If you want to enable an IPv4 gateway in a virtual private cloud (VPC) where an Internet NAT gateway is deployed, you can create a new Internet NAT gateway or retain the Internet NAT gateway.
Scenarios
A company created a VPC in the Singapore region and deployed an Elastic Compute Service (ECS) cluster in a vSwitch (VSW1) of the VPC. Cloud services are deployed in the ECS cluster. The ECS cluster uses an Internet NAT gateway (NATGW1) with DNAT enabled to provide services over the Internet. Due to business development, some ECS instances in the cluster are assigned static public IP addresses or elastic IP addresses (EIPs). These ECS instances can access the Internet without referencing the VPC route table.
To protect the ECS instances that are exposed to the Internet, the company plans to create an IPv4 gateway in the VPC. The IPv4 gateway can be used together with subnet routing to regulate access from the ECS instances to the Internet. To achieve this goal, the vSwitch of the Internet NAT gateway must have Internet access. The default route in the route table associated with the vSwitch must point to the IPv4 gateway. The ECS instances that use the Internet NAT gateway to access the Internet must be deployed in a vSwitch that does not have Internet access. The default route in the route table associated with the vSwitch must point to the Internet NAT gateway, instead of the IPv4 gateway. Therefore, the ECS instances and the Internet NAT gateway must be deployed in different vSwitches. You can use one of the following methods to configure an Internet NAT gateway:
Method 1: Create an Internet NAT gateway (NATGW2) and a vSwitch (VSW2), and migrate ECS instances with public IP addresses from VSW1 to VSW2. ECS instances without public IP addresses remain in VSW1.
Method 2: Use the existing NAT gateway but create a vSwitch (VSW2), and migrate ECS instances without public IP addresses from VSW1 to VSW2.
Method 1: Create an Internet NAT gateway
This method requires you to create a vSwitch (VSW2) in the VPC and migrate ECS2, which has a public IP address, from VSW1 to VSW2. Then, you need to create an Internet NAT gateway (NATGW2) in VSW2, point the default route of the route table associated with VSW1 to NATGW2, and delete NATGW1 from VSW1.
After you complete the preceding operations, ECS1 that does not have a public IP address assigned in VSW1 must use NATGW2 and the IPv4 gateway to access the Internet. ECS1 cannot use a public IP address to access the Internet. ECS2 that has a public IP address assigned in VSW2 can use the IPv4 gateway to access the Internet. This allows you to limit the ECS instances in the VPC from accessing the Internet.
Method 2: Use the existing Internet NAT gateway
This method requires you to perform the following operations:
1. Create an IPv4 gateway in the VPC.
2. Create a vSwitch (VSW2) and associate VSW2 with subnet route table-2.
3. Migrate ECS1, which has no public IP address assigned, from VSW1 to VSW2.
4. In subnet route table-1, which is associated with VSW1, change the next hop of the route that points to NATGW1 to the IPv4 gateway.
5. In subnet route table-2, set the next hop of the default route to NATGW1.
6. Activate the IPv4 gateway.
After you complete the preceding operations, ECS1 that has no public IP address assigned in VSW2 must use NATGW1 and the IPv4 gateway to access the Internet. ECS1 cannot use a public IP address to access the Internet. ECS2 that has a public IP address assigned in VSW1 can use the IPv4 gateway to access the Internet. This allows you to limit the ECS instances in the VPC from accessing the Internet.
Choose one of the preceding methods based on your business requirements. In this example, Method 1: Create an Internet NAT gateway is used.
You can create only pay-as-you-go Internet NAT gateways. If you have existing Internet NAT gateways that use the subscription billing method and you do not want to change the billing method, you can choose Method 2: Use the existing Internet NAT gateway.
Prerequisites
A VPC is created in the Singapore region, and two vSwitches (VSW1 and VSW2) are created in the VPC. For more information, see Create a VPC with an IPv4 CIDR block.
An ECS instance (ECS1) that does not have a public IP address is created in VSW1, and another ECS instance (ECS2) that has a public IP address is created in VSW2. For more information, see Create an instance on the Custom Launch tab.
An Internet NAT gateway (NATGW1) is created in VSW1, and an EIP is associated with NATGW1. The custom route that points to NATGW1 is deleted from the system route table of the VPC. For more information, see Create and manage a route table.
Another Internet NAT gateway (NATGW2) is created in VSW2, and an EIP is associated with NATGW2. For more information, see Create and manage an Internet NAT gateway.
Step 1: Create a custom route table
You need to create a custom route table and associate it with VSW2. Then, you need to add a route that points to the IPv4 gateway to the route table.
Log on to the VPC console.
In the left-side navigation pane, click Route Tables.
In the top navigation bar, select the region where you want to create the custom route table. This must be the region where the IPv4 gateway is deployed. Singapore is selected in this example.
On the Route Tables page, click Create Route Table.
On the Create Route Table page, configure the following parameters and click OK.
Resource Group: Select the resource group to which the custom route table belongs.
VPC: Select the VPC to which the custom route table belongs. Note: Select the VPC with which the IPv4 gateway is associated.
Associated Resource Type: Select the type of the resource with which you want to associate the route table. In this example, vSwitch is selected.
Name: Enter a name for the custom route table.
Description: Enter a description for the custom route table.
On the Route Tables page, find the route table that you want to manage and click its ID.
On the details page of the route table, click the Associated vSwitch tab and click Associate vSwitch.
In the Associate vSwitch dialog box, select VSW2 and click OK.
Step 2: Create and activate an IPv4 gateway
The IPv4 gateway can be created if it is compatible with the Internet NAT gateway in the VPC. Otherwise, the IPv4 gateway fails to be created. You can change the mode of the Internet NAT gateway to make it compatible with IPv4 gateways before you create an IPv4 gateway. For more information about how to change the mode of an Internet NAT gateway, see Change the mode of an Internet NAT gateway.
Log on to the VPC console.
In the top navigation bar, select the region where you want to create an IPv4 gateway. Singapore is selected in this example.
In the left-side navigation pane, click IPv4 Gateway.
On the IPv4 Gateway page, click Create IPv4 Gateway.
The Create IPv4 Gateway wizard has two parts: first configure the parameters of the IPv4 gateway, then activate the IPv4 gateway by selecting the route table whose route points to it.
Create an IPv4 gateway
In the Create IPv4 Gateway wizard, configure the following parameters and click Create.
Region: The region where you want to create the IPv4 gateway is displayed.
VPC: Select the VPC with which you want to associate the IPv4 gateway.
Name: Enter a name for the IPv4 gateway.
Description: Enter a description for the IPv4 gateway.
Activate the IPv4 gateway
In the Activate IPv4 Gateway wizard, select the custom route table created in Step 1 and click Activate.
In the message that prompts successful activation, click Close.
Step 3: Create an SNAT entry for NATGW2 in VSW2
You need to create an SNAT entry for NATGW2 in VSW2 to allow ECS instances without public IP addresses in VSW1 to access the Internet by using NATGW2 in VSW2.
Log on to the NAT Gateway console.
In the top navigation bar, select the region where NATGW2 is deployed. This must be the region where the IPv4 gateway is deployed. Singapore is selected in this example.
On the Internet NAT Gateway page, find the NAT gateway that you want to manage and click Configure SNAT in the Actions column.
On the SNAT Management tab, click Create SNAT Entry.
On the Create SNAT Entry page, set the following parameters and click OK.
SNAT Entry: Specify whether you want to create an SNAT entry for a VPC, a vSwitch, an ECS instance, or a custom CIDR block. In this example, Specify vSwitch is selected.
Select vSwitch: Select the vSwitch in which the ECS instances can use the SNAT entry to access the Internet. In this example, VSW1 is selected.
vSwitch CIDR Block: The CIDR block of the selected vSwitch is automatically displayed.
Select EIP: Select one or more EIPs that you want to use to access the Internet. In this example, Use Single IP is selected and the EIP associated with NATGW2 is selected from the drop-down list.
Entry Name: Enter a name for the SNAT entry.
Step 4: Add a custom route to the system route table
You need to add a custom route that points to NATGW2 in VSW2 to the system route table that is associated with VSW1. This way, the ECS instance that does not have a public IP address assigned in VSW1 can access the Internet by using the route.
Log on to the VPC console.
In the left-side navigation pane, click Route Tables.
In the top navigation bar, select the region where the system route table is deployed. This must be the region where the IPv4 gateway is deployed. Singapore is selected in this example.
On the Route Tables page, find the system route table of the VPC and click its ID.
On the details page of the route table, choose .
Click Add Route Entry. In the Add Route Entry panel, configure the following parameters and click OK.
Name: Enter a name for the custom route.
Destination CIDR Block: Enter the destination CIDR block to which you want to route traffic. In this example, 0.0.0.0/0 is used.
Next Hop Type: Select the type of next hop. In this example, NAT Gateway is selected.
NAT Gateway: Select the Internet NAT gateway that serves as the next hop. In this example, the ID of NATGW2 is selected.
Step 5: Delete NATGW1 in VSW1
Before you delete NATGW1, make sure that the following requirements are met:
No EIP is associated with the Internet NAT gateway. If an EIP is associated with the Internet NAT gateway, disassociate the EIP from the Internet NAT gateway. For more information, see Disassociate an EIP.
The SNAT table does not contain SNAT entries. If the SNAT table contains SNAT entries, delete them. For more information, see Create and manage SNAT entries.
By default, Deletion Protection is in the Disabled state on the Basic Information tab of the Internet NAT gateway. If Deletion Protection is in the Enabled state, disable deletion protection.
Log on to the NAT Gateway console.
In the top navigation bar, select the region where NATGW1 is deployed. This must be the region where the IPv4 gateway is deployed. Singapore is selected in this example.
On the Internet NAT Gateway page, find the Internet NAT gateway that you want to delete and choose in the Actions column.
In the Delete Gateway message, click OK.
Important: If you want to forcefully delete an Internet NAT gateway and its resources, select Force Delete (Delete the NAT gateway and associated SNAT/DNAT entries) in the Delete Gateway dialog box. When you forcefully delete an Internet NAT gateway, the system automatically disassociates EIPs from the Internet NAT gateway and deletes SNAT entries and DNAT entries from the Internet NAT gateway.
Step 6: Test the network connectivity
After you complete the preceding steps, you must test whether ECS1 in VSW1 can access the destination CIDR block by using NATGW2 and the IPv4 gateway, and whether ECS2 in VSW2 can access the destination CIDR block by using the IPv4 gateway. In this example, both ECS1 and ECS2 run the Linux operating system.
Test whether ECS1 can access the destination CIDR block.
Log on to ECS1. For more information, see Connection method overview.
Run the curl www.aliyun.com command on ECS1. An HTTP response from www.aliyun.com indicates that ECS1 can access www.aliyun.com by using NATGW2 and the IPv4 gateway.
Test whether ECS2 can access the destination CIDR block.
Log on to ECS2.
Run the curl www.aliyun.com command on ECS2. An HTTP response from www.aliyun.com indicates that ECS2 can access www.aliyun.com by using the IPv4 gateway.
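The following Python script is an added worked example and is not part of this page or of any Alibaba Cloud tool. It models the Method 1 layout described in the Scenarios section and built in Steps 1 to 5: a longest-prefix route lookup per vSwitch, the SNAT entry that Step 3 adds for VSW1 on NATGW2, the custom route that Step 4 adds to the system route table, and the Step 5 preconditions for deleting NATGW1. resolve_egress returns the hop list an Internet-bound packet from an instance takes, or the reason it is dropped, so the Step 6 connectivity test can be reasoned about before logging on to the instances. All IDs (ipv4gw-example, ngw-2, vsw-1, vtb-system), CIDR blocks and addresses are constructed placeholders; the rule that a public-IP instance needs its vSwitch's default route to point to the IPv4 gateway is taken from the Scenarios section, and the assumption that Force Delete does not override deletion protection is the author's own.

```python
# Added example, not code from the Alibaba Cloud page. All IDs, CIDR blocks and
# addresses below are constructed placeholders.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Route:
    dest: str           # destination CIDR block, e.g. "0.0.0.0/0"
    next_hop_type: str  # "local", "NatGateway" or "Ipv4Gateway"
    next_hop_id: str


@dataclass
class RouteTable:
    table_id: str
    routes: list

    def lookup(self, dst_ip: str) -> Optional[Route]:
        """Longest-prefix match over the routes, as a VPC route table does."""
        dst = ip_address(dst_ip)
        matches = [r for r in self.routes if dst in ip_network(r.dest)]
        return max(matches, key=lambda r: ip_network(r.dest).prefixlen) if matches else None


@dataclass
class VSwitch:
    vsw_id: str
    cidr: str
    route_table: RouteTable


@dataclass
class NatGateway:
    nat_id: str
    vsw_id: str
    eips: list = field(default_factory=list)
    snat_entries: list = field(default_factory=list)  # (source CIDR, EIP) pairs
    deletion_protection: bool = False

    def snat_for(self, src_ip: str) -> Optional[str]:
        """EIP that src_ip is translated to, or None if no SNAT entry covers it."""
        src = ip_address(src_ip)
        return next((eip for cidr, eip in self.snat_entries if src in ip_network(cidr)), None)


@dataclass
class Instance:
    name: str
    vsw_id: str
    private_ip: str
    public_ip: Optional[str] = None  # static public IP or EIP


@dataclass
class Vpc:
    vswitches: dict
    nat_gateways: dict
    ipv4_gateway_id: Optional[str] = None


def resolve_egress(vpc: Vpc, inst: Instance, dst_ip: str = "203.0.113.10") -> list:
    """Hop list for a packet from inst to dst_ip; the last hop is "Internet" or a DROP reason."""
    route = vpc.vswitches[inst.vsw_id].route_table.lookup(dst_ip)
    hops = [inst.name]
    if inst.public_ip:
        # Once the IPv4 gateway is active, a public-IP instance's vSwitch must route to it
        if route is None or route.next_hop_type != "Ipv4Gateway":
            return hops + [f"DROP: {inst.vsw_id} default route does not point to the IPv4 gateway"]
        return hops + [f"eip:{inst.public_ip}", route.next_hop_id, "Internet"]
    if route is None or route.next_hop_type != "NatGateway":
        return hops + ["DROP: no public IP and no route to a NAT gateway"]
    nat = vpc.nat_gateways[route.next_hop_id]
    if nat.vsw_id == inst.vsw_id:  # NAT gateway and NAT-using instances need different vSwitches
        return hops + [f"DROP: {nat.nat_id} must not share {inst.vsw_id} with the instance"]
    eip = nat.snat_for(inst.private_ip)
    if eip is None:
        return hops + [f"DROP: {nat.nat_id} has no SNAT entry covering {inst.private_ip}"]
    nat_route = vpc.vswitches[nat.vsw_id].route_table.lookup(dst_ip)
    if nat_route is None or nat_route.next_hop_type != "Ipv4Gateway":
        return hops + [f"DROP: {nat.vsw_id} default route does not point to the IPv4 gateway"]
    return hops + [nat.nat_id, f"snat:{eip}", nat_route.next_hop_id, "Internet"]


def nat_gateway_delete_blockers(nat: NatGateway, force: bool = False) -> list:
    """Step 5 preconditions. Force Delete clears EIPs and SNAT entries itself; the page
    does not say it overrides deletion protection, so this model keeps that as a blocker."""
    blockers = []
    if nat.eips and not force:
        blockers.append("EIP still associated")
    if nat.snat_entries and not force:
        blockers.append("SNAT table not empty")
    if nat.deletion_protection:
        blockers.append("deletion protection enabled")
    return blockers


def build_method1_vpc() -> Vpc:
    """Constructed Method 1 layout after Steps 1-5: ECS1 in VSW1 (system route table,
    default route to NATGW2); NATGW2 and ECS2 in VSW2 (custom route table, default
    route to the IPv4 gateway); NATGW1 already deleted."""
    ipv4gw = "ipv4gw-example"
    local = Route("10.0.0.0/16", "local", "local")
    system_rt = RouteTable("vtb-system", [local, Route("0.0.0.0/0", "NatGateway", "ngw-2")])
    custom_rt = RouteTable("vtb-custom", [local, Route("0.0.0.0/0", "Ipv4Gateway", ipv4gw)])
    natgw2 = NatGateway("ngw-2", "vsw-2", eips=["198.51.100.2"],
                        snat_entries=[("10.0.1.0/24", "198.51.100.2")])  # Step 3: SNAT for VSW1
    return Vpc({"vsw-1": VSwitch("vsw-1", "10.0.1.0/24", system_rt),
                "vsw-2": VSwitch("vsw-2", "10.0.2.0/24", custom_rt)},
               {"ngw-2": natgw2}, ipv4gw)


ECS1 = Instance("ECS1", "vsw-1", "10.0.1.10")
ECS2 = Instance("ECS2", "vsw-2", "10.0.2.10", public_ip="198.51.100.20")

if __name__ == "__main__":
    vpc = build_method1_vpc()
    for inst in (ECS1, ECS2):
        print(" -> ".join(resolve_egress(vpc, inst)))
```

Running the script prints the two paths that Step 6 verifies with curl: ECS1 through NATGW2, the SNAT EIP and the IPv4 gateway, and ECS2 through its own public IP and the IPv4 gateway. Removing the SNAT entry or pointing VSW2's default route back at a NAT gateway turns the corresponding path into a DROP with the violated rule named, which is the check to run against a proposed route-table change before applying it in the console.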