
Virtual Private Cloud: Create and manage an IPv4 gateway

Last Updated: Sep 27, 2024

IPv4 gateways are not automatically allocated to virtual private clouds (VPCs). By default, instances assigned public IP addresses can access the Internet, which may compromise your network security. This topic describes how to use an IPv4 gateway to enable centralized access control for instances in a VPC. If you want to route inbound traffic from the Internet to a firewall, you can use gateway route tables.

Prerequisites

A VPC and a vSwitch are created. For more information, see Create and manage a VPC and Create and manage a vSwitch.

Notes

  • After you create an IPv4 gateway, you need to configure a route that points to the IPv4 gateway and activate the IPv4 gateway.

    • Traffic of instances in the VPC is not affected before the IPv4 gateway is activated. During the activation process, traffic paths may be switched and therefore data transfer may be temporarily interrupted.

    • Before you activate an IPv4 gateway, make sure that the route table associated with the vSwitch that requires Internet access contains routes that point to the IPv4 gateway. This ensures that traffic can be routed as expected after the IPv4 gateway is activated.

  • Instances in a VPC can access the Internet only when an IPv4 gateway in the VPC is activated and routes that point to the IPv4 gateway are added to a route table of the VPC.

  • A VPC that uses an IPv4 gateway cannot contain elastic IP addresses (EIPs) in cut-through mode.

  • After you enable the IPv4 gateway feature for a VPC, you cannot disable the IPv4 feature. If you delete an IPv4 gateway, instances in the VPC cannot access the Internet.

Manage Internet access

After you create and activate an IPv4 gateway, you can select a primary route table or a subnet route table. The system automatically adds a default 0.0.0.0/0 route to the IPv4 gateway. This way, instances in the vSwitch associated with the route table can access the Internet through the IPv4 gateway.

Create and activate an IPv4 gateway

  1. Log on to the VPC console.

  2. In the top navigation bar, select the region where you want to create an IPv4 gateway.

  3. In the left-side navigation pane, click IPv4 Gateway.

  4. On the IPv4 Gateway page, click Create IPv4 Gateway.

  5. Configure the parameters in the Create IPv4 Gateway dialog box. Then, activate the IPv4 gateway and add a route that points to the IPv4 gateway.

    1. Create an IPv4 gateway

      In the Create IPv4 Gateway wizard, configure the following parameters. Keep parameters not covered as default values or modify them as needed.

      • Region: The region where you want to create the IPv4 gateway is displayed.

      • VPC: Select the VPC with which you want to associate the IPv4 gateway.

    2. Activate the IPv4 gateway

      In the Activate IPv4 Gateway wizard, select one or more route tables and click Activate.

      Note
      • We recommend that you select a route table associated with a vSwitch that contains public IP addresses and NAT gateways.

      • After you select a route table, the system automatically adds a default 0.0.0.0/0 route that points to the IPv4 gateway. This way, the vSwitch associated with the route table can access the Internet.

      • If a default 0.0.0.0/0 route already exists in the route table, the preceding route will not be added. If the vSwitch associated with the route table requires Internet access, we recommend that you plan the routes in advance.
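
The notes and the activation rules above can be checked before you click Activate. The following Python sketch is an added example, not Alibaba Cloud code: it audits a constructed VPC inventory and reports which route tables will not receive the automatic 0.0.0.0/0 route and which public-facing vSwitches end up without a route to the IPv4 gateway. The dictionary keys, the "ipv4_gateway" next-hop label and all resource IDs are assumptions made for illustration; "public_resources" marks a vSwitch that contains public IP addresses or NAT gateways.

```python
DEFAULT = "0.0.0.0/0"
GATEWAY = "ipv4_gateway"  # constructed next-hop label, not an API enum value


def audit_activation(vpc, selected_table_ids):
    """Return sorted (severity, resource_id, message) findings for a planned activation."""
    findings = []
    if vpc["cut_through_eips"]:
        findings.append(("BLOCKER", vpc["id"], "VPC contains EIPs in cut-through mode"))
    for table in vpc["route_tables"]:
        defaults = [r for r in table["routes"] if r["dest"] == DEFAULT]
        has_gw_route = any(r["next_hop"] == GATEWAY for r in table["routes"])
        if table["id"] in selected_table_ids:
            if defaults and not has_gw_route:
                # An existing 0.0.0.0/0 route suppresses the automatic gateway route.
                findings.append(("WARN", table["id"],
                                 "existing 0.0.0.0/0 route; gateway route will not be added"))
            elif not defaults:
                has_gw_route = True  # activation adds 0.0.0.0/0 -> IPv4 gateway
        for vsw in table["vswitches"]:
            if vsw["public_resources"] and not has_gw_route:
                findings.append(("RISK", vsw["id"],
                                 "no route to the IPv4 gateway after activation"))
    return sorted(findings)


# Constructed inventory for illustration; not an API response format.
SAMPLE_VPC = {
    "id": "vpc-example",
    "cut_through_eips": 0,
    "route_tables": [
        {"id": "rtb-public", "routes": [],
         "vswitches": [{"id": "vsw-web", "public_resources": True}]},
        {"id": "rtb-fw", "routes": [{"dest": DEFAULT, "next_hop": "eni-firewall"}],
         "vswitches": [{"id": "vsw-dmz", "public_resources": True}]},
        {"id": "rtb-forgotten", "routes": [],
         "vswitches": [{"id": "vsw-bastion", "public_resources": True}]},
        {"id": "rtb-private", "routes": [{"dest": DEFAULT, "next_hop": "nat-gateway"}],
         "vswitches": [{"id": "vsw-app", "public_resources": False}]},
    ],
}

if __name__ == "__main__":
    # Plan: activate with only rtb-public and rtb-fw selected in the wizard.
    for finding in audit_activation(SAMPLE_VPC, {"rtb-public", "rtb-fw"}):
        print(*finding, sep=" | ")
```

A RISK finding means the vSwitch has no direct route to the IPv4 gateway; whether traffic still reaches the Internet through another next hop depends on how that next hop is routed.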

(Optional) Manage inbound routing policies

After you create and activate an IPv4 gateway, you can create a gateway route table and associate it with the IPv4 gateway. This way, Internet traffic can be routed to the VPC.

Step 1: Create a gateway route table and modify routes

A route table associated with an IPv4 gateway is referred to as a gateway route table. You can modify routes to control traffic from the IPv4 gateway to the VPC. You can create only one gateway route table in a VPC.

  1. On the Route Tables page, click Create Route Table.

  2. On the Create Route Table page, set the following parameters. Keep other parameters as their default values or modify them as needed.

    • VPC: Select the VPC to which the route table belongs. In this example, the VPC to which the IPv4 gateway belongs is selected.

    • Associated Resource Type: Select the type of the resource with which you want to associate the route table. In this example, Border Gateway is selected.

      • vSwitch: The route table is associated with a vSwitch. In this case, the route table serves as a custom route table and is used to manage traffic within the vSwitch.

      • Border Gateway: The route table is associated with an IPv4 gateway. In this case, the route table serves as a gateway route table and is used to control traffic from the IPv4 gateway to the VPC.

  3. On the Route Tables page, find the gateway route table and click its ID.

  4. On the Route Entry List > System Route tab, find the system route that you want to modify and click Edit in the Actions column.

  5. In the Edit Route Entry dialog box, set the following parameters. Keep other parameters as their default values or modify them as needed.

    • Destination CIDR Block: Displays the destination CIDR block of traffic. You cannot modify Destination CIDR Block.

    • Next Hop Type: Select the next hop type. Valid values:

      • Local: Traffic destined for the destination CIDR block is routed to the VPC.

      • ECS Instance: Traffic destined for the destination CIDR block is routed to the specified ECS instance.

      • ENI: Traffic destined for the destination CIDR block is routed to the specified elastic network interface (ENI).

      Important

      If the next hop type is set to ENI or ECS Instance and you want to change the next hop, you must first change the next hop type to Local, then change the next hop type to ENI or ECS Instance, and then change the next hop. You cannot directly change the next hop while the next hop type is set to ENI or ECS Instance.

    • Resource Group: Select the resource group to which the next hop belongs. If Next Hop Type is set to ECS Instance or ENI, this parameter is required.

    • ECS Instance or ENI: Select an instance as the next hop. If Next Hop Type is set to ECS Instance or ENI, you must select an instance as the next hop.

Step 2: Associate the gateway route table with an IPv4 gateway

After the gateway route table is created, associate it with an IPv4 gateway. Then, you can configure routes to manage traffic from the IPv4 gateway to the VPC. Before you associate the gateway route table with an IPv4 gateway, make sure that an IPv4 gateway is created and activated. For more information, see Manage Internet access.

  1. On the IPv4 Gateway page, find the IPv4 gateway that you want to manage and click its ID.

  2. On the details page of the IPv4 gateway, click Bind on the Gateway Route Entry tab.

  3. In the Associate Route Table dialog box, confirm the gateway route table and click OK.

  4. After the route table is associated with the IPv4 gateway, Internet traffic is routed to instances as expected based on the configured routes. You can control Internet access and ensure security.

Disassociate a gateway route table from an IPv4 gateway

If you no longer need to route Internet traffic to a VPC, you can disassociate the gateway route table from the IPv4 gateway.

  1. In the left-side navigation pane, click IPv4 Gateway.

  2. On the IPv4 Gateway page, find the IPv4 gateway that you want to manage and click its ID.

  3. On the details page of the IPv4 gateway, click Unbind on the Gateway Route Entry tab.

  4. In the message that appears, click OK.

Delete an IPv4 gateway

You can delete an IPv4 gateway in one of the following modes:

Private Mode: After the IPv4 gateway is deleted, instances in the VPC cannot access the Internet.

Public Mode: After the IPv4 gateway is deleted, instances that are assigned public IP addresses in the VPC can access the Internet.

Before you delete an IPv4 gateway:

  • If the IPv4 gateway is associated with a gateway route table, disassociate the gateway route table from the IPv4 gateway. For more information, see Disassociate a gateway route table from an IPv4 gateway.

  • If you select Private Mode, you must first delete all the routes that point to the IPv4 gateway from the VPC route tables. For more information, see Add and delete routes.

  • If you select Public Mode, the system automatically deletes all the routes that point to the IPv4 gateway.

  1. Log on to the VPC console.

  2. In the top navigation bar, select the region where the IPv4 gateway is deployed.

  3. In the left-side navigation pane, click IPv4 Gateway.

  4. On the IPv4 Gateway page, find the IPv4 gateway that you want to delete and click Delete in the Actions column.

  5. In the dialog box that appears, select a deletion mode and click OK.

    • Private Mode: After the IPv4 gateway is deleted, instances in the VPC cannot access the Internet.

    • Public Mode: After the IPv4 gateway is deleted, instances that are assigned public IP addresses in the VPC can access the Internet.

    Important

    If the VPC requires Internet access after you delete the IPv4 gateway in Private Mode, create a new IPv4 gateway in the VPC and configure routes that point to the IPv4 gateway.

More operations

Operation

Procedure

Activate an IPv4 gateway

  1. On the IPv4 Gateway page, find the IPv4 gateway and click Activate in the Actions column.

  2. In the Activate IPv4 Gateway dialog box, select one or more route tables and click Activate.

  3. If the message "The IPv4 gateway is activated and the route table is configured." appears, click Close.

Modify an IPv4 gateway

  1. On the IPv4 Gateway page, find the IPv4 gateway that you want to modify and click its ID.

  2. On the details page of the IPv4 gateway, click Edit next to IPv4 Gateway Name in the Basic Information section.

  3. In the dialog box that appears, enter a new name and click OK.

  4. On the details page of the IPv4 gateway, click Edit next to Description in the Basic Information section.

  5. In the dialog box that appears, enter a new description and click OK.

Replace the gateway route table that is associated with an IPv4 gateway

  1. On the IPv4 Gateway page, find the IPv4 gateway that you want to manage and click its ID.

  2. In the Gateway Route Entries section, click Replace Associated Route Table.

  3. In the dialog box that appears, select Replace Custom Route Table, select a new route table from the drop-down list, and then click OK.

Modify a gateway route table

  1. On the Route Tables page, find the gateway route table that you want to manage and click its ID.

  2. On the details page of the gateway route table, click Edit next to Name.

  3. In the dialog box that appears, enter a new name and click OK.

  4. On the details page of the gateway route table, click Edit next to Description.

  5. In the dialog box that appears, enter a new description and click OK.

  6. On the Route Entry List tab, find the route that you want to modify and click Edit in the Actions column.

  7. In the dialog box, modify the information about the route and click OK.

Reference

If you need to enable an IPv4 gateway in a VPC associated with an Internet NAT gateway, see Create and enable an IPv4 gateway in a VPC associated with an Internet NAT gateway.