Creates an enhanced Internet NAT gateway or a Virtual Private Cloud (VPC) NAT gateway.

Usage notes

Before you call this operation, take note of the following items:

  • When you create an enhanced NAT gateway for the first time, the system automatically creates the service-linked role AliyunServiceRoleForNatgw. Then, the system attaches the permission policy AliyunServiceRolePolicyForNatgw to the role. This allows the NAT gateway to access other resources on Alibaba Cloud. For more information, see Service-linked roles.
  • After you create an enhanced Internet NAT gateway, a route entry is automatically added to the route table of the VPC. The destination CIDR block of the route entry is 0.0.0.0/0 and the next hop is the NAT gateway. This ensures that traffic is routed to the NAT gateway.
  • CreateNatGateway is an asynchronous operation. After a request is sent, the system returns a request ID and runs the task in the background. You can call the DescribeNatGateways operation to query the status of the task.
    • If a NAT gateway is in the Creating state, the NAT gateway is being created. In this case, you can query the NAT gateway but cannot perform other operations.

    • If a NAT gateway is in the Available state, the NAT gateway is created.

      It takes 1 to 3 minutes to create a NAT gateway.

  • You cannot repeatedly call the CreateNatGateway operation within a specific period of time.

Debugging

OpenAPI Explorer automatically calculates the signature value. For your convenience, we recommend that you call this operation in OpenAPI Explorer. OpenAPI Explorer dynamically generates the sample code of the operation for different SDKs.

Request parameters

Parameter Type Required Example Description
Action String Yes CreateNatGateway

The operation that you want to perform. Set the value to CreateNatGateway.

RegionId String Yes cn-hangzhou

The ID of the region where you want to create the NAT gateway.

You can call the DescribeRegions operation to query the most recent region list.

VpcId String Yes vpc-bp1di7uewzmtvfuq8****

The ID of the VPC where you want to create the NAT gateway.

Name String No fortest

The name of the NAT gateway.

The name must be 2 to 128 characters in length and can contain letters, digits, underscores (_), and hyphens (-). The name must start with a letter.

If this parameter is not set, the system assigns a default name to the NAT gateway.

Description String No testnat

The description of the NAT gateway.

You can leave this parameter empty or enter a description. If you enter a description, the description must be 2 to 256 characters in length and cannot start with http:// or https://.

ClientToken String No 5A2CFF0E-5718-45B5-9D4D-70B3FF3898

The client token that is used to ensure the idempotence of the request.

You can use the client to generate the token, but you must make sure that the token is unique among different requests.

Note If you do not specify this parameter, the system automatically uses the client token as the request ID. The request ID may be different for each request.
Spec String No Invalid parameter.

Subscription Internet NAT gateways are no longer available for purchase. Ignore this parameter.

InstanceChargeType String No PostPaid

The billing method of the NAT gateway.

Set the value to PostPaid (pay-as-you-go), which is the default value.

For more information, see Internet NAT gateway billing and VPC NAT gateway billing.

PricingCycle String No Invalid parameter.

Subscription Internet NAT gateways are no longer available for purchase. Ignore this parameter.

Duration String No Invalid parameter.

Subscription Internet NAT gateways are no longer available for purchase. Ignore this parameter.

AutoPay Boolean No Invalid parameter.

Subscription Internet NAT gateways are no longer available for purchase. Ignore this parameter.

VSwitchId String Yes vsw-bp1e3se98n9fq8hle****

The ID of the vSwitch to which the NAT gateway is attached.

When you create a NAT gateway, you must specify a vSwitch for the NAT gateway. Then, the system assigns an idle private IP address from the vSwitch to the NAT gateway.

  • To attach the NAT gateway to an existing vSwitch, make sure that the zone to which the vSwitch belongs supports NAT gateways. In addition, the vSwitch must have idle IP addresses.
  • If no vSwitch exists in the VPC, create a vSwitch in a zone that supports NAT gateways. Then, specify the vSwitch for the NAT gateway.
Note You can query the zones that support NAT gateways by calling the ListEnhanhcedNatGatewayAvailableZones operation. You can query the number of available IP addresses in a vSwitch by calling the DescribeVSwitches operation.
NatType String Yes Enhanced

The type of NAT gateway. Set the value to Enhanced (enhanced NAT gateway).

InternetChargeType String No PayByLcu

The metering method of the NAT gateway. Set the value to PayByLcu, which specifies the pay-by-CU metering method.

