All Products
Search

This Product

    Virtual Private Cloud:IPv4 gateway

    Document Center

    Virtual Private Cloud:IPv4 gateway

    Last Updated:Feb 07, 2025

    By default, resources within a virtual private cloud (VPC) can communicate with the Internet by binding a public IPv4 address. However, sometimes Internet accesses are not overseen by the operation and maintenance department, which poses security risks. For example, business departments configure public IP addresses for Elastic Compute Service (ECS) instances without informing O&M.

    As a traffic control component at the VPC boundary, an IPv4 gateway allows you to manage Internet access through route tables and ensures that the public traffic passes through the IPv4 gateway, thereby reducing the security risks associated with decentralized access.

    Overview

    VPC components

    Understanding the following VPC components will help you better understand the IPv4 gateway:

    • Public IPv4 address: An IPv4 address that can be directly accessed through the Internet. These addresses are globally unique and can be accessed worldwide. There are two types:

      • Static public IP: A public IP address created and deleted together with instances such as ECS, and Classic Load Balancer (CLB). These IP addresses are strongly bound to instances and cannot be modified after creation, so they do not support flexible disassociation and management.

      • Elastic IP address (EIP): An independent public IP address that can be dynamically bound and unbound, supporting flexible management.

    • Internet NAT Gateway: A network address translation device within the VPC that provides Internet access by binding an EIP. It converts private IPv4 addresses to public ones, or to EIPs. This avoids exposing the real IP addresses and enables secure Internet communication. Resources in the VPC can actively access the Internet and provide services over the Internet through the NAT gateway.

    • Server Load Balancer (SLB): An application traffic distribution service within the VPC that provides Internet access by binding a public IP. It distributes traffic to backend servers to expand the throughput of application systems, eliminating single points of failure (SPOF), and improving the availability of the application system. Resources in the VPC can only provide services over the Internet and cannot actively access the Internet through SLB.

    Architecture of VPC with an IPv4 gateway

    The following architecture shows the inbound and outbound traffic in the VPC. As illustrated, an IPv4 gateway is a public traffic gateway at the VPC boundary that uniformly controls the Internet traffic and differs from public IP addresses, NAT gateways, and load balancing.

    image

    Why use an IPv4 gateway?

    Item

    Internet access without IPv4 gateway (Default)

    Centralized control with IPv4 gateway

    Example

    ECS instances access the Internet through static public IPs, EIPs, or an Internet NAT gateway.

    Centrally control the Internet inbound and outbound traffic.

    Scenario

    Some ECS instances need independent, direct Internet access.

    Suitable for scenarios where Internet access requirements are subject to frequent changes.

    Suitable for large, multi-tiered network architecture.

    Enterprise-level environments with strict requirements for security and compliance.

    Complexity

    Simple and quick operation without the need for route configuration.

    Network planning and routing configuration are required.

    Flexibility

    Each instance is independent.

    Changes in network policies affect all instances in the VPC.

    Security

    Security protection is achieved through configuring security group rules of instances.

    The centralized control mode of the IPv4 gateway ensures the consistency of network policies and overall security.

    Limits

    Feature limits

    • Scope:

      • The IPv4 gateway is a region-level resource that can only be used in the region where it is located.

    • Limits:

      • A VPC can only have one IPv4 gateway, and each IPv4 gateway can only be associated with one VPC.

      • An IPv4 gateway can exclusively bind to a gateway route table of the border gateway type. Each IPv4 gateway is associated with a single gateway route table.

    • Exception:

      • When an internal-facing CLB is bound to an IPv4 gateway by using an EIP or Anycast EIP, the gateway does not restrict the return traffic from the Internet.

    Supported regions

    Area

    Regions

    Asia Pacific - China

    China (Hangzhou), China (Shanghai), China (Nanjing - Local Region), China (Qingdao), China (Beijing), China (Zhangjiakou), China (Hohhot), China (Ulanqab), China (Shenzhen), China (Heyuan), China (Guangzhou), China (Chengdu), China (Hong Kong), China (Wuhan - Local Region), and China (Fuzhou - Local Region)

    Asia Pacific - Others

    Japan (Tokyo), South Korea (Seoul), Singapore, Malaysia (Kuala Lumpur), Indonesia (Jakarta), Philippines (Manila), and Thailand (Bangkok)

    Europe & Americas

    Germany (Frankfurt), UK (London), US (Silicon Valley), and US (Virginia)

    Middle East

    UAE (Dubai) and SAU (Riyadh - Partner Region)

    Important

    The SAU (Riyadh - Partner Region) region is operated by a partner.

    Use the IPv4 gateway

    Working modes

    The IPv4 gateway must be activated to uniformly control Internet traffic. The working modes of the IPv4 gateway dictate the ability to access the Internet and manage public traffic centrally.

    Refer to the following diagram to understand the working modes and when the modes are switched:

    image
    Important

    The network traffic in the VPC will not be impacted until you activate the IPv4 gateway. However, there may be a brief network interruption during activation due to traffic path switching.

