Alibaba Cloud has released enhanced NAT gateways. Enhanced NAT gateways are an upgrade from standard NAT gateways and use a more advanced architecture. Compared with standard NAT gateways, enhanced NAT gateways provide higher elasticity and stability. This helps you manage data transfer in a more efficient manner.
Overview of enhanced NAT gateways
- More metrics for data transfer monitoring
Up to 22 metrics are collected in real time. You can use the metrics to monitor data transfer and ensure system stability. For more information, see Monitor and maintain NAT gateways.
- Multiple NAT gateways for one virtual private cloud (VPC)
You can deploy more than one enhanced NAT gateway for one VPC to forward network traffic to different destinations. In addition, you can use various security services to protect different enhanced NAT gateways. This facilitates how you manage network traffic sent to and received from the Internet.
You can also specify the same SNAT (to access the Internet) entry or DNAT (to provide Internet-facing services) entry on different NAT gateways, and configure routes to forward network traffic to a specific egress.
Notice- To replace a standard NAT gateway with an enhanced NAT gateway, you must reconfigure the routes. During this process, your service may be interrupted for a short period of time. We recommend that you reconfigure the routes during off-peak hours.
- If you created both SNAT and DNAT entries on an enhanced NAT gateway, the Elastic Compute Service (ECS) instances cannot use SNAT to access services that use DNAT of the same enhanced NAT gateway to provide external access in the same VPC. If you want the ECS instances to access the services that use DNAT to provide external access in the same VPC, we recommend that you create another enhanced NAT gateway. Then, create DNAT entries on one NAT gateway and create SNAT entries on the other NAT gateway.
Comparison between enhanced NAT gateways and standard NAT gateways
The following tables describe differences and similarities in features and limits between enhanced NAT gateways and standard NAT gateways.
| Item | Enhanced NAT gateway | Standard NAT gateway | Reference |
|---|---|---|---|
| Multiple NAT gateways for one virtual private cloud (VPC) | Supported | Not supported | Create a NAT gateway |
| Attach a NAT gateway to a vSwitch | Supported | Not supported | |
| Billing on an hourly basis | Supported | Not supported | Pay-by-data-transfer |
| Billing on a daily basis | Not supported | Supported | Pay-as-you-go |
| Process TCP, UDP, and ICMP segments | Supported | Not supported | N/A |
| Monitoring metrics | 22 | 4 | Monitor and maintain NAT gateways |
| Network traffic monitoring (TOP ECS) | Supported | Not supported | Monitor and maintain NAT gateways |
| Associate multiple elastic IP addresses (EIPs) with a NAT gateway | Supported | Supported | Associate an EIP with a NAT gateway |
| SNAT | Supported | Supported | Create a SNAT entry to access the Internet |
| Create multiple SNAT entries in a SNAT table | Supported | Supported | Create a SNAT entry to access the Internet |
| Associate multiple EIPs with a SNAT table | Supported | Supported | |
| DNAT | Supported | Supported | Create a DNAT entry to provide Internet-facing services |
| DNAT port mapping | Supported | Supported | Create a DNAT entry to provide Internet-facing services |
| DNAT IP mapping | Supported | Supported | |
| Elastic Compute Service (ECS) instances use SNAT to access services that use DNAT to provide Internet-facing services when the same enhanced NAT gateway is used for SNAT and DNAT | Not supported | Supported | Use SNAT of enhanced NAT gateways to enable ECS instances to access services that use DNAT to provide external access in the same VPC |
| Item | Enhanced NAT gateway | Standard NAT gateway |
|---|---|---|
| The maximum number of NAT gateways that can be deployed for a VPC | 5. To increase the quota,submit a ticket. | 1 (not adjustable) |
| Use an EIP for both SNAT and DNAT | Only selected users can use an EIP for both SNAT and DNAT. To apply to be added to the whitelist,submit a ticket. | Not supported (not adjustable) |
| The maximum number of DNAT entries that can be added to a NAT gateway | 100. You can increase the quota. For more information, see Quota management. | 100. You can increase the quota. For more information, see Quota management. |
| The maximum number of SNAT entries that can be added to a NAT gateway | 40. You can increase the quota. For more information, see Quota management. | 40. You can increase the quota. For more information, see Quota management. |
| The maximum number of EIPs that can be specified in a SNAT entry | 64 (not adjustable) | 64 (not adjustable) |
| Create a NAT gateway for a VPC that contains a custom route entry whose destination CIDR block is 0.0.0.0/0 | Yes | Not supported. You must delete the custom route entry whose destination CIDR block is 0.0.0.0/0 before you can create a NAT gateway for the VPC. |
| Limits on a vSwitch by the maximum bandwidth of the EIPs specified in the SNAT entry that is added to the vSwitch | Yes. If the EIPs are associated with an EIP bandwidth plan, the vSwitch is limited by the maximum bandwidth of the EIP bandwidth plan. | Yes. If the EIP is associated with an EIP bandwidth plan, the vSwitch is limited by the maximum bandwidth of the EIP bandwidth plan. |
| The maximum number of EIPs that can be associated with a NAT gateway | 20. You can increase the quota. For more information, see Quota management. | 20. You can increase the quota. For more information, see Quota management. |
| The maximum number of pay-by-data-transfer EIPs that can be associated with a NAT gateway | 10. You can increase the quota. For more information, see Quota management. | 10. You can increase the quota. For more information, see Quota management. |
| The maximum bandwidth supported by a pay-by-data-transfer EIP that is associated with a NAT gateway | N/A | 200 Mbit/s (not adjustable) |
| The maximum bandwidth of a NAT gateway | 5 Gbit/s. If the total bandwidth of the EIPs or EIP bandwidth plans is greater than 5 Gbit/s,submit a ticket to increase the quota. | A NAT gateway does not have a bandwidth limit. The bandwidth limit depends on the
bandwidth of the EIPs that are specified in a SNAT entry or a DNAT entry, and the
bandwidth of the EIP bandwidth plans with which the EIPs are associated.
For example, you create a SNAT entry for a NAT gateway, and specify five pay-by-data-transfer EIPs and two pay-by-bandwidth EIPs with 500 Mbit/s bandwidth each in the SNAT entry. The bandwidth of the NAT gateway is limited to 2,000 Mbit/s. This value is based on the following calculation: 5 × 200 Mbit/s + 2 × 500 Mbit/s = 2,000 Mbit/s. If the seven EIPs are associated with the same EIP bandwidth plan, and the bandwidth of the EIP bandwidth plan is limited to 1,000 Mbit/s, the bandwidth limit of the NAT gateway is 1,000 Mbit/s. |
| The maximum number of concurrent connections for an EIP is 55,000. | Yes | Yes |
| The maximum bandwidth of an EIP in an EIP bandwidth plan is 200 Mbit/s. | No | Yes |
| Users of NAT service plans are not allowed to associate EIPs with NAT gateways. | Yes | Yes |
| Transient connection errors may occur when you change the maximum bandwidth of the EIP bandwidth plan that is associated with a NAT gateway. For example, you can upgrade the maximum bandwidth from less than 1 Gbit/s to greater than 1 Gbit/s, or downgrade the maximum bandwidth from greater than 1 Gbit/s to less than 1 Gbit/s. | No | Yes |
| Transient connection errors may occur when IP addresses in the existing SNAT entries are reduced. | Yes | Yes |
| Transient connection errors may occur when IP addresses in the existing SNAT entries are increased. | No | Yes |
Configure an enhanced NAT gateway
