
SNAT vs. DNAT and Some Tips for the ACP/ACE Cloud Computing Exam

This article explains how to make ECS connect to the Internet with SNAT/DNAT.

By Vincent Siu, Alibaba Cloud Certified Expert – Cloud Computing

ECS is the fundamental compute unit in Alibaba Cloud. Depending on your design, you may only need private connectivity inside a VPC, in which case the RFC 1918 private ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) are enough. If an ECS instance has to be public-facing, you have two options: bind an EIP directly to the instance, or put the instance behind a NAT gateway that holds the EIP.

There is no quick answer for which one to use. Each option has pros and cons. I would consider NAT first and EIP second because:

  • Never give a machine its own public address unless you have a good reason (security viewpoint). Behind a NAT gateway, an instance is reachable from the Internet only through the DNAT entries you explicitly create.
  • Assigning one EIP per ECS instance is not cost-effective (budget viewpoint). Many instances can share one EIP through SNAT.

NAT hides the private IP of your instances and lets many of them share a few EIPs. Let's get started on what to do in Alibaba Cloud.

Acronym

NAT stands for Network Address Translation. Alibaba Cloud offers two kinds of NAT gateway: the Public (Internet) NAT Gateway, for traffic between a VPC and the Internet, and the VPC NAT Gateway, for traffic between private networks. There are three types of translation: SNAT, DNAT, and PAT. This article discusses SNAT and DNAT on the Public NAT Gateway.

SNAT stands for Source Network Address Translation. (Some vendor documentation expands the S as Static.) The direction of the traffic is outbound: the gateway rewrites the private source IP of a packet to an EIP, so ECS instances can reach the Internet through the Public NAT gateway without having a public address of their own. No port needs to be configured; the gateway allocates a port on the EIP per session.

DNAT stands for Destination Network Address Translation. (Some vendor documentation expands the D as Dynamic.) The direction of the traffic is inbound: a DNAT entry maps an EIP associated with the Public NAT gateway, together with a protocol and public port, to the private IP and port of one ECS instance. This way, end users on the Internet can reach that instance, and only that instance on that port, through the Public NAT gateway.

[Figure 1] The figure illustrates the traffic direction from the VPC to the Internet (SNAT) and from the Internet to the VPC (DNAT).

Procedure

1. Create and Manage SNAT Entries

Note: Please refer to this page for details:

1.1 Log on to the NAT Gateway console.

1.2 In the top navigation bar, select the region where the NAT gateway is deployed.

1.3 On the Internet NAT Gateway page, find the NAT gateway you want to manage and click Configure SNAT in the Actions column.

1.4 On the SNAT Management tab, click Create SNAT Entry.

1.5 On the Create SNAT Entry page, choose the vSwitch or custom CIDR block whose instances should use this entry, select the EIP(s) to translate to, and click Confirm. No port is configured for an SNAT entry.

[Figure 2] The figure shows the end result after creating SNAT entries.

2. Create and Manage DNAT Entries

Note: Please refer to this page for details:

2.1 Log on to the NAT Gateway console.

2.2 In the top navigation bar, select the region where the NAT gateway is deployed.

2.3 On the Internet NAT Gateway page, find the NAT gateway you want to manage and click Configure DNAT in the Actions column.

2.4 On the DNAT Management tab, click Create DNAT Entry.

2.5 On the Create DNAT Entry page, set the public IP address (an EIP bound to the gateway), the public port, the protocol (TCP or UDP), the private IP address of the ECS instance and its private port, and click Confirm. Every DNAT entry publishes exactly one port of one instance.

[Figure 3] The figure shows the end result after creating DNAT entries.
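To make the two procedures concrete, here is a small model of what the gateway does with the entries created in steps 1 and 2. It is an added example written for this article, not Alibaba Cloud code, and every address, port and entry in it is constructed: the EIP and the Internet client use TEST-NET space, the VPC uses an RFC 1918 range. It shows why an SNAT entry needs no port (the gateway allocates one per session and tracks the session so replies come back), why a DNAT entry must name a protocol and port (the mapping is static), and the security point from the introduction: an inbound packet that matches neither a DNAT entry nor an existing session is dropped, so the instance behind the gateway is never reachable by accident.

```python
"""Toy model of a Public NAT gateway's SNAT and DNAT tables (added example)."""
import ipaddress
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str      # "TCP" or "UDP"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class PublicNatGateway:
    def __init__(self) -> None:
        # SNAT entry: (source CIDR, EIP). No port: the gateway picks one per session.
        self.snat_entries: List[Tuple[ipaddress.IPv4Network, str]] = []
        # DNAT entry: (EIP, proto, public port) -> (private IP, private port). Static.
        self.dnat_entries: Dict[Tuple[str, str, int], Tuple[str, int]] = {}
        # SNAT session state: 5-tuple -> EIP port, and the reverse map for replies.
        self._flows: Dict[Tuple[str, str, int, str, int], int] = {}
        self._sessions: Dict[Tuple[str, str, int], Tuple[str, int]] = {}
        self._next_port = 1024

    def add_snat_entry(self, source_cidr: str, eip: str) -> None:
        self.snat_entries.append((ipaddress.ip_network(source_cidr), eip))

    def add_dnat_entry(self, eip: str, proto: str, public_port: int,
                       private_ip: str, private_port: int) -> None:
        self.dnat_entries[(eip, proto.upper(), public_port)] = (private_ip, private_port)

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """VPC -> Internet. Returns the packet as seen on the Internet, or None if dropped."""
        # Replies from a DNAT-published service get EIP:public port restored as source.
        for (eip, proto, public_port), target in self.dnat_entries.items():
            if proto == pkt.proto and target == (pkt.src_ip, pkt.src_port):
                return replace(pkt, src_ip=eip, src_port=public_port)
        # Otherwise SNAT: the first entry whose CIDR contains the source applies.
        src = ipaddress.ip_address(pkt.src_ip)
        for cidr, eip in self.snat_entries:
            if src in cidr:
                flow = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
                port = self._flows.get(flow)
                if port is None:  # new session: allocate a port on the EIP
                    port, self._next_port = self._next_port, self._next_port + 1
                    self._flows[flow] = port
                    self._sessions[(eip, pkt.proto, port)] = (pkt.src_ip, pkt.src_port)
                return replace(pkt, src_ip=eip, src_port=port)
        return None  # no SNAT entry covers this instance: no Internet access

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Internet -> VPC. Returns the packet delivered to the ECS, or None if dropped."""
        key = (pkt.dst_ip, pkt.proto, pkt.dst_port)
        if key in self.dnat_entries:   # service explicitly published by a DNAT entry
            private_ip, private_port = self.dnat_entries[key]
            return replace(pkt, dst_ip=private_ip, dst_port=private_port)
        if key in self._sessions:      # reply to a connection an ECS opened via SNAT
            private_ip, private_port = self._sessions[key]
            return replace(pkt, dst_ip=private_ip, dst_port=private_port)
        return None  # unsolicited inbound traffic: the instance stays unreachable


# Constructed scenario (made-up addresses) matching procedures 1 and 2 above.
EIP = "203.0.113.10"            # EIP bound to the NAT gateway
VSWITCH_CIDR = "192.168.0.0/24"
WEB_ECS = "192.168.0.5"         # instance published on TCP 443 via DNAT
APP_ECS = "192.168.0.20"        # instance that only needs outbound access
CLIENT = "198.51.100.7"         # a host on the Internet


def build_gateway() -> PublicNatGateway:
    gw = PublicNatGateway()
    gw.add_snat_entry(VSWITCH_CIDR, EIP)               # step 1: SNAT entry
    gw.add_dnat_entry(EIP, "TCP", 443, WEB_ECS, 8443)  # step 2: DNAT entry
    return gw


def run_scenario() -> Dict[str, Optional[Packet]]:
    gw = build_gateway()
    out = gw.outbound(Packet("TCP", APP_ECS, 40000, CLIENT, 80))       # SNAT
    reply = gw.inbound(Packet("TCP", CLIENT, 80, EIP, out.src_port))   # reply
    hit = gw.inbound(Packet("TCP", CLIENT, 51000, EIP, 443))           # DNAT
    hit_reply = gw.outbound(Packet("TCP", WEB_ECS, 8443, CLIENT, 51000))
    scan = gw.inbound(Packet("TCP", CLIENT, 51001, EIP, 22))           # not published
    stray = gw.outbound(Packet("TCP", "10.0.0.9", 5000, CLIENT, 80))   # no SNAT entry
    return {"snat": out, "snat_reply": reply, "dnat": hit,
            "dnat_reply": hit_reply, "unpublished_port": scan, "no_snat_entry": stray}


if __name__ == "__main__":
    for name, pkt in run_scenario().items():
        print(f"{name:16} -> {pkt if pkt else 'DROPPED'}")
```

The model simplifies two things a real gateway does: it keys reply lookups only on the EIP, protocol and port (a real gateway also checks the remote endpoint), and sessions never time out. What it keeps is the part that matters for the exam and for security: SNAT state is created by the instance's own outbound traffic, DNAT state is created by you in the console, and nothing else lets a packet in.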

Some Tips for the ACP/ACE Cloud Computing Exam

  • Remember the direction; it could help you to find the correct answer. There are about three SNAT/DNAT questions in the exam. They are easy, but the wording could mislead you.
  • This is a helpful table:

                          SNAT            DNAT
    TCP/UDP port          Not required    Required
    Direction of traffic  Outbound        Inbound
  • Let's look at one sample question (this is a fictional question I wrote; it is not official):
  1. There is a VPC with a number of ECS instances running. The company seeks a secure environment and wants to provide a service to customers on the Internet. You are the engineer, and you need to:

A: Navigate to the VPC NAT gateway, pair up an EIP, configure SNAT, and open TCP ports

B: Navigate to the VPC NAT gateway, pair up an EIP, configure DNAT, and open TCP ports

C: Navigate to the Internet NAT gateway, pair up an EIP, configure SNAT, and open TCP ports

D: Navigate to the Internet NAT gateway, pair up an EIP, configure DNAT, and open TCP ports

E: Assign an EIP to the ECS

What do you think? Here is my answer:

Answers A and B are incorrect because we are talking about Internet traffic, and the VPC NAT gateway only translates traffic between private networks.

Answer E is incorrect.
It works, but it binds a public address directly to the instance and exposes it as a whole, while the company seeks a secure environment. It doesn't meet the requirement, so it is incorrect.

Answer C is incorrect.
We shall look for the Internet NAT gateway, but SNAT doesn't help in this case. The direction of the traffic of SNAT is outbound, and it doesn't match the circumstance in the question. Customers are the initiator, so the start point is the Internet.

Answer D is correct.
We shall look for the Internet NAT gateway, and DNAT is what we need. Customers are the initiator, and the start point is the Internet. The direction of the traffic of DNAT is inbound, and only the port named in the DNAT entry is published. On top of that, we need to open the corresponding TCP ports in the security group, or the forwarded traffic will be dropped at the instance.
