Internet NAT gateways allow instances to access the Internet by using the network address translation feature. This avoids address exposure and improves network security.
Background
We recommend that you purchase an Internet NAT gateway together with an elastic IP address (EIP). After the Internet NAT gateway is created, the EIP is automatically associated with the Internet NAT gateway. For more information, see Purchase an Internet NAT gateway and an EIP.
In this topic, the Internet NAT gateway is created in standard mode.
When you create the first Internet NAT gateway in a VPC, the system automatically adds a route whose destination CIDR block is 0.0.0.0/0 and whose next hop is the Internet NAT gateway to the system route table of the VPC. This route is used to route traffic to the Internet NAT gateway. If the VPC has a custom route table or multiple Internet NAT gateways exist in the VPC, manually add routes based on your requirements. For more information, see Create and manage a route table.
If a route whose destination CIDR block is 0.0.0.0/0 already exists in the system route table of the VPC before the Internet NAT gateway is created, the system does not automatically add a route that points to the Internet NAT gateway.
SNAT entries do not take effect on ECS instances that are assigned public IP addresses. For example, an ECS instance may be assigned a static public IP address, associated with an elastic IP address (EIP), or configured with DNAT IP mapping. In this case, the ECS instance uses its public IP address instead of an SNAT entry of an Internet NAT gateway to access the Internet. If you want such ECS instances in a VPC to use the same EIP to access the Internet, see Configure ECS instances that are assigned static public IP addresses to use the same EIP to access the Internet and Configure ECS instances that are configured with DNAT IP mapping to use the same NAT IP address to access the Internet.
If the source CIDR blocks of multiple SNAT entries overlap with each other, the CIDR block with the longest subnet mask is used.
For example, if you create an SNAT entry for an ECS instance, the subnet mask of the source CIDR block is /32, which is the longest subnet mask. Therefore, the SNAT entry has the highest priority. For SNAT entries that you create for other resources, the system determines the priority of each SNAT entry based on the subnet mask length of its source CIDR block: an SNAT entry with a longer subnet mask has a higher priority.
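The following Python is an added illustration, not code from the page or the product, of the two Background rules above: an instance that already has a public address bypasses SNAT, and overlapping SNAT source CIDR blocks are resolved by the longest subnet mask. The entry names, private CIDR blocks, EIPs and instance dictionary keys are constructed placeholders.

```python
from ipaddress import ip_address, ip_network

# Constructed sample SNAT table for one Internet NAT gateway. Entry names,
# private CIDR blocks and EIPs are placeholders, not real resources.
SNAT_ENTRIES = [
    {"name": "snat-vpc", "source_cidr": "192.168.0.0/16", "eip": "203.0.113.10"},
    {"name": "snat-vsw", "source_cidr": "192.168.1.0/24", "eip": "203.0.113.11"},
    {"name": "snat-ecs", "source_cidr": "192.168.1.20/32", "eip": "203.0.113.12"},
]


def select_snat_entry(entries, private_ip):
    """Return the SNAT entry whose source CIDR block contains private_ip.

    When several source CIDR blocks overlap, the block with the longest
    subnet mask wins, so a /32 entry for one ECS instance beats the /24
    entry for its vSwitch, which beats the /16 entry for the whole VPC.
    """
    addr = ip_address(private_ip)
    matches = [
        e for e in entries
        if addr in ip_network(e["source_cidr"], strict=False)
    ]
    if not matches:
        return None
    return max(matches, key=lambda e: ip_network(e["source_cidr"], strict=False).prefixlen)


def egress_address(instance, entries):
    """Decide which public address an instance egresses through.

    instance is a dict with "private_ip" and optionally "static_public_ip",
    "eip" or "dnat_ip_mapping" (constructed keys). An instance that already
    has one of those public addresses bypasses SNAT entirely; otherwise the
    longest-mask SNAT entry supplies the EIP. Returns (address, reason).
    """
    for key in ("static_public_ip", "eip", "dnat_ip_mapping"):
        if instance.get(key):
            return instance[key], key
    entry = select_snat_entry(entries, instance["private_ip"])
    if entry is None:
        return None, "no-snat-entry"
    return entry["eip"], "snat:" + entry["name"]


if __name__ == "__main__":
    for ip in ("192.168.1.20", "192.168.1.5", "192.168.7.9", "10.0.0.1"):
        print(ip, "->", egress_address({"private_ip": ip}, SNAT_ENTRIES))
```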
If your ECS instance is already associated with an EIP, you cannot create a DNAT entry for the ECS instance. Before you can create a DNAT entry for the ECS instance, you must disassociate the EIP from it. For more information about how to disassociate an EIP, see Disassociate an EIP from a cloud resource.
Prerequisites
A VPC and a vSwitch are created. For more information, see Create a VPC with an IPv4 CIDR block.
An EIP is created. For more information, see Apply for an EIP.
Create an Internet NAT gateway
- Log on to the NAT Gateway console.
- On the Internet NAT Gateway page, click Create Internet NAT Gateway.
When you create an Internet NAT gateway for the first time, click Create in the Notes on Creating Service-linked Roles section of the buy page to create a service-linked role. After the service-linked role is created, you can create Internet NAT gateways. For more information, see Service-linked roles.
- On the buy page, set the following parameters and click Buy Now.
Parameter | Description |
Billing Method | By default, Pay-As-You-Go is selected. You pay for resources after you use them. For more information, see Billing of Internet NAT gateways. |
Resource Group | Select the resource group to which the virtual private cloud (VPC) belongs. For more information, see Resource group overview. |
Tags | Tag Key: select or enter a tag key. You can specify at most 20 tag keys. A tag key can be up to 64 characters in length, cannot start with aliyun or acs:, and cannot contain http:// or https://. Tag Value: select or enter a tag value. You can specify at most 20 tag values. A tag value can be up to 128 characters in length, cannot start with aliyun or acs:, and cannot contain http:// or https://. |
Region | Select the region where you want to create the Internet NAT gateway. |
VPC | Select the VPC where you want to create the Internet NAT gateway. After the Internet NAT gateway is created, you cannot change the VPC to which it belongs. |
Associate vSwitch | Select the vSwitch to which the Internet NAT gateway belongs. |
Metering Method | By default, Pay-By-CU is selected. You are charged based on the resources that you use. For more information, see Billing of Internet NAT gateways. |
Billing Cycle | By default, By Hour is selected. Bills are generated on an hourly basis. If you use an Internet NAT gateway for less than 1 hour, the usage duration is rounded up to 1 hour. |
Instance Name | Enter a name for the Internet NAT gateway. The name must be 2 to 128 characters in length, can contain digits, underscores (_), and hyphens (-), and must start with a letter. |
Access Mode | Select the mode in which you want to create the Internet NAT gateway. SNAT for All VPC Resources: the Internet NAT gateway is created in unified access mode, and after it is created all resources in the VPC can access the Internet by using the SNAT feature of the NAT gateway; if you select this value, you must also specify an EIP. Configure Later: only the Internet NAT gateway is created and no SNAT entry is created; you configure the Internet NAT gateway in the console after you complete the payment. In this example, Configure Later is selected. |
- On the Confirm page, confirm the information, select the Terms of Service check box, and then click Confirm.
When the Purchased message appears, the Internet NAT gateway is created.
Associate an EIP with an Internet NAT gateway
Starting September 19, 2022, if you associate an EIP with a newly created Internet NAT gateway, a random private IP address of the vSwitch where the NAT gateway resides is used. Make sure that the vSwitch has sufficient private IP addresses available for use. Otherwise, you cannot associate an EIP with the NAT gateway. Existing NAT gateways are not affected.
An Internet NAT gateway works as expected only after you associate an EIP with the Internet NAT gateway. You can associate up to 20 EIPs with an Internet NAT gateway. You can go to the Quota Management page to request a quota increase. Before you associate an EIP with an Internet NAT gateway, make sure that an Internet NAT gateway is created.
- Log on to the NAT Gateway console.
- In the top navigation bar, select the region where the Internet NAT gateway resides.
- On the Internet NAT Gateway page, find the Internet NAT gateway and click Associate Now in the EIP column.
- In the Associate EIP dialog box, set the following parameters and click OK.
Parameter | Description |
Resource Group | Select the resource group of the EIP. |
Select EIP | Select the EIP that you want to associate with the Internet NAT gateway. Valid values: Select Existing EIP: selects an existing EIP from the drop-down list. Purchase and Associate EIP: the system automatically creates an EIP that is billed on a pay-by-data-transfer basis and associates the EIP with the Internet NAT gateway. |
After you associate an EIP with the Internet NAT gateway, the EIP is displayed in the Elastic IP Address column.
Create an SNAT entry
You can configure SNAT entries on an Internet NAT gateway to allow Elastic Compute Service (ECS) instances in a virtual private cloud (VPC) to access the Internet when the ECS instances are not assigned public IP addresses.
- Log on to the NAT Gateway console.
- In the top navigation bar, select the region where the Internet NAT gateway resides.
- On the Internet NAT Gateway page, find the NAT gateway that you want to manage and click Configure SNAT in the Actions column.
- On the SNAT Management tab, click Create SNAT Entry.
- On the Create SNAT Entry page, set the following parameters and click OK.
Parameter | Description |
SNAT Entry | Specify whether you want to create an SNAT entry for a VPC, a vSwitch, an ECS instance, or a custom CIDR block. |
Select EIP | Select one or more EIPs to access the Internet. |
EIP Affinity | You can choose whether to enable EIP affinity if you select multiple EIPs. |
Entry Name | Enter a name for the SNAT entry. |
SNAT Entry supports the following options:
Specify VPC: All ECS instances in the VPC to which the Internet NAT gateway belongs use the EIP in the SNAT entry to access the Internet.
Select vSwitch: The ECS instances that belong to the vSwitch use the specified EIP to access the Internet. Select a vSwitch from the drop-down list, or click Create vSwitch to create a vSwitch in the VPC console. If you select multiple vSwitches, the system creates multiple SNAT entries that use the same EIP. vSwitch CIDR Block displays the CIDR block of the selected vSwitch.
Specify ECS Instance/ENI: The specified ECS instance or ENI uses the EIP to access the Internet. Select an ECS instance or ENI from the drop-down list, or click Create ECS Instance to create an ECS instance in the ECS console. If you select multiple ECS instances, the system creates multiple SNAT entries that use the same EIP. Make sure that the ECS instance meets the following requirements: it is in the Running state, no EIP is associated with it, and it is not assigned a static public IP address. ECS Instance/ENI displays the CIDR block of the ECS instance or ENI.
Specify Custom CIDR Block: ECS instances in the specified CIDR block use the SNAT entry to access the Internet.
Select EIP supports the following options:
Use One IP Address: Select an EIP from the drop-down list. If no EIPs are available in the drop-down list, click Purchase and Associate EIP in the drop-down list and purchase an EIP in the dialog box that appears.
Use Multiple IP Addresses: Select multiple EIPs from the Public IP Address list. If you add multiple EIPs to an SNAT IP address pool, network traffic is distributed based on a hashing algorithm instead of being evenly distributed to each EIP. To prevent individual EIPs from being overloaded, we recommend that you associate the EIPs with the same Internet Shared Bandwidth instance.
EIP Affinity: If EIP affinity is disabled and one private IP address accesses a destination IP address multiple times, a different EIP may be used each time. If EIP affinity is enabled, the same EIP is used each time the private IP address accesses the destination IP address. If the number of sessions is high, the monitored count of failed port allocations may increase.
Create a DNAT entry
You can use the DNAT feature of Internet NAT Gateway to map public IP addresses to Elastic Compute Service (ECS) instances through port mapping or IP mapping. This way, the ECS instances can provide services over the Internet.
- Log on to the NAT Gateway console.
- In the top navigation bar, select the region where the Internet NAT gateway resides.
- On the Internet NAT Gateway page, find the NAT gateway that you want to manage and click Configure DNAT in the Actions column.
- On the DNAT Management tab, click Create DNAT Entry.
- On the Create DNAT Entry page, set the following parameters and click Confirm.
Parameter
Description
Select EIP
Select an EIP.
Note: For Internet NAT gateways, you can specify the same EIP in an SNAT entry and a DNAT entry.
Select Private IP Address
Specify the IP address of the ECS instance that uses the DNAT entry to communicate with the Internet. You can specify a destination private IP address in one of the following ways:
Select by ECS or ENI: Specify the private IP address by selecting the ECS instance or the elastic network interface (ENI) that is associated with the ECS instance from the drop-down list.
Manually Enter: Enter the private IP address.
Port Settings
Choose a DNAT mapping method:
Any Port: specifies IP mapping. The requests destined for the EIP are forwarded to the specified ECS instance. The specified ECS instance can use the EIP to access the Internet.
Note: If IP mapping is configured for an EIP in a DNAT entry, the EIP cannot be used in another DNAT entry or SNAT entry.
If an Internet NAT gateway is configured with an SNAT entry and a DNAT entry that uses IP mapping, the ECS instance preferentially uses DNAT to access the Internet.
Specific Port: specifies port mapping. The Internet NAT gateway forwards requests to the selected ECS instance based on the specified protocol and ports.
After you select Specific Port, set the following parameters based on your business requirements:
Public Port: the external port or port range that is used in port forwarding.
Valid values: 1 to 65535.
To specify a port range, separate the first port and the last port with a forward slash (/), such as 10/20.
If Public Port is set to a port range, you must also set Private Port to a port range. In addition, the public port range and private port range must specify the same number of ports. For example, if you set Public Port to 10/20, you can set Private Port to 80/90.
If the selected EIP is already specified in an SNAT entry and the port number is greater than 1024, click Remove Port Limits and click OK, because the default SNAT port range is 1025 to 65535. Warning: This operation may temporarily interrupt existing SNAT connections. You can solve this problem by reestablishing the connections. Proceed with caution.
Private Port: the private port or port range that is used in port forwarding.
Protocol Type: the protocol used by the ports.
Entry Name
Enter a name for the DNAT entry.
The name must be 2 to 128 characters in length, and can contain digits, underscores (_), and hyphens (-). It must start with a letter.
Note: After you create a DNAT entry for an ECS instance, you need to configure security group rules for the security group that is associated with the ECS instance. For information about how to add an inbound security group rule, see Add a security group rule.
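As an added example, not code from the page or the product, the following Python encodes the Specific Port rules above: the first/last port format such as 10/20, the 1 to 65535 limit, the requirement that public and private ranges contain the same number of ports, and the Remove Port Limits condition that applies when the EIP is shared with an SNAT entry and the public port lies inside the default SNAT port range of 1025 to 65535. The function names and the eip_used_by_snat flag are assumptions.

```python
import re

PORT_MIN, PORT_MAX = 1, 65535
SNAT_DEFAULT_PORT_RANGE = (1025, 65535)  # default SNAT port range given on the page


def parse_port_spec(spec):
    """Parse a Public Port or Private Port value from the console.

    Accepts a single port ("80") or a range "first/last" ("10/20") and
    returns an inclusive (first, last) tuple. Raises ValueError for anything
    outside 1 to 65535 or a range whose first port is above its last port.
    """
    m = re.fullmatch(r"(\d{1,5})(?:/(\d{1,5}))?", spec.strip())
    if not m:
        raise ValueError(f"malformed port value: {spec!r}")
    first = int(m.group(1))
    last = int(m.group(2)) if m.group(2) else first
    if not (PORT_MIN <= first <= last <= PORT_MAX):
        raise ValueError(f"ports must be {PORT_MIN} to {PORT_MAX}, first <= last: {spec!r}")
    return first, last


def validate_port_mapping(public_spec, private_spec, eip_used_by_snat=False):
    """Apply the Specific Port rules to one DNAT entry.

    Both values must describe the same number of ports. If the EIP is also
    used by an SNAT entry and the public port falls inside the default SNAT
    port range, the console requires Remove Port Limits, which may interrupt
    existing SNAT connections; that condition is surfaced as a flag here.
    """
    pub = parse_port_spec(public_spec)
    priv = parse_port_spec(private_spec)
    if (pub[1] - pub[0]) != (priv[1] - priv[0]):
        raise ValueError("public and private port ranges must contain the same number of ports")
    needs_remove_limits = bool(eip_used_by_snat and pub[1] >= SNAT_DEFAULT_PORT_RANGE[0])
    return {"public": pub, "private": priv, "remove_port_limits_required": needs_remove_limits}


def map_public_port(mapping, public_port):
    """Translate one inbound public port to the private port of the ECS instance."""
    pub, priv = mapping["public"], mapping["private"]
    if not pub[0] <= public_port <= pub[1]:
        raise ValueError(f"port {public_port} is outside the public range {pub}")
    return priv[0] + (public_port - pub[0])


if __name__ == "__main__":
    mapping = validate_port_mapping("10/20", "80/90")
    print(mapping, "public 15 ->", map_public_port(mapping, 15))
    print(validate_port_mapping("8080", "80", eip_used_by_snat=True))
```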
Add a tag to an Internet NAT gateway
As your business grows, the number of Internet NAT gateways may grow along with it. This results in a large number of gateways that may be hard to manage. We recommend that you add tags to the Internet NAT gateways to manage them by groups. After you add tags, you can search for and filter Internet NAT gateways by tag.
Tags are used to classify Internet NAT gateways. Each tag consists of a key and a value. To use tags, make sure that the following requirements are met:
The key of each tag that is added to an Internet NAT gateway must be unique.
You cannot create tags without adding them to Internet NAT gateways. All tags must be added to Internet NAT gateways.
The tag information is not shared across regions.
For example, tags created in the China (Hangzhou) region are not displayed in the China (Shanghai) region.
You can modify the key and value of a tag or remove a tag from an Internet NAT gateway. If you delete an Internet NAT gateway, the tags that are added to the Internet NAT gateway are deleted.
You can add up to 20 tags to each Internet NAT gateway. You cannot increase the quota.
- Log on to the NAT Gateway console.
- In the top navigation bar, select the region where the Internet NAT gateway resides.
- On the Internet NAT Gateway page, find the Internet NAT gateway, move the pointer over the Tags column, and then click Add or Edit.
- In the Configure Tags dialog box, set the following parameters and click OK.
Parameter | Description |
Tag Key | The key of the tag. You can select or enter a key. The tag key can be up to 128 characters in length. It cannot start with aliyun or acs:, and cannot contain http:// or https://. |
Tag Value | The value of the tag. You can select or enter a value. The tag value can be up to 128 characters in length. It cannot start with aliyun or acs:, and cannot contain http:// or https://. |
- Return to the Internet NAT Gateway page and click Filter by Tag. In the Filter by Tag dialog box, you can specify a tag key and a tag value to search for an Internet NAT gateway.
Modify an Internet NAT gateway
- Log on to the NAT Gateway console.
- In the top navigation bar, select the region where the Internet NAT gateway resides.
- On the Internet NAT Gateway page, find the NAT gateway that you want to manage and click Manage in the Actions column.
- In the Basic Information section of the Basic Information tab, you can perform the following operations to modify the Internet NAT gateway.
Modify the name of the Internet NAT gateway
Click Edit next to Instance Name. In the dialog box that appears, enter a new name and click OK.
Modify the description of the Internet NAT gateway
Click Edit next to Description. In the dialog box that appears, enter a new description for the Internet NAT gateway and click OK.
Enable or disable deletion protection
Click Enable Deletion Protection or Disable Deletion Protection next to Deletion Protection.
Enable or disable ICMP retrieval
Turn on or turn off the switch next to ICMP Retrieval.
Note: By default, ICMP retrieval is enabled for NAT gateways. In this case, the NAT gateway itself returns ICMP packets. If you run the ping command to perform probes, the response packets come from the NAT gateway, which does not mean that the backend servers are running as expected. Therefore, the accuracy of probes in the O&M system may be affected when ICMP retrieval is enabled. If ICMP retrieval is disabled, NAT gateways do not return ICMP packets. If Any Port is specified for DNAT, NAT gateways forward ICMP packets to backend servers.
What to do next
Operation | Description |
Modify an SNAT entry | |
Delete an SNAT entry | |
Modify a DNAT entry | |
Delete a DNAT entry | |
Disassociate an EIP from an Internet NAT gateway | Make sure that the EIP to be disassociated is not used in an SNAT entry or a DNAT entry. If the EIP is used in an SNAT or a DNAT entry, delete the SNAT or DNAT entry first. |
Delete an Internet NAT gateway | |
References
CreateNatGateway: creates an Internet NAT gateway.
AssociateEipAddress: associates an EIP with an instance.
CreateSnatEntry: creates an SNAT entry.
CreateForwardEntry: creates a DNAT entry.
DeleteSnatEntry: deletes an SNAT entry.
DeleteForwardEntry: deletes a DNAT entry.
UnassociateEipAddress: disassociates an EIP from an instance.
TagResources: adds tags to an instance.
ModifyNatGatewayAttribute: modifies the basic information about an Internet NAT gateway.
DeleteNatGateway: deletes an Internet NAT gateway.