All Products
Search
Document Center

Virtual Private Cloud:CreateNatGateway

Last Updated:Dec 20, 2024

Creates an enhanced Internet NAT gateway or a Virtual Private Cloud (VPC) NAT gateway.

Operation description

Usage notes

Before you call this operation, take note of the following items:

  • When you create an enhanced NAT gateway for the first time, the system automatically creates the service-linked role AliyunServiceRoleForNatgw. Then, the system attaches the permission policy AliyunServiceRolePolicyForNatgw to the role. This allows the NAT gateway to access other resources on Alibaba Cloud. For more information, see Service-linked roles.

  • After you create an enhanced Internet NAT gateway, a route entry is automatically added to the route table of the VPC. The destination CIDR block of the route entry is 0.0.0.0/0 and the next hop is the NAT gateway. This ensures that traffic is routed to the NAT gateway.

  • CreateNatGateway is an asynchronous operation. After a request is sent, the system returns a request ID and runs the task in the background. You can call the DescribeNatGateways operation to query the status of the task.

    • If a NAT gateway is in the Creating state, the NAT gateway is being created. In this case, you can query the NAT gateway but cannot perform other operations.

    • If a NAT gateway is in the Available state, the NAT gateway is created.

It takes 1 to 3 minutes to create a NAT gateway.

Debugging

You can run this interface directly in OpenAPI Explorer, saving you the trouble of calculating signatures. After running successfully, OpenAPI Explorer can automatically generate SDK code samples.

Authorization information

The following table shows the authorization information corresponding to the API. The authorization information can be used in the Action policy element to grant a RAM user or RAM role the permissions to call this API operation. Description:

  • Operation: the value that you can use in the Action element to specify the operation on a resource.
  • Access level: the access level of each operation. The levels are read, write, and list.
  • Resource type: the type of the resource on which you can authorize the RAM user or the RAM role to perform the operation. Take note of the following items:
    • The required resource types are displayed in bold characters.
    • If the permissions cannot be granted at the resource level, All Resources is used in the Resource type column of the operation.
  • Condition Key: the condition key that is defined by the cloud service.
  • Associated operation: other operations that the RAM user or the RAM role must have permissions to perform to complete the operation. To complete the operation, the RAM user or the RAM role must have the permissions to perform the associated operations.
OperationAccess levelResource typeCondition keyAssociated operation
vpc:CreateNatGatewaycreate
*NatGateway
acs:vpc:{#regionId}:{#accountId}:natgateway/*
    none
none

Request parameters

ParameterTypeRequiredDescriptionExample
RegionIdstringYes

The region ID of the NAT gateway.

You can call the DescribeRegions operation to obtain the region ID.

cn-hangzhou
VpcIdstringYes

The ID of the VPC where you want to create the NAT gateway.

vpc-bp1di7uewzmtvfuq8****
NamestringNo

The name of the NAT gateway.

The name must be 2 to 128 characters in length and can contain letters, digits, underscores (_), and hyphens (-). The name must start with a letter.

If this parameter is not set, the system assigns a default name to the NAT gateway.

fortest
DescriptionstringNo

The description of the NAT gateway.

You can leave this parameter empty or enter a description. If you enter a description, the description must be 2 to 256 characters in length and cannot start with http:// or https://.

testnat
ClientTokenstringNo

The client token that is used to ensure the idempotence of the request.

You can use the client to generate the token, but you must make sure that the token is unique among different requests.

Note If you do not specify this parameter, the system automatically uses the request ID as the client token. The request ID may be different for each request.
5A2CFF0E-5718-45B5-9D4D-70B3FF3898
SpecstringNo

Subscription Internet NAT gateways are no longer available for purchase. Ignore this parameter.

Invalid parameter.
InstanceChargeTypestringNo

The billing method of the NAT gateway.

Set the value to PostPaid (pay-as-you-go), which is the default value.

For more information, see Internet NAT gateway billing and VPC NAT gateway billing.

PostPaid
PricingCyclestringNo

Subscription Internet NAT gateways are no longer available for purchase. Ignore this parameter.

Invalid parameter.
DurationstringNo

Subscription Internet NAT gateways are no longer available for purchase. Ignore this parameter.

Invalid parameter.
AutoPaybooleanNo

Subscription Internet NAT gateways are no longer available for purchase. Ignore this parameter.

Invalid parameter.
VSwitchIdstringYes

The ID of the vSwitch to which the NAT gateway is attached.

When you create a NAT gateway, you must specify a vSwitch for the NAT gateway. Then, the system assigns an idle private IP address from the vSwitch to the NAT gateway.