    Scenario

    This section uses the Internet access of two ECS instances in a VPC to demonstrate how to use the IPv4 gateway.

    Internet access

    Target

    Two ECS instances within the VPC can access the Internet through an EIP or provide external services over the Internet.

    • Outbound traffic: All traffic actively accessing the Internet from the VPC must be controlled by the IPv4 gateway.

    • Inbound traffic: Only public inbound traffic accessing the two ECS instances is allowed through the IPv4 gateway, while other traffic is denied.

    image

    To use the IPv4 gateway in a region, you must create a VPC, ECS, and EIP. Ensure that the VPC is not associated with an IPv4 gateway.

    Step 1: Create and activate the IPv4 gateway

    Note

    An IPv4 gateway cannot be created under the following conditions:

    1. Go to the IPv4 Gateway console and select the region from the top navigation bar.

    2. Click Create IPv4 Gateway, choose a VPC, and click Create.

      image

    3. Select the route table associated with the vSwitch where the ECS is located and click Activate. If there are multiple vSwitch route tables, select all that apply.

      Note

      • During activation, the system adds a default route of 0.0.0.0/0 pointing to the IPv4 gateway in the selected route table of vSwitch, granting Internet access. If there is already a default route with the destination CIDR block of 0.0.0.0/0, the IPv4 gateway default route cannot be added.

      • Network traffic in the VPC remains unaffected before the IPv4 gateway is activated. However, activation may cause a brief network interruption due to the switch in traffic paths.

      image

    4. The IPv4 gateway is activated and the route table is configured.

      image

    5. Now, the VPC has an activated IPv4 gateway. Proceed to test its functionality.

      Note

      Ensure the network ACL and security group configurations are proper to avoid impacting the ECS connectivity tests.

      1. With a route of 0.0.0.0/0 that points to the IPv4 gateway, ECS instances can access the Internet. Test network connectivity with the ping aliyun.com command.

      2. The IPv4 gateway does not have a route pointing to the VPC, so incoming traffic from the Internet to the ECS will be discarded. To test this, use the ping ECS address command from an Internet client, which should fail to connect.

    Step 2: Configure inbound routes

    The inbound routes for the IPv4 gateway are managed by the gateway route tables.

    1. Create a gateway route table

      A route table becomes a gateway route table when you set the Associated Resource Type to Border Gateway.

      1. Navigate to Route Tables and select the region where the gateway route table will be created from the top navigation bar.

      2. Click Create Route Table. In the dialog box, select the corresponding VPC, choose Border Gateway in Associated Resource Type, enter a name for the route table, and click OK. image

    2. Configure gateway routes

      1. On the Route Tables page, find the newly created gateway route table and click its ID.

      2. Click the Route Entry List > System Route tab to view the system route entries. A system route entry is automatically created for each vSwitch in the VPC within the gateway route table.image

      3. Modify the Destination CIDR Block to point to the two route entries of the vSwitch associated with the ECS, and set the next hop to the ECS instance. image

      4. When configuration is complete, the two system route entries become custom route entries. Make sure that the status is Active. image

    3. Associate the gateway route table to the IPv4 gateway

      1. In the details page of the gateway route table, proceed to associate the border gateway. image

      2. After association, ensure that the status is Available. image

    4. Test connectivity

      Note

      Ensure you check the configurations of the network ACL and security group to prevent impacting the ECS connectivity tests.

      1. Run the ping ECS address command on an Internet client. The result should be accessible.

      2. Run the ping other addresses within the VPC command on an Internet client. The result should be inaccessible.

    Additional operations

    Modify public inbound routes

    The inbound routes for the IPv4 gateway are managed through the gateway route table. You can change the inbound routes by modifying the system route entries in the gateway route table.

    Note

    • In the gateway route table, you can modify system routes, but cannot create custom route entries.

    • Upon successfully editing and saving the system routes, they become custom route entries and revert to system route entries upon deletion.

    • When modifying system route entries in the route table, refer to the following recommendations for the next hop type:

      • Local: Enables access to all IP addresses within the vSwitch.

      • ECS Instances/Elastic Network Interface (ENI): Grants access to a specified ECS instance or ENI within the vSwitch. This is typically used to securely direct public traffic to a particular ECS instance or ENI. To change the next hop to this type, you must delete the route entry and then re-edit the system route entry. Direct replacement is not supported.

      • Gateway Load Balancer endpoint (GWLBe): Provides access to a specified endpoint within the vSwitch, and routes public traffic to third-party security devices in GWLB.

    Modify public outbound routes

    The public outbound routes for the IPv4 gateway are managed through the vSwitch route table. If a vSwitch includes a route entry that points to the IPv4 gateway, the corresponding route entry address can access the Internet. Such a vSwitch is a public vSwitch, while a vSwitch without such a route is known as a private vSwitch.

    Delete an IPv4 gateway

    Note

    Before deletion, you must unbind the gateway route table.

    Select a mode when deleting an IPv4 gateway, which impacts the Internet access within the VPC. For more information, see Working modes.

    image

    • In private mode, you must remove all route entries in the VPC route table pointing to the IPv4 gateway before proceeding.

