Creates an enhanced Internet NAT gateway or a Virtual Private Cloud (VPC) NAT gateway.
Operation description
Usage notes
Before you call this operation, take note of the following items:
-
When you create an enhanced NAT gateway for the first time, the system automatically creates the service-linked role AliyunServiceRoleForNatgw. Then, the system attaches the permission policy AliyunServiceRolePolicyForNatgw to the role. This allows the NAT gateway to access other resources on Alibaba Cloud. For more information, see Service-linked roles.
-
After you create an enhanced Internet NAT gateway, a route entry is automatically added to the route table of the VPC. The destination CIDR block of the route entry is 0.0.0.0/0 and the next hop is the NAT gateway. This ensures that traffic is routed to the NAT gateway.
-
CreateNatGateway is an asynchronous operation. After a request is sent, the system returns a request ID and runs the task in the background. You can call the DescribeNatGateways operation to query the status of the task.
-
If a NAT gateway is in the Creating state, the NAT gateway is being created. In this case, you can query the NAT gateway but cannot perform other operations.
-
If a NAT gateway is in the Available state, the NAT gateway is created.
-
It takes 1 to 3 minutes to create a NAT gateway.
Debugging
Authorization information
The following table shows the authorization information corresponding to the API. The authorization information can be used in the Action policy element to grant a RAM user or RAM role the permissions to call this API operation. Description:
- Operation: the value that you can use in the Action element to specify the operation on a resource.
- Access level: the access level of each operation. The levels are read, write, and list.
- Resource type: the type of the resource on which you can authorize the RAM user or the RAM role to perform the operation. Take note of the following items:
- The required resource types are displayed in bold characters.
- If the permissions cannot be granted at the resource level,
All Resourcesis used in the Resource type column of the operation.
- Condition Key: the condition key that is defined by the cloud service.
- Associated operation: other operations that the RAM user or the RAM role must have permissions to perform to complete the operation. To complete the operation, the RAM user or the RAM role must have the permissions to perform the associated operations.
| Operation | Access level | Resource type | Condition key | Associated operation |
|---|---|---|---|---|
| vpc:CreateNatGateway | create | *NatGateway acs:vpc:{#regionId}:{#accountId}:natgateway/* |
| none |
Request parameters
| Parameter | Type | Required | Description | Example |
|---|---|---|---|---|
| RegionId | string | Yes | The region ID of the NAT gateway. You can call the DescribeRegions operation to obtain the region ID. | cn-hangzhou |
| VpcId | string | Yes | The ID of the VPC where you want to create the NAT gateway. | vpc-bp1di7uewzmtvfuq8**** |
| Name | string | No | The name of the NAT gateway. The name must be 2 to 128 characters in length and can contain letters, digits, underscores (_), and hyphens (-). The name must start with a letter. If this parameter is not set, the system assigns a default name to the NAT gateway. | fortest |
| Description | string | No | The description of the NAT gateway. You can leave this parameter empty or enter a description. If you enter a description, the description must be 2 to 256 characters in length and cannot start with | testnat |
| ClientToken | string | No | The client token that is used to ensure the idempotence of the request. You can use the client to generate the token, but you must make sure that the token is unique among different requests. Note
If you do not specify this parameter, the system automatically uses the request ID as the client token. The request ID may be different for each request.
| 5A2CFF0E-5718-45B5-9D4D-70B3FF3898 |
| Spec | string | No | Subscription Internet NAT gateways are no longer available for purchase. Ignore this parameter. | Invalid parameter. |
| InstanceChargeType | string | No | The billing method of the NAT gateway. Set the value to PostPaid (pay-as-you-go), which is the default value. For more information, see Internet NAT gateway billing and VPC NAT gateway billing. | PostPaid |
| PricingCycle | string | No | Subscription Internet NAT gateways are no longer available for purchase. Ignore this parameter. | Invalid parameter. |
| Duration | string | No | Subscription Internet NAT gateways are no longer available for purchase. Ignore this parameter. | Invalid parameter. |
| AutoPay | boolean | No | Subscription Internet NAT gateways are no longer available for purchase. Ignore this parameter. | Invalid parameter. |
| VSwitchId | string | Yes | The ID of the vSwitch to which the NAT gateway is attached. When you create a NAT gateway, you must specify a vSwitch for the NAT gateway. Then, the system assigns an idle private IP address from the vSwitch to the NAT gateway.