  • To attach the NAT gateway to an existing vSwitch, make sure that the zone to which the vSwitch belongs supports NAT gateways. In addition, the vSwitch must have idle IP addresses.
  • If no vSwitch exists in the VPC, create a vSwitch in a zone that supports NAT gateways. Then, specify the vSwitch for the NAT gateway.
Note You can call the ListEnhanhcedNatGatewayAvailableZones operation to query zones that support NAT gateways. You can call the DescribeVSwitches operation to query idle IP addresses in a vSwitch.
vsw-bp1e3se98n9fq8hle****
NatTypestringYes

The type of NAT gateway. Set the value to Enhanced, which specifies enhanced NAT gateway.

Enhanced
InternetChargeTypestringNo

The metering method of the NAT gateway. Set the value to PayByLcu, which specifies the pay-by-CU metering method.

PayByLcu
NetworkTypestringNo

The network type of the NAT gateway. Valid values:

  • internet: Internet
  • intranet: VPC
internet
SecurityProtectionEnableddeprecatedbooleanNo

Specifies whether to enable the firewall feature. Valid values:

  • false (default)
    Notice This parameter is deprecated.
false
IcmpReplyEnabledbooleanNo

Specifies whether to enable ICMP retrieval. Valid values:

  • true (default)
  • false
true
PrivateLinkEnabledbooleanNo

PrivateLink is not supported by default. If you set the value to true, PrivateLink is supported.

EipBindModestringNo

The mode in which the EIP is associated with the NAT gateway. Valid values:

  • MULTI_BINDED(default): the multi-EIP-to-ENI mode.

  • NAT: NAT mode, which is compatible with IPv4 addresses.

Note If an EIP is associated with a NAT gateway in NAT mode, the EIP occupies a private IP address of the vSwitch where the NAT gateway is deployed. Make sure that the vSwitch has sufficient private IP addresses. Otherwise, EIPs cannot be associated with the NAT gateway. In NAT mode, a maximum number of 50 EIPs can be associated with each NAT gateway.
MULTI_BINDED
Tagarray<object>No

The tags.

MULTI_BINDED
objectNo
KeystringNo

The tag key. The format of Tag.N.Key when you call the operation. Valid values of N: 1 to 20. The tag key cannot be an empty string. The tag key can be up to 128 characters in length and cannot contain http:// or https://. The tag key cannot start with acs: or aliyun.

TestKey
ValuestringNo

The tag value. The format of Tag.N.Value when you call the operation. Valid values of N: 1 to 20. The tag key cannot be an empty string. The tag key can be up to 128 characters in length and cannot contain http:// or https://. The tag key cannot start with acs: or aliyun.

TestValue
AccessModeobjectNo

The access mode for reverse access to the VPC NAT gateway.

ModeValuestringNo

Access mode. Valid values:

  • route: route mode

  • tunnel: tunnel mode

Note If this parameter is specified, you must set PrivateLinkEnabled to true.
route
TunnelTypestringNo

Tunnel mode type:

  • geneve: Geneve type
Note This value takes effect if the access mode is the tunnel mode.

Response parameters

ParameterTypeDescriptionExample
object

The response parameters.

NatGatewayIdstring

The ID of the NAT gateway.

ngw-112za33e4****
RequestIdstring

The request ID.

2315DEB7-5E92-423A-91F7-4C1EC9AD97C3
ForwardTableIdsarray

A list of DNAT entries.

ForwardTableIdstring

A list of DNAT entries.

ftb-11tc6xgmv****
SnatTableIdsarray

A list of SNAT entries.

SnatTableIdstring

A list of SNAT entries.

stb-SnatTableIds****
FullNatTableIdsarray

A list of FULLNAT entries.

FullNatTableIdstring

A list of FULLNAT entries.

fulltb-gw88z7hhlv43rmb26****

Examples

Sample success responses

JSONformat

{
  "NatGatewayId": "ngw-112za33e4****",
  "RequestId": "2315DEB7-5E92-423A-91F7-4C1EC9AD97C3",
  "ForwardTableIds": {
    "ForwardTableId": [
      "ftb-11tc6xgmv****"
    ]
  },
  "SnatTableIds": {
    "SnatTableId": [
      "stb-SnatTableIds****"
    ]
  },
  "FullNatTableIds": {
    "FullNatTableId": [
      "fulltb-gw88z7hhlv43rmb26****"
    ]
  }
}

