NAT Gateway: Create and manage DNAT entries

Last Updated: Feb 18, 2024

Internet NAT gateways support the DNAT feature. DNAT can map an elastic IP address (EIP) to the private IP address of an Elastic Compute Service (ECS) instance through port mapping or IP mapping. This way, the ECS instance can provide services over the Internet.

Background information

If your ECS instance is already associated with an elastic IP address (EIP), you cannot create a DNAT entry for the ECS instance. Before you can create a DNAT entry for the ECS instance, you must disassociate the EIP from the ECS instance. For more information about how to disassociate an EIP, see Disassociate an EIP from a cloud resource.

Note

If you create a DNAT entry for an ECS instance that is associated with an EIP, the ECS instance preferentially uses the EIP to communicate with the Internet.

Prerequisites

An Internet NAT gateway is created and an EIP is associated with the Internet NAT gateway. For more information, see Create a NAT gateway and Associate an EIP with an Internet NAT gateway.

Create a DNAT entry

  1. Log on to the NAT Gateway console.
  2. In the top navigation bar, select the region where the NAT gateway is deployed.
  3. On the Internet NAT Gateway page, find the NAT gateway that you want to manage and click Configure DNAT in the Actions column.
  4. On the DNAT Management tab, click Create DNAT Entry.

  5. On the Create DNAT Entry page, set the following parameters and click Confirm.

    Parameter

    Description

    Select Public IP Address

    Select an EIP.

    Note

    For Internet NAT gateways, you can specify the same EIP in an SNAT entry and a DNAT entry.

    Select Private IP Address

    Specify the IP address of the ECS instance that uses the DNAT entry to communicate with the Internet. You can specify a destination private IP address in one of the following ways:

    • Select by ECS or ENI: Specify the private IP address by selecting the ECS instance or the elastic network interface (ENI) that is associated with the ECS instance from the drop-down list.

    • Manual Input: Enter the destination private IP address.

    Port Settings

    Choose a DNAT mapping method:

    • Any Port: specifies IP mapping. The requests destined for the EIP are forwarded to the specified ECS instance. The specified ECS instance can use the EIP to access the Internet.

      Note
      • If IP mapping is configured for an EIP in a DNAT entry, the EIP cannot be used in another DNAT entry or SNAT entry.

      • If an Internet NAT gateway is configured with an SNAT entry and a DNAT entry that uses IP mapping, the ECS instance preferentially uses DNAT to access the Internet.

    • Specific Port: specifies port mapping. The Internet NAT gateway forwards requests to the selected ECS instance based on the specified protocol and ports.

      After you select Specific Port, set the following parameters based on your business requirements:

      • Public Port: the external port or port range that is used in port forwarding.

        • Valid values: 1 to 65535.

        • To specify a port range, separate the first port and the last port with a forward slash (/), such as 10/20.

        • If Public Port is set to a port range, you must also set Private Port to a port range. In addition, the public port range and private port range must specify the same number of ports. For example, if you set Public Port to 10/20, you can set Private Port to 80/90.

        If SNAT entries are created for the EIP that you selected, and you want to specify a public port whose number is larger than 1024, click Remove Limits on Port Range and click OK in the message that appears.

        Warning

        This operation may temporarily interrupt existing SNAT connections. You can solve this problem by reestablishing the connections. Proceed with caution.

      • Private Port: the private port or port range that is used in port forwarding.

      • Protocol Type: the protocol used by the ports.

    Entry Name

    Enter a name for the DNAT entry.

    The name must be 2 to 128 characters in length, and can contain digits, underscores (_), and hyphens (-). It must start with a letter.
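
The parameter rules in step 5 can be checked before an entry is submitted. The following is an added example, not Alibaba Cloud code: it validates a planned DNAT entry offline against the port, naming, and EIP-sharing rules described above. The dictionary keys, the `any` marker for Any Port, and the `limits_removed` flag are hypothetical names, and no cloud API is called.

```python
import re

# Assumption: "letter" means ASCII letters; the page lists only digits, "_" and "-".
NAME_RE = re.compile(r"[A-Za-z][A-Za-z0-9_-]{1,127}")


def parse_ports(spec):
    """Parse 'N' or 'first/last' into (first, last); raise ValueError if invalid."""
    parts = spec.split("/")
    if len(parts) not in (1, 2) or not all(p.isdecimal() for p in parts):
        raise ValueError(f"bad port spec {spec!r}")
    first, last = int(parts[0]), int(parts[-1])
    if not 1 <= first <= last <= 65535:  # assumption: first port <= last port
        raise ValueError(f"ports must satisfy 1 <= first <= last <= 65535: {spec!r}")
    return first, last


def check_dnat_entry(entry, dnat_eips=(), snat_eips=()):
    """Return a list of problems; an empty list means the entry passes."""
    problems = []
    if not NAME_RE.fullmatch(entry["name"]):
        problems.append("name must be 2-128 characters and start with a letter")
    eip = entry["eip"]
    if entry["public_port"] == "any":  # Any Port = IP mapping
        if eip in dnat_eips or eip in snat_eips:
            problems.append("IP mapping needs an EIP used by no other DNAT or SNAT entry")
        return problems
    try:
        pub = parse_ports(entry["public_port"])
        priv = parse_ports(entry["private_port"])
    except ValueError as exc:
        return problems + [str(exc)]
    if pub[1] - pub[0] != priv[1] - priv[0]:
        problems.append("public and private ranges must contain the same number of ports")
    if eip in snat_eips and pub[1] > 1024 and not entry.get("limits_removed"):
        problems.append("EIP has SNAT entries: ports above 1024 need Remove Limits on Port Range")
    return problems


if __name__ == "__main__":
    # Constructed sample: the page's own range example, 10/20 mapped to 80/90.
    sample = {"name": "web-range", "eip": "203.0.113.10",
              "public_port": "10/20", "private_port": "80/90"}
    print(check_dnat_entry(sample))
```

Pass the EIPs already used by other DNAT and SNAT entries on the gateway as `dnat_eips` and `snat_eips`; the function returns one message per violated rule.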

Modify a DNAT entry

After you create a DNAT entry, you can modify the public IP address, private IP address, port settings, and name of the DNAT entry.

  1. Log on to the NAT Gateway console.
  2. In the top navigation bar, select the region where the NAT gateway is deployed.
  3. On the Internet NAT Gateway page, find the NAT gateway that you want to manage and click Configure DNAT in the Actions column.
  4. In the DNAT Entry List section, find the DNAT entry that you want to manage and click Edit in the Actions column.

  5. On the Edit DNAT Entry page, modify the public IP address, private IP address, port settings, and name of the DNAT entry. Then, click Confirm.

Delete a DNAT entry

If you no longer need an ECS instance to provide Internet-facing services, you can delete the DNAT entry created for the ECS instance.

  1. Log on to the NAT Gateway console.
  2. In the top navigation bar, select the region where the NAT gateway is deployed.
  3. On the Internet NAT Gateway page, find the NAT gateway that you want to manage and click Configure DNAT in the Actions column.
  4. In the DNAT Entry List section, find the DNAT entry that you want to manage and click Delete in the Actions column.

  5. In the dialog box that appears, click OK.
