You can configure SNAT for a NAT gateway to allow Elastic Compute Service (ECS) instances in a virtual private cloud (VPC) to access the Internet when the ECS instances do not have public IP addresses.

Limits

EIPs in an SNAT IP address pool have the following limits:
  • The bandwidth limit of each EIP that is associated with a standard NAT gateway cannot be higher than 200 Mbit/s.
  • The maximum number of concurrent connections to each EIP is 55,000.
To make full use of your EIP bandwidth plan and avoid port conflicts caused by insufficient EIPs, we recommend that you add EIPs to the SNAT IP address pool based on the following rules:
  • For standard NAT gateways, if the bandwidth limit of the EIP bandwidth plan is 1,024 Mbit/s, specify at least five EIPs in each SNAT entry.
  • For standard NAT gateways, if the bandwidth limit of the EIP bandwidth plan is higher than 1,024 Mbit/s, specify one additional EIP for every 200 Mbit/s that exceeds 1,024 Mbit/s in each SNAT entry.

If an ECS instance is assigned a static public IP address, is associated with an EIP, or is configured with DNAT IP mapping, the ECS instance uses that method to access the Internet instead of using SNAT. If you want ECS instances in a VPC to use the same EIP to access the Internet, see Configure ECS instances that are assigned static public IP addresses to use the same EIP to access the Internet and Configure ECS instances that are configured with DNAT IP mapping to use the same NAT IP address to access the Internet.

For enhanced NAT gateways, you can specify an EIP in both an SNAT entry and a DNAT entry.
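The rule above decides which public address a destination sees for each instance, which matters when egress allow-lists or flow-log reviews assume that all traffic leaves through the SNAT pool. The following audit sketch is an added example, not code from the original page. The inventory format, field names, instance IDs, and addresses are constructed assumptions. The page does not state a precedence among overlapping SNAT entries, so every matching entry is reported.

```python
import ipaddress

# Constructed inventory: every ID and address below is made up for illustration.
INSTANCES = [
    {"id": "ecs-web", "ip": "192.168.1.10", "static_public_ip": False, "eip": False, "dnat_ip_mapping": False},
    {"id": "ecs-jump", "ip": "192.168.1.11", "static_public_ip": False, "eip": True, "dnat_ip_mapping": False},
    {"id": "ecs-api", "ip": "192.168.2.20", "static_public_ip": False, "eip": False, "dnat_ip_mapping": True},
    {"id": "ecs-batch", "ip": "192.168.3.30", "static_public_ip": False, "eip": False, "dnat_ip_mapping": False},
]
# Each SNAT entry is reduced to the source CIDR block it covers and its EIP pool
# (a VPC or vSwitch CIDR block, a /32 for a single ECS instance, or a custom block).
SNAT_ENTRIES = [
    {"name": "snat-vsw-1", "source_cidr": "192.168.1.0/24", "eips": ["203.0.113.10", "203.0.113.11"]},
    {"name": "snat-ecs-api", "source_cidr": "192.168.2.20/32", "eips": ["203.0.113.12"]},
]
# Any of these takes the place of SNAT for the instance, per the rule above.
BYPASS_FIELDS = ("static_public_ip", "eip", "dnat_ip_mapping")


def egress_path(instance, entries):
    """Classify how one instance reaches the Internet."""
    addr = ipaddress.ip_address(instance["ip"])
    matched = [e for e in entries if addr in ipaddress.ip_network(e["source_cidr"])]
    reasons = [f for f in BYPASS_FIELDS if instance[f]]
    if reasons:
        # Matching SNAT entries exist but are not used by this instance.
        return {"path": "bypasses-snat", "via": reasons,
                "shadowed": [e["name"] for e in matched]}
    if not matched:
        return {"path": "no-snat-entry", "via": [], "shadowed": []}
    pool = sorted({ip for e in matched for ip in e["eips"]})
    return {"path": "snat", "via": pool, "shadowed": []}


def audit(instances, entries):
    """Map instance ID to its egress classification."""
    return {i["id"]: egress_path(i, entries) for i in instances}


if __name__ == "__main__":
    for instance_id, result in audit(INSTANCES, SNAT_ENTRIES).items():
        print(instance_id, result)
```

Instances reported as bypasses-snat need their own public address in any destination allow-list, and a non-empty shadowed list marks SNAT entries that the instance covered by them does not actually use.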

Prerequisites

Before you create an SNAT entry, make sure that the following requirements are met:
  • A NAT gateway is created and an EIP is associated with the NAT gateway. For more information, see Create a NAT gateway and Associate EIPs.
    Note: If you purchased a NAT service plan before January 26, 2018, make sure that the NAT service plan contains idle public IP addresses.
  • To create SNAT entries for a vSwitch, make sure that the vSwitch is created in the VPC that is associated with the NAT gateway. For more information, see Work with vSwitches.
  • To create SNAT entries for an ECS instance, make sure that the ECS instance is created in the VPC that is associated with the NAT gateway. For more information, see Create an instance by using the wizard.

Create an SNAT entry

  1. Log on to the NAT Gateway console.
  2. In the top navigation bar, select the region where the NAT gateway is created.
  3. On the NAT Gateway page, find the NAT gateway and click Configure SNAT in the Actions column.
  4. On the SNAT Management tab, click Create SNAT Entry.
  5. On the Create SNAT Entry page, set the following parameters and click Confirm.
    Parameter: Description
    SNAT Entry: Specify whether you want to create an SNAT entry for a VPC, a vSwitch, an ECS instance, or a custom CIDR block.
    • Specify VPC: All ECS instances in the VPC to which the NAT gateway belongs use the SNAT entry to access the Internet.
    • Select vSwitch: The ECS instances that belong to the specified vSwitch use the configured EIP to access the Internet.
      • Select VSwitch: Select a vSwitch from the drop-down list.
        Note:
        • If no vSwitch is available in the drop-down list, click Create VSwitch from the drop-down list. Then, you can log on to the VPC console and create a vSwitch.
        • If you select multiple vSwitches, the system creates multiple SNAT entries that use the same EIP.
      • VSwitch CIDR Block: displays the CIDR block of the vSwitch.
    • ECS Granularity: The specified ECS instance uses the configured EIP to access the Internet.
      • Select ECS Instance: Select an ECS instance from the drop-down list. The selected ECS instance uses the configured EIP to access the Internet. Make sure that the following requirements are met:
        • The ECS instance is in the Running state.
        • No EIP is associated with the ECS instance. In addition, the ECS instance is not assigned a static public IP address.
        Note:
        • If no ECS instance is available in the drop-down list, click Create ECS Instance to create one in the ECS console.
        • If you select multiple ECS instances, the system creates multiple SNAT entries that use the same EIP.
      • ECS CIDR Block: displays the CIDR block of the ECS instance.
    • Specify Custom CIDR Block: After you enter a CIDR block, all ECS instances that belong to the CIDR block use the SNAT entry to access the Internet.
    Select Public IP Address: Select an EIP. The EIP is used to communicate with the Internet.
    • Use One IP Address: Select an EIP from the drop-down list. If no EIPs are available in the drop-down list, click Purchase and Associate EIP from the drop-down list. Then, you can purchase an EIP in the dialog box that appears.
    • Use Multiple IP Addresses: Select multiple EIPs from the Public IP Address list.

      When multiple EIPs are configured in the SNAT IP address pool, service connections are allocated to the EIPs based on a hash algorithm. Traffic may be unevenly distributed across the EIPs because different connections carry different amounts of traffic. We recommend that you associate EIPs that are configured in the same SNAT entry with the same EIP bandwidth plan to ensure service availability.

    Entry Name: Enter a name for the SNAT entry.

    The name must be 2 to 128 characters in length, and can contain digits, underscores (_), and hyphens (-). It must start with a letter.
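The limits and parameter rules above can be checked before an entry is created. The following pre-flight sketch is an added example, not code from the original page or from the NAT Gateway service. The request dictionary and its field names are hypothetical. Two readings are assumptions: a partial 200 Mbit/s step above 1,024 Mbit/s is rounded up, and below 1,024 Mbit/s (where the page gives no rule) one EIP per 200 Mbit/s is used, capped at five.

```python
import math
import re

MAX_CONNECTIONS_PER_EIP = 55_000   # limit stated on this page
# 2 to 128 characters, starts with a letter; letters in the body are assumed allowed.
NAME_RE = re.compile(r"[A-Za-z][A-Za-z0-9_-]{1,127}")


def min_eips(plan_mbps, peak_connections):
    """Smallest SNAT pool for a standard NAT gateway under both limits."""
    if plan_mbps >= 1024:
        # Page rule: five EIPs at 1,024 Mbit/s, plus one per extra 200 Mbit/s.
        # Assumption: a partial 200 Mbit/s step is rounded up.
        by_bandwidth = 5 + math.ceil((plan_mbps - 1024) / 200)
    else:
        # Assumption: not stated on the page; one EIP per 200 Mbit/s, at most five.
        by_bandwidth = min(5, math.ceil(plan_mbps / 200))
    by_connections = math.ceil(peak_connections / MAX_CONNECTIONS_PER_EIP)
    return max(1, by_bandwidth, by_connections)


def preflight(request):
    """Return a list of problems found in a planned SNAT entry (empty if none)."""
    problems = []
    if not NAME_RE.fullmatch(request["name"]):
        problems.append("name: must be 2-128 characters and start with a letter")
    needed = min_eips(request["plan_mbps"], request["peak_connections"])
    if len(set(request["eips"])) < needed:
        problems.append(f"pool: {len(set(request['eips']))} EIPs selected, {needed} needed")
    for inst in request.get("ecs_instances", []):
        if inst["vpc"] != request["nat_gateway_vpc"]:
            problems.append(f"{inst['id']}: not in the NAT gateway's VPC")
        if inst["status"] != "Running":
            problems.append(f"{inst['id']}: not in the Running state")
    return problems


# Constructed sample request; all names, IDs and addresses are made up.
SAMPLE = {
    "name": "1-egress", "plan_mbps": 1224, "peak_connections": 120_000,
    "eips": ["203.0.113.10", "203.0.113.11", "203.0.113.12"],
    "nat_gateway_vpc": "vpc-example",
    "ecs_instances": [{"id": "ecs-batch", "vpc": "vpc-example", "status": "Stopped"}],
}

if __name__ == "__main__":
    print("\n".join(preflight(SAMPLE)) or "ok")
```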

Modify an SNAT entry

You can modify the name and EIP of an SNAT entry after you create the SNAT entry. However, you cannot modify the vSwitch or ECS instance specified in the SNAT entry.

  1. Log on to the NAT Gateway console.
  2. In the top navigation bar, select the region where the NAT gateway is created.
  3. On the NAT Gateway page, find the NAT gateway and click Configure SNAT in the Actions column.
  4. In the Used in SNAT Entry section, find the SNAT entry that you want to manage and click Edit in the Actions column.
  5. On the Edit SNAT Entry page, modify the EIP or name of the SNAT entry and click Confirm.
    Notice: Your service may be temporarily interrupted when you add EIPs to or remove EIPs from an SNAT entry. The service resumes after your workloads are reconnected. Proceed with caution.

Delete an SNAT entry

You can delete an SNAT entry if the ECS instances in a VPC that do not have public IP addresses no longer need the SNAT service to access the Internet.

  1. Log on to the NAT Gateway console.
  2. In the top navigation bar, select the region where the NAT gateway is created.
  3. On the NAT Gateway page, find the NAT gateway and click Configure SNAT in the Actions column.
  4. In the Used in SNAT Entry section, find the SNAT entry that you want to delete and click Remove in the Actions column.
  5. In the message that appears, click OK.