Error codes

HTTP status codeError codeError messageDescription
400Forbidden.NatPayBySpecPay-by-specification NAT is no longer supported. Newly purchased pay-as-you-go NAT gateways only support the pay-by-CU metering method.Pay-by-specification NAT gateways are no longer available for purchase. Set InternetChargeType to PayByLcu.
400UnsupportedFeature.PrivateLinkThe feature of %s is not supported.-
400DependencyViolation.FullNatEntryThe specified resource of %s depends on %s, so the operation cannot be completed.-
400UnsupportedFeature.InternetChargeTypeThe feature of InternetChargeType is not supported.-
400InvalidVPCStatusvpc incorrect status.The VPC is in an invalid state.
400InvalidNatGatewayName.MalFormedNatGateway name is not valid.The gateway name is invalid.
400InvalidNatGatewayDescription.MalFormedNatGateway description is not valid.The gateway description is invalid.
400MissingParameter.BandwidthPackageonly support one BandwidthPackage be created with NatGateway.You must specify an EIP bandwidth plan.
400OperationDeniedThe user cannot allow to create natgw, please call PD to authorize-
400RouterEntryConflict.DuplicatedA route entry already exists, which CIDR is '0.0.0.0/0'-
400MissingParameterMiss mandatory parameter.Some required parameters are not specified. Specify all required parameters and try again.
400QuotaExceeded.BandwidthPackageIpsThe specified ipCount exceeded quota.The number of IP addresses has reached the upper limit. Request a quota increase on the Quota Management page.
400AllocateIpFailedAlloc bandwidthPackage ips failed, maybe no available ip.-
400InvalidParameter.Name.MalformedThe specified Name is not valid.The specified name format is invalid. Enter the name in the valid format.
400InvalidParameter.Description.MalformedThe specified Description is not valid.The specified description is invalid.
400ZONE_NO_AVAILABLE_IPThe Zone have no available ip.No IP address is available in the zone.
400ParameterIllegalipCount,bandwidth parameter invalid-
400InvalidParameter.BandwidthPackage.n.ISP.ValueNotSupportThe specified ISP of BandwidthPackage is not valid.The specified ISP of the EIP bandwidth plan is invalid.
400InvalidNatGatewayId.NotFoundThe NatGatewayId not exist.The value of the NatGatewayId parameter is invalid.
400VswitchStatusErrorThe VSwitch is creating .The operation is not supported when the vSwitch is being created.
400VpcStatusErrorThe Vpc is creating .The VPC is being created.
400InvalidParameter.Spec.ValueNotSupportedThe specified Spec is not valid.The specification is invalid.
400TaskConflictThe operation is too frequent, TaskConflict.The system is unavailable. Try again later.
400COMMODITY.INVALID_COMPONENTThe instance component is invalid.The instance component is invalid.
400CreateNatGateway.RouteConflict.DynamicRouteRoute conflict exists in routing table.-
400OperationUnsupported.MultiNatGatewayMore than one natGateway per vpc is unsupported.-
400Forbidden.CheckEntryRuleQuotaRoute entry quota rule check error.An error occurred when the system was checking the quota of route entries.
400OperationFailed.UnpaidBillsExistThe account has unpaid bills. Please pay your overdue bill first.This account has unpaid orders.
400IncorrectStatus.RouteEntrySpecified routeEntry status error.-
400OperationFailed.RiskControlRisk control check failed.The error message returned because your payment method has security risks. Click the link for verification in your email or console message and submit your order after verification.
400IncorrectStatus.RouteTableStatus%s-
400OperationFailed.TokenVerfiyToken verify failed.-
400%s%s-
400IllegalParam.NameThe specified Name is invalid, shorter than 2 characters.-
400OperationFailed.EnhancedQuotaExceedEnhanced nat gateway per vpc quota is exceeded-
400OrderError.NoAvailablePaymentMethod%s-
400OrderError.BasicInfoUncompleted%s-
400OperationUnsupported.EnhancedCURegion%s-
400NoPermission.CreateServiceLinkedRoleYou are not authorized to create service linked role-
400OperationUnsupported.EnhancedRegion%s-
400OperationFailed.EnhancedInventoryNotEnoughOperation failed because inventory is not enough.-
400OperationFailed.VswNotBelongToVpcOperation failed because the specified VSwitch is not bound to the same VPC with NAT gateway.The vSwitch and NAT gateway do not belong to the same VPC.
400OperationFailed.EnhancedUserIsUnAuthorizedOperation failed because the user is not authorized to create an enhanced NAT gateway.Operation failed because the user is not authorized to create an enhanced NAT gateway.
400OperationUnsupported.PrePaidPyByLcuThe operation failed because the subscription NAT gateway does not support the pay-by-LCU billing method.The operation failed because the subscription NAT gateway does not support the pay-by-LCU billing method.
400OperationFailed.NormalInventoryNotEnoughStandard NAT gateways are no longer offered. You can create enhanced NAT gateways and set the correct natType.Create an enhanced NAT gateway and ensure that the NatType parameters are configured correctly.
400OperationFailed.VSwitchNoAvailableIpOperation failed because the specified vswitch does not have availabe ip.-
