All Products
Search
Document Center

NAT Gateway:CreateNatGateway

Last Updated:Mar 05, 2024

Creates an enhanced Internet NAT gateway or a Virtual Private Cloud (VPC) NAT gateway.

Operation description

Before you call this operation, take note of the following items:

  • The first time you create a NAT gateway, the system automatically creates the service-linked role AliyunServiceRoleForNatgw. Then, the system attaches the permission policy AliyunServiceRolePolicyForNatgw to the role. This allows the NAT gateway to access other resources on Alibaba Cloud. For more information, see Service-linked roles.

  • After you create an enhanced Internet NAT gateway, a route entry is automatically added to the route table of the VPC. The destination CIDR block of the route entry is 0.0.0.0/0 and the next hop is the NAT gateway. This ensures that traffic is routed to the NAT gateway.

  • CreateNatGateway is an asynchronous operation. After a request is sent, the system returns a request ID and runs the task in the background. You can call the DescribeNatGateways operation to query the status of the task.

    • If a NAT gateway is in the Creating state, the NAT gateway is being created. In this case, you can query the NAT gateway but cannot perform other operations.
    • If a NAT gateway is in the Available state, the NAT gateway is created.

It takes 1 to 3 minutes to create a NAT gateway.

  • You cannot repeatedly call the CreateNatGateway operation within a specific period of time.

Debugging

OpenAPI Explorer automatically calculates the signature value. For your convenience, we recommend that you call this operation in OpenAPI Explorer.

Authorization information

The following table shows the authorization information corresponding to the API. The authorization information can be used in the Action policy element to grant a RAM user or RAM role the permissions to call this API operation. Description:

  • Operation: the value that you can use in the Action element to specify the operation on a resource.
  • Access level: the access level of each operation. The levels are read, write, and list.
  • Resource type: the type of the resource on which you can authorize the RAM user or the RAM role to perform the operation. Take note of the following items:
    • The required resource types are displayed in bold characters.
    • If the permissions cannot be granted at the resource level, All Resources is used in the Resource type column of the operation.
  • Condition Key: the condition key that is defined by the cloud service.
  • Associated operation: other operations that the RAM user or the RAM role must have permissions to perform to complete the operation. To complete the operation, the RAM user or the RAM role must have the permissions to perform the associated operations.
OperationAccess levelResource typeCondition keyAssociated operation
vpc:CreateNatGatewayWrite
  • NatGateway
    acs:vpc:{#regionId}:{#accountId}:natgateway/*
    none
none

Request parameters

ParameterTypeRequiredDescriptionExample
RegionIdstringYes

The region ID of the NAT gateway.

You can call the DescribeRegions operation to obtain the region ID.

cn-hangzhou
VpcIdstringYes

The ID of the VPC where you want to create the NAT gateway.

vpc-bp1di7uewzmtvfuq8****
NamestringNo

The name of the NAT gateway.

The name must be 2 to 128 characters in length, and can contain letters, digits, underscores (_), and hyphens (-). The name must start with a letter.

If this parameter is not set, the system assigns a default name to the NAT gateway.

fortest
DescriptionstringNo

The description of the NAT gateway.

You can leave this parameter empty or enter a description. If you enter a description, the description must be 2 to 256 characters in length and cannot start with http:// or https://.

testnat
ClientTokenstringNo

The client token that is used to ensure the idempotence of the request.

You can use the client to generate the token, but you must make sure that the token is unique among different requests.

Note If you do not specify this parameter, the system automatically uses the request ID as the client token. The request ID may be different for each request.
5A2CFF0E-5718-45B5-9D4D-70B3FF3898
SpecstringNo

Subscription Internet NAT gateways are no longer available for purchase. Ignore this parameter.

Invalid parameter.
InstanceChargeTypestringNo

The billing method of the NAT gateway.

Set the value to PostPaid (pay-as-you-go), which is the default value.

For more information, see Internet NAT gateway billing and VPC NAT gateway billing.

PostPaid
PricingCyclestringNo

Subscription Internet NAT gateways are no longer available for purchase. Ignore this parameter.

Invalid parameter.
DurationstringNo

Subscription Internet NAT gateways are no longer available for purchase. Ignore this parameter.

Invalid parameter.
AutoPaybooleanNo

Subscription Internet NAT gateways are no longer available for purchase. Ignore this parameter.

Invalid parameter.
VSwitchIdstringYes

The ID of the vSwitch to which the NAT gateway is attached.