Note
You can call the ListEnhanhcedNatGatewayAvailableZones operation to query zones that support NAT gateways. You can call the DescribeVSwitches operation to query idle IP addresses in a vSwitch.
| vsw-bp1e3se98n9fq8hle**** |
| NatType | string | Yes | The type of NAT gateway. Set the value to Enhanced, which specifies enhanced NAT gateway. | Enhanced |
| InternetChargeType | string | No | The metering method of the NAT gateway. Set the value to PayByLcu, which specifies the pay-by-CU metering method. | PayByLcu |
| NetworkType | string | No | The network type of the NAT gateway. Valid values:
| internet |
SecurityProtectionEnableddeprecated | boolean | No | Specifies whether to enable the firewall feature. Valid values:
| false |
| IcmpReplyEnabled | boolean | No | Specifies whether to enable ICMP retrieval. Valid values:
| true |
| PrivateLinkEnabled | boolean | No | PrivateLink is not supported by default. If you set the value to true, PrivateLink is supported. | |
| EipBindMode | string | No | The mode in which the EIP is associated with the NAT gateway. Valid values:
Note
If an EIP is associated with a NAT gateway in NAT mode, the EIP occupies a private IP address of the vSwitch where the NAT gateway is deployed. Make sure that the vSwitch has sufficient private IP addresses. Otherwise, EIPs cannot be associated with the NAT gateway. In NAT mode, a maximum number of 50 EIPs can be associated with each NAT gateway.
| MULTI_BINDED |
| Tag | array<object> | No | The tags. | MULTI_BINDED |
| object | No | |||
| Key | string | No | The tag key. The format of Tag.N.Key when you call the operation. Valid values of N: 1 to 20. The tag key cannot be an empty string. The tag key can be up to 128 characters in length and cannot contain http:// or https://. The tag key cannot start with acs: or aliyun. | TestKey |
| Value | string | No | The tag value. The format of Tag.N.Value when you call the operation. Valid values of N: 1 to 20. The tag key cannot be an empty string. The tag key can be up to 128 characters in length and cannot contain http:// or https://. The tag key cannot start with acs: or aliyun. | TestValue |
| AccessMode | object | No | The access mode for reverse access to the VPC NAT gateway. | |
| ModeValue | string | No | Access mode. Valid values:
Note
If this parameter is specified, you must set PrivateLinkEnabled to true.
| route |
| TunnelType | string | No | Tunnel mode type:
Note
This value takes effect if the access mode is the tunnel mode.
|
Response parameters
Examples
Sample success responses
JSONformat
{
"NatGatewayId": "ngw-112za33e4****",
"RequestId": "2315DEB7-5E92-423A-91F7-4C1EC9AD97C3",
"ForwardTableIds": {
"ForwardTableId": [
"ftb-11tc6xgmv****"
]
},
"SnatTableIds": {
"SnatTableId": [
"stb-SnatTableIds****"
]
},
"FullNatTableIds": {
"FullNatTableId": [
"fulltb-gw88z7hhlv43rmb26****"
]
}
}Error codes
| HTTP status code | Error code | Error message | Description |
|---|---|---|---|
| 400 | Forbidden.NatPayBySpec | Pay-by-specification NAT is no longer supported. Newly purchased pay-as-you-go NAT gateways only support the pay-by-CU metering method. | Pay-by-specification NAT gateways are no longer available for purchase. Set InternetChargeType to PayByLcu. |
| 400 | UnsupportedFeature.PrivateLink | The feature of %s is not supported. | - |
| 400 | DependencyViolation.FullNatEntry | The specified resource of %s depends on %s, so the operation cannot be completed. | - |
| 400 | UnsupportedFeature.InternetChargeType | The feature of InternetChargeType is not supported. | - |
| 400 | InvalidVPCStatus | vpc incorrect status. | The VPC is in an invalid state. |
| 400 | InvalidNatGatewayName.MalFormed | NatGateway name is not valid. | The gateway name is invalid. |
| 400 | InvalidNatGatewayDescription.MalFormed | NatGateway description is not valid. | The gateway description is invalid. |
| 400 | MissingParameter.BandwidthPackage | only support one BandwidthPackage be created with NatGateway. | You must specify an EIP bandwidth plan. |
| 400 | OperationDenied | The user cannot allow to create natgw, please call PD to authorize | - |
| 400 | RouterEntryConflict.Duplicated | A route entry already exists, which CIDR is '0.0.0.0/0' | - |
| 400 | MissingParameter | Miss mandatory parameter. | Some required parameters are not specified. Specify all required parameters and try again. |
| 400 | QuotaExceeded.BandwidthPackageIps | The specified ipCount exceeded quota. | The number of IP addresses has reached the upper limit. Request a quota increase on the Quota Management page. |
| 400 | AllocateIpFailed | Alloc bandwidthPackage ips failed, maybe no available ip. | - |
| 400 | InvalidParameter.Name.Malformed | The specified Name is not valid. | The specified name format is invalid. Enter the name in the valid format. |
