All Products
Search
Document Center

NAT Gateway:Configure ECS instances that have DNAT IP mapping enabled to use the same EIP to access the Internet

更新時間:Nov 29, 2024

This topic describes how to configure Elastic Compute Service (ECS) instances that have DNAT IP mapping enabled to use the same elastic IP address (EIP) to access the Internet.

Prerequisites

SNAT is enabled for the virtual private cloud (VPC) where the ECS instances are deployed. For more information, see Create and manage SNAT entries.

Background information

NAT gateways support the SNAT feature. SNAT enables ECS instances in a VPC to access the Internet when the ECS instances are not assigned public IP addresses. If DNAT IP mapping is configured for ECS instances in a VPC, the ECS instances preferentially use the EIPs in the DNAT entries to access the Internet. ECS instances that are not configured with DNAT IP mapping access the Internet through the SNAT service provided by the NAT gateway. Consequently, the ECS instances in the VPC use different IP addresses to access the Internet, which complicates management operations.

image

You can configure ECS instances in the VPC to use the same EIP to access the Internet by associating elastic network interfaces (ENIs) with the ECS instances.

As shown in the following figure, you can assign a separate ENI to the ECS instance, remove the DNAT IP mapping entry from the NAT gateway, create a DNAT entry, and establish a mapping between a public IP address on the NAT gateway and the ENI. This way, traffic goes through the NAT gateway when the ECS instance communicates with the Internet.

image

Step 1: Create an ENI

  1. Log on to the ECS console.

  2. In the left-side navigation pane, choose Network & Security > Elastic Network Interfaces.

  3. Select the region where you want to create the ENI.

    Note

    The ENI and the ECS instance must belong to the same region.

  4. On the Elastic Network Interfaces page, click Create ENI.

  5. In the Create ENI dialog box, set the following parameters and click OK:

    This topic lists only the key parameters. For more information, see Create a secondary ENI.

    Parameter

    Description

    ENI Name

    Enter a name for the ENI.

    VPC

    Select the VPC to which the ECS instance belongs.

    vSwitch

    Select a vSwitch in the zone of the ECS instance.

    Security Group

    Select a security group.

    Primary Private IP Address (Optional)

    Enter the primary private IPv4 address of the ENI. The IPv4 address must be an idle IP address within the CIDR block of the vSwitch. If you do not specify an IPv4 address, an idle private IPv4 address is automatically assigned to the ENI after the ENI is created. In this example, the primary private IP address is not specified.

    Secondary Private IPv4 Address (Optional)

    Select an option. In this example, Not Assign is selected.

Step 2: Associate the ENI with the ECS instance

  1. Log on to the ECS console.

  2. In the left-side navigation pane, choose Network & Security > ENIs.

  3. In the upper-left corner, select the region where the secondary ENI is deployed.

  4. On the Network Interfaces page, find the ENI that you want to manage and click Bind to Instance in the Actions column.

  5. In the dialog box that appears, select the ECS instance with which you want to associate the ENI and click OK.

Step 3: Delete the DNAT IP mapping entry

  1. Log on to the NAT Gateway console.

  2. Select the region where the NAT gateway is deployed.

  3. On the NAT Gateway page, find the NAT gateway that you want to manage and click Configure DNAT in the Configure DNAT column.

  4. On the DNAT Management tab, find the DNAT entry that you want to delete and click Delete in the Actions column.

  5. In the message that appears, click OK.

Step 4: Create a DNAT entry

To create a DNAT entry that maps a public IP address on the NAT gateway to the ENI of the ECS instance, perform the following operations:

  1. Log on to the NAT Gateway console.

  2. On the NAT Gateway page, find the NAT gateway that you want to manage and click Actions in the Configure DNAT column.

  3. On the DNAT Management tab, click Create DNAT Entry.

  4. On the Create DNAT Entry page, set the following parameters and click OK.

    Parameter

    Description

    Select EIP

    Select an EIP.

    Select Private IP Address

    Specify the IP address of the ECS instance that uses the DNAT entry to communicate with the Internet. In this example, Select by ECS or ENI is selected.

    Port Settings

    Select a DNAT mapping method. In this example, Any Port is selected.

    Entry Name

    Enter a name for the DNAT entry.

Step 5: Test the network connectivity

Perform the following operations to check whether the ECS instance can use the EIP that is associated with the ENI to receive requests from the Internet. In this example, an on-premises Linux machine is used to remotely connect to the ECS instance.

Note

To remotely connect to the ECS instance, make sure that the security group rules of the ECS instance allow network traffic on SSH port 22. For more information, see Add security group rules.

  1. Log on to an on-premises Linux machine.

  2. Run the ssh <your username>@public IP command and enter the password of the ECS instance to check whether you can remotely connect to the ECS instance. If the following message appears, the ECS instance is connected.

    Welcome to Alibaba Cloud Elastic Compute Service!

    实例1

Perform the following operations to check whether the ECS instance can access the Internet through the SNAT. The following example shows how to view the IP address used by the ECS instance to access the Internet.

  1. Log on to the ECS instance.

  2. Run the curl https://myip.ipip.net command to check the EIP that the ECS instance uses to access the Internet. If the NAT IP address is the same as the one in the SNAT entry that is created for the ECS instance, it indicates that the ECS instance preferably uses the SNAT service to access the Internet.实例2