
NAT Gateway:CreateSnatEntry

Last Updated: Dec 20, 2024

Adds an SNAT entry to an SNAT table.

Operation description

You can call this operation to add SNAT entries to Internet NAT gateways and Virtual Private Cloud (VPC) NAT gateways. In this topic, a NAT gateway refers to both gateway types.

Before you call this operation, take note of the following limits:

  • CreateSnatEntry is an asynchronous operation. After a request is sent, the system returns a request ID and runs the task in the background. You can call the DescribeSnatTableEntries operation to query the status of the task.

    • If the SNAT entry is in the Pending state, the system is adding the SNAT entry. You can only query the status of the SNAT entry, and cannot perform other operations.
    • If the SNAT entry is in the Available state, the SNAT entry is added.
  • You cannot repeatedly call the CreateSnatEntry operation to add an SNAT entry to an SNAT table within the specified period of time.

  • The vSwitch and Elastic Compute Service (ECS) instance specified in an SNAT entry must be created in the VPC where the NAT gateway is deployed.

  • Each vSwitch or ECS instance can be specified in only one SNAT entry.

  • If a high-availability virtual IP address (HAVIP) exists in a vSwitch, you cannot create SNAT entries.

Debugging

You can call this operation directly in OpenAPI Explorer, which saves you from calculating signatures. After the call succeeds, OpenAPI Explorer can automatically generate SDK code samples.

Authorization information

The following table shows the authorization information for this API operation. The authorization information can be used in the Action policy element to grant a RAM user or RAM role the permissions to call this API operation. The columns of the table are described as follows:

  • Operation: the value that you can use in the Action element to specify the operation on a resource.
  • Access level: the access level of each operation. The levels are read, write, and list.
  • Resource type: the type of the resource on which you can authorize the RAM user or the RAM role to perform the operation. Take note of the following items:
    • The required resource types are displayed in bold characters.
    • If the permissions cannot be granted at the resource level, All Resources is used in the Resource type column of the operation.
  • Condition Key: the condition key that is defined by the cloud service.
  • Associated operation: other operations that the RAM user or the RAM role must have permissions to perform to complete the operation. To complete the operation, the RAM user or the RAM role must have the permissions to perform the associated operations.
| Operation | Access level | Resource type | Condition key | Associated operation |
| --- | --- | --- | --- | --- |
| vpc:CreateSnatEntry | create | *SnatEntry acs:vpc:{#regionId}:{#accountId}:snattable/* | none | none |
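The authorization table above gives the action name and the resource format used in RAM policies. As an added example (not part of the original documentation), the following sketch audits a RAM policy document for statements that grant vpc:CreateSnatEntry more broadly than a single SNAT table. It assumes the usual RAM policy layout with `Statement`, `Effect`, `Action` and `Resource` keys, and that the trailing `*` of the resource format can be replaced by one SNAT table ID; the function names are hypothetical.

```python
from fnmatch import fnmatchcase

TARGET = "vpc:CreateSnatEntry"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _pinned_to_one_table(resource):
    # Resource format from the table above:
    # acs:vpc:{#regionId}:{#accountId}:snattable/*
    parts = resource.split(":")
    return (len(parts) == 5 and parts[:2] == ["acs", "vpc"]
            and "*" not in resource
            and parts[4].startswith("snattable/")
            and len(parts[4]) > len("snattable/"))


def audit_policy(policy):
    """Return (statement index, message) pairs for over-broad grants of TARGET."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        # Lower-casing both sides is a deliberately conservative choice for an
        # audit: it can only flag more statements, never fewer.
        granting = [a for a in _as_list(stmt.get("Action", []))
                    if fnmatchcase(TARGET.lower(), a.lower())]
        if not granting:
            continue
        for action in granting:
            if "*" in action or "?" in action:
                findings.append((i, f"wildcard action {action!r} covers {TARGET}"))
        for resource in _as_list(stmt.get("Resource", "*")):
            if not _pinned_to_one_table(resource):
                findings.append((i, f"resource {resource!r} is not one SNAT table"))
    return findings
```

An empty result means every Allow statement that covers the action names it explicitly and pins it to one SNAT table.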

Request parameters

Parameter | Type | Required | Description | Example
RegionId | string | Yes

The region ID of the NAT gateway.

You can call the DescribeRegions operation to query the most recent region list.

Valid values:

  • ap-northeast-2-pop: ap-northeast-2-pop.

Example: cn-hangzhou

SnatTableId | string | Yes

The ID of the SNAT table.

Example: stb-bp190wu8io1vgev****

SourceVSwitchId | string | No

The ID of the vSwitch.

  • When you add an SNAT entry to an Internet NAT gateway, this parameter specifies that ECS instances in the vSwitch can use the SNAT entry to access the Internet. If you select multiple elastic IP addresses (EIPs) to create an SNAT address pool, connections are hashed to these EIPs. Network traffic may not be evenly distributed to the EIPs because the amount of traffic that passes through each connection varies. We recommend that you associate these EIPs with the same EIP bandwidth plan to prevent service interruptions due to the bandwidth limits on individual EIPs.
  • When you add an SNAT entry to a VPC NAT gateway, this parameter specifies that ECS instances in the vSwitch can use the SNAT entry to access external networks.

Example: vsw-bp1nhx2s9ui5o****

SourceCIDR | string | No

You can specify the CIDR block of a VPC, a vSwitch, or an ECS instance, or enter a custom CIDR block.

You can specify an SNAT entry in the following ways:

  • You can specify the CIDR block of the VPC where the NAT gateway is deployed. Then, all ECS instances in the VPC can access the Internet or external networks by using SNAT.
  • You can specify the CIDR block of a vSwitch, for example, 192.168.1.0/24. Then, the ECS instances in the vSwitch can access the Internet or external networks by using SNAT.
  • You can specify the IP address of an ECS instance, for example, 192.168.1.1/32. Then, the ECS instance can access the Internet or external networks by using SNAT.
  • You can specify a custom CIDR block. Then, all ECS instances within the specified CIDR block can access the Internet or external networks by using SNAT.

When you add an SNAT entry to an Internet NAT gateway, if SnatIp is set to an EIP, the ECS instance uses the specified EIP to access the Internet.

If SnatIp is set to multiple EIPs, the ECS instance randomly selects an EIP specified in the SnatIp parameter to access the Internet.

You cannot specify this parameter and SourceVSwitchId in the same request. If SourceVSwitchId is specified, you cannot specify SourceCIDR. If SourceCIDR is specified, you cannot specify SourceVSwitchId.

Example: 10.1.1.0/24

SnatIp | string | Yes

  • When you add an SNAT entry to an Internet NAT gateway, this parameter specifies the EIPs in the SNAT entry. Separate multiple EIPs with commas (,).

    Note: If you specify multiple EIPs in the SNAT IP address pool, connections are allocated to the EIPs by using a hashing algorithm, so the traffic of each EIP may be different. Therefore, we recommend that you associate the EIPs with an Internet Shared Bandwidth instance to prevent service interruptions caused by bandwidth exhaustion.
  • When you add an SNAT entry to a VPC NAT gateway, this parameter specifies the NAT IP addresses in the SNAT entry. Separate multiple NAT IP addresses with commas (,).

Example: 47.98.XX.XX

SnatEntryName | string | No

The name of the SNAT entry.

The name must be 2 to 128 characters in length. It must start with a letter but cannot start with http:// or https://.

Example: SnatEntry-1

ClientToken | string | No

The client token that is used to ensure the idempotence of the request.

You can use the client to generate the token, but you must make sure that the token is unique among different requests. The client token can contain only ASCII characters.

Note: If you do not specify this parameter, the system automatically uses the request ID as the client token. The request ID may be different for each request.

Example: 02fb3da4-130e-11e9-8e44****

EipAffinity | integer | No

Specifies whether to enable EIP affinity. Valid values:

  • 0: no
  • 1: yes

Note: After you enable EIP affinity, if multiple EIPs are associated with an SNAT entry, each client uses one EIP to access the Internet. If EIP affinity is disabled, each client uses a random EIP to access the Internet.

Example: 1
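The parameter rules above (required fields, the SourceVSwitchId/SourceCIDR exclusion, the SnatEntryName format, the ASCII-only ClientToken, the EipAffinity values) can be enforced before a request is sent. The following pre-flight check is an added example, not code from the original documentation; the function name, the strict CIDR parsing and the optional `vpc_cidr` containment check are assumptions made for illustration.

```python
import ipaddress
import uuid


def build_create_snat_entry_params(region_id, snat_table_id, snat_ip,
                                   source_vswitch_id=None, source_cidr=None,
                                   name=None, client_token=None,
                                   eip_affinity=None, vpc_cidr=None):
    """Check inputs against the rules documented above; return the request dict."""
    if not (region_id and snat_table_id and snat_ip):
        raise ValueError("RegionId, SnatTableId and SnatIp are required")
    if source_vswitch_id and source_cidr:
        raise ValueError("SourceVSwitchId and SourceCIDR cannot both be set")
    # SnatIp is a comma-separated list; every item must parse as an IP address.
    ips = [ipaddress.ip_address(item.strip()) for item in snat_ip.split(",")]
    params = {"RegionId": region_id, "SnatTableId": snat_table_id,
              "SnatIp": ",".join(str(ip) for ip in ips)}
    if source_vswitch_id:
        params["SourceVSwitchId"] = source_vswitch_id
    if source_cidr:
        # strict=True rejects host bits (10.1.1.5/24); a local choice, stricter
        # than anything the page states.
        net = ipaddress.ip_network(source_cidr, strict=True)
        # vpc_cidr is a hypothetical extra argument: keep the source range
        # inside the VPC so a typo cannot open egress for unintended hosts.
        if vpc_cidr and not net.subnet_of(ipaddress.ip_network(vpc_cidr)):
            raise ValueError(f"{net} is outside VPC CIDR {vpc_cidr}")
        params["SourceCIDR"] = str(net)
    if name is not None:
        ok = (2 <= len(name) <= 128 and name[0].isalpha()
              and not name.lower().startswith(("http://", "https://")))
        if not ok:
            raise ValueError("SnatEntryName violates the naming rule")
        params["SnatEntryName"] = name
    # Generate the token once per logical request; reuse the returned dict on
    # retries so a retried call stays idempotent.
    token = client_token or str(uuid.uuid4())
    if not token.isascii():
        raise ValueError("ClientToken must contain only ASCII characters")
    params["ClientToken"] = token
    if eip_affinity is not None:
        if eip_affinity not in (0, 1):
            raise ValueError("EipAffinity must be 0 or 1")
        params["EipAffinity"] = eip_affinity
    return params
```

The returned dictionary uses the parameter names from the table above and can be passed to whichever SDK or signing client you use.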

Response parameters

| Parameter | Type | Description | Example |
| --- | --- | --- | --- |
| | object | The ID of the SNAT entry. | |
| SnatEntryId | string | The ID of the SNAT entry. | snat-kmd6nv8fy**** |
| RequestId | string | The request ID. | 2315DEB7-5E92-423A-91F7-4C1EC9AD97C3 |

Examples

Sample success responses

JSON format

{
  "SnatEntryId": "snat-kmd6nv8fy****",
  "RequestId": "2315DEB7-5E92-423A-91F7-4C1EC9AD97C3"
}

Error codes

| HTTP status code | Error code | Error message | Description |
| --- | --- | --- | --- |
| 400 | UnsupportedFeature.PrivateLinkEnabled | The feature of PrivateLinkEnabled is not supported. | - |
| 400 | InvalidSourceCIDR.Malformed | SourceCIDR is illegal. | - |
| 400 | NOT_ALLOW_USE_SOURCECIDR_OUTSIDEVPC | The User not in sourcecidr_unlimited_outsidevpc white list. Cannot use SourceCidr outside VpcCidr. | - |
| 400 | NOT_ALLOW_USE_SOURCECIDR_AUTODEFINE | The User not in sourcecidr_unlimited_insidevpc white list. Cannot use SourceCidr auto defined. | - |
| 400 | NOT_ALLOW_USE_SOURCECIDR_CONTAINSZERO | The User not in sourcecidr_unlimited_outsidevpc_containszero white list. Cannot use SourceCidr outside VpcCidr. | - |
| 400 | Forbidden.IpHasBeenUsedInDnat | The snat ip can't be used. Because it has been used in dnat | - |
| 400 | Forbidden.SourceVSwitchId.IncludeHaVip | There is some HaVips under specified VSwitch | The specified vSwitch is associated with HAVIPs. |
| 400 | InvalidSnatIp.Malformed | The specified SnatIp is not a valid IP address. | The specified EIP is invalid. |
| 400 | SNAT_IP_POOL_COUNT_TOO_MANY | The Snat pool ip too many. | The number of IP addresses has reached the upper limit supported by the SNAT IP address pool. |
| 400 | Forbidden.SnatEntryCountLimited | SNAT entry in the specified SNAT table reach its limit. | The number of SNAT entries has reached the upper limit. |
| 400 | NOT_ALLOW_USE_SOURCECIDR | The User not in nat_scope_unlimited white list. Cannot use SourceCidr param. | The private IP address does not fall within the VPC CIDR block. |
| 400 | INVALID_PARAMETER | The parameter invalid. | A parameter is set to an invalid value. |
| 400 | Forbidden.SourceVSwitchId.Duplicated | The specified SourceCIDRis duplicated. | An SNAT entry is already created for the specified vSwitch. |
| 400 | Forbidden.IpUsedInForwardTable | The specified SnatIp already used in forward table | The specified EIP is already used by a DNAT entry. Select another EIP or delete the DNAT rule that uses the specified EIP. |
| 400 | Forbindden | The specified Instance already bind eip | The ECS instance is associated with an EIP. Disassociate the EIP from the ECS instance before you create forwarding rules. |
| 400 | EIP_NOT_SUPPORT_SNAT_POOL | The Eip cannot support snat pool | - |
| 400 | EIP_NOT_IN_GATEWAY | The Eip not in nat gateway | - |
| 400 | OperationUnsupported.CidrConflict | The specified CIDR block conflicts with an existing SNAT entry. | The specified CIDR block conflicts with those in existing SNAT entries. |
| 400 | OperationUnsupported.EipNatIpCheck | %s | - |
| 400 | OperationUnsupported.EipNatBWPCheck | %s | - |
| 400 | OperationUnsupported.EipNatGWCheck | %s | - |
| 400 | OperationFailed.SnatIpPoolBwpRules | %s | - |
| 400 | OperationFailed.SnatIpsCheck | %s | - |
| 400 | OperationFailed.SnatIpPoolCbwpRules | %s | - |
| 400 | CreateSnatEntry.ParamExclusive.sourceVSwitchIdAndsourceCIDR | %s | - |
| 400 | InvalidNatGatewayId.NotFound | The NatGateway instance not exist. | - |
| 400 | InvalidParameter.Name.Malformed | The specified Name is not valid. | The specified name format is invalid. Enter the name in the valid format. |
| 400 | InvalidParameter.SnatIp | Ip semgment must be subnet cidr. | - |
| 400 | InvalidParameter.SnatIp | Error public ip must in same bandwidth package. | - |
| 400 | InvalidNatGatewayId.NotFound | Error natgateway not exist. | - |
| 400 | IncorrectStatus.SnatEntry | %s | - |
| 400 | QuotaExceeded.SnatIp | Public ip number exceeds quota. | - |
| 400 | OperationUnsupported.EipInBinding | Create snat entry with eip in associating status is unsupported. | You cannot use an associated EIP when you create an SNAT entry. |
| 400 | OperationFailed.VSwitchNotInVpc | The specified vswitch and natgateway are not in the same vpc. | - |
| 400 | QuotaExceeded.SnatEntry | SNAT entry in the specified SNAT table reach it's limit. | - |
| 400 | IncorrectStatus.NatIp | %s | - |
| 400 | IncorrectStatus.NATGW | NATGW status is invalid. | The NAT gateway is in an invalid state. |
| 404 | InvalidRegionId.NotFound | The specified RegionId does not exist in our records. | The specified region ID does not exist. |
| 404 | InvalidSnatTableId.NotFound | Specified SNAT table does not exist. | The specified SNAT table does not exist. |
| 404 | InvalidVSwitchId.NotFound | The specified virtual switch does not exists. | The vSwitch does not exist. |
| 404 | InvalidSnatIp.NotFound | Specified SnatIp does not found on the NAT Gateway | The public IP address does not exist in the NAT gateway. |
| 404 | ResourceNotFound.NatGateway | The NatGateway instance not exist. | The NAT gateway does not exist. |
| 404 | ResourceNotFound.NatIp | The NatIp instance not exist. | - |
| 500 | DefaultValidate.Error | validte fail. | - |
| 500 | OperationFailed.CrateSnatEntryTimeOut | Operation failed because create snatEntry timeout. | - |

For a list of error codes, see Service error codes.

Change history

| Change time | Summary of changes |
| --- | --- |
| 2024-12-03 | The error code has changed. The request parameters of the API have changed. |
| 2024-08-09 | The error code has changed. The request parameters of the API have changed. |
| 2024-01-18 | The error code has changed. |
| 2023-09-18 | API description update. The error code has changed. |
| 2023-03-01 | The error code has changed. |