You cannot use the NAT Gateway console to directly switch network traffic to another Internet NAT gateway in the same virtual private cloud (VPC). However, you can create an Internet NAT gateway in the VPC and modify the route whose destination CIDR block is 0.0.0.0/0. This way, network traffic is switched to an Internet NAT gateway that belongs to a different vSwitch or uses a different private IP address.
Procedure
This topic describes how to switch network traffic to an Internet NAT gateway in a different vSwitch.
Prerequisites
Before you start, make sure that the following requirements are met:
A VPC named VPC1 is created in the China (Hangzhou) region and vSwitches named VSW1 and VSW2 are created in the VPC. VSW1 is created in Zone B, and VSW2 is created in Zone H. For more information, see Create a VPC with an IPv4 CIDR block.
An Elastic Compute Service (ECS) instance named ECS1 is created in VSW1 and no static public address is allocated to ECS1. For more information, see Create an instance on the Custom Launch tab.
An Internet NAT gateway (Internet NAT Gateway A) is created in VSW1. An SNAT entry is created for VPC1. A DNAT entry that uses port mapping is configured. In the DNAT entry, the private IP address is set to the private IP address of ECS1, the public port and the private port are set to 22, and the protocol is set to TCP.
Step 1: Check whether NAT Gateway A works as expected
Log on to ECS1 in VSW1. For more information, see Connection methods.
Run the ping command to check the network connectivity.
Run the curl myip.ipip.net command to query the public IP address that ECS1 uses to access the Internet. The query result shows that the public IP address ECS1 uses to access the Internet is the same as the elastic IP address (EIP) configured in the SNAT entry of NAT Gateway A. This indicates that ECS1 accesses the Internet by using the SNAT feature of NAT Gateway A.
Log on to an on-premises Linux machine.
Run the ssh root@<public IP address> command, where the public IP address is the EIP configured in the DNAT entry of NAT Gateway A. Then, enter the password of ECS1 and check whether you can connect to ECS1. If Welcome to Alibaba Cloud Elastic Compute Service! is returned, ECS1 uses the DNAT feature of NAT Gateway A to provide services over the Internet.
Step 2: Create NAT Gateway B and associate an EIP with NAT Gateway B
In this example, NAT Gateway B is attached to VSW2.
- Log on to the NAT Gateway console.
- On the Internet NAT Gateway page, click Create Internet NAT Gateway.
  When you create an Internet NAT gateway for the first time, click Create in the Notes on Creating Service-linked Roles section of the buy page to create a service-linked role. After the service-linked role is created, you can create Internet NAT gateways. For more information, see Service-linked roles.
- On the buy page, set the following parameters and click Buy Now.
  Parameters on the buy page:
  - Billing Method: By default, Pay-As-You-Go is selected. You can pay for resources after you use them. For more information, see Billing of Internet NAT gateways.
  - Resource Group: Select the resource group to which the virtual private cloud (VPC) belongs. For more information, see Resource group overview.
  - Tags:
    Tag Key: Select or enter a tag key. You can specify at most 20 tag keys. A tag key can be up to 64 characters in length and cannot start with aliyun or acs:. It cannot contain http:// or https://.
    Tag Value: Select or enter a tag value. You can specify at most 20 tag values. A tag value can be up to 128 characters in length. It cannot start with aliyun or acs:, and cannot contain http:// or https://.
  - Region: Select the region where you want to create the Internet NAT gateway.
  - VPC: Select the VPC where you want to create the Internet NAT gateway. After the Internet NAT gateway is created, you cannot change the VPC to which the Internet NAT gateway belongs.
  - Associate vSwitch: Select the vSwitch to which the Internet NAT gateway belongs.
  - Metering Method: By default, Pay-By-CU is selected. You are charged based on the resources that you use. For more information, see Billing of Internet NAT gateways.
  - Billing Cycle: By default, By Hour is selected. Bills are generated on an hourly basis. If you use an Internet NAT gateway for less than 1 hour, the usage duration is rounded up to 1 hour.
  - Instance Name: Enter a name for the Internet NAT gateway. The name must be 2 to 128 characters in length and can contain digits, underscores (_), and hyphens (-). The name must start with a letter.
  - Access Mode: Select the mode in which you want to create the Internet NAT gateway. The following modes are supported:
    SNAT for All VPC Resources: If you select this value, the Internet NAT gateway is created in unified access mode. After the Internet NAT gateway is created, all resources in the VPC can access the Internet by using the SNAT feature of the NAT gateway. If you select SNAT for All VPC Resources, you must also specify an EIP.
    Configure Later: If you select this option, you can configure the Internet NAT gateway in the console after you complete the payment. If you select Configure Later, only the Internet NAT gateway is created. No SNAT entry is created.
    In this example, Configure Later is selected.
- On the Confirm page, confirm the information, select the Terms of Service check box, and then click Confirm. When the Purchased message appears, the Internet NAT gateway is created.
- On the Internet NAT Gateway page, find NAT Gateway B, and click Associate Now in the Elastic IP Address column.
- In the Associate EIP dialog box, set the following parameters and click OK.
  EIPs: Select the EIP that you want to associate with the Internet NAT gateway. In this example, Purchase and Associate EIP is selected.
Step 3: Configure an SNAT entry and a DNAT entry on NAT Gateway B
Configure an SNAT entry and a DNAT entry on NAT Gateway B with the same settings as the entries of NAT Gateway A. The only difference is the EIP: NAT Gateway B must use an EIP that is different from the EIP of NAT Gateway A.
- Log on to the NAT Gateway console.
- In the top navigation bar, select the region in which NAT Gateway B is deployed.
- On the Internet NAT Gateway page, find NAT Gateway B and click Configure SNAT in the Actions column.
- On the SNAT Management tab, click Create SNAT Entry.
- On the Create SNAT Entry page, set the following parameters and click Confirm.
  Parameters of the SNAT entry:
  - SNAT Entry: Specify whether you want to create an SNAT entry for a VPC, a vSwitch, an ECS instance, or a custom CIDR block. In this example, Specify VPC is selected. All ECS instances in VPC1 can access the Internet by using the SNAT entry.
  - Select Public IP Address: Select one or more EIPs that are used to access the Internet. In this example, Use One IP address is selected and the EIP associated with NAT Gateway B is selected from the drop-down list.
  - Entry Name: Enter a name for the SNAT entry. The name must be 2 to 128 characters in length, and can contain digits, underscores (_), and hyphens (-). The name must start with a letter.
- Go back to the Internet NAT Gateway page, find NAT Gateway B and click Configure DNAT in the Actions column.
- On the DNAT Management tab, click Create DNAT Entry.
- On the Create DNAT Entry page, set the following parameters and click Confirm.
  Parameters of the DNAT entry:
  - Select Public IP Address: Select an EIP that is used to provide Internet-facing services. In this example, the EIP associated with NAT Gateway B is selected.
  - Select Private IP Address: Select the ECS instance that uses the DNAT entry to provide Internet-facing services. In this example, Select by ECS or ENI is selected and ECS1 is selected from the drop-down list.
  - Port Settings: Select a DNAT mapping method. In this example, Specific Port is selected. Public Port is set to 22, Private Port is set to 22, and Protocol Type is set to TCP.
  - Entry Name: Enter a name for the DNAT entry. The name must be 2 to 128 characters in length, and can contain digits, underscores (_), and hyphens (-). The name must start with a letter.
Step 4: Modify the custom route in the system route table
After you create the first Internet NAT gateway in a VPC, a route is automatically added to the route table of the VPC. The destination CIDR block of the route is 0.0.0.0/0 and the next hop is the Internet NAT gateway. This ensures that network traffic is routed to the Internet NAT gateway. After you create NAT Gateway B, the system does not add a route whose destination CIDR block is 0.0.0.0/0 and whose next hop is NAT Gateway B to the system route table. Therefore, network traffic cannot be routed to NAT Gateway B. You must modify the route whose destination CIDR block is 0.0.0.0/0 by specifying NAT Gateway B as the next hop. This way, network traffic is routed to NAT Gateway B instead of NAT Gateway A.
- Log on to the VPC console.
- In the left-side navigation pane, click Route Tables.
- In the top navigation bar, select the region to which the route table belongs.
- On the Route Tables page, find the route table of VPC1 and click its ID.
- Choose , find the custom route whose destination CIDR block is 0.0.0.0/0 and whose next hop is NAT Gateway A, and then click Delete in the Actions column.
- In the Delete Route Entry message, click OK.
- Click Add Route Entry. In the Add Route Entry panel, set the following parameters and click OK.
  Parameters of the route entry:
  - Name: Enter a name for the route entry. The name must be 2 to 128 characters in length, and can contain digits, underscores (_), and hyphens (-). The name must start with a letter.
  - Destination CIDR Block: Enter the destination CIDR block. In this example, IPv4 CIDR Block is selected and 0.0.0.0/0 is entered.
  - Next Hop Type: Select the next hop type. In this example, NAT Gateway is selected.
  - NAT Gateway: Select a NAT gateway as the next hop. In this example, NAT Gateway B is selected.
Note: After the route is created, existing connections can resume only after your workloads are reconnected. We recommend that you create the route during off-peak hours.
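The route change in Step 4 is the part of this procedure most worth verifying, because between deleting the old 0.0.0.0/0 route and adding the new one the VPC has no egress path, and a route that still points at NAT Gateway A leaves traffic on the old EIP. The following check is an added example and not code from the Alibaba Cloud documentation; it assumes route entries shaped like the RouteEntrys.RouteEntry items of the VPC DescribeRouteEntryList API (field names are an assumption), and the gateway IDs are placeholders.

```python
"""Check which NAT gateway the 0.0.0.0/0 route of a VPC route table points to.

Added example, not code from the Alibaba Cloud documentation. The entries are
constructed sample data modelled on the RouteEntrys.RouteEntry items returned by
the VPC DescribeRouteEntryList API (an assumption about the field names); the
gateway IDs are placeholders, not real resource IDs.
"""
DEFAULT_ROUTE = "0.0.0.0/0"
NAT_GATEWAY_A = "ngw-placeholder-a"  # placeholder ID for NAT Gateway A (VSW1)
NAT_GATEWAY_B = "ngw-placeholder-b"  # placeholder ID for NAT Gateway B (VSW2)


def nat_route(destination, nat_id):
    """Build one custom route entry whose next hop is a NAT gateway."""
    return {"DestinationCidrBlock": destination, "Type": "Custom",
            "NextHops": {"NextHop": [{"NextHopType": "NatGateway",
                                      "NextHopId": nat_id}]}}


# Constructed: the VPC's system route plus the default route before and after Step 4.
LOCAL_ROUTE = {"DestinationCidrBlock": "192.168.0.0/16", "Type": "System",
               "NextHops": {"NextHop": [{"NextHopType": "local", "NextHopId": ""}]}}
ROUTES_BEFORE_SWITCH = [LOCAL_ROUTE, nat_route(DEFAULT_ROUTE, NAT_GATEWAY_A)]
ROUTES_AFTER_SWITCH = [LOCAL_ROUTE, nat_route(DEFAULT_ROUTE, NAT_GATEWAY_B)]


def check_default_route(entries, expected_nat_id):
    """Return findings; an empty list means Internet traffic egresses via expected_nat_id."""
    routes = [e for e in entries if e["DestinationCidrBlock"] == DEFAULT_ROUTE]
    if not routes:
        # The state between deleting the old route and adding the new one in Step 4.
        return [f"no {DEFAULT_ROUTE} route: the VPC currently has no Internet egress path"]
    findings = []
    if len(routes) > 1:
        findings.append(f"{len(routes)} routes for {DEFAULT_ROUTE}; exactly one is expected")
    for route in routes:
        for hop in route["NextHops"]["NextHop"]:
            if hop["NextHopType"] != "NatGateway":
                findings.append(f"next hop type is {hop['NextHopType']}, expected NatGateway")
            elif hop["NextHopId"] != expected_nat_id:
                findings.append(f"next hop is {hop['NextHopId']}, expected {expected_nat_id}")
    return findings


if __name__ == "__main__":
    for label, entries in (("before", ROUTES_BEFORE_SWITCH), ("after", ROUTES_AFTER_SWITCH)):
        problems = check_default_route(entries, NAT_GATEWAY_B)
        print(f"{label} switch: {'OK' if not problems else '; '.join(problems)}")
```

Run it against the real listing by replacing the constructed entries with the RouteEntry items returned for the route table of VPC1 and the placeholder ID with the ID of NAT Gateway B.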
Step 5: Test network connectivity
Check whether network traffic is switched from NAT Gateway A to NAT Gateway B. In this example, network traffic is switched to an Internet NAT gateway that belongs to a different vSwitch and uses a different private IP address. If you want to switch to an Internet NAT gateway that uses a different private IP address in the same vSwitch, you can also refer to the procedure in this topic.
Log on to ECS1 in VSW1.
Run the ping command to test the network connectivity.
Run the curl myip.ipip.net command to query the public IP address that ECS1 uses to access the Internet. The query result shows that the public IP address ECS1 uses to access the Internet is the same as the EIP configured in the SNAT entry of NAT Gateway B. This indicates that ECS1 accesses the Internet by using the SNAT feature of NAT Gateway B.
Log on to an on-premises Linux machine.
Run the ssh root@<public IP address> command, where the public IP address is the EIP configured in the DNAT entry of NAT Gateway B. Then, enter the password of ECS1 and check whether you can connect to ECS1. If Welcome to Alibaba Cloud Elastic Compute Service! is returned, ECS1 can use the DNAT feature of NAT Gateway B to provide services over the Internet.