When you create a NAT gateway, you must specify a vSwitch for the NAT gateway. Then, the system assigns an idle private IP address from the vSwitch to the NAT gateway.

  • To attach the NAT gateway to an existing vSwitch, make sure that the zone to which the vSwitch belongs supports NAT gateways. In addition, the vSwitch must have idle IP addresses.
  • If no vSwitch exists in the VPC, create a vSwitch in a zone that supports NAT gateways. Then, specify the vSwitch for the NAT gateway.
Note You can call the ListEnhanhcedNatGatewayAvailableZones operation to query zones that support NAT gateways. You can call the DescribeVSwitches operation to query idle IP addresses in a vSwitch.
vsw-bp1e3se98n9fq8hle****
NatTypestringYes

The type of NAT gateway. Set the value to Enhanced, which specifies enhanced NAT gateway.

Enhanced
InternetChargeTypestringNo

The metering method of the NAT gateway. Set the value to PayByLcu, which specifies the pay-by-CU metering method.

PayByLcu
NetworkTypestringNo

The network type of the NAT gateway. Valid values:

  • internet: Internet
  • intranet: VPC
internet
SecurityProtectionEnableddeprecatedbooleanNo

Specifies whether to enable the firewall feature. Valid values:

  • false (default)
    Notice This parameter is deprecated.
false
IcmpReplyEnabledbooleanNo

Specifies whether to enable ICMP retrieval. Valid values:

  • true (default)
  • false
false
EipBindModestringNo

The mode in which the EIP is associated with the NAT gateway. Valid values:

  • MULTI_BINDED (default): Multi-EIP-to-ENI mode.

  • NAT: NAT mode. IPv4 gateways are supported in this mode.

    **

    Note If a NAT gateway is associated with an EIP in NAT mode, the EIP occupies one private IP address in the vSwitch. Make sure that the vSwitch has sufficient private IP addresses. Otherwise, the NAT gateway fails to be associated with the EIP. In NAT mode, a maximum number of 50 EIPs can be associated with each NAT gateway.

MULTI_BINDED
Tagobject []No

The tags.

KeystringNo

The tag key. The format of Tag.N.Key when you call the operation. Valid values of N: 1 to 20. The tag key cannot be an empty string. The tag key can be up to 128 characters in length, and cannot start with acs: or aliyun. It cannot contain http:// or https://.

TestKey
ValuestringNo

The tag value. The format of Tag.N.Value when you call the operation. Valid values of N: 1 to 20. The tag value cannot be an empty string. The tag value can be up to 128 characters in length, and cannot start with acs: or aliyun. It cannot contain http:// or https://.

TestValue

Response parameters

ParameterTypeDescriptionExample
object

The response parameters.

NatGatewayIdstring

The ID of the NAT gateway.

ngw-112za33e4****
RequestIdstring

The request ID.

2315DEB7-5E92-423A-91F7-4C1EC9AD97C3
ForwardTableIdsarray

A list of DNAT entries.

string

A list of DNAT entries.

ftb-11tc6xgmv****
SnatTableIdsarray

A list of SNAT entries.

string

A list of SNAT entries.

stb-SnatTableIds****
FullNatTableIdsarray

A list of FULLNAT entries.

string

A list of FULLNAT entries.

fulltb-gw88z7hhlv43rmb26****

Examples

Sample success responses

JSONformat

{
  "NatGatewayId": "ngw-112za33e4****",
  "RequestId": "2315DEB7-5E92-423A-91F7-4C1EC9AD97C3",
  "ForwardTableIds": {
    "ForwardTableId": [
      "ftb-11tc6xgmv****"
    ]
  },
  "SnatTableIds": {
    "SnatTableId": [
      "stb-SnatTableIds****"
    ]
  },
  "FullNatTableIds": {
    "FullNatTableId": [
      "fulltb-gw88z7hhlv43rmb26****"
    ]
  }
}

