
NAT Gateway:Use the SNAT feature of an Internet NAT gateway to access the Internet

Last updated: Aug 20, 2024

This topic describes how to configure an SNAT entry on an Internet NAT gateway to enable Internet access for an Elastic Compute Service (ECS) instance with no public IP address assigned.

Scenarios

The following scenario is an example. An enterprise created a virtual private cloud (VPC) and a vSwitch on Alibaba Cloud. Multiple ECS instances are created in the vSwitch. The ECS instances are not assigned static public IP addresses or associated with elastic IP addresses (EIPs). Due to business growth, each ECS instance needs to access the Internet.


In this scenario, you can configure SNAT on an Internet NAT gateway. SNAT allows ECS instances in a VPC to access the Internet when the ECS instances are not assigned public IP addresses.

Prerequisites

  • A VPC and two vSwitches are created, and ECS instances are created in the vSwitches. For more information, see Create a VPC with an IPv4 CIDR block.

  • The VPC must meet the following requirements:

    • A custom route whose destination CIDR block is 0.0.0.0/0 does not exist in the VPC. If the custom route exists, delete it.

    • If you want to configure SNAT as a Resource Access Management (RAM) user, make sure that the RAM user has access permissions on the VPC. Otherwise, contact the Alibaba Cloud account owner to acquire the permissions.

Limits

By default, you can add up to 40 SNAT entries to an Internet NAT gateway.

For more information about SNAT, see SNAT FAQ.

Procedure


Step 1: Create an Internet NAT gateway

  1. Log on to the NAT Gateway console.
  2. On the Internet NAT Gateway page, click Create NAT Gateway.
  3. When you create an Internet NAT gateway for the first time, click Create in the Notes on Creating Service-linked Roles section of the buy page to create a service-linked role. After the service-linked role is created, you can create Internet NAT gateways.

    For more information, see Service-linked roles.

  4. On the buy page, set the following parameters and click Buy Now.

    • Billing Method: By default, Pay-As-You-Go is selected. You can pay for resources after you use them. For more information, see Billing of Internet NAT gateways.

    • Resource Group: Select the resource group to which the virtual private cloud (VPC) belongs. For more information, see Resource group overview.

    • Tags:

      • Tag Key: Select or enter a tag key. You can specify at most 20 tag keys. A tag key can be up to 64 characters in length and cannot start with aliyun or acs:. It cannot contain http:// or https://.

      • Tag Value: Select or enter a tag value. You can specify at most 20 tag values. A tag value can be up to 128 characters in length. It cannot start with aliyun or acs:, and cannot contain http:// or https://.

    • Region: Select the region where you want to create the Internet NAT gateway.

    • VPC: Select the VPC where you want to create the Internet NAT gateway. After the Internet NAT gateway is created, you cannot change the VPC to which the Internet NAT gateway belongs.

    • Associate vSwitch: Select the vSwitch to which the Internet NAT gateway belongs.

    • Metering Method: By default, Pay-By-CU is selected. You are charged based on the resources that you use. For more information, see Billing of Internet NAT gateways.

    • Billing Cycle: By default, By Hour is selected. Bills are generated on an hourly basis. If you use an Internet NAT gateway for less than 1 hour, the usage duration is rounded up to 1 hour.

    • Instance Name: Enter a name for the Internet NAT gateway. The name must be 2 to 128 characters in length and can contain digits, underscores (_), and hyphens (-). The name must start with a letter.

    • Access Mode: Select the mode in which you want to create the Internet NAT gateway. The following modes are supported:

      • SNAT for All VPC Resources: If you select this value, the Internet NAT gateway is created in unified access mode. After the Internet NAT gateway is created, all resources in the VPC can access the Internet by using the SNAT feature of the NAT gateway. If you select SNAT for All VPC Resources, you must also specify an EIP.

      • Configure Later: If you select this option, you can configure the Internet NAT gateway in the console after you complete the payment. If you select Configure Later, only the Internet NAT gateway is created. No SNAT entry is created.

      In this example, Configure Later is selected.

  5. On the Confirm page, confirm the information, select the Terms of Service check box, and then click Confirm.

    When the Purchased message appears, the Internet NAT gateway is created.

You can find the Internet NAT gateway on the Internet NAT Gateway page.

Step 2: Associate an EIP with the Internet NAT gateway

An Internet NAT gateway can run as expected only when it is associated with an EIP. After you create an Internet NAT gateway, you can associate EIPs with the Internet NAT gateway to meet your business requirements.

  1. Log on to the NAT Gateway console.
  2. In the top navigation bar, select the region where you want to create the NAT gateway.
  3. On the Internet NAT Gateway page, find the Internet NAT gateway that you want to manage and click Associate Now in the EIP column.

  4. In the Associate EIP dialog box, set the following parameters and click OK.

    • Resource Group: Select the resource group of the EIP.

    • Select EIP: Select the EIP that you want to associate with the Internet NAT gateway. In this example, Purchase and Associate EIP is selected. The system automatically creates a pay-by-data-transfer EIP and associates the EIP with the Internet NAT gateway.

After you complete the preceding operations, the EIP is displayed in the EIP column.

Step 3: Create an SNAT entry

SNAT allows ECS instances in a VPC to access the Internet when no public IP addresses are assigned to the ECS instances.

  1. Log on to the NAT Gateway console.
  2. In the top navigation bar, select the region where you want to create the NAT gateway.
  3. On the Internet NAT Gateway page, find the NAT gateway that you want to manage and click Configure SNAT in the Actions column.
  4. On the SNAT Management tab, click Create SNAT Entry.

  5. On the Create SNAT Entry page, set the following parameters and click OK.

    • SNAT Entry: Specify whether you want to create an SNAT entry for a VPC, a vSwitch, an ECS instance, or a custom CIDR block. Specify vSwitch is selected in this example. The ECS instances that are attached to the specified vSwitch use the EIP to access the Internet.

      • Select vSwitch: Select a vSwitch from the drop-down list. Note: If you select multiple vSwitches, the system creates multiple SNAT entries that use the same EIP.

      • vSwitch CIDR block: The CIDR block of the selected vSwitch is displayed.

    • Select EIP: Select one or more EIPs that are used to access the Internet. In this example, Use Single IP is selected and the EIP that is associated with the Internet NAT gateway in Step 2 is selected from the drop-down list.

    • Entry Name: Enter a name for the SNAT entry.

After the SNAT entry is created, you can view the SNAT entry in the SNAT Entry List section.

Step 4: Add a route

Add a custom route that points to the Internet NAT gateway to the VPC system route table.

  1. Log on to the VPC console.

  2. In the left-side navigation pane, click Route Tables.

  3. In the top navigation bar, select the region to which the route table belongs.

  4. On the Route Tables page, find the route table that you want to manage and click its ID.

  5. On the details page, choose Route Entry List > Custom Route and click Add Route Entry.

  6. In the Add Route Entry dialog box, set the following parameters and click OK.

    • Name: Enter a name for the custom route.

    • Resource Group: Select the resource group to which the next hop belongs.

    • Destination CIDR Block: Enter a destination CIDR block. In this example, IPv4 CIDR Block is selected and 0.0.0.0/0 is used.

    • Next Hop Type: Select NAT Gateway from the drop-down list.

    • NAT Gateway: Select the Internet NAT gateway that you created.

    • Description: Enter a description for the custom route.

Step 5: Test the network connectivity

After you create an SNAT entry, you can test whether the ECS instances can access the Internet. In this example, an ECS instance that runs Linux is used.

Note

Make sure that the security group rules of the ECS instance allow the ECS instance to access the Internet. For more information about security group rules, see Overview.

  1. Log on to an ECS instance in the vSwitch. For more information, see Connection method overview.

  2. Run the ping www.aliyun.com command to test the network connectivity.

    If you can receive echo reply packets, the connection is established.

    The result shows that the ECS instance can access the Internet.

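As an added example that is not part of this topic or of Alibaba Cloud's own tooling, the following Python models the decision that Steps 3 and 4 together configure: an ECS instance reaches the Internet only if the route table sends 0.0.0.0/0 to the NAT gateway and an SNAT entry covers its private IP, which is also what you audit to know which EIP each private instance egresses through. The most-specific-entry rule, the gateway ID and all addresses are assumptions made up for the example.

```python
"""Added example (not Alibaba Cloud code): models how the VPC route table and
the NAT gateway's SNAT entries from Steps 3 and 4 decide whether a private ECS
instance has an Internet path, and which EIP its traffic leaves with."""
import ipaddress
from dataclasses import dataclass

MAX_SNAT_ENTRIES = 40  # default per-gateway quota stated under Limits


@dataclass
class SnatEntry:
    source_cidr: str  # vSwitch CIDR, ECS /32, or custom CIDR block
    snat_ip: str      # EIP associated with the Internet NAT gateway


@dataclass
class RouteEntry:
    destination: str
    next_hop_type: str  # "NatGateway" for the route added in Step 4
    next_hop_id: str


def default_route(routes):
    """Return the 0.0.0.0/0 entry, or None. Two of them is the conflict the
    Prerequisites section says to resolve by deleting the custom route."""
    defaults = [r for r in routes if r.destination == "0.0.0.0/0"]
    if len(defaults) > 1:
        raise ValueError("conflicting 0.0.0.0/0 routes: %r" % defaults)
    return defaults[0] if defaults else None


def egress_ip(private_ip, routes, snat_entries, nat_gateway_id):
    """EIP the instance egresses with, or None if it has no Internet path.
    Assumption (not stated on the page): the most specific matching SNAT
    entry wins, so an ECS /32 entry overrides its vSwitch entry."""
    if len(snat_entries) > MAX_SNAT_ENTRIES:
        raise ValueError("more than %d SNAT entries" % MAX_SNAT_ENTRIES)
    route = default_route(routes)
    if route is None or (route.next_hop_type, route.next_hop_id) != ("NatGateway", nat_gateway_id):
        return None
    addr = ipaddress.ip_address(private_ip)
    hits = [e for e in snat_entries if addr in ipaddress.ip_network(e.source_cidr)]
    if not hits:
        return None
    return max(hits, key=lambda e: ipaddress.ip_network(e.source_cidr).prefixlen).snat_ip


# Constructed sample: a vSwitch with an SNAT entry, a second vSwitch without
# one, and an ECS-level /32 entry on a second EIP (IDs and addresses made up).
NAT_GW = "ngw-example"
ROUTES = [RouteEntry("0.0.0.0/0", "NatGateway", NAT_GW)]
SNAT_ENTRIES = [SnatEntry("192.168.1.0/24", "203.0.113.10"),
                SnatEntry("192.168.1.20/32", "203.0.113.11")]
```

Running egress_ip over every private address in the VPC gives the egress inventory to compare against the EIPs your upstream allowlists expect.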