This topic provides answers to some frequently asked questions (FAQ) about Internet NAT gateways. The term "NAT gateway" in this topic refers to an Internet NAT gateway.

Why are NAT gateways unavailable in some zones?

NAT gateways are unavailable in some zones due to insufficient resources. You can purchase NAT gateways in other zones of the same region. NAT gateways can provide cross-zone services. An Elastic Compute Service (ECS) instance created in one zone of a virtual private cloud (VPC) can use a NAT gateway created in another zone of the same VPC to access the Internet.

Why are NAT service plans unavailable in the NAT Gateway console?

If you did not purchase a NAT service plan before January 26, 2018, you must associate an EIP with the NAT gateway before the NAT gateway can access the Internet. For more information, see Associate an EIP with a NAT gateway.

How many NAT gateways can I create with an Alibaba Cloud account?

The number of NAT gateways that you can create with an Alibaba Cloud account is unlimited.

How many NAT gateways can I create in a VPC?

The number of NAT gateways that can be created in a virtual private cloud (VPC) is based on the type of NAT gateway.
  • You can create only one standard NAT gateway in a VPC. The quota cannot be increased.
  • You can create up to five enhanced NAT gateways in a VPC. To increase the quota, submit a ticket.

How many EIPs can I associate with a NAT gateway?

By default, each NAT gateway can be associated with at most 20 EIPs.

You can go to the Quota Management page to request a quota increase. For more information, see Manage quotas.

Why is the outbound traffic unable to reach the bandwidth limit of an EIP after I associate the EIP with a NAT gateway?

The maximum number of concurrent connections supported by a NAT gateway is limited by the number of EIPs that are associated with the NAT gateway. If only one EIP is associated with the NAT gateway, the maximum number of concurrent connections that the NAT gateway supports is 55,000.

For example, you have multiple ECS instances that are deployed in a VPC. The ECS instances use a NAT gateway to access the same destination IP address and port on the Internet. The bandwidth of the NAT gateway is higher than 2 Gbit/s. To avoid packet loss caused by the limit on concurrent connections for each EIP, we recommend that you associate four to eight EIPs with the NAT gateway and create an SNAT IP address pool. For more information, see Create a SNAT IP address pool.
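The sizing reasoning above can be checked against measured traffic. The following Python sketch is an added example, not Alibaba Cloud code: it computes the peak number of simultaneous connections per destination IP address and port and the number of EIPs the SNAT IP address pool needs at 55,000 connections per EIP. The flow-record layout, the function names, the even spread of connections across the pool, and the reading that the limit applies per EIP for one destination IP address and port are assumptions.

```python
import math
from collections import defaultdict

PER_EIP_LIMIT = 55_000    # concurrent connections per EIP (figure from the FAQ)
DEFAULT_EIP_QUOTA = 20    # default EIPs per NAT gateway (figure from the FAQ)

# Constructed sample: (dst_ip, dst_port, start_s, end_s, connections held open)
SAMPLE_FLOWS = [
    ("203.0.113.10", 443, 0, 60, 40_000),
    ("203.0.113.10", 443, 30, 90, 50_000),
    ("203.0.113.10", 443, 60, 120, 30_000),
    ("198.51.100.7", 5432, 0, 120, 12_000),
]

def peak_concurrency(flows):
    """Peak simultaneous connections per (dst_ip, dst_port), by sweep line."""
    events = defaultdict(list)
    for dst_ip, dst_port, start, end, conns in flows:
        events[(dst_ip, dst_port)].append((start, conns))
        events[(dst_ip, dst_port)].append((end, -conns))
    peaks = {}
    for dst, evs in events.items():
        current = peak = 0
        # Tuples sort by time, then delta, so closes at time t apply before opens.
        for _, delta in sorted(evs):
            current += delta
            peak = max(peak, current)
        peaks[dst] = peak
    return peaks

def plan_snat_pool(flows, per_eip=PER_EIP_LIMIT, quota=DEFAULT_EIP_QUOTA):
    """EIPs needed per destination so that no EIP exceeds the per-EIP limit.
    Assumption: the limit binds per EIP for one destination IP and port."""
    plan = {}
    for dst, peak in peak_concurrency(flows).items():
        needed = max(1, math.ceil(peak / per_eip))
        plan[dst] = {"peak": peak, "eips_needed": needed,
                     "over_default_quota": needed > quota}
    return plan

if __name__ == "__main__":
    for dst, row in plan_snat_pool(SAMPLE_FLOWS).items():
        print(dst, row)
```

A destination flagged with over_default_quota needs more EIPs than the default of 20 per NAT gateway, so a quota increase would have to be requested before the pool can be sized for it.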

Why am I unable to associate elastic IP addresses (EIPs) with a NAT gateway in the NAT Gateway console?

If you purchased a NAT service plan before January 26, 2018, you can associate only public IP addresses in the NAT service plan with the NAT gateway to enable Internet access. To associate EIPs with the NAT gateway, perform the following operations based on the metering method of your NAT service plan.
  • If the NAT service plan is charged on a pay-by-bandwidth basis, you can convert the public IP addresses to EIPs in the NAT Gateway console. For more information, see Convert a NAT service plan to an EIP bandwidth plan.
  • If the NAT service plan is charged on a pay-by-data-transfer basis, submit an application to convert the public IP addresses in the NAT service plan to EIPs. For more information, see Convert a NAT service plan to an EIP bandwidth plan. To submit an application, search for the DingTalk group ID 35128151 or scan the following QR code to join the DingTalk group.

Can I specify the same EIP in an SNAT entry and a DNAT entry?

The type of NAT gateway determines whether you can specify the same EIP in an SNAT entry and a DNAT entry.
  • You cannot specify the same EIP in an SNAT entry and a DNAT entry on a standard NAT gateway.
  • You can specify the same EIP in an SNAT entry and a DNAT entry on an enhanced NAT gateway.

Can Elastic Compute Service (ECS) instances use SNAT to access services that use DNAT to receive external requests if the same enhanced NAT gateway is used for SNAT and DNAT?

No, the ECS instances cannot access the services in this case.

If you create SNAT and DNAT entries on an enhanced NAT gateway and some services use DNAT of the enhanced NAT gateway to receive external requests, the ECS instances in the VPC cannot use SNAT to access the services.

If you want the ECS instances to access the services that use DNAT to receive external requests in the same VPC, we recommend that you create another enhanced NAT gateway. Then, create DNAT entries on the new enhanced NAT gateway.

Can I modify the vSwitch and private IP address of a NAT gateway?

No, you cannot modify the vSwitch or private IP address of a NAT gateway in the console. For more information about how to modify the vSwitch and private IP address of a NAT gateway, see Change the vSwitch or private IP address of an Internet NAT gateway.