
NAT Gateway: Use Internet NAT gateways to allow ECS instances to communicate with the Internet through the same EIP

Last Updated: Mar 06, 2024

This topic describes how to use Internet NAT gateways, Classic Load Balancer (CLB) instances, and elastic IP addresses (EIPs) that are associated with Internet NAT gateways to allow Elastic Compute Service (ECS) instances to communicate with the Internet over the same EIP. This allows you to manage your services in an efficient way.

Example

The following scenario is used as an example.

A company has two ECS instances deployed in the China (Shanghai) region and workloads are deployed on both ECS instances. Due to business growth, the following requirements must be met:

  • High availability is required to prevent service interruption caused by the failure of one ECS instance.

  • Both ECS instances can access the Internet.

  • When the ECS instances access the Internet or receive requests from the Internet, the same EIP is used.

You can use Internet NAT gateways, CLB instances, and EIPs to meet the preceding requirements.

  • You can use the DNAT feature of Internet NAT gateways together with CLB to implement high availability. When one ECS instance is down, CLB automatically stops forwarding traffic to that ECS instance and distributes the workload to the other ECS instance.

  • The SNAT feature of Internet NAT gateways allows ECS instances to access the Internet.

  • The DNAT feature and SNAT feature of an Internet NAT gateway can use the same EIP. This way, backend ECS instances of CLB can use the same EIP to communicate with the Internet. This allows you to manage your services in an efficient way.

Prerequisites

  • A virtual private cloud (VPC) and a vSwitch are created in the China (Shanghai) region. For more information, see Create a VPC with an IPv4 CIDR block.

  • Two ECS instances named ECS1 and ECS2 are deployed in the vSwitch and workloads are deployed on both ECS instances. For more information, see Create an instance on the Custom Launch tab.

  • Make sure that the security group rules of the ECS instances allow the ECS instances to access the Internet and receive requests from the Internet. For more information, see Add a security group rule.

Procedure

Step 1: Create a CLB instance

CLB forwards requests to backend ECS instances based on forwarding policies. You can use CLB to improve the responsiveness and availability of your applications.

  1. Log on to the CLB console.
  2. On the Instances page, click Create CLB.

  3. On the buy page, set the following parameters, click Buy Now, and then complete the payment.

    • Region: CLB does not support cross-region deployment by default. Make sure that the CLB instance and the ECS instances that are specified as backend servers are deployed in the same region. China (Shanghai) is selected in this example.

    • Zone Type: Multi-zone is selected by default.

    • Primary Zone: In this topic, China East 2 Zone D is selected.

    • Backup Zone: In this topic, China East 2 Zone B is selected.

    • Instance Name: Enter a name for the instance or use the instance name that is automatically created by the system.

    • SLB instance: In this topic, Intranet is selected.

    • Specification: In this topic, Small Ⅰ (slb.s1.small) is selected.

    • Network Type: Select the network type of the CLB instance. In this topic, VPC is selected.

    • IP Version: IPv4 is selected by default.

    • Feature: Standard is selected by default.

    • VPCId: In this topic, the VPC that you created is selected.

    • VswitchId: In this topic, the vSwitch that you created is selected.

    • Internet Data Transfer Fee: The metering method of the CLB instance is displayed. By default, By traffic is displayed.

    • Resource Group: Select the resource group to which the CLB instance belongs.

    • Quantity: In this example, one CLB instance is purchased.

After you create the CLB instance, the system allocates a private IP address to the CLB instance. The private IP address is used to establish private connections.

Step 2: Configure the CLB instance

After you create the CLB instance, you must configure the CLB instance. The CLB instance can forward requests only after you configure it. When you configure the CLB instance, you must add at least one listener and one group of backend servers.

  1. Log on to the CLB console.
  2. On the Instances page, find the CLB instance that you created in Step 1 and click Configure Listener in the Actions column.

  3. On the Protocol & Listener wizard page, set the following parameters and click Next.

    • Select Listener Protocol: TCP is selected in this topic.

    • Listener Port: Specify the port that the CLB instance uses to receive requests and forward requests to backend servers.

      In this example, port 80 is selected.

    • Listener Name: The name is not specified in this topic. In this case, the default name protocol_port is used.

    Use the default settings for other parameters.

  4. On the Backend Servers wizard page, select Default Server Group and click Add More to add backend servers.

    1. In the My Servers panel, select ECS1 and ECS2, and click Next.

    2. Set weights for the servers and click Add.

      A backend server with a higher weight receives more requests. In this topic, the default value 100 is used.

    3. On the Backend Servers wizard page, configure the backend port. The ECS instance uses the backend port to receive requests. You can specify duplicate backend ports within the same CLB instance. In this topic, 80 is used.

  5. On the Backend Servers wizard page, click Next to configure health checks. In this example, the default settings are used.

    If an ECS instance is declared unhealthy after you enable health checks, CLB forwards requests to healthy ECS instances. After the ECS instance is declared healthy, CLB automatically forwards requests to it.

  6. On the Health Check wizard page, click Next to go to the Confirm wizard page. After you confirm the configurations, click Submit.

  7. In the dialog box that appears, click OK. Return to the Instances page and click Refresh to view the CLB instance.

    If the health check status of an ECS instance is Normal, it indicates that the ECS instance is ready to process requests from the CLB instance.

Step 3: Create an Internet NAT gateway

  1. Log on to the NAT Gateway console.
  2. On the Internet NAT Gateway page, click Create NAT Gateway.
  3. When you create an Internet NAT gateway for the first time, click Create in the Notes on Creating Service-linked Roles section of the buy page to create a service-linked role. After the service-linked role is created, you can create Internet NAT gateways.

    For more information, see Service-linked roles.

  4. On the buy page, set the following parameters and click Buy Now.

    • Billing Method: By default, Pay-As-You-Go is selected. You can pay for resources after you use them. For more information, see Billing of Internet NAT gateways.

    • Resource Group: Select the resource group to which the virtual private cloud (VPC) belongs. For more information, see Resource group overview.

    • Tags:

      • Tag Key: Select or enter a tag key.

        You can specify at most 20 tag keys. A tag key can be up to 64 characters in length and cannot start with aliyun or acs:. It cannot contain http:// or https://.

      • Tag Value: Select or enter a tag value.

        You can specify at most 20 tag values. A tag value can be up to 128 characters in length. It cannot start with aliyun or acs:, and cannot contain http:// or https://.

    • Region: Select the region where you want to create the Internet NAT gateway.

    • VPC: Select the VPC where you want to create the Internet NAT gateway. After the Internet NAT gateway is created, you cannot change the VPC to which the Internet NAT gateway belongs.

    • Associate vSwitch: Select the vSwitch to which the Internet NAT gateway belongs.

    • Metering Method: By default, Pay-By-CU is selected. You are charged based on the resources that you use. For more information, see Billing of Internet NAT gateways.

    • Billing Cycle: By default, By Hour is selected. Bills are generated on an hourly basis. If you use an Internet NAT gateway for less than 1 hour, the usage duration is rounded up to 1 hour.

    • Instance Name: Enter a name for the Internet NAT gateway.

      The name must be 2 to 128 characters in length and can contain digits, underscores (_), and hyphens (-). The name must start with a letter.

    • Access Mode: Select the mode in which you want to create the Internet NAT gateway. The following modes are supported:

      • SNAT for All VPC Resources: If you select this value, the Internet NAT gateway is created in unified access mode. After the Internet NAT gateway is created, all resources in the VPC can access the Internet by using the SNAT feature of the NAT gateway.

        If you select SNAT for All VPC Resources, you must also specify an EIP.

      • Configure Later: If you select this option, you can configure the Internet NAT gateway in the console after you complete the payment.

        If you select Configure Later, only the Internet NAT gateway is created. No SNAT entry is created.

      In this example, Configure Later is selected.

  5. On the Confirm page, confirm the information, select the Terms of Service check box, and then click Confirm.

    When the Purchased message appears, the Internet NAT gateway is created.

After you create an enhanced Internet NAT gateway, you can view it on the Internet NAT Gateway page.

Step 4: Associate an EIP with the NAT gateway

You can associate an EIP with the Internet NAT gateway. After you associate an EIP with the Internet NAT gateway, the EIP can be used in both SNAT and DNAT entries.

  1. Log on to the NAT Gateway console.
  2. On the Internet NAT Gateway page, find the Internet NAT gateway that you created in Step 3 and choose More > Bind Elastic IP Address in the Actions column.

  3. In the Associate EIP dialog box, set the following parameters and click OK.

    • Resource Group: Select the resource group to which the EIP belongs.

    • Select EIP: Select the EIP that you want to associate with the Internet NAT gateway.

      • Select Existing EIP: Select an existing EIP from the drop-down list.

      • Purchase and Associate EIP: The system automatically creates an EIP that is billed on a pay-by-data-transfer basis and associates the EIP with the Internet NAT gateway.

      In this topic, Purchase and Associate EIP is selected.

After you associate an EIP with the NAT gateway, you can view the EIP on the Internet NAT Gateway page.

Step 5: Create a DNAT entry

Internet NAT gateways support the DNAT feature. The EIP associated with the Internet NAT gateway can be mapped to the internal-facing CLB instance. This way, the internal-facing CLB instance can provide services over the Internet.

  1. Log on to the NAT Gateway console.
  2. On the Internet NAT Gateway page, find the Internet NAT gateway that you created in Step 3 and click Configure DNAT in the Actions column.

  3. In the DNAT Entry List section, click Create DNAT Entry.

  4. On the Create DNAT Entry page, set the following parameters and click OK.

    • Select EIP: Select the EIP used for Internet access. In this topic, the EIP that is associated with the Internet NAT gateway in Step 4 is selected.

      Note

      In this topic, the same EIP is used in both the SNAT entry and DNAT entry.

    • Select Private IP Address: In this example, Manual Input is selected, and the private IP address of the CLB instance 192.168.24.206 is used.

    • Port Settings: Select a DNAT mapping method.

      • Any Port: specifies IP mapping. The requests destined for the EIP are forwarded to the selected ECS instance.

      • Custom Port: specifies port mapping. The Internet NAT gateway forwards requests to the selected ECS instance based on the specified protocol and ports.

      In this topic, Custom Port is selected, Public Port is set to 80, Private Port is set to 80, and Protocol is set to TCP.

    • Entry Name: Enter a name for the DNAT entry.

      The name must be 2 to 128 characters in length, and can contain digits, underscores (_), and hyphens (-). The name must start with a letter.

After a DNAT entry is created, you can view the DNAT entry whose status is Available in the DNAT Entry List section.

Step 6: Create an SNAT entry

Internet NAT gateways support the SNAT feature. This feature allows ECS instances that are not assigned public IP addresses in a VPC to access the Internet.

  1. Log on to the NAT Gateway console.
  2. On the Internet NAT Gateway page, find the Internet NAT gateway that you created in Step 3 and click Configure SNAT in the Actions column.

  3. In the SNAT Entry List section, click Create SNAT Entry.

  4. On the Create SNAT Entry page, set the following parameters and click OK.

    • SNAT Entry: In this topic, Specify VPC is selected. In this case, all ECS instances in the VPC to which the Internet NAT gateway belongs use the SNAT entry to access the Internet.

    • Select EIP: Select the EIP used for Internet access. In this topic, Use Single IP is selected, and the EIP associated with the Internet NAT gateway in Step 4 is selected.

      Note

      In this topic, the same EIP is used in both the SNAT entry and DNAT entry.

    • Entry Name: Enter a name for the SNAT entry.

      The name must be 2 to 128 characters in length, and can contain letters, digits, underscores (_), and hyphens (-). The name must start with a letter.
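The overview explains that the DNAT and SNAT entries of one Internet NAT gateway can share an EIP, and Step 5 offers two DNAT mapping methods (Any Port versus Custom Port). The following added example, which is not code from this topic or from Alibaba Cloud, models what the gateway does to a packet on the way in (DNAT) and on the way out (SNAT) so that both points can be checked directly. The CLB private IP address 192.168.24.206 is the one used in this topic; the EIP 192.0.2.10, the VPC CIDR block 192.168.0.0/16, and the Internet client addresses are constructed placeholders. It goes slightly beyond the topic by also modelling Any Port, so the set of ports an Internet client can reach under each method can be compared.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Sequence

# Constructed sample values (only the CLB private IP comes from the topic).
EIP = "192.0.2.10"                 # placeholder for the EIP bound to the NAT gateway
CLB_PRIVATE_IP = "192.168.24.206"  # private IP address of the CLB instance in the topic
VPC_CIDR = "192.168.0.0/16"        # assumed IPv4 CIDR block of the VPC


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "TCP" or "UDP"
    dport: int


@dataclass(frozen=True)
class DnatEntry:
    """One DNAT entry. public_port None models 'Any Port' (IP mapping);
    a protocol plus public/private port models 'Custom Port' (port mapping)."""
    eip: str
    private_ip: str
    proto: Optional[str] = None
    public_port: Optional[int] = None
    private_port: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        if pkt.dst != self.eip:
            return False
        if self.public_port is None:      # Any Port: every protocol and port is forwarded
            return True
        return pkt.proto == self.proto and pkt.dport == self.public_port

    def translate(self, pkt: Packet) -> Packet:
        dport = pkt.dport if self.private_port is None else self.private_port
        return Packet(pkt.src, self.private_ip, pkt.proto, dport)


@dataclass(frozen=True)
class SnatEntry:
    """One SNAT entry; 'Specify VPC' in the console covers the whole VPC CIDR block."""
    source_cidr: str
    eip: str


def inbound(pkt: Packet, dnat: Sequence[DnatEntry]) -> Optional[Packet]:
    """Internet -> VPC. Returns the translated packet, or None when no DNAT entry
    matches, in which case the gateway has nothing to deliver the packet to."""
    for entry in dnat:
        if entry.matches(pkt):
            return entry.translate(pkt)
    return None


def outbound(pkt: Packet, snat: Sequence[SnatEntry]) -> Optional[Packet]:
    """VPC -> Internet. Rewrites the source address to the EIP of the first SNAT
    entry that covers it; None means the instance has no SNAT path to the Internet."""
    for entry in snat:
        if ip_address(pkt.src) in ip_network(entry.source_cidr):
            return Packet(entry.eip, pkt.dst, pkt.proto, pkt.dport)
    return None


def exposed_tcp_ports(dnat: Sequence[DnatEntry], probe=(22, 80, 443, 3306)) -> tuple:
    """Which of the probed TCP ports an Internet client could reach through the EIP."""
    client = "198.51.100.7"  # constructed Internet client address
    return tuple(p for p in probe
                 if inbound(Packet(client, EIP, "TCP", p), dnat) is not None)


# The topic's configuration: Custom Port TCP 80 -> CLB:80, and one SNAT entry for the VPC.
CUSTOM_PORT_DNAT = [DnatEntry(EIP, CLB_PRIVATE_IP, "TCP", 80, 80)]
ANY_PORT_DNAT = [DnatEntry(EIP, CLB_PRIVATE_IP)]   # the alternative mapping method
VPC_SNAT = [SnatEntry(VPC_CIDR, EIP)]

if __name__ == "__main__":
    req = Packet("198.51.100.7", EIP, "TCP", 80)
    print("inbound  :", req, "->", inbound(req, CUSTOM_PORT_DNAT))
    out = Packet("192.168.24.11", "203.0.113.5", "TCP", 443)   # ECS1 calling out
    print("outbound :", out, "->", outbound(out, VPC_SNAT))
    print("exposed via Custom Port:", exposed_tcp_ports(CUSTOM_PORT_DNAT))
    print("exposed via Any Port   :", exposed_tcp_ports(ANY_PORT_DNAT))
```

Running it shows the two halves of the design from the overview: the inbound request keeps its Internet source address and is delivered to the CLB private IP, while the outbound reply leaves with the same EIP as its source. The port comparison is the part worth keeping in mind when choosing a mapping method: with Custom Port only TCP/80 reaches the CLB through the EIP, whereas Any Port forwards every protocol and port to the private address.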

Step 7: Test network connectivity

After you create the SNAT and DNAT entries, you can test the network connectivity between the ECS instances and the Internet.

  1. Test whether the ECS instances can access the Internet.

    1. Log on to ECS1. For more information, see Connection method overview.

    2. Run the ping command to test the connectivity as shown in the following figure.

      The test result shows that ECS1 can access the Internet.

      Note

      Refer to the preceding steps to test the connectivity between ECS2 and the Internet.

    3. Run the curl myip.ipip.net command to check the public IP address that ECS1 uses to access the Internet.

      The test result shows that the public IP address that ECS1 uses to access the Internet is the same as the EIP specified in the SNAT entry. This indicates that ECS1 uses the SNAT feature of the Internet NAT gateway to access the Internet.

  2. Test whether the services deployed on the ECS instances can be accessed over the Internet.

    1. Open a browser on a PC that can access the Internet.

    2. Enter the EIP associated with the Internet NAT gateway to access the services deployed on the ECS instances.

      The test result shows that the services deployed on the ECS instances can be accessed over the Internet and the CLB instance can forward requests to ECS2 when ECS1 is down. This implements high availability.

  3. Test whether the CLB instance can forward requests.

    1. Stop ECS1. For more information, see Stop an instance.

    2. Open a browser on a PC that can access the Internet.

    3. Enter the EIP associated with the Internet NAT gateway to access the services deployed on the ECS instances.

      The test result shows that the services deployed on the ECS instances can be accessed over the Internet and the CLB instance can forward requests to ECS2 when ECS1 is down. This ensures high availability.
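Step 7 is described as manual checks: curl myip.ipip.net on the ECS instance, then a browser on an outside PC before and after stopping ECS1. The following added script, which is not code from this topic or from Alibaba Cloud, turns those checks into assertions that can be rerun after any change to the SNAT or DNAT entries. It assumes that http://myip.ipip.net (the host the topic's curl command uses) returns a body containing the caller's public IPv4 address, and it treats a response with no address or with a different address as a failed SNAT check rather than a pass. The DNAT and failover checks are plain TCP connects to EIP:80; a local stub listener is included so the script can also be exercised offline. The EIP 192.0.2.10 in the sample text is a constructed placeholder.

```python
import re
import socket
import socketserver
import sys
import threading
import urllib.request
from ipaddress import ip_address

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def extract_ipv4(text: str):
    """Return the first syntactically valid IPv4 address in a 'what is my IP'
    style response, or None. Candidates such as 999.1.1.1 are rejected."""
    for candidate in IPV4_RE.findall(text):
        try:
            return str(ip_address(candidate))
        except ValueError:
            continue
    return None


def egress_matches_eip(response_text: str, expected_eip: str) -> bool:
    """SNAT check: the address the Internet sees must equal the EIP in the SNAT entry.
    No address, or a different one, means traffic is leaving by some other path."""
    observed = extract_ipv4(response_text)
    return observed is not None and observed == expected_eip


def tcp_port_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """DNAT check: can an outside client complete a TCP handshake to host:port?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def failover_ok(host: str, port: int, attempts: int = 5, timeout: float = 3.0) -> bool:
    """Sub-step 3 of the test: with one backend stopped, every attempt must still connect."""
    return all(tcp_port_reachable(host, port, timeout) for _ in range(attempts))


# Local stand-in for the DNAT-forwarded service, so the script also runs offline.
class _OkHandler(socketserver.BaseRequestHandler):
    def handle(self):
        try:
            self.request.sendall(b"HTTP/1.0 200 OK\r\n\r\nok\n")
        except OSError:
            pass   # the probe closes right after the handshake; that is expected


def start_stub_server():
    """Start a throwaway listener on 127.0.0.1 and an OS-chosen port (constructed target)."""
    server = socketserver.ThreadingTCPServer(("127.0.0.1", 0), _OkHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


if __name__ == "__main__":
    if len(sys.argv) == 3 and sys.argv[1] == "snat":
        # Run on ECS1/ECS2:  python3 check_nat.py snat <EIP>
        body = urllib.request.urlopen("http://myip.ipip.net", timeout=5).read()
        print("egress IP matches EIP:", egress_matches_eip(body.decode("utf-8", "replace"), sys.argv[2]))
    elif len(sys.argv) == 3 and sys.argv[1] == "dnat":
        # Run from a PC on the Internet:  python3 check_nat.py dnat <EIP>
        print("EIP:80 reachable:", tcp_port_reachable(sys.argv[2], 80))
        print("failover (5 attempts):", failover_ok(sys.argv[2], 80))
    else:
        # Offline demonstration against the local stub.
        srv = start_stub_server()
        host, port = srv.server_address
        print("stub reachable:", tcp_port_reachable(host, port))
        srv.shutdown(); srv.server_close()
        print("stub reachable after stop:", tcp_port_reachable(host, port, timeout=1.0))
```

The offline mode is also the model for interpreting the real failover test: the stub being unreachable after shutdown is what a failed DNAT or health-check configuration looks like, while a passing failover_ok with ECS1 stopped is the result the topic's last sub-step expects.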