Alibaba Cloud provides enhanced Internet NAT gateways. Enhanced Internet NAT gateways are upgraded from standard Internet NAT gateways and use a more advanced architecture. Compared with standard Internet NAT gateways, enhanced Internet NAT gateways provide higher elasticity and stability. This helps you manage data transfer in a more efficient manner. The term "enhanced NAT gateway" in this topic refers to an enhanced Internet NAT gateway.

Overview

Both enhanced NAT gateways and standard NAT gateways support basic features such as DNAT and SNAT. You can use DNAT to provide Internet-facing services and use SNAT to access the Internet. Enhanced NAT gateways provide more features than standard NAT gateways.
  • More metrics for monitoring

    Enhanced NAT gateways support 22 metrics. You can monitor NAT gateways in real time, which improves the stability of your system. For more information, see Monitor and maintain Internet NAT gateways.

  • Multiple NAT gateways in one virtual private cloud (VPC)

    You can create multiple enhanced NAT gateways in one VPC to forward traffic to different destinations. This way, you can better manage traffic that is destined for the Internet. You can also use security services to protect each NAT gateway based on your business requirements.

    You can add the same SNAT entry to multiple NAT gateways to access the Internet, or add the same DNAT entry to multiple NAT gateways to provide Internet-facing services. You can also configure routes to forward network traffic to a specified egress.

    Important:
    • To replace a standard NAT gateway with an enhanced NAT gateway, you must reconfigure the routes. This may cause transient connection interruptions. To minimize the impact of these interruptions on your business, we recommend that you reconfigure the routes during off-peak hours.
    • If you create both SNAT and DNAT entries on an enhanced NAT gateway, an Elastic Compute Service (ECS) instance configured with an SNAT entry cannot access another ECS instance configured with a DNAT entry of the same NAT gateway. To allow an ECS instance to access another ECS instance configured with a DNAT entry in the same VPC, we recommend that you create another enhanced NAT gateway and create the DNAT and SNAT entries on different NAT gateways.
  • High performance to withstand traffic spikes (pay-as-you-go NAT gateways)
    Metrics        | SessionNewConnection | SessionActiveConnection | Data forwarding
    Default metric | 100,000              | 2,000,000               | 5 Gbit/s to 15 Gbit/s (automatic scaling)
    The following content describes the preceding metrics:
    • SessionNewConnection: the number of new connections per second.
    • SessionActiveConnection: the number of concurrent connections per minute.
    • Data forwarding: the amount of inbound and outbound traffic processed per hour.

Comparison between enhanced NAT gateways and standard NAT gateways

The following tables describe the differences and similarities in features and limits between enhanced NAT gateways and standard NAT gateways.

Table 1. Comparison of features
Feature | Enhanced Internet NAT gateway | Standard Internet NAT gateway | References
Deploying multiple Internet NAT gateways in the same virtual private cloud (VPC) | Supported | Not supported | Deploy multiple Internet NAT gateways in one VPC
Associating a vSwitch with an Internet NAT gateway | Supported | Not supported | N/A
Billed on an hourly basis | Supported | Not supported | 
Processing TCP, UDP, and ICMP fragments | Supported | Not supported | N/A
Monitoring metrics | 22 | 4 | Monitor and maintain Internet NAT gateways
Associating multiple elastic IP addresses (EIPs) with an Internet NAT gateway | Supported | Supported | Associate an EIP with an Internet NAT gateway
SNAT | Supported | Supported | Create and manage SNAT entries
Creating multiple SNAT entries in an SNAT table | Supported | Supported | 
Associating multiple EIPs with an SNAT table | Supported | Supported | 
DNAT | Supported | Supported | Create and manage DNAT entries
DNAT port mapping | Supported | Supported | 
DNAT IP mapping | Supported | Supported | 
Elastic Compute Service (ECS) instances using SNAT to access services that use DNAT to provide Internet-facing services when the same Internet NAT gateway is used for SNAT and DNAT | Not supported | Supported | N/A
Specifying an EIP in both SNAT and DNAT tables | Supported | Not supported | 
Table 2. Comparison of limits
Item | Enhanced Internet NAT gateway | Standard Internet NAT gateway
The maximum number of Internet NAT gateways that can be created in a VPC | 5 (You can increase the quota by performing the following operations: ) | 1. You cannot adjust the quota.
The maximum number of DNAT entries that can be added to an Internet NAT gateway | 100. You can increase the quota. For more information, see Manage NAT Gateway quotas. | 100. You can increase the quota. For more information, see Manage NAT Gateway quotas.
The maximum number of SNAT entries that can be added to an Internet NAT gateway | 40. You can increase the quota. For more information, see Manage NAT Gateway quotas. | 40. You can increase the quota. For more information, see Manage NAT Gateway quotas.
The maximum number of EIPs that you can specify in an SNAT entry | 64. You cannot adjust the quota. | 64. You cannot adjust the quota.
Creating an Internet NAT gateway for a VPC that contains a custom route whose destination CIDR block is 0.0.0.0/0 | Supported. | Not supported. You must delete the custom route whose destination CIDR block is 0.0.0.0/0 before you can create an Internet NAT gateway for the VPC.
Whether the bandwidth of a vSwitch is limited by the maximum bandwidth of the EIPs in the SNAT entry that is created for the vSwitch | Yes. If the EIPs are associated with an EIP bandwidth plan, the bandwidth of the vSwitch is limited by the maximum bandwidth of the EIP bandwidth plan. | Yes. If the EIPs are associated with an EIP bandwidth plan, the bandwidth of the vSwitch is limited by the maximum bandwidth of the EIP bandwidth plan.
The maximum number of EIPs that can be associated with an Internet NAT gateway | 20. You can increase the quota. For more information, see Manage NAT Gateway quotas. | 20. You can increase the quota. For more information, see Manage NAT Gateway quotas.
The maximum bandwidth of an Internet NAT gateway | 5 Gbit/s. If the total bandwidth of the EIPs or EIP bandwidth plans is greater than 5 Gbit/s, submit a ticket. | An Internet NAT gateway does not have a bandwidth limit itself. However, the bandwidth of an Internet NAT gateway is limited by the bandwidth of the EIPs that are specified in SNAT or DNAT entries. The bandwidth is also limited by the maximum bandwidth of the EIP bandwidth plan with which the EIPs are associated. For example, you create an SNAT entry for an Internet NAT gateway, and specify five pay-by-data-transfer EIPs and two pay-by-bandwidth EIPs whose maximum bandwidth is 500 Mbit/s. The maximum bandwidth of the Internet NAT gateway is 2,000 Mbit/s. This value is calculated based on the following formula: 5 × 200 Mbit/s + 2 × 500 Mbit/s = 2,000 Mbit/s. If the seven EIPs are associated with the same EIP bandwidth plan and the maximum bandwidth of the EIP bandwidth plan is 1,000 Mbit/s, the maximum bandwidth of the Internet NAT gateway is 1,000 Mbit/s.
Whether the maximum number of concurrent connections for an EIP is 55,000 | Yes | Yes
Whether the maximum bandwidth of an EIP in an EIP bandwidth plan is 200 Mbit/s | No | Yes
Whether users of NAT service plans can associate EIPs with NAT gateways | No | No
Whether service interruptions occur when you change the maximum bandwidth of an EIP bandwidth plan that is associated with an Internet NAT gateway, such as increasing the maximum bandwidth from less than 1 Gbit/s to greater than 1 Gbit/s, or decreasing the maximum bandwidth from greater than 1 Gbit/s to less than 1 Gbit/s | No | Yes
Whether service interruptions occur when the number of EIPs in existing SNAT entries is reduced | Yes | Yes
Whether service interruptions occur when the number of EIPs in existing SNAT entries is increased | No | Yes
Whether an ECS instance can be accessed from the Internet in the following scenario: Multiple elastic network interfaces (ENIs) are attached to the ECS instance, and EIPs are associated with some of the ENIs. Different ENIs are used to forward the inbound and outbound traffic of the ECS instance. | No. You must modify the routes of the ECS instance before you upgrade the standard Internet NAT gateway to an enhanced Internet NAT gateway. Make sure that the inbound traffic and outbound traffic of the ECS instance are forwarded by the same ENI. For more information, see Configure routes for a secondary ENI that is bound to an instance that runs an Alibaba Cloud Linux 2 or CentOS 7 operating system. | Yes
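The bandwidth rules in Table 2 (200 Mbit/s per pay-by-data-transfer EIP, the configured maximum per pay-by-bandwidth EIP, the EIP bandwidth plan as a cap, the default quota of 20 EIPs per gateway, and the 5 Gbit/s enhanced-gateway limit that requires a ticket) as a capacity pre-check. This is an added example, not code from Alibaba Cloud or from this page; the class and function names and the sample EIP addresses are assumptions, and only the numbers come from the table.

```python
# Added example (not Alibaba Cloud's code): apply the bandwidth and quota rules
# from the comparison table to a planned set of EIPs before creating SNAT entries.
# Names (Eip, gateway_max_bandwidth_mbps, enhanced_gateway_precheck) are assumed.
from dataclasses import dataclass
from typing import Dict, List, Optional

PAY_BY_DATA_TRANSFER_MBPS = 200      # per-EIP maximum stated in the table
ENHANCED_GATEWAY_LIMIT_MBPS = 5_000  # enhanced gateway limit; above this, submit a ticket
DEFAULT_EIP_QUOTA_PER_GATEWAY = 20   # default quota from Table 2


@dataclass(frozen=True)
class Eip:
    address: str                 # constructed sample value, not a real allocation
    billing: str                 # "pay-by-data-transfer" or "pay-by-bandwidth"
    max_bandwidth_mbps: int = 0  # only meaningful for pay-by-bandwidth EIPs

    def contributed_mbps(self) -> int:
        """Bandwidth this EIP adds to the gateway total under the table's rules."""
        if self.billing == "pay-by-data-transfer":
            return PAY_BY_DATA_TRANSFER_MBPS
        if self.billing == "pay-by-bandwidth":
            if self.max_bandwidth_mbps <= 0:
                raise ValueError(f"{self.address}: pay-by-bandwidth EIP needs a maximum bandwidth")
            return self.max_bandwidth_mbps
        raise ValueError(f"{self.address}: unknown billing method {self.billing!r}")


def gateway_max_bandwidth_mbps(eips: List[Eip], plan_max_mbps: Optional[int] = None) -> int:
    """Sum of the EIP bandwidths, capped by the EIP bandwidth plan when the
    EIPs are associated with one. Refuses sets above the default EIP quota."""
    if len(eips) > DEFAULT_EIP_QUOTA_PER_GATEWAY:
        raise ValueError(f"{len(eips)} EIPs exceed the default quota of "
                         f"{DEFAULT_EIP_QUOTA_PER_GATEWAY} per gateway; raise the quota first")
    total = sum(e.contributed_mbps() for e in eips)
    if plan_max_mbps is not None:
        return min(total, plan_max_mbps)
    return total


def enhanced_gateway_precheck(eips: List[Eip], plan_max_mbps: Optional[int] = None) -> Dict[str, int]:
    """For an enhanced gateway: the requested bandwidth, the bandwidth you get
    without a ticket, and whether the 5 Gbit/s limit means a ticket is needed."""
    requested = gateway_max_bandwidth_mbps(eips, plan_max_mbps)
    return {
        "requested_mbps": requested,
        "effective_mbps": min(requested, ENHANCED_GATEWAY_LIMIT_MBPS),
        "ticket_required": requested > ENHANCED_GATEWAY_LIMIT_MBPS,
    }


# Constructed sample matching the worked example in the table: five
# pay-by-data-transfer EIPs and two 500 Mbit/s pay-by-bandwidth EIPs.
SAMPLE_EIPS = [Eip(f"203.0.113.{i}", "pay-by-data-transfer") for i in range(1, 6)] + [
    Eip("203.0.113.10", "pay-by-bandwidth", 500),
    Eip("203.0.113.11", "pay-by-bandwidth", 500),
]

if __name__ == "__main__":
    print(gateway_max_bandwidth_mbps(SAMPLE_EIPS))         # 2000
    print(gateway_max_bandwidth_mbps(SAMPLE_EIPS, 1_000))  # 1000
    print(enhanced_gateway_precheck(SAMPLE_EIPS))
```

Run this before adding EIPs to an SNAT entry: the first two calls reproduce the table's 2,000 Mbit/s and 1,000 Mbit/s results, and the pre-check tells you whether an enhanced gateway will need a ticket or a quota increase before the change.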

Procedure

Enhanced NAT gateways are used in the same way as standard NAT gateways. However, when you create an enhanced NAT gateway, you must specify the gateway type. In addition, you must specify the VPC and vSwitch that you want to associate with the enhanced NAT gateway. After an enhanced NAT gateway is created, the system assigns an idle private IP address from the vSwitch to the enhanced NAT gateway.
Note: If your account is a Resource Access Management (RAM) user and you want to create an enhanced NAT gateway, you must acquire the permissions from the Alibaba Cloud account.
The following figure shows how to use an enhanced NAT gateway. [Figure: NAT 2.0 procedure]