400UnsupportedFeature.IcmpReplyEnabledThe feature of IcmpReplyEnabled is not supported.The value of IcmpReplyEnabled cannot be modified.
400UnsupportedFeature.SecurityProtectionEnabledThe feature of SecurityProtectionEnabled is not supported.-
400OperationFailed.RegionConvertOperation failed because do not find region info.-
400OperationFailed.EnhancedUserIsUnAuthorizedOperation failed because user is unauthorized service account.-
400UnsupportedFeature.VpcNatThe feature of VpcNat is not supported.-
400InvalidVSWITCHID.NotFoundThe specified resource of %s is not found.-
400Forbidden.OperateShareResourceOperate share resource is forbidden.-
400IncorrectStatus.VSWITCHThe status of VSWITCH is incorrect.-
400OperationFailed.VpcNatGatewayInventoryNotEnoughThe operation is failed because of inventory is not enough.-
400OperationFailed.VpcNatGatewayCheckInventoryThe operation is failed because of check inventory result is unexpected-
400ExclusiveParam.%sAnd%sThe param of %s and %s are mutually exclusive.You cannot specify %s and %s at the same time.
400SecurityGroupType.NotSupportedThe specified security group type is not supported.The security group is already hosted and cannot be used.
400SecurityGroup.NotExistThe specified security group is not exist.The security group does not exist in this VPC.
400OperationFailed.ContainForbiddenLabelThere is a label that prohibits ordering, please contact your distributor for processing.There is a label that prohibits ordering, please contact your distributor for processing.
400OperationDenied.PrePaidInstanceThe operation is not allowed because prepaid instance is no longer supported.Prepaid instance is no longer supported.
400UnsupportedFeature.GeneveThe feature of Geneve is not supported.The feature of Geneve is not supported.
400OperationFailed.NoAvailableResourceThe Zone have no available resource.No resources are available in the region.
400ExclusiveParam.AccessModeValueAndAccessTunnelTypeThe specified param AccessModeValue and AccessTunnelType are mutually exclusive.The specified input AccessMode.ModeValue and AccessMode.TunnelType conflict
400ExclusiveParam.PrivateLinkModeAndAccessModeThe specified param PrivateLinkMode and AccessMode are mutually exclusive.The specified input PrivateLinkMode conflicts with the AccessMode.
400ExclusiveParam.PrivateLinkEnabledAndAccessModeThe specified paramPrivateLinkEnabled and AccessMode are mutually exclusive.The specified input PrivateLinkEnabled conflicts with the AccessMode.
400UnsupportedFeature.AccessModeValueThe feature of AccessMode.ModeValue(%s) is not supported.This operation is not supported for the VPC NAT AccessMode.ModeValue attribute
400IllegalParam.AccessTunnelTypeThe request parameter AccessMode.TunnelType is illegal.The request parameter AccessMode.TunnelType is illegal.
400IllegalParam.AccessModeValueThe request parameter AccessMode.ModeValue is illegal.The request parameter AccessMode.ModeValue is illegal.
404InvalidRegionId.NotFoundThe specified RegionId does not exist in our records.The specified region ID does not exist.
404InvalidVpcId.NotFoundSpecified value of VpcId is not found in our record.The VPC does not exist. Check whether the specified VPC is valid.
404InvalidZoneId.NotFoundSpecified value of ZoneId is not exists.The specified zone does not exist.
404InvalidZoneId.NotFoundCan not find ZoneId for allocated ip.The zone of the specified IP address is invalid.
404VPC_ONLY_CAN_CREATE_ONE_NAT_GATEWAYNatGateway in one vpc support only one.-
404OperationFailed.CrateEntryTimeOutOperation failed because create custom routeEntry timeout.-
404Forbidden.CreateSpecialSpecNatGatewayYou are not authorized to create special spec nat gateway.-
404UnsupportedZoneForFwNatThe zone is unsupported for FW NAT.-
500OrderError.NatGatewayThe Account failed to create order.-
500OperationFailed.AccessTunnelIdAccessTunnelId param do operation failed.VPC NAT failed to generate tunnel ID. Try again later
500OperationFailed.EnhancedCheckInventoryThe NAT gateway in the current zone is not in service, or the resource inventory is insufficient.The NAT gateway in the current zone is not in service, or the resource inventory is insufficient.

For a list of error codes, visit the Service error codes.

Change history

Change timeSummary of changesOperation
2024-12-03The Error code has changedView Change Details
2024-10-23The Error code has changed. The request parameters of the API has changedView Change Details
2024-08-15The Error code has changedView Change Details
2024-05-06The Error code has changedView Change Details
2024-01-18The Error code has changedView Change Details
2023-12-14API Description Update. The Error code has changedView Change Details
2023-06-30The Error code has changedView Change Details
2023-03-01The Error code has changedView Change Details
2023-01-10The Error code has changed. The request parameters of the API has changedView Change Details
2022-08-12The Error code has changedView Change Details
2022-08-03The Error code has changedView Change Details
2022-07-22The Error code has changedView Change Details