NAT Gateway: Create and manage an Internet NAT gateway

Last Updated: Feb 29, 2024

Internet NAT gateways provide the network address translation feature to enable Elastic Compute Service (ECS) instances in virtual private clouds (VPCs) to access the Internet or provide services over the Internet.

Background information

  • You can purchase an Internet NAT gateway in one of the following modes.

    Standard mode: When you create an Internet NAT gateway, only the Internet NAT gateway is purchased. After you create the Internet NAT gateway, you must associate an elastic IP address (EIP) with the gateway and configure an SNAT entry. Procedure:

    1. Create an Internet NAT gateway. For more information, see Create an Internet NAT gateway.

    2. Create an EIP. For more information, see Apply for an EIP.

    3. Associate the EIP with the Internet NAT gateway. For more information, see Associate an EIP with the Internet gateway.

    4. Create an SNAT entry. For more information, see Create an SNAT entry.

    SNAT-enabled mode: When you create an Internet NAT gateway, you can associate an EIP with the Internet NAT gateway. Then, the system automatically creates an SNAT entry by using the EIP.

    The SNAT-enabled mode supports the following configuration methods:

    • You can purchase an Internet NAT gateway and an EIP on the buy page. After the Internet NAT gateway is created, the EIP is automatically associated with the Internet NAT gateway.

    • You can purchase an Internet NAT gateway and select an existing EIP that you want to associate with the Internet NAT gateway on the buy page.

    For more information, see Purchase an Internet NAT gateway and an EIP.

    In this topic, the Internet NAT gateway is created in the standard mode.

  • The first time an Internet NAT gateway is created in a VPC, a route is automatically added to the route table of the VPC. The destination CIDR block of the route is 0.0.0.0/0 and the next hop is the Internet NAT gateway. This ensures that all traffic is routed through the Internet NAT gateway. Traffic destined for the Internet can reach the Internet NAT gateway only after the preceding route is added to the route table of the VPC. After you create an Internet NAT gateway, make sure that the VPC route table contains a 0.0.0.0/0 route whose next hop is the Internet NAT gateway. If the route does not exist, add the route. For more information, see Add and delete routes.

    If the VPC route table already contains a 0.0.0.0/0 route before you create the Internet NAT gateway, the system does not add another 0.0.0.0/0 route whose next hop is the Internet NAT gateway to the VPC route table. In this case, you must change the next hop of the existing 0.0.0.0/0 route to the Internet NAT gateway after the Internet NAT gateway is created.
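
The route check described above can be run over an exported route table. This Python code is an added example, not Alibaba Cloud code; the dictionary fields (destination, next_hop_id) and the resource IDs are assumptions made for the example. It goes beyond the page's case by also listing more specific public routes that longest-prefix matching would send around the Internet NAT gateway.

```python
import ipaddress

DEFAULT = ipaddress.ip_network("0.0.0.0/0")
# RFC 1918 ranges; routes inside them are treated as internal (assumption of this example).
PRIVATE = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def audit_routes(routes, nat_gateway_id):
    """Classify a VPC route table against the 0.0.0.0/0 route requirement.

    routes: list of dicts with "destination" (CIDR) and "next_hop_id".
    Returns a dict with:
      status - "ok", "missing" or "wrong_next_hop" for the 0.0.0.0/0 route
      action - the console action that status calls for
      bypass - more specific public routes that do not use the NAT gateway
    """
    status, action, bypass = "missing", "add a 0.0.0.0/0 route to the NAT gateway", []
    for route in routes:
        dest = ipaddress.ip_network(route["destination"], strict=False)
        via_nat = route["next_hop_id"] == nat_gateway_id
        if dest == DEFAULT:
            if via_nat:
                status, action = "ok", "none"
            else:
                status = "wrong_next_hop"
                action = "change the next hop of the existing 0.0.0.0/0 route"
        elif not via_nat and not any(dest.subnet_of(p) for p in PRIVATE):
            # Longest-prefix match sends this traffic around the default route.
            bypass.append(route["destination"])
    return {"status": status, "action": action, "bypass": bypass}


# Constructed sample data; the IDs are placeholders, not real resources.
NAT_ID = "ngw-example"
PRE_EXISTING = [  # VPC that already had a default route before the gateway was created
    {"destination": "192.168.0.0/16", "next_hop_id": "local"},
    {"destination": "0.0.0.0/0", "next_hop_id": "i-example-proxy"},
    {"destination": "203.0.113.0/24", "next_hop_id": "i-example-proxy"},
]
FRESH_VPC = [  # VPC where the system added the route automatically
    {"destination": "192.168.0.0/16", "next_hop_id": "local"},
    {"destination": "0.0.0.0/0", "next_hop_id": NAT_ID},
]

if __name__ == "__main__":
    for name, table in (("pre-existing default route", PRE_EXISTING), ("fresh VPC", FRESH_VPC)):
        print(name, audit_routes(table, NAT_ID))
```
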

Prerequisites

A VPC and a vSwitch are created. For more information, see Create a VPC with an IPv4 CIDR block.

Create an Internet NAT gateway

  1. Log on to the NAT Gateway console.
  2. On the Internet NAT Gateway page, click Create NAT Gateway.
  3. When you create an Internet NAT gateway for the first time, click Create in the Notes on Creating Service-linked Roles section of the buy page to create a service-linked role. After the service-linked role is created, you can create Internet NAT gateways.

    For more information, see Service-linked roles.

  4. On the buy page, set the following parameters and click Buy Now.

    Billing Method: By default, Pay-As-You-Go is selected. You can pay for resources after you use them. For more information, see Billing of Internet NAT gateways.

    Resource Group: Select the resource group to which the virtual private cloud (VPC) belongs. For more information, see Resource group overview.

    Tags:

    • Tag Key: Select or enter a tag key.

      You can specify at most 20 tag keys. A tag key can be up to 64 characters in length and cannot start with aliyun or acs:. It cannot contain http:// or https://.

    • Tag Value: Select or enter a tag value.

      You can specify at most 20 tag values. A tag value can be up to 128 characters in length. It cannot start with aliyun or acs:, and cannot contain http:// or https://.

    Region: Select the region where you want to create the Internet NAT gateway.

    VPC: Select the VPC where you want to create the Internet NAT gateway. After the Internet NAT gateway is created, you cannot change the VPC to which the Internet NAT gateway belongs.

    Associate vSwitch: Select the vSwitch to which the Internet NAT gateway belongs.

    Metering Method: By default, Pay-By-CU is selected. You are charged based on the resources that you use. For more information, see Billing of Internet NAT gateways.

    Billing Cycle: By default, By Hour is selected. Bills are generated on an hourly basis. If you use an Internet NAT gateway for less than 1 hour, the usage duration is rounded up to 1 hour.

    Instance Name: Enter a name for the Internet NAT gateway.

      The name must be 2 to 128 characters in length and can contain digits, underscores (_), and hyphens (-). The name must start with a letter.

    Access Mode: Select the mode in which you want to create the Internet NAT gateway. The following modes are supported:

    • SNAT for All VPC Resources: If you select this value, the Internet NAT gateway is created in unified access mode. After the Internet NAT gateway is created, all resources in the VPC can access the Internet by using the SNAT feature of the NAT gateway.

      If you select SNAT for All VPC Resources, you must also specify an EIP.

    • Configure Later: If you select this option, you can configure the Internet NAT gateway in the console after you complete the payment.

      If you select Configure Later, only the Internet NAT gateway is created. No SNAT entry is created.

    In this example, Configure Later is selected.

  5. On the Confirm page, confirm the information, select the Terms of Service check box, and then click Confirm.

    When the Purchased message appears, the Internet NAT gateway is created.

Associate an EIP with an Internet NAT gateway

Note

Starting September 19, 2022, if you associate an EIP with a newly created Internet NAT gateway, a random private IP address of the vSwitch where the NAT gateway resides is used. Make sure that the vSwitch has sufficient private IP addresses available for use. Otherwise, you cannot associate an EIP with the NAT gateway. Existing NAT gateways are not affected.

An Internet NAT gateway works as expected only after you associate it with an EIP. You can associate up to 20 EIPs with an Internet NAT gateway. You can go to the Quota Management page to request a quota increase. Before you associate an EIP with an Internet NAT gateway, make sure that an Internet NAT gateway is created.

  1. Log on to the NAT Gateway console.
  2. In the top navigation bar, select the region where the NAT gateway is deployed.
  3. On the Internet NAT Gateway page, find the Internet NAT gateway and click Associate Now in the EIP column.

  4. In the Associate EIP dialog box, set the following parameters and click OK.

    Resource Group: Select the resource group of the EIP.

    Select EIP: Select the EIP that you want to associate with the Internet NAT gateway. Valid values:

    • Select Existing EIP: selects an existing EIP from the drop-down list.

    • Purchase and Associate EIP: The system automatically creates an EIP that is billed on a pay-by-data-transfer basis and associates the EIP with the Internet NAT gateway.

    After you associate an EIP with the Internet NAT gateway, the EIP is displayed in the Elastic IP Address column.

Disassociate an EIP from an Internet NAT gateway

Make sure that the EIP to be disassociated is not used in an SNAT entry or a DNAT entry. If the EIP is used in an SNAT or a DNAT entry, delete the SNAT or DNAT entry first. For more information, see Delete an SNAT entry and Delete a DNAT entry.

  1. Log on to the NAT Gateway console.
  2. In the top navigation bar, select the region where the NAT gateway is deployed.
  3. On the Internet NAT Gateway page, find the Internet NAT gateway that you want to use and click the EIP in the EIP column.

  4. On the Associated Elastic IP Address tab, find the EIP that you want to disassociate and click Disassociate in the Actions column.

    Note

    If you did not delete the SNAT and DNAT entries in which the EIP is specified, click Force Unbind NAT in the Actions column. In the message that appears, click OK. The system deletes the SNAT and DNAT entries in which the EIP is specified and then disassociates the EIP from the Internet NAT gateway.

  5. In the dialog box that appears, click OK.

Delete an Internet NAT gateway

You can delete pay-as-you-go Internet NAT gateways, but you cannot delete existing subscription Internet NAT gateways. Before you delete an Internet NAT gateway, make sure that the following requirements are met:

  • No EIP is associated with the Internet NAT gateway. If an EIP is associated with the Internet NAT gateway, disassociate the EIP from the Internet NAT gateway. For more information, see Disassociate an EIP.

  • The DNAT table does not contain DNAT entries. If the DNAT table contains DNAT entries, delete them. For more information, see Delete a DNAT entry.

  • The SNAT table does not contain SNAT entries. If the SNAT table contains SNAT entries, delete them. For more information, see Delete an SNAT entry.

  • By default, Deletion Protection is in the Disabled state on the Basic Information tab of the Internet NAT gateway. If Deletion Protection is in the Enabled state, disable deletion protection.

  1. Log on to the NAT Gateway console.
  2. In the top navigation bar, select the region where the NAT gateway is deployed.
  3. On the Internet NAT Gateway page, find the Internet NAT gateway that you want to delete and choose More Actions > Delete in the Actions column.

  4. In the Delete Gateway message, click OK.

    To forcefully delete an Internet NAT gateway and associated resources, select Force Delete (Delete the NAT gateway and associated SNAT/DNAT entries) in the Delete Gateway dialog box. When you forcefully delete an Internet NAT gateway, the system automatically disassociates EIPs from the Internet NAT gateway and deletes SNAT entries and DNAT entries of the Internet NAT gateway.
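
The ordering constraints from the disassociation and deletion sections above (entries before EIPs, EIPs before the gateway, deletion protection off) can be turned into a pre-delete review. This Python code is an added example, not Alibaba Cloud code; the gateway dictionary, its field names, the single-EIP-per-entry model and all IDs are assumptions made for the example.

```python
def eip_blockers(gw, eip):
    """IDs of SNAT/DNAT entries that use the EIP.

    They must be deleted before the EIP can be disassociated, and they are
    the entries that Force Unbind NAT deletes on your behalf.
    """
    return [e["id"] for e in gw["snat"] + gw["dnat"] if e["eip"] == eip]


def deletion_plan(gw):
    """Ordered console steps that end with the gateway being deleted.

    "deletable" is False only for subscription gateways.
    """
    if gw["billing"] == "subscription":
        # The page states that subscription gateways cannot be deleted.
        return {"deletable": False, "steps": [], "force_delete_removes": []}
    steps = []
    if gw["deletion_protection"]:
        steps.append("disable deletion protection")
    # Entries go first: an EIP still used in an entry cannot be disassociated.
    steps += [f"delete DNAT entry {e['id']}" for e in gw["dnat"]]
    steps += [f"delete SNAT entry {e['id']}" for e in gw["snat"]]
    steps += [f"disassociate EIP {eip}" for eip in gw["eips"]]
    steps.append("delete gateway")
    # Force Delete removes the entries and the EIP associations in one action,
    # so list them for review before anyone selects it.
    removed = [e["id"] for e in gw["snat"] + gw["dnat"]] + list(gw["eips"])
    return {"deletable": True, "steps": steps, "force_delete_removes": removed}


# Constructed sample; IDs and addresses are placeholders (documentation range).
GATEWAY = {
    "billing": "pay-as-you-go",
    "deletion_protection": True,
    "eips": ["198.51.100.10", "198.51.100.11"],
    "snat": [{"id": "snat-example-1", "eip": "198.51.100.10"}],
    "dnat": [{"id": "fwd-example-1", "eip": "198.51.100.10"}],
}

if __name__ == "__main__":
    for eip in GATEWAY["eips"]:
        print(eip, "blocked by", eip_blockers(GATEWAY, eip) or "nothing")
    for number, step in enumerate(deletion_plan(GATEWAY)["steps"], start=1):
        print(number, step)
```
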

Add a tag to an Internet NAT gateway

As your business grows, the number of Internet NAT gateways may grow along with it. This results in a large number of gateways that may be hard to manage. We recommend that you add tags to the Internet NAT gateways to manage them by groups. After you add tags, you can search for and filter Internet NAT gateways by tag.

Tags are used to classify endpoints. Each tag consists of a key and a value. Before you use tags, take note of the following limits:

  • The key of each tag that is added to an Internet NAT gateway must be unique.

  • You cannot create tags without adding them to Internet NAT gateways. All tags must be added to Internet NAT gateways.

  • Tag information is not shared across regions.

    For example, tags created in the China (Hangzhou) region are not displayed in the China (Shanghai) region.

  • You can modify the key and value of a tag or remove a tag from an Internet NAT gateway. If you delete an Internet NAT gateway, the tags that are added to the Internet NAT gateway are deleted.

  • You can add up to 20 tags to each Internet NAT gateway. You cannot increase the quota.

  1. Log on to the NAT Gateway console.
  2. In the top navigation bar, select the region where the NAT gateway is deployed.
  3. On the Internet NAT Gateway page, find the Internet NAT gateway, move the pointer over the tag icon in the Tags column, and then click Add or Edit.

  4. In the Configure Tags dialog box, set the following parameters and click OK.

    Tag Key: The key of the tag. You can select or enter a key.

      The tag key can be up to 128 characters in length. It cannot start with aliyun or acs:, and cannot contain http:// or https://.

    Tag Value: The value of the tag. You can select or enter a value.

      The tag value can be up to 128 characters in length. It cannot start with aliyun or acs:, and cannot contain http:// or https://.

  5. Return to the Internet NAT Gateway page and click Filter by Tag. In the Filter by Tag dialog box, you can specify a tag key and a tag value to search for an Internet NAT gateway.

Modify an Internet NAT gateway

  1. Log on to the NAT Gateway console.
  2. In the top navigation bar, select the region where the NAT gateway is deployed.
  3. On the Internet NAT Gateway page, find the NAT gateway that you want to manage and click Manage in the Actions column.
  4. In the Basic Information section of the Basic Information tab, you can perform the following operations to modify the Internet NAT gateway.

    • Modify the name of the Internet NAT gateway

      Click Edit next to Instance Name. In the dialog box that appears, enter a new name and click OK.

    • Modify the description of the Internet NAT gateway

      Click Edit next to Description. In the dialog box that appears, enter a new description for the Internet NAT gateway and click OK.

    • Enable or disable deletion protection

      Click Enable Deletion Protection or Disable Deletion Protection next to Deletion Protection.

References