This topic describes how to use a NAT gateway to enable multiple applications to share the bandwidth of an EIP bandwidth plan, which reduces data transfer costs compared with buying a separate bandwidth plan for each application.

Scenarios

The following scenario is used as an example. An enterprise has created two Elastic Compute Service (ECS) instances (ECS 1 and ECS 2) and has deployed an application on each ECS instance. The enterprise wants the ECS instances to provide Internet-facing services. Both applications listen on TCP port 80. The amount of bandwidth required by the two ECS instances varies within a day:
  • The peak hours of ECS 1 are from 13:00:00 to 18:00:00. During this period of time, the bandwidth that is required by ECS 1 is 700 Mbit/s. During the remaining hours of the day, the bandwidth that is required by ECS 1 is 300 Mbit/s.
  • The peak hours of ECS 2 are from 19:00:00 to 23:00:00. During this period of time, the bandwidth that is required by ECS 2 is 700 Mbit/s. During the remaining hours of the day, the bandwidth that is required by ECS 2 is 300 Mbit/s.

If you purchase a separate bandwidth plan for each ECS instance, you must purchase two bandwidth plans. Each bandwidth plan must provide 700 Mbit/s of bandwidth to cover that instance's peak, so the two plans provide 1400 Mbit/s in total. However, the peak hours of ECS 1 and ECS 2 do not overlap: while one instance needs 700 Mbit/s, the other needs only 300 Mbit/s, so the combined demand never exceeds 1000 Mbit/s. During off-peak hours each instance uses less than half of its own plan. This causes bandwidth resource waste.

To resolve this problem, you can configure DNAT on your NAT gateway and purchase an EIP bandwidth plan.
  • DNAT maps elastic IP addresses (EIPs) to the private IP addresses of ECS instances in a virtual private cloud (VPC). Then, the ECS instances can receive requests from the Internet.
  • The EIP bandwidth plan can be shared among multiple applications to reduce the data egress costs.
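The sizing argument above can be checked with a small hourly demand model. The following Python script is an added example, not part of the original topic or of Alibaba Cloud's tooling. It assumes that demand is constant within each clock hour and that "13:00:00 to 18:00:00" means hours 13 through 17 (the same convention is used for 19:00 to 23:00). The functions generalize beyond the two-instance case: they take any number of profiles and also report the hours in which peaks collide, which is the case in which a shared plan stops saving anything.

```python
"""Hourly bandwidth demand model for the scenario (constructed sample data)."""
from typing import Iterable, List, Sequence

HOURS = range(24)


def demand_profile(peak_hours: Iterable[int], peak_mbps: int, base_mbps: int) -> List[int]:
    """Bandwidth (Mbit/s) required in each hour 0..23 of the day."""
    peak = set(peak_hours)
    return [peak_mbps if h in peak else base_mbps for h in HOURS]


# 13:00-18:00 covers hours 13..17; 19:00-23:00 covers hours 19..22 (assumption).
ECS1 = demand_profile(range(13, 18), peak_mbps=700, base_mbps=300)
ECS2 = demand_profile(range(19, 23), peak_mbps=700, base_mbps=300)


def separate_plans_mbps(profiles: Sequence[Sequence[int]]) -> int:
    """Total capacity bought when each instance gets its own plan sized for its peak."""
    return sum(max(p) for p in profiles)


def shared_plan_mbps(profiles: Sequence[Sequence[int]]) -> int:
    """Capacity one shared plan needs: the busiest hour of the aggregate demand."""
    return max(sum(hour) for hour in zip(*profiles))


def overlapping_peak_hours(profiles: Sequence[Sequence[int]]) -> List[int]:
    """Hours in which more than one instance is at its own peak at the same time."""
    peaks = [max(p) for p in profiles]
    return [h for h in HOURS
            if sum(p[h] == pk for p, pk in zip(profiles, peaks)) > 1]


def headroom_mbps(plan_mbps: int, profiles: Sequence[Sequence[int]]) -> int:
    """Spare capacity of a plan in the aggregate's busiest hour (negative = undersized)."""
    return plan_mbps - shared_plan_mbps(profiles)


if __name__ == "__main__":
    both = [ECS1, ECS2]
    print("separate plans:", separate_plans_mbps(both), "Mbit/s")       # 1400
    print("shared plan needs:", shared_plan_mbps(both), "Mbit/s")       # 1000
    print("overlapping peak hours:", overlapping_peak_hours(both))      # []
    print("headroom of a 1000 Mbit/s plan:", headroom_mbps(1000, both))  # 0
```

Running the script shows why the 1000 Mbit/s plan purchased in Step 4 is sufficient, and the same functions show what changes if a third application is added or if two peak windows start to overlap.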

Prerequisites

  • A VPC and a vSwitch are created. For more information, see Create a VPC and Create a vSwitch.
  • Elastic Compute Service (ECS) instances are created and attached to the vSwitch. Applications are deployed on the ECS instances. For more information, see Create an instance by using the wizard.
  • Two EIPs are created for a NAT gateway. The EIPs must meet the following requirements:
    • The EIPs and the NAT gateway that you want to associate with the EIPs must be in the same region.
    • The EIPs are billed on a pay-as-you-go basis.

    For more information, see Apply for an EIP.

Procedures


Step 1: Create a NAT gateway

NAT gateways are enterprise-class gateways that provide network address translation services for Internet access. You must create a NAT gateway before you can create DNAT entries.

  1. Log on to the NAT Gateway console.
  2. On the NAT Gateway page, click Create NAT Gateway.
  3. In the Create NAT Gateway panel, set the following parameters, click Buy Now, and then complete the payment:
    • Region: Select the region where you want to deploy the NAT gateway.
    • Zone: Select the zone where you want to deploy the NAT gateway.
    • VPC ID: Select the VPC where you want to deploy the NAT gateway. After the NAT gateway is created, you cannot change the VPC in which the NAT gateway is deployed.
      Note If you cannot find the VPC that you want to manage in the list, troubleshoot the issue in the following ways:
      • Check whether the VPC is associated with a NAT gateway. Each VPC can be associated with only one standard NAT gateway.
      • Check whether the VPC has a custom route entry with the destination CIDR block set to 0.0.0.0/0. If the custom route entry exists, delete the route entry.
      • If your account is a Resource Access Management (RAM) user, check whether the RAM user is authorized to access the VPC. If the RAM user is unauthorized to access the VPC, contact the owner of the Alibaba Cloud account to acquire the permissions.
    • VSwitch ID: Select the vSwitch to which the NAT gateway is attached.
      Note This parameter is available only when you create an enhanced NAT gateway.
    • Gateway Type: Select the type of NAT gateway that you want to create. By default, Enhanced is selected.
    • Billing Method: Select a billing method for the NAT gateway.
    • Billing Cycle: displays the billing cycle of the NAT gateway.

After you create the NAT gateway, you can go to the NAT Gateway page to view the NAT gateway.

Step 2: Associate EIPs with the NAT gateway

A NAT gateway functions as expected only after it is associated with one or more EIPs. After you create a NAT gateway, you can associate EIPs with the NAT gateway.

  1. On the NAT Gateway page, find the NAT gateway that is created in Step 1 and choose What to do next > Bind Elastic IP Address in the Actions column.
  2. In the Associate EIP dialog box, set the following parameters:
    • Resource Group: Select the resource group to which the EIPs belong.
    • EIPs: Select the EIPs that you want to associate with the NAT gateway.

      In this example, Select Existing EIPs is selected. Then, select the two EIPs that are described in the Prerequisites section. For more information, see Prerequisites.

  3. Click OK.

Step 3: Create DNAT entries

A DNAT entry maps an EIP of a NAT gateway to the private IP address of an ECS instance. Then, the ECS instance can receive requests from the Internet.

To create DNAT entries for ECS 1 and ECS 2, perform the following operations:

  1. On the NAT Gateway page, find the NAT gateway that is created in Step 1 and click Configure DNAT in the Actions column.
  2. In the DNAT Entry List section, click Create DNAT Entry.
  3. On the Create DNAT Entry page, set the following parameters to create a DNAT entry for ECS 1:
    • Select Public IP Address: Select the EIP that is used to communicate with the Internet.

      EIP 1 is selected in this example.

    • Select Private IP Address: Specify the private IP address of the ECS instance that uses the DNAT entry to communicate with the Internet.
      You can use the following methods to specify the private IP address of the ECS instance.
      • Select by ECS or ENI: Select the ECS instance or elastic network interface (ENI) that is associated with the ECS instance from the drop-down list.
      • Manual Input: Enter the private IP address of the ECS instance.
        Note The private IP address that you enter must fall within the CIDR block of the VPC. You can also enter the private IP address of an existing ECS instance.

      ECS 1 that is attached to the vSwitch is selected in this example.

    • Port Settings: Select a DNAT mapping method.
      • Any Port: specifies IP mapping. All requests destined for the EIP, on every port and protocol, are forwarded to the specified ECS instance, and the instance can use the EIP to access the Internet. This exposes every port on which the instance listens, so use it only when you need a full one-to-one mapping. For a single service such as the port 80 application in this example, Specific Port limits the exposed surface to that port.
        Note
        • If IP mapping is configured for an EIP in a DNAT entry, the EIP cannot be used in another DNAT entry or SNAT entry.
        • If a NAT gateway is configured with both DNAT IP mapping entries and SNAT entries, ECS instances preferentially use the DNAT entries to access the Internet.
      • Specific Port: specifies port mapping. The NAT gateway forwards requests to the specified ECS instance based on the specified protocol and ports.
        After you select Specific Port, set the following parameters based on your business requirements:
        • Public Port: the external port that is used in port forwarding.

          If SNAT entries are created for the EIP that you selected and you want to specify a public port whose number is larger than 1024, click Remove Limits on Port Range, and then click OK in the message that appears. This operation may briefly interrupt existing SNAT connections, which must then be re-established. Proceed with caution.

        • Private Port: the internal port that is used in port forwarding.
        • Protocol Type: the protocol used by the ports.

      Specific Port is selected in this example. Then, set Public Port to 80, Private Port to 80, and Protocol Type to TCP.

    • Entry Name: Enter a name for the DNAT entry.

      The name must be 2 to 128 characters in length, and can contain letters, digits, underscores (_), and hyphens (-). It must start with a letter.

      DNAT 1 is entered in this example.

  4. Click Confirm.
  5. In the DNAT Entry List section, click Create DNAT Entry again.
  6. On the Create DNAT Entry page, set the following parameters to create a DNAT entry for ECS 2:
    • Select Public IP Address: Select the EIP that is used to communicate with the Internet.

      EIP 2 is selected in this example.

    • Select Private IP Address: Specify the private IP address of the ECS instance that uses the DNAT entry to communicate with the Internet.

      ECS 2 that is attached to the vSwitch is selected in this example.

    • Port Settings: Select a DNAT mapping method.

      Specific Port is selected in this example. Then, set Public Port to 80, Private Port to 80, and Protocol Type to TCP.

    • Entry Name: Enter a name for the DNAT entry.

      The name must be 2 to 128 characters in length, and can contain letters, digits, underscores (_), and hyphens (-). It must start with a letter.

      DNAT 2 is entered in this example.

  7. Click Confirm.
The following table lists the DNAT entries that are added for ECS 1 and ECS 2.

  Entry name   EIP     Public port   Protocol   Private IP address   Private port
  DNAT 1       EIP 1   80            TCP        ECS 1                80
  DNAT 2       EIP 2   80            TCP        ECS 2                80
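Before entering DNAT entries in the console, it is worth checking a proposed table against the rules stated in Step 3: the entry name format, the requirement that the private IP address fall within the VPC CIDR block, the rule that an IP-mapped (Any Port) EIP cannot appear in any other DNAT or SNAT entry, and the port-range limit that applies to public ports above 1024 on an EIP that also has SNAT entries. The following Python script is an added example, not code from the original topic or from Alibaba Cloud. The EIP and private addresses in it are placeholders (203.0.113.0/24 and 192.168.0.0/16 are documentation and private ranges), and the duplicate-mapping check encodes a general NAT rule (one EIP, protocol and public port can forward to only one target) rather than something the console states.

```python
"""Pre-flight checks for a DNAT table (constraints from Step 3 of this topic)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple

# Entry name rule: 2-128 characters, starts with a letter, then letters,
# digits, underscores and hyphens only.
NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_-]{1,127}$")


@dataclass(frozen=True)
class DnatEntry:
    name: str
    eip: str
    private_ip: str
    protocol: str = "TCP"
    public_port: Optional[int] = None   # None selects IP mapping ("Any Port")
    private_port: Optional[int] = None

    @property
    def ip_mapping(self) -> bool:
        return self.public_port is None


def validate_dnat_entries(entries: Iterable[DnatEntry], vpc_cidr: str,
                          snat_eips: Iterable[str] = ()) -> Tuple[List[str], List[str]]:
    """Return (errors, warnings). Errors are entries the console would reject or
    that are ambiguous; warnings are accepted but widen exposure or disrupt SNAT."""
    entries = list(entries)
    snat: Set[str] = set(snat_eips)
    vpc = ipaddress.ip_network(vpc_cidr)
    errors: List[str] = []
    warnings: List[str] = []
    seen: Set[Tuple[str, str, Optional[int]]] = set()

    for e in entries:
        if not NAME_RE.match(e.name):
            errors.append(f"{e.name!r}: name must be 2-128 chars, start with a letter, "
                          "and contain only letters, digits, '_' or '-'")
        try:
            in_vpc = ipaddress.ip_address(e.private_ip) in vpc
        except ValueError:
            in_vpc = False
        if not in_vpc:
            errors.append(f"{e.name}: private IP {e.private_ip} is not inside VPC {vpc_cidr}")

        if e.ip_mapping:
            # IP mapping forwards every port and protocol of the EIP to the instance.
            warnings.append(f"{e.name}: Any Port exposes every listening port of "
                            f"{e.private_ip}; prefer Specific Port for a single service")
            # An IP-mapped EIP cannot be used in any other DNAT or SNAT entry.
            others = [o.name for o in entries if o is not e and o.eip == e.eip]
            if others or e.eip in snat:
                errors.append(f"{e.name}: EIP {e.eip} is IP-mapped but also used by "
                              f"{others or 'an SNAT entry'}")
        else:
            for label, port in (("public", e.public_port), ("private", e.private_port)):
                if port is None or not 1 <= port <= 65535:
                    errors.append(f"{e.name}: {label} port {port!r} is not in 1-65535")
            # Two port mappings on the same EIP/protocol/public port would be ambiguous
            # (general NAT rule, assumed here; not stated by the console).
            key = (e.eip, e.protocol.upper(), e.public_port)
            if key in seen:
                errors.append(f"{e.name}: duplicate mapping for {key}")
            seen.add(key)
            # Public ports above 1024 on an EIP that also has SNAT entries require
            # "Remove Limits on Port Range", which can interrupt live SNAT connections.
            if e.eip in snat and e.public_port is not None and e.public_port > 1024:
                warnings.append(f"{e.name}: public port {e.public_port} > 1024 on SNAT EIP "
                                f"{e.eip}; removing the port-range limit disrupts SNAT connections")
    return errors, warnings


if __name__ == "__main__":
    # The two entries from the table above, with placeholder addresses.
    table = [
        DnatEntry("DNAT1", "203.0.113.10", "192.168.0.11", "TCP", 80, 80),
        DnatEntry("DNAT2", "203.0.113.11", "192.168.0.12", "TCP", 80, 80),
    ]
    errs, warns = validate_dnat_entries(table, "192.168.0.0/16")
    print("errors:", errs)       # []
    print("warnings:", warns)    # []
```

Run the script against your own table before clicking Confirm; an empty error list means the entries are consistent with the rules above, and each warning names the exposure or SNAT-disruption trade-off you are accepting.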

Step 4: Create an EIP bandwidth plan

EIP bandwidth plans support bandwidth sharing and multiplexing on a regional scale. You can use EIP bandwidth plans to reduce bandwidth resource costs.

  1. Log on to the EIP bandwidth plan console.
  2. On the Internet Shared Bandwidth page, click Buy Internet Shared Bandwidth.
  3. On the buy page, set the following parameters, click Buy Now, and then complete the payment:
    • Region: Select the region where you want to create the EIP bandwidth plan.

      Make sure that the EIP bandwidth plan is created in the same region as the EIP that you want to associate with the EIP bandwidth plan.

    • ISP: Select a line type for the EIP bandwidth plan.
      • BGP (Multi-ISP): If you select this option, you can associate only EIPs of BGP (Multi-ISP) with the EIP bandwidth plan.
      • BGP(Multi-ISP)_PRO: If you select this option, you can associate only EIPs of BGP (Multi-ISP) Pro with the EIP bandwidth plan.
        Note Only the China (Hong Kong) region supports BGP (Multi-ISP) Pro.

        BGP (Multi-ISP) is selected in this example.

    • Billing Method: Select a billing method for the EIP bandwidth plan.

      Only pay-by-data-transfer is supported. For more information, see Billing.

    • Bandwidth: Specify the maximum bandwidth of the EIP bandwidth plan.

      1000 Mbps is selected in this example.

    • Name: Enter a name for the EIP bandwidth plan.

      The name must be 2 to 128 characters in length, and can contain digits, underscores (_), and hyphens (-). It must start with a letter.

    • Resource Group: Select the resource group to which the EIP bandwidth plan belongs.
    • Purchase Quantity: Specify the number of EIP bandwidth plans that you want to purchase.

      One EIP bandwidth plan is purchased in this example.

Step 5: Associate EIPs with the EIP bandwidth plan

You can associate EIP 1 and EIP 2 with the EIP bandwidth plan that you created. After the EIPs are associated with the EIP bandwidth plan:
  • Services attached to the NAT gateway with which the EIPs are associated share the bandwidth of the EIP bandwidth plan.
  • The previous bandwidth limits of the EIPs become invalid. The bandwidth limits of the EIPs equal the bandwidth limit of the associated EIP bandwidth plan.
  • The previous billing methods of the EIPs become invalid. The EIPs function as public IP addresses, and bandwidth and data transfer are no longer billed per EIP; they are billed through the EIP bandwidth plan.

To associate EIP 1 and EIP 2 with the EIP bandwidth plan, perform the following operations:

  1. On the Internet Shared Bandwidth page, find the EIP bandwidth plan that is created in Step 4 and click Add IP in the Actions column.
  2. In the Add IP panel, click Select from EIP List. Then, select the EIPs that you want to associate with the EIP bandwidth plan.
    EIP 1 and EIP 2 are selected in this example.
  3. Click OK.

Step 6: Test the connectivity

You can verify the network connectivity by using a computer to access the applications that are deployed on ECS 1 and ECS 2.
Note Make sure that the security group rules of the ECS instances allow inbound TCP traffic on port 80 from the Internet. Keep the rules as narrow as the service requires: the DNAT entries forward only TCP port 80, and the security group should not open more than that either, so that a later change to a DNAT entry cannot expose other services on the instances.
  1. Open a browser on a computer that can access the Internet.
  2. Enter EIP 1 into the address bar of the browser to access the application that runs on ECS 1, and then enter EIP 2 to access the application that runs on ECS 2. Because the DNAT entries map only TCP port 80, requests to other ports of the EIPs are not forwarded to the instances.
    The results indicate that both applications are reachable over the Internet. In addition, the two ECS instances share the 1000 Mbit/s of the EIP bandwidth plan, so each can absorb its 700 Mbit/s peak without a dedicated bandwidth plan.
    Figure 1. Access the application that runs on ECS 1
    Figure 2. Access the application that runs on ECS 2
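A browser confirms only the positive case. A practitioner also wants to confirm the negative one: that the EIPs answer on TCP port 80 and on nothing else, which is what the Specific Port mapping plus a tight security group should guarantee. The following Python script is an added example and is not part of the original topic or of Alibaba Cloud's tooling. The EIP addresses passed on the command line are placeholders, the probed ports (22, 443, 3389, 8080) are an assumed set of commonly exposed services, and the local stand-in HTTP server exists only so the script can be exercised offline; against real EIPs the same functions are used unchanged.

```python
"""Connectivity and exposure check for services published through DNAT."""
import http.client
import socket
import sys
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Dict, Optional, Sequence, Tuple


def tcp_port_open(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP handshake to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def http_status(host: str, port: int = 80, path: str = "/",
                timeout: float = 5.0) -> Optional[int]:
    """HTTP status code of GET path on host:port, or None if unreachable."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path)
        return conn.getresponse().status
    except (OSError, http.client.HTTPException):
        return None
    finally:
        conn.close()


def check_exposure(host: str, mapped_port: int = 80,
                   probe_ports: Sequence[int] = (22, 443, 3389, 8080)) -> Dict[str, object]:
    """Confirm the mapped port serves HTTP and none of the probe ports accept TCP."""
    return {
        "http_status": http_status(host, mapped_port),
        "unexpected_open": [p for p in probe_ports if tcp_port_open(host, p)],
    }


class _StandIn(BaseHTTPRequestHandler):
    """Constructed stand-in for the application on ECS 1 / ECS 2 (offline use only)."""

    def do_GET(self):
        body = b"hello from the stand-in application\n"
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *_):
        pass  # keep the check output uncluttered


def start_stand_in() -> Tuple[HTTPServer, int]:
    """Start the stand-in on 127.0.0.1 with an ephemeral port; returns (server, port)."""
    srv = HTTPServer(("127.0.0.1", 0), _StandIn)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def unused_port() -> int:
    """An ephemeral port that nothing listens on, for the negative check."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    # Usage: python dnat_check.py 203.0.113.10 203.0.113.11   (EIP 1 and EIP 2, placeholders)
    if sys.argv[1:]:
        for eip in sys.argv[1:]:
            print(eip, check_exposure(eip))
    else:
        srv, port = start_stand_in()
        print("local stand-in", check_exposure("127.0.0.1", port, probe_ports=(unused_port(),)))
        srv.shutdown()
```

A healthy result for each EIP is a 200 status on the mapped port and an empty unexpected_open list; any port listed there is reachable from the Internet even though no DNAT entry was meant to publish it, and is the first thing to fix in the DNAT table or the security group.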