Error codes

HTTP status codeError codeError messageDescription
400Forbidden.NatPayBySpecPay-by-specification NAT is no longer supported. Newly purchased pay-as-you-go NAT gateways only support the pay-by-CU metering method.Pay-by-specification NAT gateways are no longer available for purchase. Set InternetChargeType to PayByLcu.
400UnsupportedFeature.PrivateLinkThe feature of %s is not supported.-
400DependencyViolation.FullNatEntryThe specified resource of %s depends on %s, so the operation cannot be completed.-
400UnsupportedFeature.InternetChargeTypeThe feature of InternetChargeType is not supported.-
400InvalidVPCStatusvpc incorrect status.The VPC is in an invalid state.
400InvalidNatGatewayName.MalFormedNatGateway name is not valid.The gateway name is invalid.
400InvalidNatGatewayDescription.MalFormedNatGateway description is not valid.The gateway description is invalid.
400MissingParameter.BandwidthPackageonly support one BandwidthPackage be created with NatGateway.You must specify an EIP bandwidth plan.
400OperationDeniedThe user cannot allow to create natgw, please call PD to authorize-
400RouterEntryConflict.DuplicatedA route entry already exists, which CIDR is '0.0.0.0/0'-
400MissingParameterMiss mandatory parameter.Some required parameters are not specified. Specify all required parameters and try again.
400QuotaExceeded.BandwidthPackageIpsThe specified ipCount exceeded quota.The number of IP addresses has reached the upper limit. Request a quota increase on the Quota Management page.
400AllocateIpFailedAlloc bandwidthPackage ips failed, maybe no available ip.-
400InvalidParameter.Name.MalformedThe specified Name is not valid.The specified name format is invalid. Enter the name in the valid format.
400InvalidParameter.Description.MalformedThe specified Description is not valid.The specified description is invalid.
400ZONE_NO_AVAILABLE_IPThe Zone have no available ip.No IP address is available in the zone.
400ParameterIllegalipCount,bandwidth parameter invalid-
400InvalidParameter.BandwidthPackage.n.ISP.ValueNotSupportThe specified ISP of BandwidthPackage is not valid.The specified ISP of the EIP bandwidth plan is invalid.
400InvalidNatGatewayId.NotFoundThe NatGatewayId not exist.The value of the NatGatewayId parameter is invalid.
400VswitchStatusErrorThe VSwitch is creating .The operation is not supported when the vSwitch is being created.
400VpcStatusErrorThe Vpc is creating .The VPC is being created.
400InvalidParameter.Spec.ValueNotSupportedThe specified Spec is not valid.The specification is invalid.
400TaskConflictThe operation is too frequent, TaskConflict.The system is unavailable. Try again later.
400COMMODITY.INVALID_COMPONENTThe instance component is invalid.-
400CreateNatGateway.RouteConflict.DynamicRouteRoute conflict exists in routing table.-
400OperationUnsupported.MultiNatGatewayMore than one natGateway per vpc is unsupported.-
400Forbidden.CheckEntryRuleQuotaRoute entry quota rule check error.An error occurred when the system was checking the quota of route entries.
400OperationFailed.UnpaidBillsExistThe account has unpaid bills. Please pay your overdue bill first.This account has unpaid orders.
400IncorrectStatus.RouteEntrySpecified routeEntry status error.-
400OperationFailed.RiskControlRisk control check failed.The error message returned because your payment method has security risks. Click the link for verification in your email or console message and submit your order after verification.
400IncorrectStatus.RouteTableStatus%s-
400OperationFailed.TokenVerfiyToken verify failed.-
400%s%s-
400IllegalParam.NameThe specified Name is invalid, shorter than 2 characters.-
400OperationFailed.EnhancedQuotaExceedEnhanced nat gateway per vpc quota is exceeded-
400OrderError.NoAvailablePaymentMethod%s-
400OrderError.BasicInfoUncompleted%s-
400OperationUnsupported.EnhancedCURegion%s-
400NoPermission.CreateServiceLinkedRoleYou are not authorized to create service linked role-
400OperationUnsupported.EnhancedRegion%s-
400OperationFailed.EnhancedInventoryNotEnoughOperation failed because inventory is not enough.-
400OperationFailed.VswNotBelongToVpcOperation failed because the specified VSwitch is not bound to the same VPC with NAT gateway.The vSwitch and NAT gateway do not belong to the same VPC.
400OperationFailed.EnhancedUserIsUnAuthorizedOperation failed because the user is not authorized to create an enhanced NAT gateway.Operation failed because the user is not authorized to create an enhanced NAT gateway.
400OperationUnsupported.PrePaidPyByLcuThe operation failed because the subscription NAT gateway does not support the pay-by-LCU billing method.The operation failed because the subscription NAT gateway does not support the pay-by-LCU billing method.
400OperationFailed.NormalInventoryNotEnoughStandard NAT gateways are no longer offered. You can create enhanced NAT gateways and set the correct natType.Create an enhanced NAT gateway and ensure that the NatType parameters are configured correctly.
400OperationFailed.VSwitchNoAvailableIpOperation failed because the specified vswitch does not have availabe ip.-
400OperationFailed.EnhancedCheckInventoryOperation failed because check inventory result is unexpected.-
400UnsupportedFeature.IcmpReplyEnabledThe feature of IcmpReplyEnabled is not supported.The value of IcmpReplyEnabled cannot be modified.
400UnsupportedFeature.SecurityProtectionEnabledThe feature of SecurityProtectionEnabled is not supported.-
400OperationFailed.RegionConvertOperation failed because do not find region info.-
400OperationFailed.EnhancedUserIsUnAuthorizedOperation failed because user is unauthorized service account.-
400UnsupportedFeature.VpcNatThe feature of VpcNat is not supported.-
400InvalidVSWITCHID.NotFoundThe specified resource of %s is not found.-
400Forbidden.OperateShareResourceOperate share resource is forbidden.-
400IncorrectStatus.VSWITCHThe status of VSWITCH is incorrect.-
400OperationFailed.VpcNatGatewayInventoryNotEnoughThe operation is failed because of inventory is not enough.-
400OperationFailed.VpcNatGatewayCheckInventoryThe operation is failed because of check inventory result is unexpected-
400ExclusiveParam.%sAnd%sThe param of %s and %s are mutually exclusive.You cannot specify %s and %s at the same time.
400SecurityGroupType.NotSupportedThe specified security group type is not supported.The security group is already hosted and cannot be used.
400SecurityGroup.NotExistThe specified security group is not exist.The security group does not exist in this VPC.
404InvalidRegionId.NotFoundThe specified RegionId does not exist in our records.The specified region ID does not exist.
404InvalidVpcId.NotFoundSpecified value of VpcId is not found in our record.The VPC does not exist. Check whether the specified VPC is valid.
404InvalidZoneId.NotFoundSpecified value of ZoneId is not exists.The specified zone does not exist.
404InvalidZoneId.NotFoundCan not find ZoneId for allocated ip.The zone of the specified IP address is invalid.
404VPC_ONLY_CAN_CREATE_ONE_NAT_GATEWAYNatGateway in one vpc support only one.-
404OperationFailed.CrateEntryTimeOutOperation failed because create custom routeEntry timeout.-
404Forbidden.CreateSpecialSpecNatGatewayYou are not authorized to create special spec nat gateway.-
404UnsupportedZoneForFwNatThe zone is unsupported for FW NAT.-
500OrderError.NatGatewayThe Account failed to create order.-
500OperationFailed.NoAvailableResourceThe Zone have no available resource.No resources are available in the region.