      Warning

      Be aware that choosing private mode will prevent all resources within the VPC from accessing the Internet. Proceed with caution.

    • In public mode, the system will automatically delete all route entries pointing to the IPv4 gateway. Choose this mode if you need to revert to the initial state where instances can access the Internet through a public IP address.

    Best practices

    Centralized control of Internet egress

    Organizations may have public access channels that lack oversight from the O&M team. For example, when business departments configure public IPs for ECS instances at their discretion, it may create security vulnerabilities for network management.

    By employing an IPv4 gateway, you can transform the network architecture into a centralized framework where you can manage public traffic through the route table. This ensures that all data flows through the IPv4 gateway and facilitates the enforcement of unified security policies and audits, thereby mitigating the risks associated with decentralized access.

    Below is an example of the IPv4 architecture. For more information, see Use IPv4 gateway to centralize control over Internet access.

    image

    Use public CIDR blocks as private ones

    Some organizations use non-RFC 1918 private CIDR blocks in local data centers or VPCs, such as 30.0.0.0/16. When establishing connections with other VPCs or data centers, access to the Internet is prioritized. This is because VPCs treat non-RFC 1918 IPs as public CIDR blocks. So, even if a route entry pointing to 30.0.0.0/16 is configured, it cannot access the target VPCs or data centers.

    You can use the IPv4 gateway to centrally control the Internet access and route traffic to VPCs or data centers when accessing 30.0.0.0/16.

    Below is an example of the architecture. For more information, see Use IPv4 gateway to route traffic from Internet to private network.

    image

    Route traffic to third-party security devices

    Single-point architecture

    Some organizations deploy third-party security devices within the VPC to scrub inbound and outbound traffic.

    You can use the IPv4 gateway in conjunction with the route table to safely divert traffic, forwarding public inbound and outbound traffic to security devices for inspection and filtering. This helps prevent malicious attacks and unauthorized access, ensuring security protection.

    image

    GWLB high availability architecture

    In a single-point architecture, failures of third-party devices can affect the availability of the entire business system. The GWLB can be deployed to achieve high availability and eliminate single points of failure.

    In this scenario, you can use the IPv4 gateway in conjunction with the route table to forward public traffic to the GWLBe, which connects to GWLB through PrivateLink and routes the traffic to third-party security devices for processing. After scrubbing, the traffic is transmitted to the application server or Internet client.

    Below is an example of the architecture. For more information, see Use a GWLB instance to create a security check system for IPv4 traffic.

    image

    Inbound IPv4 traffic path

    Outbound IPv4 traffic path

    1. IPv4 traffic enters the business VPC through the IPv4 gateway.

    2. Traffic is sent to GWLBe based on the route table of the IPv4 gateway.

    3. GWLBe converts the traffic and sends it to GWLB, which then forwards the traffic to third-party security devices.

    4. After third-party security devices complete the security check, the traffic is returned to GWLB and transmitted to GWLBe through PrivateLink.

    5. Traffic is sent to the application server based on the route table of the GWLBe subnet.

    1. Traffic is sent to GWLBe based on the route table of the application server subnet.

    2. GWLBe sends the traffic to GWLB, which forwards the traffic to the third-party security devices.

    3. After the third-party security devices complete the security check, the traffic is returned to GWLB and transmitted to GWLBe through PrivateLink.

    4. Traffic is sent to the IPv4 gateway based on the route table of the GWLBe subnet.

    5. The IPv4 gateway routes the traffic to the Internet.

    FAQs

    What are the differences between an IPv4 gateway and an Internet NAT gateway?

    Component

    IPv4 Gateway

    Internet NAT Gateway

    Function

    A component at the VPC boundary that controls public IPv4 traffic.

    Network address translation device in VPCs.

    Scenario

    Centralized control of public traffic.

    Unified traffic egress of the Internet.

    Whether Internet access is provided

    No. It is a traffic control component.

    Internet access is available by attaching an EIP.

    (The NAT gateway itself does not provide Internet access capability.)

    IPv4 gateways and Internet NAT gateways serve distinct functions and can be used together.

    For more information about the relationship between network components, see the location of the IPv4 gateway in the VPC.

    How do I restore a VPC with an enabled IPv4 gateway to the initial state?

    To restore a VPC to its initial state (for example, allowing ECS instances to access the Internet by binding a public IP), delete the IPv4 gateway in public mode.

    The deletion mode impacts how the VPC accesses the Internet. For more information, see Working modes.

    How is the IPv4 gateway billed?

    There are no fees associated with the IPv4 gateway itself.

    However, data transfer costs are incurred by the public IPs, such as EIPs or static public IPs of ECS or CLB. For more information, refer to the billing documents of the corresponding products.

    How do I centrally manage IPv6 traffic?

    The IPv4 gateway serves as a public IPv4 traffic control component at the VPC boundary. To centrally manage IPv6 traffic, an IPv6 gateway is required.

    Additional actions

    You can manage the IPv4 gateway by calling the following APIs: