the Internet individually through their own public IPs, but at scale this wastes IP resources, increases costs, and complicates management.

Use an Internet NAT gateway with SNAT entries to let multiple ECS instances share EIPs for Internet access, reducing IP costs and simplifying management. The NAT gateway also masks instance IPs through address translation, improving security.


| Item | Using an EIP | With an Internet NAT gateway |
| --- | --- | --- |
| Cloud resources sharing an EIP | Not supported | Supported |
| Scope of resources that can use the same EIP | An ECS instance or an ENI | A VPC; a vSwitch; an ECS instance or an ENI; a custom CIDR block |
| Overall resource cost with many servers | High | Low |
| Security | Standard | High |

Use an Internet gateway to centrally manage Internet traffic

IPv4 gateway

By default, VPC resources access the Internet through their own public IPs. Centralized Internet access management can fail when other teams assign public IPs to ECS instances independently.

An IPv4 gateway with route table configurations centralizes Internet access control, reducing security risks from scattered access.

  • Public vSwitch: The route table associated with this vSwitch has a route with Destination CIDR Block set to 0.0.0.0/0 and Next Hop set to the IPv4 gateway. Resources in this vSwitch can access the Internet with their public IPs.

  • Private vSwitch: No routes point to the IPv4 gateway, so resources cannot access the Internet even with public IPs. To provide Internet access, add routes pointing to a NAT gateway in a public vSwitch. Configure these routes before activating the IPv4 gateway to avoid connectivity loss.
Important

The IPv4 gateway controls Internet traffic for the VPC. Activating it changes the default access mode — improper configuration may disconnect all VPC resources from the Internet. Proceed with caution. For details, see IPv4 gateway.
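
The public/private vSwitch rules above can be checked against a route inventory before the gateway is activated. The following is an added example, not Alibaba Cloud code: the inventory, resource names, and next-hop labels (`ipv4gw`, `nat`, `local`) are constructed, and only the 0.0.0.0/0 route is considered when classifying a vSwitch.

```python
# Added example: pre-activation check for an IPv4 gateway (constructed data).
import ipaddress

DEFAULT = ipaddress.ip_network("0.0.0.0/0")

# Constructed inventory (hypothetical names). Each vSwitch lists the routes of
# its associated route table as (destination, next-hop type, next-hop id).
VSWITCHES = {
    "vsw-public": {"routes": [("0.0.0.0/0", "ipv4gw", "ipv4gw-1")], "public_ip_hosts": ["ecs-web"]},
    "vsw-app": {"routes": [("0.0.0.0/0", "nat", "ngw-1")], "public_ip_hosts": []},
    "vsw-legacy": {"routes": [("10.0.0.0/8", "local", "-")], "public_ip_hosts": ["ecs-old"]},
    "vsw-batch": {"routes": [("0.0.0.0/0", "nat", "ngw-2")], "public_ip_hosts": []},
}
NAT_GATEWAYS = {"ngw-1": "vsw-public", "ngw-2": "vsw-legacy"}  # NAT gateway -> its vSwitch


def default_next_hop(routes):
    """Return (type, id) of the 0.0.0.0/0 route, or (None, None) if absent."""
    for dest, hop_type, hop_id in routes:
        if ipaddress.ip_network(dest) == DEFAULT:
            return hop_type, hop_id
    return None, None


def classify(vswitches):
    """Public = default route points to the IPv4 gateway; otherwise private."""
    return {
        name: "public" if default_next_hop(v["routes"])[0] == "ipv4gw" else "private"
        for name, v in vswitches.items()
    }


def preactivation_findings(vswitches, nat_gateways):
    """List (vSwitch, problem) pairs to fix before the gateway is activated."""
    kinds, findings = classify(vswitches), []
    for name in sorted(vswitches):
        if kinds[name] == "public":
            continue
        for host in vswitches[name]["public_ip_hosts"]:
            findings.append((name, f"{host}: public IP unusable in a private vSwitch"))
        hop_type, hop_id = default_next_hop(vswitches[name]["routes"])
        if hop_type == "nat" and kinds.get(nat_gateways.get(hop_id)) != "public":
            findings.append((name, f"{hop_id} is not in a public vSwitch"))
    return findings


if __name__ == "__main__":
    for vsw, problem in preactivation_findings(VSWITCHES, NAT_GATEWAYS):
        print(f"{vsw}: {problem}")
```

An empty findings list means every private vSwitch either has no public-IP hosts or reaches the Internet through a NAT gateway that sits in a public vSwitch.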

The IPv4 gateway also supports privately used public CIDR blocks and routing traffic to third-party security devices.

IPv6 gateway

IPv6 addresses assigned to cloud resources support only private communication by default. Use an IPv6 gateway and activate IPv6 Internet bandwidth to enable Internet access.

The IPv6 gateway manages VPC Internet traffic. Configure egress-only rules to allow outbound Internet access while blocking inbound connections.

Internet-facing CLB instances operate outside VPCs. Their traffic is not controlled by IPv6 gateways.

Accelerate global Internet access

Global applications — AI agents, video games, web apps — often suffer from high latency, jitter, and slow response over standard Internet connections.

Global Accelerator routes user requests through the nearest Alibaba Cloud access point and transmits them over Alibaba Cloud's global backbone network, reducing latency and jitter and improving response speed.

Reduce Internet costs

Internet connectivity fees can add significantly to cloud resource costs.

To reduce Internet costs:

  1. IP costs: Use a load balancer for inbound traffic and a NAT gateway for outbound traffic to reduce the number of public IPs and lower public IP retention fees (formerly EIP configuration fees).

  2. Traffic costs: Cloud Data Transfer (CDT) provides a free traffic quota and aggregates IPv4/IPv6 traffic across cloud products with cumulative tiered pricing, reducing overall traffic costs.