| 400 | InvalidParameter.Description.Malformed | The specified Description is not valid. | The specified description is invalid. |
| 400 | ZONE_NO_AVAILABLE_IP | The Zone have no available ip. | No IP address is available in the zone. |
| 400 | ParameterIllegal | ipCount,bandwidth parameter invalid | - |
| 400 | InvalidParameter.BandwidthPackage.n.ISP.ValueNotSupport | The specified ISP of BandwidthPackage is not valid. | The specified ISP of the EIP bandwidth plan is invalid. |
| 400 | InvalidNatGatewayId.NotFound | The NatGatewayId not exist. | The value of the NatGatewayId parameter is invalid. |
| 400 | VswitchStatusError | The VSwitch is creating . | The operation is not supported when the vSwitch is being created. |
| 400 | VpcStatusError | The Vpc is creating . | The VPC is being created. |
| 400 | InvalidParameter.Spec.ValueNotSupported | The specified Spec is not valid. | The specification is invalid. |
| 400 | TaskConflict | The operation is too frequent, TaskConflict. | The system is unavailable. Try again later. |
| 400 | COMMODITY.INVALID_COMPONENT | The instance component is invalid. | The instance component is invalid. |
| 400 | CreateNatGateway.RouteConflict.DynamicRoute | Route conflict exists in routing table. | - |
| 400 | OperationUnsupported.MultiNatGateway | More than one natGateway per vpc is unsupported. | - |
| 400 | Forbidden.CheckEntryRuleQuota | Route entry quota rule check error. | An error occurred when the system was checking the quota of route entries. |
| 400 | OperationFailed.UnpaidBillsExist | The account has unpaid bills. Please pay your overdue bill first. | This account has unpaid orders. |
| 400 | IncorrectStatus.RouteEntry | Specified routeEntry status error. | - |
| 400 | OperationFailed.RiskControl | Risk control check failed. | The error message returned because your payment method has security risks. Click the link for verification in your email or console message and submit your order after verification. |
| 400 | IncorrectStatus.RouteTableStatus | %s | - |
| 400 | OperationFailed.TokenVerfiy | Token verify failed. | - |
| 400 | %s | %s | - |
| 400 | IllegalParam.Name | The specified Name is invalid, shorter than 2 characters. | - |
| 400 | OperationFailed.EnhancedQuotaExceed | Enhanced nat gateway per vpc quota is exceeded | - |
| 400 | OrderError.NoAvailablePaymentMethod | %s | - |
| 400 | OrderError.BasicInfoUncompleted | %s | - |
| 400 | OperationUnsupported.EnhancedCURegion | %s | - |
| 400 | NoPermission.CreateServiceLinkedRole | You are not authorized to create service linked role | - |
| 400 | OperationUnsupported.EnhancedRegion | %s | - |
| 400 | OperationFailed.EnhancedInventoryNotEnough | Operation failed because inventory is not enough. | - |
| 400 | OperationFailed.VswNotBelongToVpc | Operation failed because the specified VSwitch is not bound to the same VPC with NAT gateway. | The vSwitch and NAT gateway do not belong to the same VPC. |
| 400 | OperationFailed.EnhancedUserIsUnAuthorized | Operation failed because the user is not authorized to create an enhanced NAT gateway. | Operation failed because the user is not authorized to create an enhanced NAT gateway. |
| 400 | OperationUnsupported.PrePaidPyByLcu | The operation failed because the subscription NAT gateway does not support the pay-by-LCU billing method. | The operation failed because the subscription NAT gateway does not support the pay-by-LCU billing method. |
| 400 | OperationFailed.NormalInventoryNotEnough | Standard NAT gateways are no longer offered. You can create enhanced NAT gateways and set the correct natType. | Create an enhanced NAT gateway and ensure that the NatType parameters are configured correctly. |
| 400 | OperationFailed.VSwitchNoAvailableIp | Operation failed because the specified vswitch does not have availabe ip. | - |
| 400 | UnsupportedFeature.IcmpReplyEnabled | The feature of IcmpReplyEnabled is not supported. | The value of IcmpReplyEnabled cannot be modified. |
| 400 | UnsupportedFeature.SecurityProtectionEnabled | The feature of SecurityProtectionEnabled is not supported. | - |
| 400 | OperationFailed.RegionConvert | Operation failed because do not find region info. | - |
| 400 | OperationFailed.EnhancedUserIsUnAuthorized | Operation failed because user is unauthorized service account. | - |
| 400 | UnsupportedFeature.VpcNat | The feature of VpcNat is not supported. | - |
| 400 | InvalidVSWITCHID.NotFound | The specified resource of %s is not found. | - |
| 400 | Forbidden.OperateShareResource | Operate share resource is forbidden. | - |
| 400 | IncorrectStatus.VSWITCH | The status of VSWITCH is incorrect. | - |
