
Alibaba Cloud NAT Gateway: SNAT and DNAT Architecture

This article explains how Alibaba Cloud NAT Gateway uses SNAT and DNAT to mediate traffic between private VPC workloads and the public internet, and the decisions that shape a sound deployment.

VPC workloads run on private addresses and cannot be reached from the internet by default. Most deployments need controlled bidirectional reachability: outbound for package fetches, API calls, and telemetry; inbound for selected services. The NAT Gateway is the managed translation tier that handles both; its SNAT and DNAT rule sets are configured independently on the same gateway.

Figure 1: Alibaba Cloud NAT Gateway architecture

How NAT Gateway Sits in the VPC

A NAT Gateway is provisioned within a VPC and bound to a vSwitch. It is fully managed. There is no underlying instance to size or patch. Capacity is governed by two parameters. First, the specification tier (Small, Medium, Large, Super Large) sets connection and throughput limits. Second, the bandwidth is allocated to its bound Elastic IPs. Size specifications to match peak concurrent connections, not bandwidth. Connection-heavy microservice fleets often reach the connection ceiling before hitting bandwidth limits.

Outbound traffic reaches the gateway via a default route (0.0.0.0/0) in the subnet route tables. Inbound traffic needs no route change. DNAT entries match directly on the destination IP.

SNAT: Outbound Translation

SNAT rewrites the source address of outbound packets, replacing the workload's private IP with a public EIP bound to the gateway. Entries can be scoped three ways: VPC-wide, vSwitch-scoped, or instance-scoped. The most specific match wins, so a VPC-wide entry can cover general egress while instance-scoped entries pin specific workloads to dedicated EIPs when downstream systems require deterministic source IPs.

The main operational risk is port exhaustion. Each translation consumes a source port on the assigned EIP, and workloads opening many concurrent connections to a small set of remote endpoints can exhaust that port space and trigger connection failures. The mitigation is to bind multiple EIPs to the SNAT entry through an EIP Address Pool, distributing translations across the combined port space.
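The two behaviours described above, most-specific-match resolution across SNAT scopes and source-port exhaustion against one EIP versus an EIP Address Pool, are modelled below. This is an added example, not code from the article or from Alibaba Cloud: the entry and port-table classes, the 1024-65535 port range per EIP, and the constructed EIPs and CIDRs are assumptions made for illustration, and the real gateway's allocator is not documented here.

```python
"""SNAT scope resolution and source-port accounting (added example)."""
import ipaddress
from dataclasses import dataclass

# Assumption: the translator can hand out ports 1024-65535 on each EIP,
# i.e. 64512 source ports per (EIP, destination endpoint) pair. A NAT 5-tuple
# must be unique, so the same EIP port can be reused towards a different
# destination; that is why a small set of remote endpoints exhausts first.
PORT_LOW, PORT_HIGH = 1024, 65535
PORTS_PER_EIP = PORT_HIGH - PORT_LOW + 1

# Higher rank wins: instance-scoped beats vSwitch-scoped beats VPC-wide.
SCOPE_RANK = {"instance": 3, "vswitch": 2, "vpc": 1}


@dataclass(frozen=True)
class SnatEntry:
    scope: str         # "vpc", "vswitch" or "instance"
    source_cidr: str   # address range the entry covers (/32 for an instance)
    eips: tuple        # one EIP, or several when backed by an EIP Address Pool

    def covers(self, src_ip: str) -> bool:
        return ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.source_cidr)


def resolve_snat(entries, src_ip):
    """Return the most specific SNAT entry covering src_ip, or None."""
    candidates = [e for e in entries if e.covers(src_ip)]
    if not candidates:
        return None
    return max(candidates, key=lambda e: SCOPE_RANK[e.scope])


class PortTable:
    """Counts source ports in use per (destination endpoint, EIP)."""

    def __init__(self):
        self._counts = {}  # (dst_ip, dst_port) -> {eip: ports_in_use}

    def allocate(self, entry, dst):
        """Pick the first EIP in the entry that still has a free port."""
        per_eip = self._counts.setdefault(dst, {})
        for eip in entry.eips:
            used = per_eip.get(eip, 0)
            if used < PORTS_PER_EIP:
                per_eip[eip] = used + 1
                return eip, PORT_LOW + used
        raise RuntimeError(f"source ports exhausted towards {dst}")


def max_flows(entry):
    """Concurrent flows one destination endpoint can absorb via this entry."""
    return len(entry.eips) * PORTS_PER_EIP


def simulate(entry, dst, flows):
    """Open `flows` concurrent connections to `dst`; return how many succeed."""
    table = PortTable()
    opened = 0
    for _ in range(flows):
        try:
            table.allocate(entry, dst)
        except RuntimeError:
            break
        opened += 1
    return opened


if __name__ == "__main__":
    # Constructed sample data: documentation ranges only.
    entries = [
        SnatEntry("vpc", "10.0.0.0/16", ("198.51.100.1",)),
        SnatEntry("instance", "10.0.1.5/32", ("198.51.100.9",)),
    ]
    print("10.0.1.5 egresses via", resolve_snat(entries, "10.0.1.5").eips)
    print("10.0.2.7 egresses via", resolve_snat(entries, "10.0.2.7").eips)

    single = SnatEntry("vpc", "10.0.0.0/16", ("198.51.100.1",))
    pool = SnatEntry("vpc", "10.0.0.0/16", ("198.51.100.1", "198.51.100.2"))
    api = ("203.0.113.10", 443)
    print("single EIP:", simulate(single, api, 70000), "of 70000 flows opened")
    print("EIP pool  :", simulate(pool, api, 70000), "of 70000 flows opened")
```

Running the sample shows the instance-scoped entry taking precedence for 10.0.1.5 while everything else falls through to the VPC-wide entry, and 70,000 concurrent flows to one API endpoint failing after 64,512 on a single EIP but all succeeding once a two-EIP pool doubles the port space.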

DNAT: Inbound Translation

DNAT rewrites the destination of inbound packets, mapping a public IP and port to a private IP and port inside the VPC. Two forms exist: port-mapped entries forward a specific public port to a specific backend, while IP-mapped entries forward all ports on an EIP to a single instance. Port-mapped is the appropriate default; IP-mapped should be reserved for workloads that genuinely need all-port exposure, since it removes a layer of access scoping at the gateway.

DNAT is not a load balancer. It performs stateless destination rewriting and forwards each entry to a single backend. For multi-instance distribution, TLS termination, or health-aware routing, Server Load Balancer is the correct service. DNAT is the right tool when the actual requirement is one-to-one public exposure of a specific backend port: bastion access, or stateful services that cannot tolerate load-balancer session handling.

When SNAT and DNAT Share an EIP

A single EIP can serve both SNAT outbound translation and DNAT inbound mapping, which is useful when a service needs a consistent public identity in both directions. The trade-off is contention: the EIP's bandwidth budget must absorb both directions, and outbound traffic competes for the same source-port space. Heavy outbound API consumption is best separated into a distinct EIP; lightweight bidirectional services can share without issue.

Elastic IP and Bandwidth

EIPs are billed either by fixed bandwidth or by data transfer. For NAT Gateway, Internet Shared Bandwidth aggregates capacity across multiple EIPs, smoothing bursty or unevenly distributed traffic so that idle capacity on one EIP absorbs spikes on another. A single EIP is both a per-flow throughput ceiling and a single point of failure for any DNAT entry bound to it. High-availability inbound services should bind multiple EIPs with DNS-level distribution across them. NAT Gateway itself is a redundant managed service within a region; workloads with strict zone-level isolation requirements should plan for cross-region deployment with independent gateways.

Sizing, Security, and Cost

Three factors determine whether a deployment holds up under production load. The specification tier should be driven by peak concurrent connections and new connections per second, monitored through CloudMonitor; sustained utilisation above 70% signals the need to scale up. Every DNAT entry creates a directly addressable path from the internet to a private instance, so network ACLs and security groups should restrict inbound source ranges explicitly rather than relying on the DNAT mapping for scoping. ActionTrail should log all rule changes. Outbound data transfer is the dominant variable cost in most deployments. CloudMonitor alerts at 80% of allocated bandwidth provide a warning before saturation; prepaid bandwidth packages are more economical for steady volumes, while pay-as-you-go suits bursty workloads.
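The port-mapped versus IP-mapped distinction from the DNAT section and the rule above that security groups, not the DNAT mapping, should scope inbound sources can be checked together with a small audit. This is an added example, not code from the article or from Alibaba Cloud: the entry and rule classes, the "Any" markers for IP-mapped entries, the ordering that tries port-mapped entries before IP-mapped ones, and all addresses are constructed assumptions for illustration, not the gateway's documented matching behaviour.

```python
"""DNAT entry matching and inbound-exposure audit (added example)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ForwardEntry:
    external_ip: str
    external_port: str      # "22", "443", ... or "Any" for an IP-mapped entry
    internal_ip: str
    internal_port: str      # "Any" for an IP-mapped entry
    protocol: str = "TCP"   # "TCP", "UDP" or "Any"

    @property
    def ip_mapped(self) -> bool:
        # Assumption for this model: "Any" as the external port marks an
        # IP-mapped entry that forwards every port on the EIP to one instance.
        return self.external_port == "Any"


@dataclass(frozen=True)
class SgRule:
    """Inbound security-group rule: allow protocol/port range from source CIDR."""
    protocol: str
    port_range: tuple   # (low, high), inclusive
    source_cidr: str


def match_dnat(entries, dst_ip, dst_port, proto):
    """Translate an inbound (dst_ip, dst_port) to (internal_ip, internal_port).

    Port-mapped entries are consulted before IP-mapped ones because they are
    the narrower rule (an assumption of this model). Returns None if nothing
    matches, i.e. the packet is dropped at the gateway.
    """
    for e in sorted(entries, key=lambda e: e.ip_mapped):
        if e.external_ip != dst_ip or e.protocol not in ("Any", proto):
            continue
        if e.ip_mapped:
            return e.internal_ip, dst_port        # all ports pass through unchanged
        if int(e.external_port) == dst_port:
            return e.internal_ip, int(e.internal_port)
    return None


def _rule_covers(rule, proto, port):
    low, high = rule.port_range
    return rule.protocol in ("Any", proto) and low <= port <= high


def audit_exposure(entries, sg_rules):
    """List (entry, reason) for DNAT paths whose scoping rests on the mapping alone.

    A port-mapped entry is flagged when a security-group rule admits its backend
    port from 0.0.0.0/0; an IP-mapped entry is flagged unconditionally, since it
    removes port-level scoping at the gateway.
    """
    findings = []
    for e in entries:
        if e.ip_mapped:
            findings.append((e, "ip-mapped: every port on the EIP reaches the instance"))
            continue
        port = int(e.internal_port)
        world_open = [
            r for r in sg_rules
            if _rule_covers(r, e.protocol, port)
            and ipaddress.ip_network(r.source_cidr).prefixlen == 0
        ]
        if world_open:
            findings.append((e, f"backend port {port} admitted from {world_open[0].source_cidr}"))
    return findings


if __name__ == "__main__":
    # Constructed sample data: documentation ranges only.
    entries = [
        ForwardEntry("198.51.100.5", "22", "10.0.1.10", "22"),         # bastion
        ForwardEntry("198.51.100.5", "443", "10.0.1.20", "8443"),      # web backend
        ForwardEntry("198.51.100.6", "Any", "10.0.1.30", "Any", "Any"),  # IP-mapped
    ]
    rules = [
        SgRule("TCP", (22, 22), "0.0.0.0/0"),            # bastion open to the world
        SgRule("TCP", (8443, 8443), "203.0.113.0/24"),   # web backend scoped to one range
    ]
    print(match_dnat(entries, "198.51.100.5", 443, "TCP"))
    for entry, reason in audit_exposure(entries, rules):
        print(f"{entry.external_ip}:{entry.external_port} -> {entry.internal_ip}: {reason}")
```

On the sample data the audit flags the bastion entry, whose security group admits port 22 from any source, and the IP-mapped entry, while the web backend passes because its 8443 rule is restricted to an explicit source range; the same check can be run over entries and rules exported from the real tables.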

Closing Thoughts

NAT Gateway preserves VPC address isolation while enabling controlled internet reachability. SNAT and DNAT are configured independently and scale through EIP and bandwidth aggregation, not gateway replication. Deployment quality depends on the granularity of SNAT entries, the scope of DNAT exposure, the distribution of traffic across EIPs, and the match between specification tier and measured connection patterns.

For workloads that need request-level distribution, Server Load Balancer should sit in front of or replace DNAT. For outbound calls to other Alibaba Cloud services, VPC Endpoints bypass the NAT Gateway entirely and reduce both latency and translation cost. For multi-VPC architectures, Cloud Enterprise Network with a shared NAT Gateway in a transit VPC centralises egress policy and scales independently of the VPC fleet.


Disclaimer: The views expressed herein are for reference only and don't necessarily represent the official views of Alibaba Cloud.


PM - C2C_Yuan