NetworkType String No internet

The network type of the NAT gateway. Valid values:

  • internet: Internet
  • intranet: VPC
SecurityProtectionEnabled Boolean No false

Specifies whether to enable the firewall feature. Valid values:

  • false (default)
  • true
IcmpReplyEnabled Boolean No true

Specifies whether to enable ICMP retrieval. Valid values:

  • true (default)
  • false
EipBindMode String No MULTI_BINDED

The mode in which the EIP is associated with the NAT gateway. Valid values:

  • MULTI_BINDED (default): Multi-EIP-to-ENI mode.
  • NAT: NAT mode. IPv4 gateways are supported.
    Note If the EIP is associated with the NAT gateway in NAT mode, the EIP occupies a private IP address of the vSwitch to which the NAT gateway belongs. Make sure that the vSwitch has sufficient private IP addresses. Otherwise, the EIP cannot be associated with the NAT gateway. In NAT mode, you can associate a NAT gateway with at most 50 EIPs.
Tag.N.Key String No TestKey

The tag key. The format of Tag.N.Key when you call the operation. Valid values of N: 1 to 20. It cannot be an empty string. It can be up to 128 characters in length and cannot start with acs: or aliyun. It cannot contain http:// or https://.

Tag.N.Value String No TestValue

The tag value. The format of Tag.N.Value when you call the operation. Valid values of N: 1 to 20. It cannot be an empty string. It can be up to 128 characters in length and cannot start with acs: or aliyun. It cannot contain http:// or https://.

Response parameters

Parameter Type Example Description
NatGatewayId String ngw-112za33e4****

The ID of the NAT gateway.

RequestId String 2315DEB7-5E92-423A-91F7-4C1EC9AD97C3

The request ID.

ForwardTableIds Array of String ftb-11tc6xgmv****

The list of DNAT entries.

SnatTableIds Array of String stb-SnatTableIds****

The list of SNAT entries.

FullNatTableIds Array of String fulltb-gw88z7hhlv43rmb26****

The list of FULLNAT entries.

Examples

Sample requests

http(s)://[Endpoint]/?Action=CreateNatGateway
&RegionId=cn-hangzhou
&VpcId=vpc-bp1di7uewzmtvfuq8****
&Name=fortest
&Description=testnat
&ClientToken=5A2CFF0E-5718-45B5-9D4D-70B3FF3898
&Spec=Invalid parameter
&InstanceChargeType=PostPaid
&PricingCycle=Invalid parameter
&Duration=Invalid parameter
&AutoPay=false
&VSwitchId=vsw-bp1e3se98n9fq8hle****
&NatType=Enhanced
&InternetChargeType=PayByLcu
&NetworkType=internet
&SecurityProtectionEnabled=false
&IcmpReplyEnabled=true
&EipBindMode=MULTI_BINDED
&Tag=[{"Key":"TestKey","Value":"TestValue"}]
&Common request parameters

Sample success responses

XML format

HTTP/1.1 200 OK
Content-Type:application/xml

<CreateNatGatewayResponse>
    <NatGatewayId>ngw-112za33e4****</NatGatewayId>
    <RequestId>2315DEB7-5E92-423A-91F7-4C1EC9AD97C3</RequestId>
    <ForwardTableIds>ftb-11tc6xgmv****</ForwardTableIds>
    <SnatTableIds>stb-SnatTableIds****</SnatTableIds>
    <FullNatTableIds>fulltb-gw88z7hhlv43rmb26****</FullNatTableIds>
</CreateNatGatewayResponse>

JSON format

HTTP/1.1 200 OK
Content-Type:application/json

{
  "NatGatewayId" : "ngw-112za33e4****",
  "RequestId" : "2315DEB7-5E92-423A-91F7-4C1EC9AD97C3",
  "ForwardTableIds" : [ "ftb-11tc6xgmv****" ],
  "SnatTableIds" : [ "stb-SnatTableIds****" ],
  "FullNatTableIds" : [ "fulltb-gw88z7hhlv43rmb26****" ]
}

