An Internet NAT gateway enhances security by translating and hiding the private IP addresses of your cloud services, which prevents their direct exposure.
After you create an Internet NAT gateway and associate an EIP with it, you can:
- Configure SNAT: Allow multiple ECS instances to share EIPs for outbound Internet access, which conserves public IP resources.
- Configure DNAT: Enable ECS instances to provide services to the Internet through port mapping or IP mapping.

[Figure: SNAT - Access the internet | DNAT - Provide web services to the internet]
An Internet NAT gateway supports two disaster recovery modes. You select one with the Disaster Recovery parameter when you create the gateway.
The single-zone disaster recovery mode is available in all regions that support Internet NAT gateways. To use this mode, contact your account manager to have it enabled.
- Cross-zone disaster recovery: The NAT gateway is deployed across multiple zones for redundancy. If a zone fails, traffic automatically fails over. This mode is suitable for scenarios where your resources, such as ECS instances, are distributed across multiple zones and need to share an Internet NAT gateway to access the Internet.
- Single-zone disaster recovery: The NAT gateway is deployed within a single zone and provides high availability only within that zone. This mode is suitable for scenarios where your services are concentrated in a single zone and use a dedicated Internet NAT gateway for Internet access.
SNAT - Access the internet
Assigning an EIP to each ECS instance for Internet access is costly. The SNAT feature of an Internet NAT gateway allows multiple ECS instances to share EIPs for outbound access. This reduces costs and enhances security by hiding the real IP addresses of your instances and restricting inbound connections.
How it works
The following example shows how an ECS instance with the private IP address 192.168.1.100 accesses the Internet.
- Route forwarding: The VPC forwards a request packet to the Internet NAT gateway based on the corresponding route entry in its route table.
- SNAT (Source Network Address Translation): When the NAT gateway receives the packet, it translates the source IP address 192.168.1.100 to an EIP that is associated with the gateway, as defined by the SNAT rule. The gateway also records the mapping between the original five-tuple (protocol, source IP, source port, destination IP, destination port) and the translated five-tuple (protocol, EIP, public source port, destination IP, destination port).
- Outbound to the Internet: The gateway sends the packet with the translated address to the Internet. The request originates from the EIP, not the private IP address of the ECS instance.
When the destination server on the Internet returns a response packet, the gateway uses the session mapping to restore the original private IP address and forwards the packet back to the ECS instance.
SNAT rule precedence
Whether an SNAT entry takes effect depends on the following rules:
- Outbound Internet traffic from the VPC must be correctly routed to the Internet NAT gateway. This means that in the VPC route table, the route entry for the destination CIDR block on the Internet must have the Internet NAT gateway as its next hop.
  - Automatic configuration: If no `0.0.0.0/0` route exists in the system route table of the VPC, the system automatically adds such a route when the first Internet NAT gateway is created in that VPC.
  - Manual configuration: If you use a custom route table, or if a `0.0.0.0/0` route already exists in the system route table, you must manually add or modify the custom route entry. We recommend that you follow the principle of least privilege by configuring the destination CIDR block to be the specific public CIDR block you need to access.
  - Route priority: If multiple routes have overlapping destination CIDR blocks, traffic is forwarded based on the longest prefix match principle.
- Egress IP priority: A static public IP or EIP associated with an instance > DNAT IP mapping (Any Port) > EIP associated with an SNAT entry. Refer to Centralized Egress IP to adjust your network architecture.
- SNAT entry priority: If multiple SNAT entries have overlapping source CIDR blocks, the entry with the longest subnet mask takes precedence. For example, the source CIDR block of an ECS-level SNAT entry has a subnet mask of `/32`, which is the longest possible mask and therefore has the highest priority.
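The "How it works" steps and the precedence rules above can be seen working together in the following added example. It is not Alibaba Cloud code but a small Python model of the gateway: routes are matched by longest prefix, the egress IP follows the stated priority (instance EIP, then DNAT Any Port mapping, then SNAT entry), the SNAT entry with the longest source mask wins, the five-tuple is rewritten and recorded so the reply can be mapped back, and a port allocation fails once the 1025 to 65535 range for one destination is used up. The addresses (192.168.x.x private, 198.51.100.x and 192.0.2.x public, 198.18.0.0/15 routed to a VPN gateway), the `vpc-local` and `vpn-gateway` next-hop names, the stable-hash model of EIP affinity and the per-destination port pool are constructed assumptions of this model.

```python
# Added example (not Alibaba Cloud code): toy model of route selection, egress IP
# priority, SNAT entry precedence and the five-tuple session table. Addresses are
# constructed documentation values; the port-pool model is a simplification.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

SNAT_PORT_RANGE = (1025, 65535)   # default SNAT public port range stated on the page


@dataclass(frozen=True)
class FiveTuple:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Route:
    dest_cidr: str
    next_hop: str                  # "nat-gateway" or any other next hop (assumed names)


@dataclass(frozen=True)
class SnatEntry:
    source_cidr: str
    eips: tuple                    # one or more EIPs the entry may use


@dataclass
class NatGateway:
    routes: list
    snat_entries: list
    instance_eips: dict = field(default_factory=dict)  # private IP -> EIP bound to the instance itself
    dnat_any_port: dict = field(default_factory=dict)  # private IP -> EIP of an Any Port DNAT mapping
    sessions: dict = field(default_factory=dict)       # translated five-tuple -> original five-tuple
    next_port: dict = field(default_factory=dict)      # (eip, dst_ip, dst_port) -> next free public port
    error_port_allocation_count: int = 0

    def select_route(self, dst_ip: str) -> Optional[Route]:
        """Longest prefix match over the route table."""
        matches = [r for r in self.routes if ip_address(dst_ip) in ip_network(r.dest_cidr)]
        return max(matches, key=lambda r: ip_network(r.dest_cidr).prefixlen, default=None)

    def select_snat_entry(self, src_ip: str) -> Optional[SnatEntry]:
        """The entry with the longest source mask wins (an ECS-level /32 beats a VPC-level /16)."""
        matches = [e for e in self.snat_entries if ip_address(src_ip) in ip_network(e.source_cidr)]
        return max(matches, key=lambda e: ip_network(e.source_cidr).prefixlen, default=None)

    def egress_ip(self, src_ip: str, dst_ip: str):
        """Return (reason, eip) in the page's priority order; eip is None if nothing applies."""
        if src_ip in self.instance_eips:
            return "instance-eip", self.instance_eips[src_ip]
        if src_ip in self.dnat_any_port:
            return "dnat-ip-mapping", self.dnat_any_port[src_ip]
        entry = self.select_snat_entry(src_ip)
        if entry is None:
            return "no-snat-entry", None
        # A stable hash over (source, destination) models EIP affinity: the same
        # private IP always reaches the same destination through the same EIP.
        idx = (int(ip_address(src_ip)) + int(ip_address(dst_ip))) % len(entry.eips)
        return "snat", entry.eips[idx]

    def allocate_port(self, eip: str, dst_ip: str, dst_port: int) -> Optional[int]:
        """Hand out public ports per (EIP, destination); exhaustion counts as a failed allocation."""
        key = (eip, dst_ip, dst_port)
        port = self.next_port.get(key, SNAT_PORT_RANGE[0])
        if port > SNAT_PORT_RANGE[1]:
            self.error_port_allocation_count += 1
            return None
        self.next_port[key] = port + 1
        return port

    def translate_outbound(self, pkt: FiveTuple) -> Optional[FiveTuple]:
        """SNAT an outbound packet; None means the gateway is not on the path or cannot translate."""
        route = self.select_route(pkt.dst_ip)
        if route is None or route.next_hop != "nat-gateway":
            return None
        _reason, eip = self.egress_ip(pkt.src_ip, pkt.dst_ip)
        if eip is None:
            return None
        port = self.allocate_port(eip, pkt.dst_ip, pkt.dst_port)
        if port is None:
            return None
        translated = FiveTuple(pkt.proto, eip, port, pkt.dst_ip, pkt.dst_port)
        self.sessions[translated] = pkt       # remember the mapping for the reply
        return translated

    def translate_reply(self, reply: FiveTuple) -> Optional[FiveTuple]:
        """Map a reply addressed to the EIP back to the private five-tuple; unsolicited packets get None."""
        key = FiveTuple(reply.proto, reply.dst_ip, reply.dst_port, reply.src_ip, reply.src_port)
        orig = self.sessions.get(key)
        if orig is None:
            return None
        return FiveTuple(orig.proto, orig.dst_ip, orig.dst_port, orig.src_ip, orig.src_port)


def build_demo_gateway() -> NatGateway:
    """Constructed configuration: default route to the gateway plus VPC-level and ECS-level SNAT entries."""
    return NatGateway(
        routes=[Route("0.0.0.0/0", "nat-gateway"),
                Route("192.168.0.0/16", "vpc-local"),
                Route("198.18.0.0/15", "vpn-gateway")],   # the more specific prefix wins over 0.0.0.0/0
        snat_entries=[SnatEntry("192.168.0.0/16", ("198.51.100.1", "198.51.100.2")),
                      SnatEntry("192.168.1.100/32", ("198.51.100.3",))],
        instance_eips={"192.168.3.3": "198.51.100.9"},
        dnat_any_port={"192.168.4.4": "198.51.100.8"},
    )


if __name__ == "__main__":
    gw = build_demo_gateway()
    out = gw.translate_outbound(FiveTuple("tcp", "192.168.1.100", 40000, "192.0.2.50", 443))
    print("outbound:", out)
    print("reply:", gw.translate_reply(FiveTuple("tcp", "192.0.2.50", 443, out.src_ip, out.src_port)))
```

Running the block shows the packet from 192.168.1.100 leaving with the ECS-level EIP 198.51.100.3 rather than one of the VPC-level EIPs, and the reply being restored to the original private five-tuple. A packet to 198.18.0.5 is never translated because the more specific route points elsewhere, which is exactly the failure that the "Route configuration" check in the FAQ is meant to catch.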
1. Create NAT gateway and associate EIP
An Internet NAT gateway must have an EIP associated with it to function. You can associate up to 20 EIPs with an Internet NAT gateway. You can go to the Quota Management page to request a quota increase.
Starting from September 19, 2022, associating an EIP with a newly created Internet NAT gateway consumes one private IP address from the gateway's vSwitch. This change does not affect existing NAT gateway instances. Ensure that the vSwitch has enough available private IP addresses; otherwise, the association will fail.
Console
Go to the NAT Gateway - Internet NAT Gateway purchase page.
- Billing Method: Pay-as-you-go.
- Region: Select the region where you want to create the Internet NAT gateway.
- Network and Zone: Select the VPC and vSwitch for the Internet NAT gateway. The selected vSwitch is used to assign a private IP address to the NAT gateway. Associating an EIP consumes one private IP address from this vSwitch. You cannot change these settings after the gateway is created.
- Disaster Recovery: Select a disaster recovery mode for the NAT gateway.
  - Cross-zone disaster recovery (Default): Deploys the gateway in a primary and a secondary zone. If the primary zone fails, traffic automatically fails over to the secondary zone.
  - Single-zone disaster recovery: Deploys the gateway within the selected zone, with high availability ensured through device-level redundancy. The instance fee is 50% of the cross-zone mode, and the CU fee is 80%.
- EIP: Select an option based on whether you have an existing EIP.
  - Select EIP: Select an EIP that is not associated with an instance.
  - Purchase EIP: Select this option if you do not have an available EIP. By default, a pay-by-traffic BGP (Multi-ISP) EIP is created. You can set the Maximum Bandwidth based on your business requirements. To associate a BGP (Multi-ISP) Premium EIP or an EIP with a different billing method, first apply for an EIP, and then choose Select EIP during creation.
  - Configure Later: The NAT gateway is created without Internet access. After the NAT gateway is created, find the target instance and click Associate Now in the EIP column. You can then select an existing EIP or purchase and associate a new one.
API
- Call CreateNatGateway to create an Internet NAT gateway.
- Call ModifyNatGatewayAttribute to modify the configuration of an Internet NAT gateway.
- Call AssociateEipAddress to associate an EIP.
2. Configure an SNAT entry
Console
Go to the Internet NAT Gateway page. Find the target instance, click Configure SNAT in the Actions column, and then click Create SNAT Entry.
- SNAT Entry: The scope of the SNAT rule. Select a scope based on your management needs.
  - Specify VPC: All ECS instances in the VPC can access the Internet through the configured SNAT rule.
  - Select vSwitch: Configure SNAT rules at the vSwitch level. All ECS instances in the selected vSwitch can access the Internet through this SNAT entry. The selected vSwitch determines the scope of the SNAT rule and is independent of the vSwitch selected when you created the NAT gateway.
  - Specify ECS Instance/ENI: Only the specified ECS instances or ENIs can access the Internet.
  - Specify Custom CIDR Block: Provides Internet access for resources within the specified CIDR block.
- Select EIP: From the drop-down list, select an EIP to provide Internet access.
  - If no EIPs are available, click Purchase and Associate EIP in the drop-down list and complete the purchase in the dialog box that appears.
  - You can select multiple EIPs. A hash algorithm distributes connections across the EIPs. Because traffic varies for each connection, traffic may not be evenly distributed across the EIPs. We recommend that you add each EIP to the same Internet Shared Bandwidth instance to avoid service disruptions that can occur when a single EIP reaches its bandwidth limit.
- EIP Affinity: If you select multiple EIPs and EIP affinity is disabled, a private IP address may use different EIPs to access a single destination IP address. If you enable this feature, the same EIP is used. However, if there are too many concurrent connections to a single destination, port allocation may fail. You must monitor the ErrorPortAllocationCount metric.

After the entry is created, you can click Edit in the Actions column for the entry to modify the EIP and EIP affinity settings.
API
- Call CreateSnatEntry to create an SNAT entry.
- Call ModifySnatEntry to modify the specified SNAT entry.
3. Configure routes
Configure routes to ensure that traffic from ECS instances to the Internet is correctly routed to the NAT gateway.
Console
Go to the VPC console - Route Tables page. In the top navigation bar, select the region where the Internet NAT gateway is deployed. Find the route table that is associated with the vSwitch of the ECS instance, and click its ID to go to the details page.
- Automatic configuration: If you are creating the first Internet NAT gateway in the VPC and the vSwitch of the ECS instance is associated with the system route table, a route entry with the destination CIDR block `0.0.0.0/0` and the NAT gateway as the next hop is automatically added. In this case, no action is required.
- Manual configuration: If a `0.0.0.0/0` route already exists in the VPC or the vSwitch is bound to a custom route table, you must add a custom route to the corresponding route table. The destination of the route must be the specific public CIDR block that you want to access, and the next hop must be the NAT gateway.
API
- Call CreateRouteEntry to add a single route entry.
- Call ModifyRouteEntry to modify the next hop of a route entry.
Verify network connectivity
Log on to the ECS instance and run the following commands.

```bash
# Make sure that the security group of the ECS instance allows outbound traffic to the Internet.
# Test connectivity to the Internet (send four probes instead of pinging indefinitely).
ping -c 4 www.aliyun.com
# View the current egress public IP address. It should be the EIP associated with the NAT gateway.
curl ifconfig.me
```
DNAT - Provide public services
If an ECS instance needs to provide web services, assigning an EIP directly to the instance exposes all of its ports, which increases security risks. Using the DNAT feature of an Internet NAT gateway, you can forward only specific ports or all traffic from the NAT gateway's EIP to the ECS instance. This keeps the instance's private IP address hidden. Before you can configure a DNAT entry, make sure that the ECS instance does not have an EIP associated with it.
How it works
The following example shows how an ECS instance with the private IP address 192.168.1.100 provides services to the Internet.
- A client accesses the service: The destination IP address of the data packet is the EIP that is associated with the Internet NAT gateway and used to provide the service.
- DNAT (Destination Network Address Translation): After the NAT gateway receives the packet, it translates the destination EIP to the private IP address of the ECS instance based on the DNAT rule. The gateway also records this address mapping.
- The service is accessed: The packet with the translated address is forwarded to the destination ECS instance.
When the destination ECS instance returns a response packet, the packet is forwarded to the Internet NAT gateway according to the route. The gateway then translates the source IP address back to the EIP according to the session mapping table and sends the packet to the client on the Internet.
When only DNAT entries are configured, the source IP of packets received by the ECS instance is the public IP of the client. Therefore, when you configure inbound rules for the security group of the ECS instance, you must use the actual source IP address (the public IP).
Configure a DNAT entry
This section describes only how to configure a DNAT entry. To learn how to create a NAT gateway, associate an EIP, and configure routes, see SNAT - Access the Internet.
Console
- Go to the Internet NAT Gateway page. In the top navigation bar, select the region of the Internet NAT gateway.
- Click Configure DNAT in the Actions column of the target Internet NAT gateway instance, and then click Create DNAT Entry.
  - Select EIP: Choose the EIP that Internet clients will access. You can use the same EIP for both DNAT and SNAT entries.
  - Select Private IP Address: Select the private IP address of the backend server that provides the service. You can select it by specifying an ECS instance or an ENI, or enter it manually.
  - Port Settings: Configure the DNAT mapping.
    - Any Port: This is an IP mapping. All requests to this EIP are forwarded to the destination ECS instance, which occupies all ports.
      - The destination ECS instance can also use this EIP to access the Internet. This EIP cannot be used by other DNAT or SNAT entries.
      - If an Internet NAT gateway has both a DNAT IP mapping and an SNAT entry configured, the ECS instance prioritizes the EIP from the DNAT IP mapping for Internet access.
    - Custom Port: This is a port mapping. Requests to the EIP with a specified protocol and port are forwarded to a specified port on the destination ECS instance. Configure the Public Port (the external port or port range for forwarding), the Private Port (the internal port or port range for forwarding), and the Protocol (the protocol for the forwarded port).
      - The port range must be between 1 and 65535. To specify a port range, separate the start and end ports with a forward slash (/), such as 10/20. The number of ports in the public and private port ranges must be the same, and both must be either single ports or port ranges of the same size. For example, if you set Public Port to 10/20, you must set Private Port to a range of the same size, such as 80/90.
      - The default port range for SNAT is 1025 to 65535. If an SNAT entry is already created for the selected EIP and you need to set a public port for DNAT that is greater than 1024, you must click Remove Port Limits to avoid conflicts. Important: Enabling port override may cause brief interruptions to some existing SNAT connections. These connections can be restored by reconnecting. Proceed with caution.

After the entry is created, you can click Edit in the Actions column for the entry to modify the EIP, private IP address, and port settings.
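The port rules listed above, and the DNAT "How it works" steps earlier in this section, are illustrated by the following added example. It is not Alibaba Cloud code but a small Python model: it parses the `10/20` range notation, rejects ranges of unequal size or outside 1 to 65535, flags a public port above 1024 on an EIP that already carries an SNAT entry unless port limits have been removed, and then rewrites a client packet for both an Any Port entry and a Custom Port entry, leaving the client's public source IP untouched (the reason security group rules must use that address). The addresses (198.51.100.x EIPs, 192.168.x.x private, 203.0.113.5 client) are constructed; mapping a port range position for position (public 15 to private 85 for 10/20 to 80/90) is an assumption of this model rather than a rule stated on the page.

```python
# Added example (not Alibaba Cloud code): validation of a DNAT entry's port
# settings and the DNAT rewrite of a client packet and the server's reply.
# Addresses are constructed; position-for-position range mapping is assumed.
from dataclasses import dataclass
from typing import Optional, Tuple

SNAT_DEFAULT_PORT_RANGE = (1025, 65535)   # default SNAT public port range stated on the page


def parse_port_spec(spec: str) -> Tuple[int, int]:
    """'443' -> (443, 443); '10/20' -> (10, 20). Ports must lie in 1..65535 and not be reversed."""
    parts = spec.split("/")
    if len(parts) == 1:
        lo = hi = int(parts[0])
    elif len(parts) == 2:
        lo, hi = int(parts[0]), int(parts[1])
    else:
        raise ValueError(f"bad port specification: {spec!r}")
    if not 1 <= lo <= hi <= 65535:
        raise ValueError(f"ports must be within 1 to 65535 with start <= end: {spec!r}")
    return lo, hi


def validate_dnat_ports(public_port: str, private_port: str,
                        eip_has_snat_entry: bool, port_limits_removed: bool = False) -> list:
    """Return the problems a Custom Port DNAT entry would have (an empty list means acceptable)."""
    problems = []
    pub, priv = parse_port_spec(public_port), parse_port_spec(private_port)
    if pub[1] - pub[0] != priv[1] - priv[0]:
        problems.append("public and private port ranges must contain the same number of ports")
    # An EIP that already carries an SNAT entry uses 1025-65535 for SNAT by default,
    # so a DNAT public port above 1024 conflicts unless the port limit is removed.
    if eip_has_snat_entry and pub[1] > 1024 and not port_limits_removed:
        problems.append("public port above 1024 overlaps the EIP's SNAT port range; remove port limits first")
    return problems


@dataclass(frozen=True)
class DnatEntry:
    eip: str
    private_ip: str
    protocol: Optional[str] = None              # None with public=None means Any Port (IP mapping)
    public: Optional[Tuple[int, int]] = None
    private: Optional[Tuple[int, int]] = None


Packet = Tuple[str, str, int, str, int]         # (proto, src_ip, src_port, dst_ip, dst_port)


def dnat_inbound(entry: DnatEntry, pkt: Packet) -> Optional[Packet]:
    """Rewrite a client packet addressed to the EIP; None means the entry does not match."""
    proto, src_ip, src_port, dst_ip, dst_port = pkt
    if dst_ip != entry.eip:
        return None
    if entry.public is None:                    # Any Port: every port goes to the instance unchanged
        return (proto, src_ip, src_port, entry.private_ip, dst_port)
    lo, hi = entry.public
    if proto != entry.protocol or not lo <= dst_port <= hi:
        return None
    # Only the destination changes: the instance still sees the client's public IP,
    # so its inbound security group rules must be written against that source.
    return (proto, src_ip, src_port, entry.private_ip, entry.private[0] + (dst_port - lo))


def dnat_reply(entry: DnatEntry, pkt: Packet) -> Optional[Packet]:
    """Rewrite the instance's reply so the client sees it coming from the EIP."""
    proto, src_ip, src_port, dst_ip, dst_port = pkt
    if src_ip != entry.private_ip:
        return None
    if entry.public is None:
        return (proto, entry.eip, src_port, dst_ip, dst_port)
    plo, phi = entry.private
    if proto != entry.protocol or not plo <= src_port <= phi:
        return None
    return (proto, entry.eip, entry.public[0] + (src_port - plo), dst_ip, dst_port)


if __name__ == "__main__":
    web = DnatEntry("198.51.100.1", "192.168.1.100", "TCP", (10, 20), (80, 90))
    print(validate_dnat_ports("10/20", "80/90", eip_has_snat_entry=False))
    print(dnat_inbound(web, ("TCP", "203.0.113.5", 51000, "198.51.100.1", 15)))
```

A packet to a port outside the configured public range, or with a different protocol, is not matched and is therefore not forwarded to the instance, which is the point of preferring a Custom Port mapping over an Any Port mapping when only one service needs to be exposed.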
API
- Call CreateForwardEntry to create a DNAT entry.
- Call ModifyForwardEntry to modify the specified DNAT entry.
Clean up resources
You are charged an instance fee for an Internet NAT gateway from the moment it is created until it is released. You are also charged a capacity unit (CU) fee for the traffic it processes. To avoid unnecessary costs, follow these steps to clean up resources you no longer need:
Console
- Delete entries: On the SNAT and DNAT tabs of the instance details page, delete the configured entries.
- Unbind and release EIPs: On the Associated EIP tab of the instance details page, unbind the EIPs. You are still charged an EIP configuration fee if you only unbind an EIP. To stop being charged, you must go to the EIP console to release the EIP. If you have not deleted the configuration entries, you can use Disassociate.
- Delete the Internet NAT gateway: In the Actions column of the target Internet NAT gateway instance, choose the delete action. If you have not unbound the EIPs or deleted the configuration entries, you can select Force Delete (Delete the NAT gateway and associated SNAT/DNAT entries). The system will then delete the instance and its related resources.

You can enable release protection for the instance to prevent accidental deletion. Before deleting the instance, you must disable release protection.
API
- Call DeleteSnatEntry and DeleteForwardEntry to delete the SNAT and DNAT entries, respectively.
- Call UnassociateEipAddress to unbind an EIP.
- Call DeleteNatGateway to delete the Internet NAT gateway.
Use in production environments
Best practices
- Network planning: Create a dedicated vSwitch for the Internet NAT gateway and reserve enough private IP addresses. This prevents IP exhaustion from blocking future EIP associations.
- Fine-grained control: Use vSwitch-level or ECS-level SNAT entries. Follow the principle of least privilege and grant Internet access only to the resources that require it.
Disaster recovery strategies
An Internet NAT gateway supports the following two disaster recovery modes. You can select a mode by using the Disaster Recovery parameter during creation.
| | Cross-zone recovery (default) | Single-zone recovery |
|---|---|---|
| Deployment mode | The gateway is deployed in both a primary and a secondary zone. The secondary zone is selected by Alibaba Cloud. | The gateway is deployed in a single, user-specified zone and provides device-level redundancy. |
| Failover | Automatic failover in case of a zone failure. | No automatic failover if the entire zone fails. |
| Use cases | Services that require automatic cross-zone disaster recovery. | Ideal for services that do not require cross-zone capabilities, aim to reduce costs, or must limit the blast radius to a single zone. |
| Fees | Baseline price | The instance fee is approximately 50% of the cross-zone mode, and the CU fee is approximately 80%. |

- EIP redundancy: Associate multiple EIPs with your SNAT entry. If one EIP becomes unavailable due to an attack or other issues, outbound traffic automatically switches to other available EIPs.
Risk prevention
- Security group configuration: An Internet NAT gateway performs address translation, but the security of backend ECS instances still relies on security groups and network ACLs. You must configure strict inbound security group rules for your ECS instances and allow traffic on only the necessary ports.
- Monitoring and alerts: Configure alert rules for key NAT gateway metrics, such as concurrent connections and inbound/outbound bandwidth, to receive timely notifications and scale resources before bottlenecks occur.
- Connection limits: If your services require a large number of connections to a single public service (such as a payment gateway), note the maximum number of concurrent connections (N × 55,000, where N is the number of EIPs configured in the SNAT entry). We recommend that you plan for a sufficient number of EIPs in advance and monitor the Failed Port Allocations metric.
- ICMP echo reply: This feature is enabled by default. When you use the ping command for detection, you receive a normal reply packet from the NAT gateway, but this does not guarantee that the backend server is running properly. For scenarios that rely on ping for fine-grained monitoring, you must disable ICMP Retrieval on the instance details page.
  - ICMP packets are forwarded to the backend server only when DNAT is configured with Any Port mapping.
  - In Custom Port mapping scenarios, ping probes will fail. You can use `telnet <EIP> <Public Port>` to directly probe the mapped service port.
FAQ
SNAT internet access failure
To troubleshoot this issue, follow these steps:
- Route configuration: On the instance details page of the Internet NAT gateway, check the section listing VPC routes that point to the NAT gateway to confirm that a route entry points to the gateway.
- SNAT entry configuration: On the SNAT tab of the Internet NAT gateway instance details page, confirm that the status of the SNAT entry is Available. Also confirm that the source address used to access the Internet is within the Source CIDR Block.
- Access control: Check whether the public endpoint you are trying to access has an access control policy configured, or whether the EIP associated with the instance has been added to a whitelist.
- IPv4 gateway configuration: When used with an IPv4 gateway, ensure that the NAT gateway is in NAT mode and that the routing is configured correctly.
Slow internet access or timeouts
This issue typically has the following causes:
- Insufficient bandwidth: View monitoring data for EIPs associated with the NAT gateway and check the bandwidth usage. If the usage is close to 100%, increase the bandwidth or add more EIPs and associate them with an Internet Shared Bandwidth instance.
- Connection limit exceeded: When the number of concurrent connections to a single destination exceeds the limit, the system drops connections due to failed port allocation. View the ErrorPortAllocationCount metric in NAT gateway monitoring. If this value continuously increases, add more EIPs to the SNAT rule.
NAT gateway and private traffic
The NAT gateway itself does not determine the traffic path; it only performs address translation. The VPC route table controls whether traffic is sent to the NAT gateway and where it is routed after translation.
More information
Billing
Internet NAT gateways incur instance fees and capacity unit (CU) fees. Associated EIPs have their own billing rules and are charged separately.
Quotas
| Quota name | Description | Default limit | Actions |
|---|---|---|---|
| natgw_quota_nat_num_per_vpc | The number of NAT gateways that can be created in a VPC. | 5 | Go to the Quota Management page or Quota Center to request a quota increase. |
| natgw_quota_eip_num_per_nat | The number of EIPs that can be associated with each NAT gateway. | 20 | Go to the Quota Management page or Quota Center to request a quota increase. |
| natgw_quota_snat_entry_num | The number of SNAT entries that can be created for each NAT gateway. | 40 | Go to the Quota Management page or Quota Center to request a quota increase. |
| natgw_quota_dnat_entry_num | The number of DNAT entries that can be created for each NAT gateway. | 100 | Go to the Quota Management page or Quota Center to request a quota increase. |