Virtual Private Cloud:IPv4 gateway overview

Last Updated:Nov 18, 2024

An IPv4 gateway is a network component that connects a virtual private cloud (VPC) to the Internet. Used together with the subnet routing feature, it lets you control which subnets of a VPC can reach the Internet and lets you steer both Internet-bound and Internet-originated traffic through a virtual firewall. This topic describes the features, limits, and use cases of IPv4 gateways.

Features and supported regions

The IPv4 gateway feature is enabled by default in the following regions.

Area              | Regions
------------------|--------------------------------------------------------------------------
Asia Pacific      | China (Hangzhou), China (Shanghai), China (Nanjing - Local Region), China (Qingdao), China (Beijing), China (Zhangjiakou), China (Hohhot), China (Ulanqab), China (Shenzhen), China (Heyuan), China (Guangzhou), China (Chengdu), China (Hong Kong), China (Wuhan - Local Region), China (Fuzhou - Local Region), Japan (Tokyo), South Korea (Seoul), Singapore, Malaysia (Kuala Lumpur), Indonesia (Jakarta), Philippines (Manila), and Thailand (Bangkok)
Europe & Americas | Germany (Frankfurt), UK (London), US (Silicon Valley), and US (Virginia)
Middle East       | UAE (Dubai) and SAU (Riyadh - Partner Region)

Important

The SAU (Riyadh - Partner Region) region is operated by a partner.

Overview

An IPv4 gateway supports the following features:

  • Serves as the next hop of a route in a VPC route table and controls the range of destination addresses that a VPC can access over the Internet.

  • Provides the network address translation service for resources that are assigned public IPv4 addresses, such as Elastic Compute Service (ECS) instances and elastic network interfaces (ENIs).

Use cases

Manage Internet access

ECS instances in a VPC can access the Internet if they are assigned static public IP addresses or elastic IP addresses (EIPs), or if they use an Internet NAT gateway. To reduce the exposure that arises when ECS instances in a VPC access the Internet, you can use an IPv4 gateway together with subnet routing to manage Internet access for the whole VPC: each subnet is granted or denied direct Internet access by the route table associated with it.

[Figure: centralized control of Internet access]

The preceding figure shows the configuration procedure:

  1. Create an Internet NAT gateway in vSwitch 1 and create a custom route table named Subnet Route Table (Table 1) for vSwitch 1.

  2. Create an IPv4 gateway in the VPC, select Subnet Route Table (Table 1), and configure the default 0.0.0.0/0 route to point to the IPv4 gateway before activating it.

  3. Create a custom route table named Subnet Route Table (Table 2) for vSwitch 2 and vSwitch 3. Configure the next hop of the default 0.0.0.0/0 route to point to the Internet NAT gateway.

    Note

    After you activate the IPv4 gateway, take note of the following:

    • If the route table associated with a vSwitch contains no route that points to the IPv4 gateway, the resources in that vSwitch cannot access the Internet directly, even if they have public IP addresses or EIPs. They can still reach the Internet through the Internet NAT gateway if the route table has a route that points to it. Such a vSwitch is referred to as a private vSwitch. vSwitches 2 and 3 in the preceding figure are private: their route table, Subnet Route Table (Table 2), has no default route that points to the IPv4 gateway, and its default route points to the NAT gateway instead.

    • If a route that points to the IPv4 gateway is added to the VPC route table, the resources in the vSwitch that is associated with the route table can access the Internet. This is referred to as a public vSwitch, such as vSwitch 1 in the preceding figure. The default 0.0.0.0/0 route in Subnet Route Table (Table 1) points to the IPv4 gateway.

Manage inbound routing policies

You can use the subnet routing feature together with an IPv4 gateway to route inbound traffic to a virtual firewall, such as Cloud Firewall. This protects your ECS instances against malicious requests.

[Figure: inbound traffic routed through a virtual firewall]

To have a firewall filter the traffic between ECS instances associated with EIPs and the Internet, configure the routes as shown in the preceding figure:

  1. Deploy a dedicated vSwitch for the firewall and associate a custom route table, Subnet Route Table (Table 1), with the vSwitch.

  2. Create an IPv4 gateway in the VPC and select Subnet Route Table (Table 1). Set the next hop of the default 0.0.0.0/0 route to the IPv4 gateway before activating it. This way, the vSwitch in which the virtual firewall is deployed can access the Internet.

  3. Deploy a dedicated vSwitch for your workloads and associate a custom route table with the vSwitch. Set the next hop of the default 0.0.0.0/0 route to the ENI of the virtual firewall.

  4. Create a custom route table in the VPC and associate it with the IPv4 gateway to control inbound traffic from the Internet. This route table is referred to as the gateway route table. In the gateway route table, find the route that points to the CIDR block of the vSwitch in which your workloads are deployed and change the next hop to the ENI of the virtual firewall.
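Both procedures above come down to the contents of three route tables: the subnet route tables decide where each vSwitch's Internet-bound traffic goes, and the gateway route table decides where traffic arriving from the Internet goes. The following added example (not Alibaba Cloud code or an API client) models that in plain Python so the two layouts can be checked offline before a live VPC is changed. It classifies vSwitches as public or private as the note in the first use case defines them, verifies that the firewall layout of the second use case steers both directions of the workload's traffic through the firewall ENI, and applies the page's rule that a gateway route table must not be the system route table or a table already associated with a vSwitch. All IDs and CIDR blocks are constructed, and the "local" next hop type used for the gateway route table's pre-existing vSwitch routes is an assumption.

```python
# Added example (not Alibaba Cloud code): an offline model of how the subnet
# route tables and the gateway route table decide egress and ingress paths.
# All IDs, CIDR blocks and the "local" next-hop type are constructed assumptions.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Route:
    dst: str            # destination CIDR block
    next_hop_type: str  # "Ipv4Gateway", "NatGateway", "NetworkInterface" or "local"
    next_hop_id: str


@dataclass
class RouteTable:
    name: str
    routes: list
    is_system: bool = False
    vswitches: list = field(default_factory=list)  # vSwitch IDs bound to this table


def lookup(table, dst_ip):
    """Longest-prefix match, which is how a VPC route table selects a route."""
    best = None
    for r in table.routes:
        net = ip_network(r.dst)
        if ip_address(dst_ip) in net and (best is None or net.prefixlen > ip_network(best.dst).prefixlen):
            best = r
    return best


def egress_path(table, dst_ip="203.0.113.10"):
    """(next_hop_type, next_hop_id) chosen for an Internet destination, or None."""
    r = lookup(table, dst_ip)
    return None if r is None else (r.next_hop_type, r.next_hop_id)


def vswitch_kind(table):
    """Public: the default route points at the IPv4 gateway. Private: any other next hop."""
    path = egress_path(table)
    if path is None:
        return "isolated"
    return "public" if path[0] == "Ipv4Gateway" else "private"


def gateway_table_problems(table):
    """Limits from the page: not the system table, not already bound to a vSwitch."""
    problems = []
    if table.is_system:
        problems.append("system route table cannot be associated with an IPv4 gateway")
    if table.vswitches:
        problems.append("route table is already associated with a vSwitch")
    return problems


def inbound_inspected(gateway_table, workload_cidr, firewall_eni):
    """Inbound traffic for the workload CIDR must be steered to the firewall ENI."""
    r = lookup(gateway_table, str(ip_network(workload_cidr).network_address))
    return r is not None and (r.next_hop_type, r.next_hop_id) == ("NetworkInterface", firewall_eni)


def outbound_inspected(workload_table, firewall_table, firewall_eni):
    """Workload egress goes to the firewall ENI, and the firewall's vSwitch reaches the IPv4 gateway."""
    via_fw = egress_path(workload_table) == ("NetworkInterface", firewall_eni)
    fw_egress = egress_path(firewall_table)
    return via_fw and fw_egress is not None and fw_egress[0] == "Ipv4Gateway"


# Constructed topology: VPC 10.0.0.0/16, firewall vSwitch 10.0.1.0/24, workload vSwitch 10.0.2.0/24.
LOCAL = Route("10.0.0.0/16", "local", "vpc-example")
TABLE1 = RouteTable("Subnet Route Table (Table 1)",
                    [LOCAL, Route("0.0.0.0/0", "Ipv4Gateway", "ipv4gw-example")], vswitches=["vsw-firewall"])
NAT_TABLE = RouteTable("Subnet Route Table (Table 2)",
                       [LOCAL, Route("0.0.0.0/0", "NatGateway", "ngw-example")], vswitches=["vsw-2", "vsw-3"])
WORKLOAD_TABLE = RouteTable("workload",
                            [LOCAL, Route("0.0.0.0/0", "NetworkInterface", "eni-firewall")], vswitches=["vsw-workload"])
# Gateway route table before step 4: the workload CIDR still goes straight to its vSwitch.
GW_TABLE_BEFORE = RouteTable("gateway", [Route("10.0.1.0/24", "local", "vsw-firewall"),
                                         Route("10.0.2.0/24", "local", "vsw-workload")])
# After step 4: the workload CIDR is redirected to the firewall ENI.
GW_TABLE_AFTER = RouteTable("gateway", [Route("10.0.1.0/24", "local", "vsw-firewall"),
                                        Route("10.0.2.0/24", "NetworkInterface", "eni-firewall")])
SYSTEM_TABLE = RouteTable("system", [LOCAL], is_system=True)


if __name__ == "__main__":
    print(vswitch_kind(TABLE1), vswitch_kind(NAT_TABLE))                       # public private
    print(inbound_inspected(GW_TABLE_BEFORE, "10.0.2.0/24", "eni-firewall"))  # False
    print(inbound_inspected(GW_TABLE_AFTER, "10.0.2.0/24", "eni-firewall"))   # True
    print(outbound_inspected(WORKLOAD_TABLE, TABLE1, "eni-firewall"))         # True
    print(gateway_table_problems(SYSTEM_TABLE), gateway_table_problems(TABLE1))
```

The before/after pair for the gateway route table is the check worth keeping: until the workload CIDR's next hop is changed to the firewall ENI, replies and new connections from the Internet reach the workload vSwitch without passing the firewall even though egress is already forced through it.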

Limits

Restrictions

  • IPv4 gateways support only IPv4 traffic.

  • An IPv4 gateway is specific to the region in which it is created and cannot be used across regions.

  • You can create only one IPv4 gateway in a VPC and associate an IPv4 gateway with only one VPC.

  • You can associate only one gateway route table with an IPv4 gateway.

  • You cannot associate a system route table with an IPv4 gateway.

  • You cannot associate a route table that is already associated with a vSwitch with an IPv4 gateway.

  • You cannot create an IPv4 gateway in the VPC under the following circumstances:

  • When an EIP or Anycast EIP is associated with a Classic Load Balancer (CLB) instance, inbound traffic from the Internet to that instance does not pass through the IPv4 gateway and is therefore not subject to the gateway route table.

Quotas

Name/ID | Description                                                 | Default value | Adjustable
--------|-------------------------------------------------------------|---------------|-----------
N/A     | Maximum number of IPv4 gateways allowed for each VPC        | 1             |
N/A     | Maximum number of gateway route tables for each IPv4 gateway | 1             |