An IPv4 gateway is a network component that connects a virtual private cloud (VPC) to the Internet. You can use an IPv4 gateway together with the subnet routing feature to enable access control for a VPC and route traffic destined for the Internet to virtual firewalls to enhance security. This topic describes the features, limits, and use cases of IPv4 gateways.
Features and supported regions
Regions with the IPv4 gateway feature enabled by default are as follows.
Area | Region |
Asia Pacific | China (Hangzhou), China (Shanghai), China (Nanjing - Local Region), China (Qingdao), China (Beijing), China (Zhangjiakou), China (Hohhot), China (Ulanqab), China (Shenzhen), China (Heyuan), China (Guangzhou), China (Chengdu), China (Hong Kong), China (Wuhan - Local Region), China (Fuzhou - Local Region), Japan (Tokyo), South Korea (Seoul), Singapore, Malaysia (Kuala Lumpur), Indonesia (Jakarta), Philippines (Manila), and Thailand (Bangkok) |
Europe & Americas | Germany (Frankfurt), UK (London), US (Silicon Valley), and US (Virginia) |
Middle East | UAE (Dubai) and SAU (Riyadh - Partner Region) Important The SAU (Riyadh - Partner Region) region is operated by a partner. |
Overview
An IPv4 gateway supports the following features:
Serves as the next hop of a route in a VPC route table and controls the range of destination addresses that a VPC can access over the Internet.
Provides the network address translation service for resources that are assigned public IPv4 addresses, such as Elastic Compute Service (ECS) instances and elastic network interfaces (ENIs).
Use cases
Manage Internet access
ECS instances that are assigned static public IP addresses, elastic IP addresses (EIPs), or Internet NAT gateway in a VPC can access the Internet. To reduce the security threats that may arise when ECS instances in a VPC access the Internet, you can use an IPv4 gateway and subnet routing to manage Internet access for the VPC. You can grant or deny specific subnets Internet access based on your business requirements.
The preceding figure shows the configuration procedure:
Create an Internet NAT gateway in vSwitch 1 and create a custom route table named Subnet Route Table (Table 1).
Create an IPv4 gateway in the VPC, select Subnet Route Table (Table 1), and configure the default 0.0.0.0/0 route to point to the IPv4 gateway before activating it.
Create a custom route table named Subnet Route Table (Table 2) for vSwitch 2 and vSwitch 3. Configure the next hop of the default 0.0.0.0/0 route to point to the Internet NAT gateway.
NoteAfter you activate the IPv4 gateway, take note of the following:
If no route that points to the IPv4 gateway is added to the VPC route table, the resources in the vSwitch that is associated with the route table cannot access the Internet. However, they can still access the Internet through the NAT gateway. This is referred to as a private vSwitch, such as vSwitches 2 and 3 in the preceding figure, as their associated route table, Subnet Route Table 2, does not have a default route that points to the IPv4 gateway.
If a route that points to the IPv4 gateway is added to the VPC route table, the resources in the vSwitch that is associated with the route table can access the Internet. This is referred to as a public vSwitch, such as vSwitch 1 in the preceding figure. The default 0.0.0.0/0 route in Subnet Route Table (Table 1) points to the IPv4 gateway.
Manage inbound routing policies
You can use the subnet routing feature together with an IPv4 gateway to route inbound traffic to a virtual firewall, such as Cloud Firewall. This protects your ECS instances against malicious requests.
When the traffic between ECS instances associated with EIPs and the Internet is filtered by a firewall, configure routes as shown in the preceding figure.
Deploy a dedicated vSwitch for the firewall and associate a custom route table, Subnet Route Table (Table 1), with the vSwitch.
Create an IPv4 gateway in the VPC and select Subnet Route Table (Table 1). Set the next hop of the default 0.0.0.0/0 route to the IPv4 gateway before activating it. This way, the vSwitch in which the virtual firewall is deployed can access the Internet.
Deploy a dedicated vSwitch for your workloads and associate a custom route table with the vSwitch. Set the next hop of the default 0.0.0.0/0 route to the ENI of the virtual firewall.
Create a custom route table in the VPC and associate it with the IPv4 gateway to control inbound traffic from the Internet. This route table is referred to as the gateway route table. In the gateway route table, find the route that points to the CIDR block of the vSwitch in which your workloads are deployed and change the next hop to the ENI of the virtual firewall.
Limits
Restrictions
IPv4 gateways support only IPv4 traffic.
You can use an IPv4 gateway only in one region.
You can create only one IPv4 gateway in a VPC and associate an IPv4 gateway with only one VPC.
You can associate only one gateway route table with an IPv4 gateway.
You cannot associate a system route table with an IPv4 gateway.
You cannot associate a route table that is already associated with a vSwitch with an IPv4 gateway.
You cannot create an IPv4 gateway in the VPC under the following circumstances:
EIPs that are associated with ENIs in cut-through mode exist in the VPC. For more information about the cut-through mode, see Associate a secondary ENI in cut-though mode (not recommended).
Internet NAT gateway of the VPC is incompatible with the IPv4 gateway. To enable compatibility, you can change the mode of the Internet NAT gateway. For more information, see Change the mode of Internet NAT gateway.
Creating an IPv4 in a shared VPC is not supported.
When an EIP or Anycast EIP is linked to a Classic Load Balancer (CLB), the inbound traffic from the Internet is not filtered by the IPv4 gateway.
Quotas
Name/ID | Description | Default value | Adjustable |
N/A | Maximum number of IPv4 gateways allowed for each VPC | 1 | N/A |
Maximum number of gateway route tables for each IPv4 gateway | 1 |