This topic describes how to create a DNAT entry. DNAT is used to map elastic IP addresses (EIPs) to the private IP addresses of Elastic Compute Service (ECS) instances in a virtual private cloud (VPC). After you configure DNAT, the ECS instances can provide Internet-facing services. DNAT supports port mapping and IP mapping.


You cannot create DNAT entries for ECS instances that are associated with EIPs.

Before you can create DNAT entries for such ECS instances, you must disassociate the EIPs from the ECS instances. For more information, see Disassociate an EIP from a cloud resource.
Note If you create a DNAT entry for an ECS instance that is associated with an EIP, the ECS instance preferentially uses the EIP to communicate with the Internet.

Prerequisites

A NAT gateway is created and an EIP is associated with the NAT gateway. For more information, see Create a NAT gateway and Associate EIPs.
Note If you purchased a NAT service plan before January 26, 2018, make sure that the NAT service plan contains idle public IP addresses.

Create a DNAT entry

  1. Log on to the NAT Gateway console.
  2. In the top navigation bar, select the region where the NAT gateway is created.
  3. On the NAT Gateway page, find the NAT gateway that you want to manage and click Configure DNAT in the Actions column.
  4. On the DNAT Management tab, click Create DNAT Entry.
  5. On the Create DNAT Entry page, set the parameters that are described in the following table and click Confirm.
    Parameter: Description

    Select Public IP Address: Select an EIP. The EIP is used to communicate with the Internet.
    Note For enhanced NAT gateways, you can specify an EIP in both an SNAT entry and a DNAT entry.

    Select Private IP Address: Select the ECS instance that uses the DNAT entry to provide Internet-facing services. You can specify the private IP address of the ECS instance in the following ways:
    • Select by ECS or ENI: Select the ECS instance or the elastic network interface (ENI) associated with the ECS instance from the drop-down list.
    • Manual Input: Enter the private IP address of the ECS instance.
      Note The private IP address that you enter must fall within the CIDR block of the VPC. You can also enter the private IP address of an existing ECS instance.

    Port Settings: Choose a DNAT mapping method.
    • Any Port: specifies IP mapping. All requests destined for the EIP are forwarded to the specified ECS instance. The specified ECS instance can use the EIP to access the Internet.
      Note
      • If IP mapping is configured for an EIP in a DNAT entry, the EIP cannot be used in another DNAT entry or SNAT entry.
      • If a NAT gateway is configured with both DNAT IP mapping entries and SNAT entries, ECS instances preferentially use the DNAT entries to access the Internet.
    • Specific Port: specifies port mapping. The NAT gateway forwards requests to the specified ECS instance based on the specified protocol and ports.
      After you select Specific Port, set the following parameters based on your business requirements:
      • Public Port: the external port that is used in port forwarding.

        If SNAT entries are created for the EIP that you selected and you want to specify a public port whose number is larger than 1024, click Remove Limits on Port Range. In the message that appears, click OK. This operation may cause transient disconnections of existing SNAT connections. You can solve this problem by reestablishing the connections. Proceed with caution.

      • Private Port: the internal port that is used in port forwarding.
      • Protocol Type: the protocol used by the ports.

    Entry Name: Enter a name for the DNAT entry.

    The name must be 2 to 128 characters in length, and can contain digits, underscores (_), and hyphens (-). It must start with a letter.
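The parameter rules above can be checked before a change is submitted, for example in a review step for planned NAT changes. The following Python sketch is an added example, not Alibaba Cloud code: the dictionary keys, the function name check_dnat_entry and the sample addresses are assumptions made for illustration, and it calls no cloud API.

```python
import ipaddress
import re

# Name rule from the page: 2-128 characters, starts with a letter, then
# letters, digits, "_" or "-". ASCII-only letters is an assumption made here.
NAME_RE = re.compile(r"[A-Za-z][A-Za-z0-9_-]{1,127}")


def check_dnat_entry(entry, vpc_cidr, dnat_entries, snat_eips, limits_removed=False):
    """Return the list of rules a planned entry breaks (empty list = passes)."""
    problems = []
    if not NAME_RE.fullmatch(entry["name"]):
        problems.append("name")
    if ipaddress.ip_address(entry["private_ip"]) not in ipaddress.ip_network(vpc_cidr):
        problems.append("private-ip-outside-vpc")

    same_eip = [e for e in dnat_entries if e["eip"] == entry["eip"]]
    in_snat = entry["eip"] in snat_eips
    if entry["public_port"] == "any":
        # IP mapping: the EIP must not appear in any other DNAT or SNAT entry.
        if same_eip or in_snat:
            problems.append("eip-already-used")
        return problems

    # Port mapping from here on.
    if any(e["public_port"] == "any" for e in same_eip):
        problems.append("eip-reserved-by-ip-mapping")
    port = int(entry["public_port"])
    if not 1 <= port <= 65535:
        problems.append("public-port-range")
    elif in_snat and port > 1024 and not limits_removed:
        # Console step: "Remove Limits on Port Range" must be confirmed first.
        problems.append("needs-remove-limits-on-port-range")
    return problems


# Constructed sample state (documentation address ranges, not real resources).
VPC = "192.168.0.0/16"
DNAT = [{"eip": "203.0.113.10", "public_port": "any"}]
SNAT_EIPS = {"203.0.113.20"}


def demo():
    web = {"name": "web-8443", "eip": "203.0.113.20",
           "private_ip": "192.168.1.5", "public_port": "8443"}
    bad = {"name": "1db", "eip": "203.0.113.10",
           "private_ip": "10.0.0.5", "public_port": "3306"}
    return (check_dnat_entry(web, VPC, DNAT, SNAT_EIPS),
            check_dnat_entry(bad, VPC, DNAT, SNAT_EIPS))
```

An Any Port entry forwards every port of the EIP to the instance, so a review that uses a check like this would normally also confirm that the security group of the target ECS instance limits inbound traffic to the intended services.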

Modify a DNAT entry

After you create a DNAT entry, you can modify the public IP address, private IP address, port settings, and name of the DNAT entry.

  1. Log on to the NAT Gateway console.
  2. In the top navigation bar, select the region where the NAT gateway is created.
  3. On the NAT Gateway page, find the NAT gateway that you want to manage and click Configure DNAT in the Actions column.
  4. In the DNAT Entry List section, find the DNAT entry that you want to manage and click Edit in the Actions column.
  5. On the Edit DNAT Entry page, modify the public IP address, private IP address, port settings, and name of the DNAT entry. Then, click Confirm.

Delete a DNAT entry

If you no longer need an ECS instance to provide Internet-facing services, you can delete the DNAT entry created for the ECS instance.

  1. Log on to the NAT Gateway console.
  2. In the top navigation bar, select the region where the NAT gateway is created.
  3. On the NAT Gateway page, find the NAT gateway that you want to manage and click Configure DNAT in the Actions column.
  4. In the DNAT Entry List section, find the DNAT entry that you want to manage and click Remove in the Actions column.
  5. In the message that appears, click OK.