This topic describes how to use the SNAT and DNAT features of a Virtual Private Cloud (VPC) NAT gateway and an Express Connect circuit to enable a data center and a VPC to communicate with each other by using static private IP addresses.
Scenario
The following scenario is used as an example. An enterprise has created a VPC and vSwitches in the China (Shanghai) region. Elastic Compute Service (ECS) instances are deployed in the vSwitches. The data center of the enterprise is connected to Alibaba Cloud through virtual border routers (VBRs) and Express Connect circuits. The VPC can communicate with the data center by using Cloud Enterprise Network (CEN). The enterprise requires the ECS instances in the VPC to communicate with the data center by using a static private IP address.
The preceding requirement can be met by using the DNAT and SNAT features of a VPC NAT gateway. The following table describes how networks are planned in this example. You can plan CIDR blocks based on your business requirements. Make sure that the CIDR blocks do not overlap with each other.
Parameter | IP address/CIDR block
--- | ---
VPC1 CIDR block | 192.168.0.0/16
vSwitch CIDR blocks | 
IP addresses of the ECS instances | 
Data center CIDR block | 172.16.0.0/12
IP address of the server in the data center | 172.16.10.137
Peer IP addresses | 
Prerequisites
A VPC named VPC1 is created in the China (Shanghai) region and two vSwitches named VSW1 and VSW2 are created in VPC1. VSW1 is deployed in Zone F and VSW2 is deployed in Zone G. For more information, see Create and manage a VPC.
Note: Before you connect an Enterprise Edition transit router to a VPC, make sure that the VPC has at least one vSwitch in a zone that supports Enterprise Edition transit routers. The vSwitch must have at least one idle IP address. In this example, the transit router is created in the China (Shanghai) region. Shanghai Zone F and Shanghai Zone G support Enterprise Edition transit routers.
A transit vSwitch named NATVSW is created in VPC1. NATVSW is deployed in Zone H.
Two ECS instances named ECS1 and ECS2 are created in VSW1 and VSW2. Applications are deployed on ECS1 and ECS2. For more information, see Create an instance on the Custom Launch tab.
An Express Connect circuit and a VBR are created in the China (Shanghai) region. For more information, see Create and manage a dedicated connection over an Express Connect circuit and Create and manage a VBR.
A CEN instance is created. For more information, see Create a CEN instance.
An Enterprise Edition transit router is created in the region where the VPC resides. For more information, see Transit routers.
Procedure
Step 1: Connect the transit router to the VPC and the VBR
Connect the transit router in the China (Shanghai) region to the VPC that you want to connect to the data center. Then, connect the transit router to the VBRs that are associated with the Express Connect circuits. This way, the VPC and the data center can communicate with each other.
Log on to the CEN console.
On the Instances page, click the ID of the CEN instance that you want to manage.
On the tab, find the transit router that you want to manage and click Create Connection in the Actions column.
On the Connection with Peer Network Instance page, configure the following parameters and click OK.
Note: When you perform this operation for the first time, the system automatically creates a service-linked role named AliyunServiceRoleForCEN. This role allows the transit router to create an ENI in a vSwitch of the VPC. For more information, see AliyunServiceRoleForCEN.
Parameter | Description
--- | ---
Instance Type | The type of network instance. In this example, VPC is selected.
Region | The region in which the VPC is deployed. In this example, China (Shanghai) is selected.
Transit Router | The system automatically displays the transit router in the selected region.
Resource Owner ID | The Alibaba Cloud account to which the VPC belongs. In this example, Current Account is selected.
Billing Method | By default, transit routers use the pay-as-you-go billing method. For more information, see Billing rules.
Network Instance | The ID of the VPC. In this example, the VPC that you created is selected.
VSwitch | Select at least two vSwitches in a zone supported by the transit router.
Advanced Settings | By default, the following features are selected: Automatically associate with the default route table of the transit router, Automatically advertise system routes to the default route table of the transit router, and Automatically add a route that points to the transit router to all the route tables of the VPC. In this example, the default settings are used.
On the Connection with Peer Network Instance page, click Create More Connections.
On the Connection with Peer Network Instance page, configure the following parameters and click OK to create a connection for VBR1.
Parameter | Description
--- | ---
Instance Type | The type of the network instance. In this example, Virtual Border Router (VBR) is selected.
Region | The region in which the VBR is deployed. In this example, China (Shanghai) is selected.
Transit Router | The system automatically displays the transit router in the selected region.
Resource Owner ID | The Alibaba Cloud account to which the VBR belongs. In this example, Current Account is selected.
Network Instance | The ID of the VBR. In this example, VBR1 is selected.
Advanced Settings | By default, the following advanced features are enabled: Associate with Default Route Table of Transit Router, Propagate System Routes to Default Route Table of Transit Router, and Propagate Routes to VBR. In this example, the default settings are used.
After the connections are created, you can view the details about the connections on the Intra-region Connections tab of the VBR details page. For more information, see View network instance connections.
Step 2: Configure VBR routes
Add a route that points to the data center to the VBR.
Log on to the Express Connect console.
In the top navigation bar, select a region and click Virtual Border Routers (VBRs) in the left-side navigation pane.
On the Virtual Border Routers (VBRs) page, click the ID of the VBR that you want to manage.
On the details page of the VBR, click the Routes tab and click Add Route.
In the Add Route panel, configure the parameters and click OK. The following table describes the parameters.
Parameter | Description
--- | ---
Next Hop Type | Select the next hop type. In this example, Physical Connection Interface is selected.
Destination CIDR Block | In this example, 172.16.10.137 is used, which is the IP address of the server in the data center.
Next Hop | Select the Express Connect circuit.
Step 3: Create a VPC NAT gateway
- Log on to the NAT Gateway console.
- In the left-side navigation pane, choose .
- On the VPC NAT Gateway page, click Create VPC NAT Gateway.
- On the VPC NAT Gateway (Pay-As-You-Go) page, set the following parameters and click Buy Now.
Parameter | Description
--- | ---
Region | Select the region where you want to create the VPC NAT gateway. In this example, China (Shanghai) is selected.
VPC ID | Select the VPC to which the VPC NAT gateway belongs. After you create a VPC NAT gateway, you cannot change the VPC to which it belongs. In this example, VPC1 is selected.
Zones | Select the zone to which the VPC NAT gateway belongs. In this example, Zone H, the zone where NATVSW is deployed, is selected.
vSwitch ID | Select the vSwitch to which the VPC NAT gateway belongs. In this example, NATVSW is selected.
Name | Enter a name for the VPC NAT gateway. The name must be 1 to 128 characters in length. In this example, VPC_NATGW is used.
Service-linked Role | Displays whether a service-linked role is created for the VPC NAT gateway. If this is your first time using an Internet NAT gateway or a VPC NAT gateway, you must click Create Service-linked Role to create a service-linked role.
- On the Confirm Order page, confirm the information, select Terms of Service, and then click Activate Now.
- When the message Order complete. appears, the VPC NAT gateway has been created.
Step 4: Add a route to the system route table of VPC1
Add a route to the system route table of VPC1. The route must point to the VPC NAT gateway.
Log on to the VPC console.
On the VPC page, find VPC1 and click its ID.
On the details page, click the Resource Management tab and click the number below Route Table.
On the Route Tables page, find the route table whose Route Table Type is System and click its ID.
On the details page of the route table, choose and click Add Route Entry.
In the Add Route Entry panel, configure the parameters and click OK. The following table describes the parameters.
Parameter | Description
--- | ---
Name | Enter a name for the route. In this example, VPCENTRY is used.
Destination CIDR Block | Enter a destination CIDR block. In this example, 172.16.10.137 is used, which is the IP address of the server in the data center.
Next Hop Type | Select a next hop type. In this example, NAT Gateway is selected.
NAT Gateway | Select a NAT gateway. In this example, the VPC NAT gateway is selected.
Step 5: Create a custom route table and add a route
Create a custom route table for NATVSW and add a route that points to the transit router.
For more information about the regions that support custom route tables, see Supported regions.
Log on to the VPC console.
In the left-side navigation pane, click Route Tables.
In the top navigation bar, select the region to which the route table belongs.
Perform the following operations to create a custom route table and associate the route table with NATVSW:
On the Route Tables page, click Create Route Table.
On the Create Route Table page, set the following parameters and click OK.
Parameter | Description
--- | ---
Resource Group | Select the resource group to which the route table belongs. In this example, All is selected.
VPC | Select the VPC to which the route table belongs. In this example, VPC1 is selected.
Name | Enter a name for the route table. In this example, NATVTB is used.
Description | Enter a description for the route table. In this example, Custom is used.
Click the Associated vSwitch tab and click Associate vSwitch.
In the Associate vSwitch dialog box, select a vSwitch and click OK.
In this example, NATVSW is selected.
Perform the following steps to add a route to the custom route table:
On the Route Tables page, find the custom route table and click its ID.
Choose and click Add Route Entry.
In the Add Route panel, configure the parameters and click OK. The following table describes the parameters.
Parameter | Description
--- | ---
Name | Enter a name for the route. In this example, VPCNATENTRY is used.
Destination CIDR Block | Enter a destination CIDR block. In this example, 172.16.10.137 is used, which is the IP address of the server in the data center.
Next Hop Type | Select a type of next hop. In this example, Transit Router is selected.
Transit Router | Select a transit router. In this example, the VPC1 connection that you created on the transit router is selected.
Step 6: Create an SNAT entry and a DNAT entry by using the default NAT IP address
Create an SNAT entry for the ECS instance to enable the ECS instance to access the data center. Create a DNAT entry for the ECS instance to enable the data center to access the ECS instance.
- Log on to the NAT Gateway console.
- In the left-side navigation pane, choose .
- In the top navigation bar, select the region where you want to create the NAT gateway.
Perform the following operations to create an SNAT entry:
- On the VPC NAT Gateway page, find the VPC NAT gateway that you want to manage and click SNAT Management in the Actions column.
- On the SNAT Management tab, click Create SNAT Entry.
- On the Create SNAT Entry page, set the following parameters and click OK.
Parameter | Description
--- | ---
SNAT Entry | Specify whether you want to create an SNAT entry for a VPC, a vSwitch, an ECS instance, or a custom CIDR block. In this example, Specify vSwitch is selected. Then, the vSwitch to which the ECS instance belongs is selected from the Select vSwitch drop-down list. In this example, VSW1 is selected. The vSwitch CIDR Block section displays the CIDR block of VSW1.
Select NAT IP Address | Select the NAT IP address that is used to access external private networks. The default NAT IP address is selected in this example.
Entry Name | Enter a name for the SNAT entry.
Return to the VPC NAT Gateway page and perform the following operations to create a DNAT entry:
- On the VPC NAT Gateway page, find the VPC NAT gateway that you want to manage and click DNAT Management in the Actions column.
- On the DNAT Management tab, click Create DNAT Entry.
- On the Create DNAT Entry page, set the following parameters and click OK.
Parameter | Description
--- | ---
Select NAT IP Address | Select the NAT IP address that is used to receive requests from external private networks. The default NAT IP address is selected in this example.
Select Private IP Address | Specify the private IP address used to communicate with external networks. In this example, Select by ECS or ENI is selected and the private IP address of ECS1 is selected.
Port Settings | Select a DNAT mapping method. Port mapping is used in this example. Select Specific Port, enter 22 for Frontend Port, 22 for Backend Port, and TCP for Protocol.
Entry Name | Enter a name for the DNAT entry.
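The following Python model, added here and not part of the original topic or of Alibaba Cloud's own code, replays the Step 6 entries on sample flows: the SNAT entry for VSW1, the DNAT entry for TCP port 22, and the translation state the gateway keeps so that replies to ECS1's own traffic (such as the ping in Step 8) get back without a DNAT entry. The VSW1 CIDR 192.168.1.0/24 and the ECS1 private IP 192.168.1.10 are assumed because the planning table leaves them blank; the NAT IP 192.168.3.132 is the one used in Step 8.

```python
from ipaddress import ip_address, ip_network
from typing import Optional

# From the page: default NAT IP used in Step 8 and the data center server.
NAT_IP = "192.168.3.132"
DC_SERVER = "172.16.10.137"
# Assumed for the model (the page leaves them blank): VSW1 CIDR and ECS1 address.
VSW1_CIDR = ip_network("192.168.1.0/24")
ECS1_IP = "192.168.1.10"

# Step 6 entries: SNAT for VSW1 -> default NAT IP; DNAT NAT IP tcp/22 -> ECS1:22.
SNAT_ENTRIES = [(VSW1_CIDR, NAT_IP)]
DNAT_ENTRIES = {(NAT_IP, "tcp", 22): (ECS1_IP, 22)}
# Modelled translation state for outbound flows, keyed by the 5-tuple a reply
# will carry (for ICMP, treat sport/dport as the echo identifier).
_conntrack: dict = {}

def outbound(src: str, dst: str, proto: str, sport: int, dport: int) -> Optional[tuple]:
    """ECS -> data center: rewrite the source if an SNAT entry covers it."""
    for cidr, nat_ip in SNAT_ENTRIES:
        if ip_address(src) in cidr:
            _conntrack[(dst, nat_ip, proto, dport, sport)] = (src, sport)
            return (nat_ip, dst, proto, sport, dport)
    return None  # e.g. VSW2 has no SNAT entry: the gateway does not forward it

def inbound(src: str, dst: str, proto: str, sport: int, dport: int) -> Optional[tuple]:
    """Data center -> VPC: a reply to an SNAT flow, a DNAT hit, or dropped."""
    flow = _conntrack.get((src, dst, proto, sport, dport))
    if flow:                      # reply to traffic ECS1 initiated (the ping)
        real_src, real_port = flow
        return (src, real_src, proto, sport, real_port)
    mapped = DNAT_ENTRIES.get((dst, proto, dport))
    if mapped:                    # unsolicited, but explicitly published (ssh)
        return (src, mapped[0], proto, sport, mapped[1])
    return None                   # anything else (e.g. tcp/80) never reaches an ECS
```

Only the NAT IP is ever visible from the data center, and only the port/protocol pairs with a DNAT entry accept unsolicited connections.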
Step 7: Add a route to the on-premises gateway device
After you complete the preceding steps, you must add a route that points to the VPC to the on-premises gateway device.
Add the following route that points to the VPC to the on-premises gateway device:
The route is for reference only. The actual route may vary based on the gateway device vendor.
ip route 192.168.0.0 255.255.0.0 10.0.0.2
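The following Python model, added as an illustration and not taken from the topic or from Alibaba Cloud, walks a packet through the route tables configured in Steps 2, 4, 5 and 7 with longest-prefix matching, and shows why Step 5 is needed: without the custom table on NATVSW, the NAT gateway's own vSwitch would use the system table, whose /32 route points back at the NAT gateway. Next-hop labels, the propagated routes on the transit router and VBR, and treating 10.0.0.2 as the VBR-side peer are modelling assumptions.

```python
from ipaddress import ip_address, ip_network

# Route tables as the page configures them (Steps 2, 4, 5 and 7); the transit
# router and VBR entries are the propagated routes that Step 1 enables. Next
# hops are labels for this model and "local" means on-link delivery. Mapping
# 10.0.0.2 to vbr1 and the VBR's learned VPC route are assumptions.
ROUTES = {
    "vpc1_system": [("192.168.0.0/16", "local"), ("172.16.10.137/32", "nat_gw")],
    "natvtb": [("192.168.0.0/16", "local"), ("172.16.10.137/32", "transit_router")],
    "transit_router": [("172.16.10.137/32", "vbr1"), ("192.168.0.0/16", "vpc1")],
    "vbr1": [("172.16.10.137/32", "express_connect"), ("192.168.0.0/16", "transit_router")],
    "on_prem_gw": [("172.16.0.0/12", "local"), ("192.168.0.0/16", "10.0.0.2")],
}
# Table each next hop consults. The VPC NAT gateway lives in NATVSW, which
# Step 5 binds to the custom table NATVTB.
TABLE_OF = {"nat_gw": "natvtb", "transit_router": "transit_router", "vbr1": "vbr1",
            "express_connect": "on_prem_gw", "10.0.0.2": "vbr1", "vpc1": "vpc1_system"}

def lookup(table: str, dst: str):
    """Longest-prefix match in one table; None when no route covers dst."""
    addr, best = ip_address(dst), None
    for cidr, next_hop in ROUTES[table]:
        net = ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None

def trace(start_table: str, dst: str, max_hops: int = 8) -> list:
    """Follow next hops until delivered, black-holed, or looping."""
    path, table = [], start_table
    for _ in range(max_hops):
        next_hop = lookup(table, dst)
        path.append(next_hop)
        if next_hop == "local" or next_hop not in TABLE_OF:
            return path           # delivered, or no route (None) / edge of model
        table = TABLE_OF[next_hop]
    return path + ["LOOP"]

def trace_without_step5(dst: str) -> list:
    """Skip Step 5: NATVSW falls back to the system table, whose /32 points
    back at the NAT gateway, so traffic from the gateway never leaves the VPC."""
    saved, TABLE_OF["nat_gw"] = TABLE_OF["nat_gw"], "vpc1_system"
    try:
        return trace("vpc1_system", dst)
    finally:
        TABLE_OF["nat_gw"] = saved
```

`trace("vpc1_system", "172.16.10.137")` follows ECS1's traffic out through the NAT gateway, transit router, VBR and Express Connect circuit; `trace("on_prem_gw", "192.168.3.132")` follows the return path to the NAT IP.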
Step 8: Test the connectivity
Test whether the ECS instances can communicate with the data center.
Log on to ECS1 in VSW1. For more information, see Connection method overview.
Ping the IP address of the server in the data center to check whether ECS1 can access the server in the data center. In this example, the following command is used:
ping 172.16.10.137
If you receive echo reply packets, the connection is established.
Log on to the server in the data center and run the ssh root@NAT IP command. Before you run this command, replace NAT IP with the default NAT IP address specified for the VPC NAT gateway. Then, enter the password that is used to log on to ECS1 to check whether the server can access ECS1. In this example, the following command is used:
ssh root@192.168.3.132
If you can log on to ECS1, the connection is established.