Error codes

HttpCode Error code Error message Description
400 Forbidden.NatPayBySpec Pay-by-specification NAT is no longer supported. Newly purchased pay-as-you-go NAT gateways only support the pay-by-CU metering method. Pay-by-specification NAT gateways are no longer available for purchase. Set the InternetChargeType parameter to PayByLcu.
400 InvalidVPCStatus vpc incorrect status. The operation is not supported when the VPC is in the current state. Check whether the state of the VPC is valid.
400 InvalidNatGatewayName.MalFormed NatGateway name is not valid. The specified name of the NAT gateway is invalid.
400 InvalidNatGatewayDescription.MalFormed NatGateway description is not valid. The gateway description is invalid.
400 MissingParameter.BandwidthPackage only support one BandwidthPackage be created with NatGateway. No EIP bandwidth plan is specified. You must specify an EIP bandwidth plan.
400 MissingParameter Miss mandatory parameter. One or more required parameters are not set. Check whether you have set all required parameters before you call this operation.
400 QuotaExceeded.BandwidthPackageIps The specified ipCount exceeded quota. The number of IP addresses has reached the upper limit. Request a quota increase on the Quota Management page.
400 InvalidParameter.Name.Malformed The specified Name is not valid. The specified name format is invalid. Enter the name in the valid format.
400 InvalidParameter.Description.Malformed The specified Description is not valid. The specified description is invalid.
400 ZONE_NO_AVAILABLE_IP The Zone have no available ip. No IP address is available in the zone.
400 InvalidParameter.BandwidthPackage.n.ISP.ValueNotSupport The specified ISP of BandwidthPackage is not valid. The specified Internet service provider (ISP) of the EIP bandwidth plan is invalid.
400 InvalidNatGatewayId.NotFound The NatGatewayId not exist. The specified NAT gateway ID does not exist. Check whether the value of the NatGatewayId parameter is valid.
400 VswitchStatusError The VSwitch is creating . The operation is not supported when the vSwitch is being created.
400 VpcStatusError The Vpc is creating . The operation is not supported when the VPC is being created.
400 InvalidParameter.Spec.ValueNotSupported The specified Spec is not valid. The specified size is invalid.
400 TaskConflict The operation is too frequent, TaskConflict. The system is busy. Try again later.
400 Forbidden.CheckEntryRuleQuota Route entry quota rule check error. An error occurred when the system was checking the quota of route entries.
400 OperationFailed.UnpaidBillsExist The account has unpaid bills. Please pay your overdue bill first. The account has unpaid orders.
400 OperationFailed.RiskControl Risk control check failed. Security risks are detected in your payment method. Click the link in the email that is sent to you or in the ApsaraDB RDS console to continue with the verification. After you complete the verification, submit the order again.
400 OperationFailed.EnhancedQuotaExceed Enhanced nat gateway per vpc quota is exceeded The number of enhanced NAT gateways in the specified VPC has reached the upper limit.
400 OperationFailed.VswNotBelongToVpc Operation failed because the specified VSwitch is not bound to the same VPC with NAT gateway. The vSwitch and NAT gateway do not belong to the same VPC.
400 OperationFailed.EnhancedUserIsUnAuthorized Operation failed because the user is not authorized to create an enhanced NAT gateway. You do not have the permissions to create enhanced NAT gateways.
400 OperationUnsupported.PrePaidPyByLcu The operation failed because the subscription NAT gateway does not support the pay-by-LCU billing method. Subscription NAT gateways do not support the pay-by-LCU metering method.
400 OperationFailed.NormalInventoryNotEnough Standard NAT gateways are no longer offered. You can create enhanced NAT gateways and set the correct natType. You can no longer create standard NAT gateways. Set the NatType parameter to Enhanced.
400 UnsupportedFeature.IcmpReplyEnabled The feature of IcmpReplyEnabled is not supported. The value of the IcmpReplyEnabled parameter cannot be modified.
400 ExclusiveParam.%sAnd%s The param of %s and %s are mutually exclusive. You cannot set %s and %s at the same time.
400 SecurityGroupType.NotSupported The specified security group type is not supported. The security group is already hosted and cannot be used.
400 SecurityGroup.NotExist The specified security group is not exist. The security group does not exist in this VPC.
404 InvalidRegionId.NotFound The specified RegionId does not exist in our records. The specified region ID does not exist.
404 InvalidVpcId.NotFound Specified value of VpcId is not found in our record. The specified VPC does not exist. Check whether the specified VPC ID is valid.
404 InvalidZoneId.NotFound Specified value of ZoneId is not exists. The specified zone does not exist.
404 InvalidZoneId.NotFound Can not find ZoneId for allocated ip. The zone of the specified IP address is invalid.
404 UnsupportedZoneForFwNat The zone is unsupported for FW NAT. The specified zone does not support enhanced NAT gateways that have firewalls enabled.

For a list of error codes, see Service error codes.