For a list of error codes, visit the Service error codes.

Change history

Change timeSummary of changesOperation
2024-01-18The Error code has changedsee changesets
Change itemChange content
Error CodesThe Error code has changed.
    Error Codes 400 change
    delete Error Codes: 404
    delete Error Codes: 500
2023-12-14API Description Update. The Error code has changedsee changesets
Change itemChange content
API DescriptionAPI Description Update.
Error CodesThe Error code has changed.
    delete Error Codes: 400
    delete Error Codes: 404
    delete Error Codes: 500
2023-06-30The Error code has changedsee changesets
Change itemChange content
Error CodesThe Error code has changed.
    delete Error Codes: 400
    delete Error Codes: 404
    delete Error Codes: 500
2023-03-01The Error code has changedsee changesets
Change itemChange content
Error CodesThe Error code has changed.
    delete Error Codes: 400
    delete Error Codes: 404
    delete Error Codes: 500
2023-01-10The Error code has changed. The request parameters of the API has changedsee changesets
Change itemChange content
Error CodesThe Error code has changed.
    delete Error Codes: 400
    delete Error Codes: 404
    delete Error Codes: 500
Input ParametersThe request parameters of the API has changed.
    Added Input Parameters: Tag
2022-08-12The Error code has changedsee changesets
Change itemChange content
Error CodesThe Error code has changed.
    delete Error Codes: 400
    delete Error Codes: 404
    delete Error Codes: 500
2022-08-03The Error code has changedsee changesets
Change itemChange content
Error CodesThe Error code has changed.
    Error Codes 404 change
    delete Error Codes: 400
    delete Error Codes: 500
2022-07-22The Error code has changedsee changesets
Change itemChange content
Error CodesThe Error code has changed.
    Error Codes 404 change
    Error Codes 500 change
    delete Error Codes: 400