Virtual Private Cloud (VPC) NAT gateways provide the private NAT feature, which allows private communication between networks whose IP addresses conflict, or controlled access to specified private addresses.
Background information
You can use VPC NAT gateways to address the following private network communication issues:
To enable private communication between two VPCs whose CIDR blocks conflict, configure a VPC NAT gateway with a unique private address for each VPC.
To enable private communication between a VPC and a data center, configure a VPC NAT gateway and specify the private IP addresses to use.
Why VPC NAT Gateway?
VPC NAT Gateway provides the following benefits:
Security
VPC NAT Gateway can avoid exposing addresses, uses SNAT entries to control inbound traffic, and supports fine-grained outbound rules.
High elasticity
VPC NAT Gateway supports automatic scaling and high performance to meet requirements in scenarios such as traffic spikes.
High availability
VPC NAT Gateway supports cross-zone disaster recovery. This ensures that services can run as expected if one zone fails.
Flexible billing
VPC NAT Gateway supports the pay-as-you-go billing method to reduce costs.
Monitoring
VPC NAT Gateway supports multiple monitoring metrics in various dimensions, and supports session logs and VPC flow logs to meet different monitoring requirements.
Features
VPC NAT gateways provide the SNAT and DNAT features. The following table describes the features.
Feature | Description | References |
SNAT | VPC NAT Gateway uses NAT IP addresses to allow instances in a VPC to access external private networks. | Create and manage SNAT entries on a VPC NAT gateway |
DNAT | VPC NAT Gateway maps NAT IP addresses and ports to the IP addresses and ports of instances in a VPC, so that the instances can provide private services to external networks. | Create and manage DNAT entries on a VPC NAT gateway |
Auto scaling | VPC NAT Gateway supports auto scaling based on your business requirements. By default, VPC NAT Gateway supports 5 Gbit/s of traffic processing, 100,000 new connections per second, and 2 million concurrent connections per minute. The traffic processing capacity can be scaled up to 15 Gbit/s automatically. | Usage notes |
Session log | NAT Gateway supports the session log feature. After you create an SNAT entry and traffic flows through the NAT gateway, SNAT sessions are recorded as logs to facilitate traffic monitoring and tracking. | Session log (public preview) |
Various monitoring metrics | VPC NAT Gateway supports multiple monitoring metrics, so you can monitor VPC NAT gateways in real time. | Monitoring and O&M of VPC NAT gateways |
Usage notes
When you create a VPC NAT gateway, you must select a VPC and a vSwitch in the VPC. To facilitate route configuration, we recommend that you use a vSwitch that is exclusive to the VPC NAT gateway.
NAT IP addresses are the IP addresses specified in SNAT or DNAT entries. After you create a VPC NAT gateway, the CIDR block of the vSwitch that you specified for the gateway is used as the default NAT CIDR block, and an IP address from that block is used as the default NAT IP address. You can add IP addresses to the default NAT CIDR block or create a new NAT CIDR block. For more information about how to use NAT CIDR blocks to configure routes, see Configure routes.
Newly created NAT CIDR blocks must meet the following requirements:
The NAT CIDR block must fall within 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, or their subnets.
The subnet mask must be 16 to 32 bits in length.
The NAT CIDR block cannot overlap with the private CIDR block of the VPC to which the NAT gateway belongs. If you want to use other IP addresses from the VPC to provide NAT services, create a separate vSwitch and attach it to another VPC NAT gateway.
You can specify the user CIDR block of a VPC as the NAT CIDR block of a VPC NAT gateway that belongs to the VPC. For more information, see What is a user CIDR block?
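The following is an added example, not code from the VPC NAT Gateway documentation: a small preflight check that tests a candidate NAT CIDR block against the three requirements listed above (RFC 1918 range, 16- to 32-bit mask, no overlap with the VPC's own CIDR block) before the block is created. The function name `check_nat_cidr` and the sample CIDR blocks are assumptions constructed for the example.

```python
import ipaddress

# The private ranges a new NAT CIDR block must fall within, as listed in the usage notes.
PRIVATE_RANGES = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]
MIN_PREFIX, MAX_PREFIX = 16, 32  # allowed subnet mask length, in bits


def check_nat_cidr(candidate: str, vpc_cidr: str) -> list[str]:
    """Return the requirements the candidate NAT CIDR block violates.

    An empty list means the block satisfies every requirement on this page.
    `vpc_cidr` is the private CIDR block of the VPC that owns the NAT gateway.
    """
    problems: list[str] = []
    try:
        # strict=True rejects blocks with host bits set, such as 10.1.2.3/24.
        nat = ipaddress.ip_network(candidate, strict=True)
    except ValueError as exc:
        return [f"not a valid CIDR block: {exc}"]
    vpc = ipaddress.ip_network(vpc_cidr)
    if nat.version != 4 or vpc.version != 4:
        return ["NAT CIDR blocks and the VPC CIDR block must be IPv4"]

    if not any(nat.subnet_of(r) for r in PRIVATE_RANGES):
        problems.append("must fall within 10.0.0.0/8, 172.16.0.0/12 or 192.168.0.0/16")
    if not MIN_PREFIX <= nat.prefixlen <= MAX_PREFIX:
        problems.append(f"subnet mask must be {MIN_PREFIX} to {MAX_PREFIX} bits, got /{nat.prefixlen}")
    if nat.overlaps(vpc):
        problems.append(f"overlaps the private CIDR block {vpc} of the VPC")
    return problems


if __name__ == "__main__":
    # Constructed sample: a VPC using 10.0.0.0/16 and several candidate NAT blocks.
    vpc = "10.0.0.0/16"
    for cand in ("192.168.100.0/24", "10.0.5.0/24", "11.0.0.0/16", "10.0.0.0/8", "172.32.0.0/16"):
        issues = check_nat_cidr(cand, vpc)
        print(cand, "OK" if not issues else "; ".join(issues))
```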
By default, a VPC NAT gateway can process traffic at 5 Gbit/s and scale up to 15 Gbit/s as traffic increases. To increase the traffic processing capacity, new connection rate, and concurrent connection rate, contact your account manager.
Metrics | SessionNewConnection | SessionActiveConnection | Data forwarding |
Default metric | 100,000 | 2,000,000 | 5 Gbit/s to 15 Gbit/s (automatic scaling) |
The following content describes the preceding metrics:
- SessionNewConnection: the number of new connections per second.
- SessionActiveConnection: the number of concurrent connections per minute.
- Data forwarding: the amount of inbound and outbound traffic processed per hour.
Limits
Instance limits
Item | Limit | Adjustable |
Maximum number of VPC NAT gateways that you can create for a VPC | 5 | You can request a quota increase by using one of the following methods: |
Number of NAT IP addresses that you can create for a VPC NAT gateway | 20 | You can request a quota increase by using one of the following methods: |
SNAT limits
Item | Limit | Adjustable |
Maximum number of SNAT entries that you can create on a VPC NAT gateway | 40 | You can request a quota increase by using one of the following methods: |
Maximum number of concurrent connections, limited by the number of IP addresses in an SNAT entry | If ECS instances in a VPC access the same destination IP address and port through a VPC NAT gateway, the maximum number of concurrent connections that the VPC NAT gateway supports is N×55000, where N is the number of NAT IP addresses specified in the SNAT entry. | N/A |
DNAT limits
Item | Limit | Adjustable |
Maximum number of DNAT entries that you can create on a VPC NAT gateway | 100 | You can request a quota increase by using one of the following methods: |