To better manage your workloads, you can configure Elastic Compute Service (ECS) instances in a virtual private cloud (VPC) to use the same NAT IP address to access the Internet. This topic describes how to configure ECS instances that are configured with DNAT IP mapping to use the same NAT IP address to access the Internet.

Prerequisites

SNAT entries are configured for the VPC of the ECS instances that use DNAT IP mapping. For more information, see Configure SNAT to access the Internet.

Background information

NAT gateways support the SNAT feature. SNAT enables ECS instances in a VPC to access the Internet when the ECS instances are not assigned public IP addresses. If DNAT IP mapping, which maps all ports, is configured for ECS instances in a VPC, the ECS instances preferentially use the elastic IP addresses (EIPs) in the DNAT entries to access the Internet. ECS instances that are not configured with DNAT IP mapping access the Internet through the SNAT service provided by the NAT gateway. Consequently, the ECS instances in the VPC use different IP addresses to access the Internet, which complicates management operations.

You can configure ECS instances in the VPC to use the same NAT IP address to access the Internet by associating elastic network interfaces (ENIs) with the ECS instances.

In the following example, you create an ENI for the ECS instance, attach the ENI to the ECS instance, and delete the DNAT IP mapping entry from the NAT gateway. You then create a DNAT entry that maps the public IP address of the NAT gateway to the ENI. This way, the ECS instance uses the ENI to receive requests from the Internet and accesses the Internet through the NAT gateway.

Step 1: Create an ENI

  1. Log on to the ECS console.
  2. In the left-side navigation pane, choose Network & Security > ENIs.
  3. Select the region where you want to create the ENI.
    Note The ENI and the ECS instance must belong to the same region.
  4. On the Network Interfaces page, click Create ENI.
  5. In the Create ENI dialog box, set the following parameters and click OK:
    • ENI Name: Enter a name for the ENI.
    • VPC: Select the VPC where the ECS instance is deployed.
    • VSwitch: Select the vSwitch of the zone where the ECS instance is deployed.
    • Primary Private IP: Optional. Enter the primary private IPv4 address of the ENI. The IPv4 address must be an idle IP address within the CIDR block of the vSwitch. If you do not specify an IPv4 address, an idle private IPv4 address is automatically assigned to the ENI after the ENI is created. In this example, the primary private IP address is not specified.
    • Secondary Private IP Addresses: Optional. You can specify this parameter based on your business requirements. In this example, Not set is selected.
    • Security Group: Select a security group that is created for the selected VPC.
    For more information about the parameters, see Create an ENI.

Step 2: Associate the ENI with the ECS instance

  1. Log on to the ECS console.
  2. In the left-side navigation pane, choose Network & Security > ENIs.
  3. Select the region where the ENI is deployed.
  4. On the Network Interfaces page, find the ENI that you want to manage and click Bind to Instance in the Actions column.
  5. In the dialog box that appears, select the ECS instance with which you want to associate the ENI and click OK.

Step 3: Delete the DNAT IP mapping entry

  1. Log on to the NAT Gateway console.
  2. Select the region where the NAT gateway is deployed.
  3. On the NAT Gateway page, find the NAT gateway that you want to manage, and click Configure DNAT in the Actions column.
  4. On the DNAT Management tab, find the DNAT entry that you want to delete, and click Remove in the Actions column.
  5. In the message that appears, click OK.

Step 4: Create a new DNAT entry

To create a DNAT entry that maps the public IP address of the NAT gateway to the ENI of the ECS instance, perform the following operations:

  1. Log on to the NAT Gateway console.
  2. On the NAT Gateway page, find the NAT gateway that you want to manage, and click Configure DNAT in the Actions column.
  3. On the DNAT Management tab, click Create DNAT Entry.
  4. On the Create DNAT Entry page, set the following parameters and click OK.
    • Select Public IP Address: Select an available public IP address.
    • Select Private IP Address: Select an ECS instance or an ENI.
    • Port Settings: Select Any Port.
    • Entry Name: Enter a name for the DNAT entry.

Step 5: Verify network connectivity

Perform the following operations to check whether the ECS instance can use the EIP that is associated with the ENI to receive requests from the Internet. In this example, an on-premises Linux device is used to remotely connect to the ECS instance.
Note To remotely connect to the ECS instance, make sure that the security group rule of the ECS instance allows traffic on SSH port 22. For more information, see Add security group rules.
  1. Log on to the on-premises Linux machine.
  2. Run the ssh root@<public IP address> command and enter the password of the ECS instance to check whether you can remotely connect to the ECS instance. If the following message appears, you are connected to the ECS instance.
    Welcome to Alibaba Cloud Elastic Compute Service!

Perform the following operations to check whether the ECS instance can access the Internet through the SNAT service provided by the NAT gateway. In this example, the public IP address that the ECS instance uses to access the Internet is checked.

  1. Log on to the ECS instance.
  2. Run the curl https://myip.ipip.net command to check the public IP address that the ECS instance uses to access the Internet. If the public IP address is the same as the EIP in the SNAT entry that is created for the ECS instance, it indicates that the ECS instance preferentially uses the SNAT feature to access the Internet.
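
The outbound check in Step 5 can be scripted so that it can be repeated on every ECS instance in the VPC. The following script is an added example, not part of the original procedure: it extracts the address from the lookup response and reports whether the instance leaves through the SNAT EIP, through the EIP of the old DNAT IP mapping entry, or through some other address. The function names, the optional second argument, and the addresses in the comments are assumptions made for this example.

```sh
#!/bin/sh
# Added example: compare the public IP address seen by the lookup service
# with the EIP in the SNAT entry (and, optionally, the old DNAT EIP).

# Print the first IPv4-looking token found in a response body.
extract_ipv4() {
  printf '%s\n' "$1" | grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}' | head -n 1
}

# Succeed only for a dotted quad whose four octets are each 0-255.
valid_ipv4() {
  case $1 in
    *[!0-9.]*|*..*|.*|*.|'') return 1 ;;
  esac
  old_ifs=$IFS; IFS=.
  set -- $1
  IFS=$old_ifs
  [ "$#" -eq 4 ] || return 1
  for octet in "$@"; do
    [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# classify_egress RESPONSE SNAT_EIP [OLD_DNAT_EIP]
# Prints "SNAT <ip>", "DNAT <ip>", "OTHER <ip>" or "UNPARSED".
classify_egress() {
  seen=$(extract_ipv4 "$1")
  if ! valid_ipv4 "$seen"; then echo "UNPARSED"; return 0; fi
  if [ "$seen" = "$2" ]; then echo "SNAT $seen"
  elif [ -n "${3:-}" ] && [ "$seen" = "$3" ]; then echo "DNAT $seen"
  else echo "OTHER $seen"
  fi
}

# Query the lookup service used in Step 5 and return 0 only when the
# instance leaves through the SNAT EIP.
check_egress() {
  body=$(curl -fsS --max-time 10 https://myip.ipip.net) ||
    { echo "lookup failed" >&2; return 2; }
  verdict=$(classify_egress "$body" "$1" "${2:-}")
  echo "$verdict"
  case $verdict in SNAT\ *) return 0 ;; *) return 1 ;; esac
}

# Runs only when arguments are given, e.g. (documentation addresses):
#   sh verify_egress.sh 203.0.113.10 198.51.100.7
if [ "$#" -ge 1 ]; then check_egress "$@"; fi
```

A DNAT verdict means the instance is still leaving through the EIP of the old DNAT IP mapping entry, so the entry removed in Step 3 or the new entry from Step 4 should be rechecked.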