The VPC service provides free, shared source network address translation (SNAT), which allows ECSs to use a limited number of public IP addresses to gain one-way access to the Internet for operations, such as updating software. However, Internet users cannot directly access the ECSs.
Figure 1 shows how shared SNAT works. The SNAT device forwards the Internet-bound traffic of ECSs to the Internet and forwards the response traffic from the Internet back to the ECSs. When forwarding ECS traffic to the Internet, the SNAT device rewrites the source IP address of each packet (the ECS private IP address) to the public IP address configured on the SNAT device. When processing response packets from the Internet, the SNAT device rewrites the public IP address in each packet back to the private IP address of the ECS.
After being configured for a VPC, shared SNAT takes effect for the whole VPC. If EIPs are bound to ECSs in a VPC for which shared SNAT is configured, Internet traffic is preferentially forwarded using the EIPs. If you want to prevent an ECS from connecting to the Internet, you can configure an outbound rule for the security group associated with the ECS.
To prevent an ECS from connecting to the Internet but allow the ECS to access the 192.168.10.0/24 network segment, configure the following rule for the security group associated with the ECS:
After this rule is deleted, ECSs associated with this security group are not allowed to access any network, including the internal networks in the VPC of the ECSs.
The differences between shared SNAT and custom routes are as follows:
Shared SNAT provides the SNAT function for a specified VPC through an API or the management console and enables all ECSs in the VPC to gain one-way access to the Internet. A custom route enables other ECSs to access the Internet through an SNAT server that has an EIP bound; the ECSs' access requests are routed to the SNAT server based on the route table. Shared SNAT takes effect for the whole VPC by default, while a custom route takes effect only for the VPC or subnet for which routes have been configured. A custom route has a higher priority than shared SNAT.
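The following Python model is an added example (not code from the page or the cloud provider) that ties together the security-group behaviour described above and the precedence between EIPs, custom routes and shared SNAT. The VPC layout, addresses, subnet names and SNAT server are constructed assumptions; it also exercises the caveat that a security group with no matching outbound rule blocks traffic even inside the VPC.

```python
from ipaddress import ip_address, ip_network

# Constructed sample VPC; all addresses, subnet names and the SNAT server
# are assumptions for illustration, not values taken from a real deployment.
VPC = {
    "cidr": ip_network("192.168.0.0/16"),
    "shared_snat": True,                 # shared SNAT enabled for the whole VPC
    "snat_public_ip": "203.0.113.10",    # public address set on the SNAT device
    # custom route: only this subnet sends Internet traffic to an SNAT server
    "custom_routes": {"subnet-b": "192.168.20.5"},
}

def sg_allows(outbound_rules, dst):
    """Security-group egress is an allow list: with no matching rule nothing
    leaves the ECS, not even traffic to other subnets in the same VPC."""
    return any(dst in ip_network(cidr) for cidr in outbound_rules)

def egress_path(ecs, vpc, dst_ip):
    """Decide how a packet from `ecs` to `dst_ip` leaves, applying the
    precedence the text describes: security group first, then EIP,
    then a custom route to an SNAT server, then shared SNAT."""
    dst = ip_address(dst_ip)
    if not sg_allows(ecs["sg_outbound"], dst):
        return "dropped by security group"
    if dst in vpc["cidr"]:
        return "routed inside VPC"
    if ecs.get("eip"):
        return f"EIP {ecs['eip']}"
    snat_server = vpc["custom_routes"].get(ecs["subnet"])
    if snat_server:
        return f"custom route via SNAT server {snat_server}"
    if vpc["shared_snat"]:
        return f"shared SNAT, source rewritten to {vpc['snat_public_ip']}"
    return "no Internet access"

# Constructed ECSs, one per branch of the decision above.
ECS_PLAIN = {"subnet": "subnet-a", "sg_outbound": ["0.0.0.0/0"]}
ECS_EIP = {"subnet": "subnet-a", "sg_outbound": ["0.0.0.0/0"], "eip": "198.51.100.7"}
ECS_ROUTED = {"subnet": "subnet-b", "sg_outbound": ["0.0.0.0/0"]}
ECS_RESTRICTED = {"subnet": "subnet-a", "sg_outbound": ["192.168.10.0/24"]}
ECS_NO_RULES = {"subnet": "subnet-a", "sg_outbound": []}  # rule deleted

if __name__ == "__main__":
    cases = [("plain", ECS_PLAIN), ("eip", ECS_EIP), ("routed", ECS_ROUTED),
             ("restricted", ECS_RESTRICTED), ("no-rules", ECS_NO_RULES)]
    for name, ecs in cases:
        for dst in ("198.51.100.1", "192.168.10.9", "192.168.30.4"):
            print(f"{name:10} -> {dst:13}: {egress_path(ecs, VPC, dst)}")
```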