| 400 | OperationFailed.VpcNatGatewayInventoryNotEnough | The operation is failed because of inventory is not enough. | - |
| 400 | OperationFailed.VpcNatGatewayCheckInventory | The operation is failed because of check inventory result is unexpected | - |
| 400 | ExclusiveParam.%sAnd%s | The param of %s and %s are mutually exclusive. | You cannot specify %s and %s at the same time. |
| 400 | SecurityGroupType.NotSupported | The specified security group type is not supported. | The security group is already hosted and cannot be used. |
| 400 | SecurityGroup.NotExist | The specified security group is not exist. | The security group does not exist in this VPC. |
| 400 | OperationFailed.ContainForbiddenLabel | There is a label that prohibits ordering, please contact your distributor for processing. | There is a label that prohibits ordering, please contact your distributor for processing. |
| 400 | OperationDenied.PrePaidInstance | The operation is not allowed because prepaid instance is no longer supported. | Prepaid instance is no longer supported. |
| 400 | UnsupportedFeature.Geneve | The feature of Geneve is not supported. | The feature of Geneve is not supported. |
| 400 | OperationFailed.NoAvailableResource | The Zone have no available resource. | No resources are available in the region. |
| 400 | ExclusiveParam.AccessModeValueAndAccessTunnelType | The specified param AccessModeValue and AccessTunnelType are mutually exclusive. | The specified input AccessMode.ModeValue and AccessMode.TunnelType conflict |
| 400 | ExclusiveParam.PrivateLinkModeAndAccessMode | The specified param PrivateLinkMode and AccessMode are mutually exclusive. | The specified input PrivateLinkMode conflicts with the AccessMode. |
| 400 | ExclusiveParam.PrivateLinkEnabledAndAccessMode | The specified paramPrivateLinkEnabled and AccessMode are mutually exclusive. | The specified input PrivateLinkEnabled conflicts with the AccessMode. |
| 400 | UnsupportedFeature.AccessModeValue | The feature of AccessMode.ModeValue(%s) is not supported. | This operation is not supported for the VPC NAT AccessMode.ModeValue attribute |
| 400 | IllegalParam.AccessTunnelType | The request parameter AccessMode.TunnelType is illegal. | The request parameter AccessMode.TunnelType is illegal. |
| 400 | IllegalParam.AccessModeValue | The request parameter AccessMode.ModeValue is illegal. | The request parameter AccessMode.ModeValue is illegal. |
| 404 | InvalidRegionId.NotFound | The specified RegionId does not exist in our records. | The specified region ID does not exist. |
| 404 | InvalidVpcId.NotFound | Specified value of VpcId is not found in our record. | The VPC does not exist. Check whether the specified VPC is valid. |
| 404 | InvalidZoneId.NotFound | Specified value of ZoneId is not exists. | The specified zone does not exist. |
| 404 | InvalidZoneId.NotFound | Can not find ZoneId for allocated ip. | The zone of the specified IP address is invalid. |
| 404 | VPC_ONLY_CAN_CREATE_ONE_NAT_GATEWAY | NatGateway in one vpc support only one. | - |
| 404 | OperationFailed.CrateEntryTimeOut | Operation failed because create custom routeEntry timeout. | - |
| 404 | Forbidden.CreateSpecialSpecNatGateway | You are not authorized to create special spec nat gateway. | - |
| 404 | UnsupportedZoneForFwNat | The zone is unsupported for FW NAT. | - |
| 500 | OrderError.NatGateway | The Account failed to create order. | - |
| 500 | OperationFailed.AccessTunnelId | AccessTunnelId param do operation failed. | VPC NAT failed to generate tunnel ID. Try again later |
| 500 | OperationFailed.EnhancedCheckInventory | The NAT gateway in the current zone is not in service, or the resource inventory is insufficient. | The NAT gateway in the current zone is not in service, or the resource inventory is insufficient. |
For a list of error codes, visit the Service error codes.
Change history
| Change time | Summary of changes | Operation |
|---|---|---|
| 2024-10-23 | The Error code has changed. The request parameters of the API has changed | View Change Details |
| 2024-08-15 | The Error code has changed | View Change Details |
| 2024-05-06 | The Error code has changed | View Change Details |
| 2024-01-18 | The Error code has changed | View Change Details |
| 2023-12-14 | API Description Update. The Error code has changed | View Change Details |
| 2023-06-30 | The Error code has changed | View Change Details |
| 2023-03-01 | The Error code has changed | View Change Details |
| 2023-01-10 | The Error code has changed. The request parameters of the API has changed | View Change Details |
| 2022-08-12 | The Error code has changed | View Change Details |
| 2022-08-03 | The Error code has changed | View Change Details |
| 2022-07-22 | The Error code has changed | View Change Details |