This topic describes how to use a virtual private cloud (VPC) NAT gateway and a Cloud Enterprise Network (CEN) instance to enable communication between VPCs that have address conflicts.
Examples
You create two VPCs named VPC_A and VPC_B in the China (Shenzhen) region. The two VPCs use the same CIDR block. Due to address conflicts, the VPCs cannot access each other by using a CEN instance. Therefore, private address translation is required so that VPC_A can access VPC_B.
To allow VPC_A to access VPC_B, perform the following steps:
Add secondary IPv4 CIDR blocks: Add secondary IPv4 CIDR blocks to both VPCs for later use.
Associate with a transit router: Associate both VPCs with a transit router so that VPC_A can access VPC_B through the transit router.
Translate network addresses: Use a VPC NAT gateway to translate conflicting addresses.
Configure route tables: Configure custom routes so that traffic can be forwarded as expected.
Procedure
Step 1: Add secondary CIDR blocks and create vSwitches
Add secondary CIDR blocks and create vSwitches for both VPC_A and VPC_B. The following table provides an example. You can use custom CIDR blocks, but you must make sure that the CIDR blocks do not overlap.
VPC | IPv4 CIDR block | vSwitch CIDR block and zone |
VPC_A | 172.16.0.0/12 (secondary) | 172.16.20.0/24 (Shenzhen Zone E) |
VPC_B | 10.0.0.0/8 (secondary) | 10.0.20.0/24 (Shenzhen Zone E) |
Log on to the VPC console. Click the VPC ID. On the Basic Information tab, click the CIDR Block Management tab and click Add Secondary IPv4 CIDR Block.
In the left-side navigation pane, click vSwitch. On the vSwitch page, click Create vSwitch.
Step 2: Connect VPC_A to VPC_B through a transit router
Associate VPC_A and VPC_B with the same transit router so that VPC_A can access VPC_B.
Log on to the CEN console and click Create CEN Instance.
In the dialog box titled The CEN instance is created, click Create Connection to attach VPC_A and VPC_B to the same transit router.
Note: For more information about the regions and zones that support Enterprise Edition transit routers, see Supported regions and zones.
Step 3: Configure a VPC NAT gateway
Address translation: SNAT entries on the gateway in VPC_A translate the source addresses of its ECS instances into a NAT IP address, and DNAT entries on the gateway in VPC_B map a NAT IP address to an ECS instance in VPC_B. Both NAT IP addresses are allocated from the non-overlapping secondary CIDR blocks, so the transit router can route between them.
Log on to the NAT Gateway console. In the left-side navigation pane, click VPC NAT Gateway. On the VPC NAT Gateway page, click Create VPC NAT Gateway.
Create a VPC NAT gateway named VPC_NATGW_A for VPC_A and a VPC NAT gateway named VPC_NATGW_B for VPC_B.
On the VPC NAT Gateway page, find VPC_NATGW_A and click SNAT Management in the Actions column.
Create an SNAT entry for VPC_A. In this example, Specify VPC is used for the SNAT Entry parameter. You can also use another value.
On the VPC NAT Gateway page, find VPC_NATGW_B and click DNAT Management in the Actions column.
Create a DNAT entry for the ECS instance ECS_B in VPC_B. In this example, SSH is used to check the connectivity. Make sure that the security group rules of ECS_B allow requests to port 22. Because requests from VPC_A are source-translated by VPC_NATGW_A, ECS_B sees them as coming from the NAT IP address of VPC_NATGW_A, so the rule can be scoped to that address instead of 0.0.0.0/0. For more information, see Add security group rules. You can also create a custom DNAT entry.
Note: SSH is a cryptographic network protocol that uses TCP port 22 by default.
Step 4: Configure route tables
Create custom route tables and associate the route tables with vSwitches
In the left-side navigation pane, click Route Tables. On the Route Tables page, click Create Route Table.
Create a custom route table for both VPC_A and VPC_B.
On the Route Tables page, find the route table and click Associate Resource > Bind.
Associate the vSwitch in VPC_A with the custom route table of VPC_A and the vSwitch in VPC_B with that of VPC_B.
Optional. Optimize the routes in VPC_A and VPC_B.
The following adjustments are not required for connectivity. We recommend that you perform them to keep the route tables minimal.
Note: Modify the route priorities. For more information, see Route table overview.
After the transit router is attached, the system adds routes to the VPC route tables. In the system route table, withdraw the routes whose destination CIDR blocks do not fall within the CIDR block to which the VPC NAT gateway belongs, so that only the translated address block is reachable through the transit router.
Configure routes: Add the routes that forward traffic between the two VPCs. Configure the routes for VPC_A and VPC_B based on the following table.
VPC | Route table | Destination CIDR block | Next hop |
VPC_A | System route table | 10.0.20.0/24 | Transit router |
VPC_A | Custom route table | 10.0.20.0/24 | VPC_NATGW_A |
VPC_B | System route table | 172.16.20.0/24 | Transit router |
VPC_B | Custom route table | 172.16.20.0/24 | VPC_NATGW_B |
The following figure shows the route added to the system route table of VPC_A.
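Before you test connectivity, it is worth checking the whole address plan at once: the secondary blocks must not overlap the conflicting primary block or each other, each vSwitch must be carved from its secondary block, each NAT IP address must sit in the vSwitch that hosts its gateway, and each VPC's routes must point at the peer's NAT vSwitch block. The following Python script is an added example and is not part of this topic or of the Alibaba Cloud console. It uses the addresses from the tables above; the primary CIDR block shared by the two VPCs is not stated on this page, so 192.168.0.0/16 is an assumed placeholder, and BAD_VPCS is a constructed counterexample.

```python
import ipaddress

# Addresses taken from this topic's tables. The conflicting primary CIDR block that
# both VPCs share is not given on the page; 192.168.0.0/16 is an assumed placeholder.
PRIMARY_CIDR = "192.168.0.0/16"
VPCS = {
    "VPC_A": {"secondary": "172.16.0.0/12", "vswitch": "172.16.20.0/24", "nat_ip": "172.16.20.14"},
    "VPC_B": {"secondary": "10.0.0.0/8", "vswitch": "10.0.20.0/24", "nat_ip": "10.0.20.190"},
}
# Destination CIDR block of the routes configured in each VPC in Step 4.
ROUTES = {"VPC_A": "10.0.20.0/24", "VPC_B": "172.16.20.0/24"}

# A constructed bad plan (not from the page): VPC_B's secondary block collides with
# VPC_A's, and the NAT IP address lies outside the vSwitch.
BAD_VPCS = {
    "VPC_A": VPCS["VPC_A"],
    "VPC_B": {"secondary": "172.16.0.0/16", "vswitch": "172.16.20.0/24", "nat_ip": "10.0.20.190"},
}


def check_plan(primary, vpcs, routes):
    """Return a list of problems with the address plan; an empty list means it is consistent."""
    problems = []
    primary_net = ipaddress.ip_network(primary)
    secondaries = {}

    for name, cfg in vpcs.items():
        sec = ipaddress.ip_network(cfg["secondary"])
        vsw = ipaddress.ip_network(cfg["vswitch"])
        nat_ip = ipaddress.ip_address(cfg["nat_ip"])
        secondaries[name] = sec
        # The secondary block is the translated address space; it must not collide
        # with the primary block that caused the conflict in the first place.
        if sec.overlaps(primary_net):
            problems.append(f"{name}: secondary block {sec} overlaps primary block {primary_net}")
        # The vSwitch that hosts the VPC NAT gateway must be carved from the secondary block.
        if not vsw.subnet_of(sec):
            problems.append(f"{name}: vSwitch {vsw} is not inside secondary block {sec}")
        # NAT IP addresses are allocated from the gateway's vSwitch.
        if nat_ip not in vsw:
            problems.append(f"{name}: NAT IP address {nat_ip} is not inside vSwitch {vsw}")

    # The secondary blocks of different VPCs must not overlap each other either;
    # they are what the transit router actually routes between.
    names = sorted(secondaries)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if secondaries[a].overlaps(secondaries[b]):
                problems.append(f"{a} and {b}: secondary blocks {secondaries[a]} and {secondaries[b]} overlap")

    # Each VPC routes toward the peer's NAT vSwitch block, which is where the peer's
    # NAT IP addresses live. Routing toward the shared primary block would be ambiguous.
    for name, dest in routes.items():
        dest_net = ipaddress.ip_network(dest)
        peer_vswitches = {ipaddress.ip_network(cfg["vswitch"]) for p, cfg in vpcs.items() if p != name}
        if dest_net not in peer_vswitches:
            problems.append(f"{name}: route destination {dest_net} is not a peer NAT vSwitch block")
        if dest_net.overlaps(primary_net):
            problems.append(f"{name}: route destination {dest_net} overlaps the shared primary block")
    return problems


if __name__ == "__main__":
    for label, plan in (("page plan", VPCS), ("bad plan", BAD_VPCS)):
        found = check_plan(PRIMARY_CIDR, plan, ROUTES)
        print(f"{label}: {'OK' if not found else str(len(found)) + ' problem(s)'}")
        for p in found:
            print("  -", p)
```

Run the script before you create the vSwitches and routes; it reports nothing for the plan in this topic and three problems for the constructed bad plan (overlapping secondary blocks, a NAT IP address outside its vSwitch, and a route in VPC_A that no longer points at a peer NAT vSwitch block).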
Verify the connectivity
On ECS_A, run the following command to connect to the NAT IP address of VPC_NATGW_B. After you log on to ECS_B, view the IP address of its network interface controller (NIC):
ssh root@10.0.20.190
ifconfig
As shown in the preceding figure, ECS_A reaches the NAT IP address (10.0.20.190) of VPC_NATGW_B, and its traffic is source-translated to the NAT IP address (172.16.20.14) of VPC_NATGW_A. This allows remote logon to ECS_B. On ECS_B, the connection appears to originate from 172.16.20.14 rather than from the private IP address of ECS_A, which confirms that both SNAT and DNAT are in effect.
References
For more information about how to add a NAT IP address to a VPC NAT gateway, see Add a NAT IP address.
For more information about CEN inter-region connections, see Inter-region connections.
For more information about VPC connections in different regions and accounts, see Use Enterprise Edition transit routers to connect VPCs in different regions and accounts.