You can use a Virtual Private Cloud (VPC) NAT gateway to translate private IP addresses. A VPC NAT gateway enables communication between networks whose private address ranges overlap, and it can restrict access to specified IP addresses.
Prerequisites
A VPC is created. For more information, see Create and manage a VPC.
A vSwitch is created. For more information, see Create and manage a vSwitch.
Create a VPC NAT gateway
- Log on to the NAT Gateway console.
- In the left-side navigation pane, choose .
- On the VPC NAT Gateway page, click Create VPC NAT Gateway.
- On the VPC NAT Gateway (Pay-As-You-Go) page, set the following parameters and click Buy Now.
  - Region: Select the region where you want to create the VPC NAT gateway.
  - VPC ID: Select the VPC to which the VPC NAT gateway belongs. After you create a VPC NAT gateway, you cannot change the VPC to which it belongs.
  - Zones: Select the zone to which the VPC NAT gateway belongs.
  - vSwitch ID: Select the vSwitch to which the VPC NAT gateway belongs. We recommend that you select an independent vSwitch.
  - Name: Enter a name for the VPC NAT gateway.
  - Service-linked Role: Displays whether a service-linked role is created for the VPC NAT gateway. If this is your first time using a NAT gateway (an Internet NAT gateway or a VPC NAT gateway), click Create Service-linked Role to create the service-linked role.
- On the Confirm Order page, confirm the information, select the Terms of Service check box, and then click Activate Now.
  When the message Order complete. appears, the VPC NAT gateway is created.
- Return to the VPC NAT Gateway page to view the created VPC NAT gateway.
- Click the ID of the VPC NAT gateway. On the Basic Information tab, view the VPC and vSwitch of the VPC NAT gateway.
- Click the NAT IP Address tab to view the default NAT IP address and the default NAT CIDR block.
  Note: The default NAT CIDR block is the CIDR block of the vSwitch to which the VPC NAT gateway is attached. The default NAT IP address is an IP address that is randomly allocated from the CIDR block of the vSwitch. You cannot delete the default NAT CIDR block or the default NAT IP address.
Create a NAT CIDR block
After you create a VPC NAT gateway, the system uses the CIDR block of the vSwitch to which the VPC NAT gateway is attached as the default NAT CIDR block. You can also create a NAT CIDR block for the VPC NAT gateway to meet your business requirements.
- Log on to the NAT Gateway console.
- In the left-side navigation pane, choose .
- In the top navigation bar, select the region where the VPC NAT gateway is created.
- On the VPC NAT Gateway page, find the VPC NAT gateway that you want to manage and click its ID.
- Click the NAT IP Address tab, and click Create CIDR Block.
- In the Create CIDR Block dialog box, specify CIDR Block Name and CIDR Block, and then click OK.
  The NAT CIDR block must meet the following conditions:
  - The NAT CIDR block must fall within 10.0.0.0/8, 172.16.0.0/12, or 192.168.0.0/16, or within a subnet of one of them.
  - The subnet mask must be 16 to 32 bits in length.
  - The NAT CIDR block cannot overlap with the private CIDR block of the VPC to which the NAT gateway belongs. If you want to use other IP addresses from the VPC to provide NAT services, create a vSwitch and attach it to another VPC NAT gateway.
  - You can specify the user CIDR block of a VPC as the NAT CIDR block of a VPC NAT gateway that belongs to the VPC. For more information, see What is a user CIDR block?
  If the message "The CIDR block is added." appears, the CIDR block is created.
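The three conditions above are easy to get wrong when NAT CIDR blocks are provisioned by automation rather than through the console. The following validator is an added example, not part of this page or of the NAT Gateway product, and it checks a candidate block against the page's rules using only the Python standard library; the sample values in the `__main__` block are constructed.

```python
import ipaddress
from typing import List

# The three private ranges a NAT CIDR block must fall within (from the page).
PRIVATE_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def validate_nat_cidr(nat_cidr: str, vpc_cidr: str) -> List[str]:
    """Check a candidate NAT CIDR block against the rules on this page.

    nat_cidr: the block you intend to add to the VPC NAT gateway.
    vpc_cidr: the private CIDR block of the VPC the gateway belongs to.
    Returns a list of violations; an empty list means the block is acceptable.
    """
    problems: List[str] = []
    try:
        # strict=True rejects blocks with host bits set, e.g. 10.1.2.3/16.
        block = ipaddress.ip_network(nat_cidr, strict=True)
    except ValueError as exc:
        return [f"{nat_cidr}: not a valid CIDR block ({exc})"]
    if block.version != 4:
        return [f"{nat_cidr}: only IPv4 NAT CIDR blocks are covered here"]

    # Rule 1: must lie within 10.0.0.0/8, 172.16.0.0/12 or 192.168.0.0/16.
    if not any(block.subnet_of(r) for r in PRIVATE_RANGES):
        problems.append(
            f"{block}: must fall within 10.0.0.0/8, 172.16.0.0/12 or 192.168.0.0/16")

    # Rule 2: subnet mask between 16 and 32 bits.
    if not 16 <= block.prefixlen <= 32:
        problems.append(
            f"{block}: subnet mask must be 16 to 32 bits, got /{block.prefixlen}")

    # Rule 3: must not overlap the private CIDR block of the owning VPC.
    vpc = ipaddress.ip_network(vpc_cidr)
    if vpc.version == 4 and block.overlaps(vpc):
        problems.append(f"{block}: overlaps the VPC CIDR block {vpc}")

    return problems


if __name__ == "__main__":
    # Constructed sample values, not taken from any real deployment.
    for candidate in ("10.1.0.0/16", "192.168.1.0/24", "8.8.8.0/24", "10.0.0.0/8"):
        print(candidate, validate_nat_cidr(candidate, "192.168.0.0/16") or "OK")
```

Run it before calling CreateNatIpCidr from a pipeline: a block that overlaps the VPC's own CIDR is the mistake most likely to produce silently misrouted traffic rather than an error at creation time.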
Add a NAT IP address
A NAT IP address is used to create an SNAT entry or a DNAT entry. You can also add NAT IP addresses to a NAT CIDR block to meet your requirements.
- Log on to the NAT Gateway console.
- In the left-side navigation pane, choose .
- In the top navigation bar, select the region where the VPC NAT gateway is created.
- On the VPC NAT Gateway page, find the VPC NAT gateway that you want to manage and click its ID.
- Click the NAT IP Address tab and click Add NAT IP Address.
- In the Add NAT IP Address dialog box, set the following parameters and click OK.
  - Select CIDR Block: Select the CIDR block to which you want to add a NAT IP address. You can select an existing NAT CIDR block of the VPC NAT gateway or create a NAT CIDR block.
  - Allocation Method: Select a method to allocate the NAT IP address.
    - Randomly Allocate: The system randomly assigns an IP address from the CIDR block.
    - Manually Allocate: You specify an IP address from the CIDR block.
  - IP Address: Enter an IP address from the selected CIDR block. This parameter is required if you set Allocation Method to Manually Allocate.
  - NAT IP Address Name: Enter a name for the NAT IP address.
Create an SNAT entry
You can create an SNAT entry to allow instances in a VPC to access another VPC or a data center.
- Log on to the NAT Gateway console.
- In the left-side navigation pane, choose .
- In the top navigation bar, select the region where the VPC NAT gateway is created.
- On the VPC NAT Gateway page, find the VPC NAT gateway that you want to manage and click SNAT Management in the Actions column.
- On the SNAT Management tab, click Create SNAT Entry.
- On the Create SNAT Entry page, set the following parameters and click OK.
  - SNAT Entry: Specify whether you want to create an SNAT entry for a VPC, a vSwitch, an ECS instance, or a custom CIDR block.
    - Specify VPC: All ECS instances in the VPC to which the VPC NAT gateway belongs use the SNAT entry to access external private networks.
    - Specify vSwitch: The ECS instances that belong to the specified vSwitch use the SNAT entry to access external private networks. Select vSwitch: select a vSwitch from the drop-down list, or click Create vSwitch to create a vSwitch in the VPC console. If you select multiple vSwitches, the system creates one SNAT entry for each vSwitch, all of which use the same NAT IP address. vSwitch CIDR Block: displays the CIDR block of the vSwitch.
    - Specify ECS Instance: The specified ECS instance uses the SNAT entry to access external private networks. Select ECS Instance: select an ECS instance from the drop-down list, or click Create ECS Instance to create an ECS instance in the ECS console. Make sure that the ECS instance runs as expected. If you select multiple ECS instances, the system creates one SNAT entry for each ECS instance, all of which use the same NAT IP address. ECS CIDR Block: displays the CIDR block of the ECS instance.
    - Specify Custom CIDR Block: Specify a custom CIDR block in the Custom CIDR Block field. ECS instances whose IP addresses belong to the custom CIDR block use the SNAT entry to access external private networks.
  - Select NAT IP Address: Select the NAT IP address that is used to access external private networks. Note: You can also click Create NAT IP Address in the drop-down list to add an IP address in the Add NAT IP Address dialog box.
  - NAT IP Affinity: You can choose whether to enable NAT IP affinity if you select multiple NAT IP addresses. By default, when one private IP address accesses a destination IP address multiple times, a different NAT IP address may be used each time. If you enable NAT IP affinity, the same NAT IP address is used each time the private IP address accesses the destination IP address.
  - Entry Name: Enter a name for the SNAT entry. The name must be 2 to 128 characters in length, and can contain letters, digits, underscores (_), and hyphens (-). The name must start with a letter.
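NAT IP affinity matters whenever the destination allow-lists source addresses or ties a session to the address it first saw: without affinity, a peer behind a per-IP allow list or a stateful firewall sees one client arriving from several NAT IP addresses. The simulation below is an added example, not code from this page or from the NAT Gateway product, and the hash-based selection in `pick_with_affinity` is an illustrative way to get a stable choice; the gateway's real selection algorithm is not described on the page. The pool and endpoint addresses are constructed.

```python
import hashlib
import random
from typing import Sequence, Set


def pick_without_affinity(nat_ips: Sequence[str], src_ip: str, dst_ip: str,
                          rng: random.Random) -> str:
    """Default behaviour: each new connection may get any NAT IP from the pool."""
    return rng.choice(list(nat_ips))


def pick_with_affinity(nat_ips: Sequence[str], src_ip: str, dst_ip: str) -> str:
    """Affinity: the (source, destination) pair always maps to the same NAT IP.

    A hash of the pair indexes into the pool, so the choice is stable across
    connections and needs no per-flow state. Illustrative only (assumption).
    """
    digest = hashlib.sha256(f"{src_ip}->{dst_ip}".encode()).digest()
    return nat_ips[int.from_bytes(digest[:8], "big") % len(nat_ips)]


def nat_ips_seen_by_peer(nat_ips: Sequence[str], src_ip: str, dst_ip: str,
                         connections: int, affinity: bool, seed: int = 1) -> Set[str]:
    """Simulate `connections` connections from src_ip to dst_ip and return the
    set of NAT IP addresses the destination would observe as the source."""
    rng = random.Random(seed)  # seeded so the run is reproducible
    seen: Set[str] = set()
    for _ in range(connections):
        if affinity:
            seen.add(pick_with_affinity(nat_ips, src_ip, dst_ip))
        else:
            seen.add(pick_without_affinity(nat_ips, src_ip, dst_ip, rng))
    return seen


if __name__ == "__main__":
    # Constructed sample pool and endpoints.
    pool = ["10.1.0.10", "10.1.0.11", "10.1.0.12", "10.1.0.13"]
    print("without affinity:", nat_ips_seen_by_peer(pool, "192.168.1.5", "172.16.9.9", 100, False))
    print("with affinity:   ", nat_ips_seen_by_peer(pool, "192.168.1.5", "172.16.9.9", 100, True))
```

The first line of output lists several addresses from the pool; the second lists exactly one. That single address is what you would register on the peer's allow list.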
Create a DNAT entry
You can create a DNAT entry to map NAT IP addresses to ECS instances in a VPC. This allows the ECS instances to provide services to external private networks.
- Log on to the NAT Gateway console.
- In the left-side navigation pane, choose .
- In the top navigation bar, select the region where the VPC NAT gateway is created.
- On the VPC NAT Gateway page, find the VPC NAT gateway that you want to manage and click DNAT Management in the Actions column.
- On the DNAT Management tab, click Create DNAT Entry.
- On the Create DNAT Entry page, set the following parameters and click Confirm.
  - Select NAT IP Address: Select the NAT IP address that is used to provide services. Note: You can use the same NAT IP address in a DNAT port mapping entry and an SNAT entry.
  - Select Private IP Address: Specify the private IP address used to communicate with external networks. You can specify the private IP address in one of the following ways:
    - Select by ECS or ENI: Specify the private IP address by selecting the ECS instance or the elastic network interface (ENI) that is associated with the ECS instance from the drop-down list.
    - Manually Enter: Enter the private IP address.
  - Port Settings: Select a DNAT mapping method. DNAT supports port mapping and IP mapping.
    - Any Port: specifies IP mapping. All requests destined for the NAT IP address are forwarded to the specified ECS instance. The specified ECS instance can use the NAT IP address to access external private networks. Note: If IP mapping is configured for a NAT IP address in a DNAT entry, the NAT IP address cannot be used in another DNAT or SNAT entry. If a NAT gateway is configured with an SNAT entry and a DNAT entry that uses IP mapping, the specified ECS instance preferentially uses the DNAT entry to access external private networks.
    - Specific Port: specifies port mapping. The VPC NAT gateway forwards requests to the specified ECS instance based on the specified protocol and ports. After you select Specific Port, set the following parameters based on your business requirements:
      - Frontend Port: the port that is used to access the NAT IP address from external private networks. If the selected NAT IP address is already specified in an SNAT entry and the port number is greater than 1024, click Remove Port Limits and click OK, because the default SNAT port range is 1025 to 65535. Warning: This operation may temporarily interrupt existing SNAT connections. You can resolve this by re-establishing the connections. Proceed with caution.
      - Backend Port: the port mapped to the ECS instance. Valid values: 1 to 65535.
      - Protocol: the protocol used by the ports.
  - Entry Name: Enter a name for the DNAT entry. The name must be 2 to 128 characters in length, and can contain letters, digits, underscores (_), and hyphens (-). It must start with a letter and cannot start with http:// or https://.
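Two rules in the DNAT parameters interact with SNAT entries on the same gateway: a NAT IP address used for IP mapping (Any Port) is dedicated to that one DNAT entry, and a port-mapping entry whose frontend port is above 1024 on a NAT IP that an SNAT entry also uses collides with the default SNAT port range of 1025 to 65535 unless the port limit is removed. The checker below is an added example, not code from this page or the NAT Gateway product; it models a proposed set of entries and reports those conflicts before they are submitted. It also flags two DNAT entries that map the same NAT IP, protocol and frontend port, which is a general NAT constraint rather than one stated on this page. All entry values are constructed.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Sequence, Tuple

# Default SNAT source-port range stated on the page.
SNAT_PORT_MIN, SNAT_PORT_MAX = 1025, 65535


@dataclass
class SnatEntry:
    name: str
    source: str                 # VPC, vSwitch, ECS or custom CIDR block
    nat_ips: Tuple[str, ...]    # NAT IPs selected for the entry


@dataclass
class DnatEntry:
    name: str
    nat_ip: str
    private_ip: str
    protocol: str = "tcp"
    frontend_port: Optional[int] = None   # None = Any Port (IP mapping)
    backend_port: Optional[int] = None


def check_nat_entries(snats: Sequence[SnatEntry], dnats: Sequence[DnatEntry],
                      port_limits_removed: FrozenSet[str] = frozenset()) -> List[str]:
    """Return a list of conflicts in a proposed set of SNAT and DNAT entries.

    port_limits_removed: NAT IPs on which "Remove Port Limits" has been applied.
    """
    issues: List[str] = []
    snat_users: Dict[str, List[str]] = {}
    for s in snats:
        for ip in s.nat_ips:
            snat_users.setdefault(ip, []).append(s.name)
    dnat_by_ip: Dict[str, List[DnatEntry]] = {}
    for d in dnats:
        dnat_by_ip.setdefault(d.nat_ip, []).append(d)
    seen_mappings = set()

    for d in dnats:
        if d.frontend_port is None:
            # IP mapping: the NAT IP may not appear in any other DNAT or SNAT entry.
            others = [o.name for o in dnat_by_ip[d.nat_ip] if o is not d]
            if others:
                issues.append(f"{d.name}: IP mapping on {d.nat_ip} conflicts with DNAT {others}")
            if d.nat_ip in snat_users:
                issues.append(f"{d.name}: IP mapping on {d.nat_ip} conflicts with SNAT {snat_users[d.nat_ip]}")
            continue

        # Port mapping: validate ports and look for collisions.
        if d.backend_port is None or not 1 <= d.backend_port <= 65535:
            issues.append(f"{d.name}: backend port must be 1 to 65535")
        if not 1 <= d.frontend_port <= 65535:
            issues.append(f"{d.name}: frontend port must be 1 to 65535")
        key = (d.nat_ip, d.protocol.lower(), d.frontend_port)
        if key in seen_mappings:
            issues.append(f"{d.name}: duplicate mapping {key}")
        seen_mappings.add(key)
        # A frontend port inside the default SNAT range on a NAT IP that SNAT
        # also uses needs the port limit removed first.
        if (d.nat_ip in snat_users and SNAT_PORT_MIN <= d.frontend_port <= SNAT_PORT_MAX
                and d.nat_ip not in port_limits_removed):
            issues.append(
                f"{d.name}: frontend port {d.frontend_port} on {d.nat_ip} lies in the default "
                f"SNAT port range {SNAT_PORT_MIN}-{SNAT_PORT_MAX} used by SNAT {snat_users[d.nat_ip]}; "
                f"remove the port limit or choose a port of 1024 or lower")
    return issues


if __name__ == "__main__":
    # Constructed sample entries.
    snats = [SnatEntry("snat-vpc", "192.168.0.0/16", ("10.1.0.10", "10.1.0.11"))]
    dnats = [
        DnatEntry("web", "10.1.0.10", "192.168.1.5", "tcp", 8080, 80),
        DnatEntry("ssh", "10.1.0.10", "192.168.1.5", "tcp", 22, 22),
        DnatEntry("all", "10.1.0.12", "192.168.1.6"),
    ]
    for issue in check_nat_entries(snats, dnats):
        print(issue)
```

Running it reports only the `web` entry, because port 8080 on 10.1.0.10 falls inside the SNAT port range that `snat-vpc` already uses; passing `port_limits_removed=frozenset({"10.1.0.10"})` clears that report, which mirrors clicking Remove Port Limits in the console.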
Configure routes
Perform the following operations to configure routes based on your network configuration:
- If the default NAT CIDR block is used to provide NAT services:
  - Add the following route entry to the system route table of the VPC to which the VPC NAT gateway belongs: set the destination CIDR block to the peer CIDR block and the next hop to the VPC NAT gateway. For more information, see Create and manage a route table.
  - Associate a custom route table with the vSwitch to which the VPC NAT gateway belongs. Check whether the route table learns dynamic route entries from the peer CIDR block, for example, dynamic route entries from the CIDR block of a Cloud Enterprise Network (CEN) instance.
    - If the route table learns dynamic route entries from the peer CIDR block, you do not need to add a custom route entry to the custom route table, because the learned route entry already points to the peer network.
    - If the route table does not learn dynamic route entries from the peer CIDR block, you must add a custom route entry to the custom route table: set the destination CIDR block to the peer CIDR block and the next hop to the peer device, such as a virtual border router (VBR) or a CEN instance. For more information, see Subnet routing.
- If a custom NAT CIDR block is used to provide NAT services:
  - Add the following route entry to the system route table of the VPC to which the VPC NAT gateway belongs: set the destination CIDR block to the custom NAT CIDR block and the next hop to the VPC NAT gateway.
  - Add the following route entry to the same system route table: set the destination CIDR block to the peer CIDR block and the next hop to the VPC NAT gateway.
  - Associate a custom route table with the vSwitch to which the VPC NAT gateway belongs and add the following route entry to it: set the destination CIDR block to the peer CIDR block and the next hop to the peer network device, such as a router interface or a transit router.
  - If you want a VPC to communicate with an on-premises network or another VPC by using a custom NAT CIDR block of a VPC NAT gateway, you must create Enterprise Edition transit routers. For more information about Enterprise Edition transit routers, see How transit routers work and Create a transit router.
What to do next
| Operation | Description |
| --- | --- |
| Modify an SNAT entry | |
| Delete an SNAT entry | |
| Modify a DNAT entry | |
| Delete a DNAT entry | |
| Modify a VPC NAT gateway | |
| Delete a NAT IP address and a NAT CIDR block | You can delete the NAT IP addresses of a custom NAT CIDR block and then delete the NAT CIDR block. Before you can delete a custom NAT CIDR block, you must delete the NAT IP addresses of the CIDR block. You can delete the custom NAT IP addresses of the default NAT CIDR block. However, you cannot delete the default NAT IP address or the default NAT CIDR block. |
| Delete a VPC NAT gateway | |
References
CreateNatGateway: creates a VPC NAT gateway.
CreateNatIpCidr: creates a NAT CIDR block.
CreateNatIp: creates a NAT IP address.
ModifyNatGatewayAttribute: modifies a VPC NAT gateway.
DeleteNatIp: deletes a NAT IP address.
DeleteNatIpCidr: deletes a NAT CIDR block.
DeleteNatGateway: deletes a VPC NAT gateway.