
NAT Gateway: Deploy multiple Internet NAT gateways in one VPC

Last Updated: Aug 23, 2023

You can create multiple Internet NAT gateways in one virtual private cloud (VPC) to forward traffic to different IP addresses. This way, you can better manage traffic that is destined for the Internet. You can also use different services to protect each Internet NAT gateway based on your requirements.

Scenarios

The following scenario is used as an example to show how to deploy multiple Internet NAT gateways in one VPC.

Architecture

The following content describes the vSwitches used in this example:

  • Create a VPC, and then create three vSwitches in the VPC. Deploy an Internet NAT gateway (NATGW-1) in Security Domain 1 and another Internet NAT gateway (NATGW-2) in Security Domain 2. Associate vSwitch1 with NATGW-1. Then, associate vSwitch2 and vSwitch3 with NATGW-2.

    • vSwitch1 belongs to Security Domain 1 and is associated with the system route table. A dedicated public IP address is used to route network traffic. The maximum bandwidth is 50 Mbit/s. The public IP address is not exposed to the Internet. Elastic Compute Service (ECS) instances that are attached to vSwitch1 can send requests to the Internet, but cannot receive requests from the Internet. The ECS instances require a private network environment.

    • vSwitch2 and vSwitch3 belong to Security Domain 2 and are associated with a custom subnet route table of the VPC. The ECS instances that are attached to vSwitch2 share the same egress to communicate with the Internet. They can both send requests to the Internet and receive requests from the Internet. The maximum bandwidth is 1 Gbit/s.

  • Create a 50 Mbit/s elastic IP address (EIP) named EIP1 and specify EIP1 in an SNAT entry on NATGW-1.

  • Purchase an Internet Shared Bandwidth of 1 Gbit/s in size, and associate it with NATGW-2. Create three 5 Mbit/s EIPs (EIP2, EIP3, and EIP4), and associate the EIPs with the Internet Shared Bandwidth. Specify an EIP in a DNAT entry for vSwitch2, specify another EIP in a DNAT entry for vSwitch3, and then specify the last EIP in SNAT entries for the two vSwitches.

  • Configure monitoring for the vSwitches of NATGW-2.
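The architecture above, together with the route table, SNAT and DNAT entries that Step 3, Step 6 and Step 7 configure, expressed as a small Python model. This is an added example, not Alibaba Cloud code or console output: the CIDR blocks, private addresses and EIP addresses are constructed placeholders that follow the names in the architecture description, and the system route table is assumed to carry a default route to NATGW-1. For a host in each vSwitch it resolves which EIP its Internet-bound traffic carries (longest-prefix route lookup, then SNAT match) and lists which private targets a DNAT entry publishes, so the two security domains can be checked against the design before anything is created: Security Domain 1 leaves only through EIP1 and is not reachable from the Internet; Security Domain 2 shares EIP4 for egress and publishes only TCP port 22 of ECS2 and ECS3.

```python
"""Added example (not Alibaba Cloud code): model of the two-gateway design.
All addresses below are constructed placeholders."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class SnatEntry:
    source_cidr: str  # vSwitch CIDR block whose outbound traffic is translated
    eip: str


@dataclass
class DnatEntry:
    eip: str
    public_port: int
    private_ip: str
    private_port: int
    protocol: str = "TCP"


@dataclass
class NatGateway:
    name: str
    max_bandwidth_mbps: int
    snat: List[SnatEntry] = field(default_factory=list)
    dnat: List[DnatEntry] = field(default_factory=list)


@dataclass
class RouteTable:
    name: str
    routes: Dict[str, str]  # destination CIDR block -> next-hop NAT gateway name
    vswitches: List[str]    # vSwitches associated with this table


# Constructed addressing for the three vSwitches and three ECS instances.
VSWITCH_CIDR = {"vSwitch1": "192.168.1.0/24",   # Security Domain 1
                "vSwitch2": "192.168.2.0/24",   # Security Domain 2
                "vSwitch3": "192.168.3.0/24"}   # Security Domain 2
ECS_IP = {"ECS1": "192.168.1.10", "ECS2": "192.168.2.10", "ECS3": "192.168.3.10"}
EIP = {"EIP1": "203.0.113.1", "EIP2": "203.0.113.2",
       "EIP3": "203.0.113.3", "EIP4": "203.0.113.4"}

# Step 6 and Step 7 as data: one SNAT entry on NATGW-1; on NATGW-2 two SNAT entries
# sharing EIP4 and two DNAT entries publishing port 22 of ECS2 and ECS3 on EIP2/EIP3.
NATGW_1 = NatGateway("NATGW-1", 50, snat=[SnatEntry(VSWITCH_CIDR["vSwitch1"], EIP["EIP1"])])
NATGW_2 = NatGateway(
    "NATGW-2", 1000,
    snat=[SnatEntry(VSWITCH_CIDR["vSwitch2"], EIP["EIP4"]),
          SnatEntry(VSWITCH_CIDR["vSwitch3"], EIP["EIP4"])],
    dnat=[DnatEntry(EIP["EIP2"], 22, ECS_IP["ECS2"], 22),
          DnatEntry(EIP["EIP3"], 22, ECS_IP["ECS3"], 22)],
)
GATEWAYS = {gw.name: gw for gw in (NATGW_1, NATGW_2)}

# Step 3 as data. Assumption: the system route table carries a default route to NATGW-1,
# which is what lets ECS1 reach the Internet through the SNAT entry on that gateway.
ROUTE_TABLES = [
    RouteTable("system", {"0.0.0.0/0": "NATGW-1"}, ["vSwitch1"]),
    RouteTable("custom-domain2", {"0.0.0.0/0": "NATGW-2"}, ["vSwitch2", "vSwitch3"]),
]


def next_hop(table: RouteTable, dst_ip: str) -> Optional[str]:
    """Longest-prefix match over the table's route entries; None if nothing matches."""
    dst = ipaddress.ip_address(dst_ip)
    best: Optional[Tuple[ipaddress.IPv4Network, str]] = None
    for cidr, hop in table.routes.items():
        net = ipaddress.ip_network(cidr)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None


def route_table_for(vswitch: str) -> RouteTable:
    for table in ROUTE_TABLES:
        if vswitch in table.vswitches:
            return table
    raise KeyError(f"{vswitch} is not associated with any route table")


def egress_eip(vswitch: str, src_ip: str, dst_ip: str = "198.51.100.7") -> Optional[str]:
    """Public address a packet from src_ip (attached to vswitch) carries after SNAT,
    or None if the design gives that source no path to the Internet."""
    gateway = GATEWAYS.get(next_hop(route_table_for(vswitch), dst_ip) or "")
    if gateway is None:
        return None
    src = ipaddress.ip_address(src_ip)
    for entry in gateway.snat:
        if src in ipaddress.ip_network(entry.source_cidr):
            return entry.eip
    return None  # routed to a gateway, but no SNAT entry covers the source


def exposed_targets(cidr: str) -> Set[Tuple[str, int, str]]:
    """(private IP, private port, protocol) inside cidr that some DNAT entry publishes."""
    net = ipaddress.ip_network(cidr)
    return {(e.private_ip, e.private_port, e.protocol)
            for gw in GATEWAYS.values() for e in gw.dnat
            if ipaddress.ip_address(e.private_ip) in net}


def audit_domain(vswitches: List[str]) -> Dict[str, object]:
    """Egress addresses and Internet-reachable targets for one security domain."""
    egress = {vs: egress_eip(vs, str(ipaddress.ip_network(VSWITCH_CIDR[vs])[10]))
              for vs in vswitches}
    exposed = set().union(*(exposed_targets(VSWITCH_CIDR[vs]) for vs in vswitches))
    return {"egress_eips": sorted(set(egress.values()) - {None}), "exposed": sorted(exposed)}


if __name__ == "__main__":
    print("Security Domain 1:", audit_domain(["vSwitch1"]))
    print("Security Domain 2:", audit_domain(["vSwitch2", "vSwitch3"]))
```

Run it before provisioning, and again whenever an entry is added: a DNAT entry whose private address falls in vSwitch1, or a second SNAT EIP in Security Domain 2, shows up immediately in the audit output instead of in a later firewall review. A source that no SNAT entry covers resolves to None, which is the same silent drop you would observe from the instance.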

Flowchart

[Flowchart: Deploy multiple Internet NAT gateways in one VPC]

Step 1: Create cloud resources

Before you deploy Internet NAT gateways for vSwitches, you must first create the following cloud resources: a VPC, vSwitches, ECS instances, EIPs, and an Internet Shared Bandwidth.

Cloud resource | Specification | Quantity | References
VPC | Region: Select China (Hohhot). | 1 | Create a VPC and a vSwitch
vSwitch | Zone: one vSwitch named vSwitch1 is created in Hohhot Zone A; two vSwitches named vSwitch2 and vSwitch3 are created in Hohhot Zone B. | 3 | Create a VPC and a vSwitch
ECS instance | Billing method: Select Pay-As-You-Go. Region: Select China (Hohhot). Instance: ecs.g6e.large is selected in this example. Image: Alibaba Cloud Linux 3.2104 64-bit is selected in this example. Network Type: Select the VPC and vSwitches that you created (one ECS instance named ECS1 is created in Hohhot Zone A where vSwitch1 is deployed; two ECS instances named ECS2 and ECS3 are created in Hohhot Zone B where vSwitch2 and vSwitch3 are deployed). Public IP Address: Clear the check box. Security Group: Use the default security group. | 3 | Create ECS instances
EIP | Billing method: Select Pay-As-You-Go. Region: Select China (Hohhot). Max bandwidth: Specify 50 Mbit/s for one EIP and 5 Mbit/s for each of the other three EIPs. | 4 | Apply for an EIP
Internet Shared Bandwidth | Billing Mode: Select Pay-As-You-Go. Region: Select China (Hohhot). Bandwidth: Specify 1,000 Mbit/s. | 1 | Create an Internet Shared Bandwidth

Step 2: Create two Internet NAT gateways

Create two Internet NAT gateways named NATGW-1 and NATGW-2 that are billed on a pay-as-you-go basis in the VPC. Associate NATGW-1 with vSwitch1, and associate NATGW-2 with vSwitch2 and vSwitch3.

  1. Log on to the NAT Gateway console.
  2. On the Internet NAT Gateway page, click Create NAT Gateway.
  3. When you create an Internet NAT gateway for the first time, click Create in the Notes on Creating Service-linked Roles section of the buy page to create a service-linked role. After the service-linked role is created, you can create Internet NAT gateways.

    For more information, see Service-linked roles.

  4. On the buy page, set the following parameters and click Buy Now.

    Parameter | Description
    Billing Method | By default, Pay-As-You-Go is selected. You pay for resources after you use them. For more information, see Billing of Internet NAT gateways.
    Resource Group | Select the resource group to which the virtual private cloud (VPC) belongs. For more information, see Resource group overview.
    Tags | Tag Key: select or enter a tag key. You can specify at most 20 tag keys. A tag key can be up to 128 characters in length, cannot start with aliyun or acs:, and cannot contain http:// or https://. Tag Value: select or enter a tag value. You can specify at most 20 tag values. A tag value can be up to 128 characters in length, cannot start with aliyun or acs:, and cannot contain http:// or https://.
    Region | Select the region where you want to create the Internet NAT gateway.
    VPC | Select the VPC where you want to create the Internet NAT gateway. After the Internet NAT gateway is created, you cannot change the VPC to which it belongs.
    Associate vSwitch | Select the vSwitch to which the Internet NAT gateway belongs.
    Metering Method | By default, Pay-By-CU is selected. You are charged based on the resources that you use. For more information, see Billing of Internet NAT gateways.
    Billing Cycle | By default, By Hour is selected. Bills are generated on an hourly basis. If you use an Internet NAT gateway for less than 1 hour, the usage duration is rounded up to 1 hour.
    Instance Name | Enter a name for the Internet NAT gateway. The name must be 2 to 128 characters in length and can contain digits, underscores (_), and hyphens (-). The name must start with a letter.
    Access Mode | Select the mode in which you want to create the Internet NAT gateway. SNAT for All VPC Resources: the Internet NAT gateway is created in unified access mode, and after it is created all resources in the VPC can access the Internet by using the SNAT feature of the NAT gateway; you must also specify an elastic IP address (EIP). Configure Later: only the Internet NAT gateway is created and no SNAT entry is created; you configure the gateway in the console after you complete the payment. In this example, Configure Later is selected.

  5. On the Confirm page, confirm the information, select the Terms of Service check box, and then click Confirm.

    When the Purchased message appears, the Internet NAT gateway is created.

Step 3: Create a custom route table for vSwitch2 and vSwitch3

A route table consists of one or more route entries. Each route entry specifies the destination to which network traffic is routed. You can use the default route table or create a custom route table to manage network traffic.

  1. Log on to the VPC console.
  2. In the left-side navigation pane, click Route Tables.

  3. Select the region where you want to create a route table.

    In this example, China (Hohhot) is selected.

    For more information about the regions that support custom route tables, see Route table overview.

  4. On the Route Tables page, click Create Route Table.

  5. In the Create Route Table dialog box, set the following parameters and click OK.

    Parameter | Description
    Resource Group | Select the resource group to which the route table belongs.
    VPC | Select the VPC to which the route table belongs.
    Name | Enter a name for the route table. The name must be 2 to 128 characters in length and can contain digits, underscores (_), and hyphens (-). The name must start with a letter.
    Description | Enter a description for the route table. The description must be 2 to 256 characters in length. It cannot start with http:// or https://.

  6. On the Route Tables page, find the route table that you want to manage and click its ID.

  7. In the Route Table Details section, click the Associated vSwitch tab and click Associate vSwitch.

  8. In the Associate vSwitch dialog box, select vSwitch2 and click OK. Repeat this step to associate the route table with vSwitch3.

  9. Click the Route Entry List > Custom Route tab and click Add Route Entry. In the Add Route Entry panel, set the following parameters.

    Parameter | Description
    Name | Enter a name for the route entry. The name must be 2 to 128 characters in length and can contain digits, underscores (_), and hyphens (-). It must start with a letter.
    Destination CIDR Block | Enter the destination CIDR block to which you want to route traffic. In this example, 0.0.0.0/0 is specified, so all Internet-bound traffic from the associated vSwitches is covered.
    Next Hop Type | NAT Gateway is selected in this example. Traffic destined for the specified CIDR block is routed to the specified NAT gateway.
    NAT Gateway | Select NATGW-2, which you created in Step 2: Create two Internet NAT gateways.

    After you complete the preceding operations, a custom route entry that points to NATGW-2 is added to the newly created custom route table.

Step 4: Associate the three 5 Mbit/s EIPs with an Internet Shared Bandwidth

  1. Log on to the Internet Shared Bandwidth console.

  2. In the top navigation bar, select the region where the Internet Shared Bandwidth is created.

    In this example, China (Hohhot) is selected.

  3. On the Internet Shared Bandwidth page, find the Internet Shared Bandwidth instance that you want to manage and click Add IP in the Actions column.

  4. In the Add IP panel, click Select from EIP List. Then, select an EIP and click OK. Repeat this step for each of the three 5 Mbit/s EIPs.

    After you associate the three 5 Mbit/s EIPs with the 1,000 Mbit/s Internet Shared Bandwidth, the EIPs share the 1,000 Mbit/s bandwidth.

Step 5: Associate the four EIPs with the Internet NAT gateways separately

Associate the EIPs with the Internet NAT gateways created in Step 2: Create two Internet NAT gateways. Associate EIP1 with NATGW-1, and associate EIP2, EIP3, and EIP4 with NATGW-2.

  1. Log on to the NAT Gateway console.
  2. In the top navigation bar, select the region where the Internet NAT gateway is deployed.

    In this example, China (Hohhot) is selected.

  3. On the Internet NAT Gateway page, find the Internet NAT gateway that you want to manage and click Associate Now in the Elastic IP Address column.

  4. In the Associate EIP dialog box, set the following parameters and click OK.

    Parameter | Description
    Resource Group | Select the resource group of the EIP.
    EIPs | Choose Select Existing EIPs and select an EIP from the drop-down list. Associate the 50 Mbit/s EIP with NATGW-1, and associate the other three EIPs with NATGW-2.

    After you complete the preceding operations, the EIPs are displayed in the Elastic IP Address column.

Step 6: Create SNAT entries

ECS instances in VPCs can access the Internet by using SNAT if the ECS instances are not assigned public IP addresses. Create one SNAT entry on NATGW-1, and create two SNAT entries on NATGW-2.

  1. Log on to the NAT Gateway console.
  2. In the top navigation bar, select the region where the Internet NAT gateway is deployed.

    In this example, China (Hohhot) is selected.

  3. On the Internet NAT Gateway page, find the NAT gateway that you want to manage and click Configure SNAT in the Actions column.
  4. On the SNAT Management tab, click Create SNAT Entry.

  5. On the Create SNAT Entry page, set the parameters and click Confirm.

    • Configure an SNAT entry on NATGW-1 for vSwitch1.

    • When you configure SNAT entries on NATGW-2, specify the same EIP in the SNAT entries for vSwitch2 and vSwitch3.

    Parameter | Description
    SNAT Entry | Specify whether to create an SNAT entry for a VPC, a vSwitch, an ECS instance, or a custom CIDR block. Specify vSwitch is selected in this example: the ECS instances that are attached to the specified vSwitch use the EIP to access the Internet. Select VSwitch: select a vSwitch from the drop-down list (if you select multiple vSwitches, the system creates multiple SNAT entries that use the same EIP). VSwitch CIDR Block: displays the CIDR block of the vSwitch.
    Select Public IP Address | Select one or more EIPs that are used to access the Internet. In this example, Use One IP Address is selected and an EIP is selected from the drop-down list.
    Entry Name | Enter a name for the SNAT entry.

Step 7: Create DNAT entries

DNAT allows ECS instances to use EIPs on NAT gateways to provide services over the Internet. Create two DNAT entries on NATGW-2.

  1. Log on to the NAT Gateway console.
  2. In the top navigation bar, select the region where the Internet NAT gateway is deployed.

    In this example, China (Hohhot) is selected.

  3. On the Internet NAT Gateway page, find the NAT gateway that you want to manage and click Configure DNAT in the Actions column.
  4. On the DNAT Management tab, click Create DNAT Entry.

  5. On the Create DNAT Entry page, set the parameters that are described in the following table and click Confirm.

    Set the following parameters to create DNAT entries for vSwitch2 and vSwitch3.

    Parameter | Description
    Select Public IP Address | Select an EIP from the drop-down list. The EIP is used to communicate with the Internet.
    Select Private IP Address | Select the ECS instance that uses the DNAT entry to communicate with the Internet. Choose Select by ECS or ENI, and then select the ECS instance or the elastic network interface (ENI) associated with the ECS instance from the drop-down list.
    Port Settings | Select a DNAT mapping method. Specific Port is selected in this example. Use the same settings for vSwitch2 and vSwitch3: Public Port (the external port used in port forwarding) 22, Private Port (the internal port used in port forwarding) 22, and Protocol Type (the protocol used by the ports) TCP. Make sure that the security group rules of ECS2 and ECS3 allow inbound TCP requests on port 22.
    Entry Name | Enter a name for the DNAT entry. The name must be 2 to 128 characters in length and can contain digits, periods (.), underscores (_), and hyphens (-). It must start with a letter.

Step 8: Test network connectivity and check monitoring metrics

Check whether the ECS instance can access the Internet

Log on to ECS1 in vSwitch1 and perform the following operations to check whether ECS1 can access the Internet. You can also query the EIP specified in the SNAT entry that is associated with ECS1.

  1. Log on to ECS1 in vSwitch1. For more information, see Connection methods.

  2. Run the ping www.aliyun.com command.

    If you receive echo reply packets, ECS1 can access the Internet.

    The result shows that ECS1 can access the Internet.

  3. Run the curl myip.ipip.net command to query the EIP that ECS1 uses to access the Internet. Then, run the ifconfig command to query the private IP address of ECS1.

    The result shows that the EIP that ECS1 uses to access the Internet is the EIP specified in the SNAT entry configured on NATGW-1.
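The two checks above, scripted so they can be rerun on ECS1 after every change to the SNAT entries. This is an added example, not Alibaba Cloud code: it assumes that the body returned by curl myip.ipip.net contains the public address in plain text, that ifconfig is installed on the instance, and the ifconfig output and lookup response embedded below are constructed samples with placeholder addresses. The script compares the public address the instance is seen with to the EIP specified in the SNAT entry on NATGW-1, confirms that the instance holds an address inside its vSwitch, and confirms that no public address is bound to the instance itself (the Public IP Address check box was cleared in Step 1).

```python
"""Added example (not Alibaba Cloud code): host-side checks for Step 8 on ECS1.
The samples below are constructed; addresses are placeholders."""
import ipaddress
import re
import subprocess
import sys
import urllib.request
from typing import Dict, List

IPV4 = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")

# Constructed sample of `ifconfig` output on ECS1 (private address 192.168.1.10).
IFCONFIG_SAMPLE = """\
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.1.10  netmask 255.255.255.0  broadcast 192.168.1.255
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
"""
# Constructed sample of a what-is-my-IP response body; only the address matters.
MYIP_SAMPLE = "当前 IP：203.0.113.1  来自于：(constructed sample)\n"


def interface_ipv4s(ifconfig_output: str) -> List[str]:
    """Addresses on `inet` lines (old `inet addr:` form included), loopback excluded."""
    found = re.findall(r"inet (?:addr:)?(\d{1,3}(?:\.\d{1,3}){3})", ifconfig_output)
    return [ip for ip in found if not ipaddress.ip_address(ip).is_loopback]


def public_ip_from_response(body: str) -> str:
    """First IPv4 address in a what-is-my-IP response body."""
    match = IPV4.search(body)
    if not match:
        raise ValueError("no IPv4 address in response")
    return match.group(1)


def check_egress(observed_public_ip: str, expected_eip: str,
                 ifconfig_output: str, vswitch_cidr: str) -> Dict[str, bool]:
    """The three facts Step 8 establishes for ECS1, as booleans."""
    net = ipaddress.ip_network(vswitch_cidr)
    addrs = [ipaddress.ip_address(ip) for ip in interface_ipv4s(ifconfig_output)]
    return {
        # traffic leaves through the EIP configured in the SNAT entry, not another path
        "egress_matches_snat_eip": observed_public_ip == expected_eip,
        # the instance sits in the vSwitch the SNAT entry was created for
        "private_ip_in_vswitch": any(a in net for a in addrs),
        # no public address is bound to the instance itself
        "no_public_ip_on_instance": all(a.is_private for a in addrs),
    }


if __name__ == "__main__":
    # usage: python3 check_egress.py <expected EIP> <vSwitch CIDR block>
    expected, cidr = sys.argv[1], sys.argv[2]
    body = urllib.request.urlopen("http://myip.ipip.net", timeout=10).read()
    ifconfig = subprocess.run(["ifconfig"], capture_output=True, text=True, check=True).stdout
    result = check_egress(public_ip_from_response(body.decode("utf-8", "replace")),
                          expected, ifconfig, cidr)
    for name, ok in result.items():
        print(f"{name}: {'OK' if ok else 'FAIL'}")
    sys.exit(0 if all(result.values()) else 1)
```

A FAIL on egress_matches_snat_eip after a later change usually means the instance is now routed through a different gateway or a different SNAT EIP than the design intends, which is exactly the drift that separating the two security domains is meant to prevent.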

Check whether ECS2 can provide services over the Internet

  1. Log on to an on-premises Linux machine.

  2. Run the ssh root@<public IP address> command, where <public IP address> is the EIP specified in the DNAT entry configured on NATGW-2. Then, enter the password of ECS2 and check whether you can access ECS2.

    If Welcome to Alibaba Cloud Elastic Compute Service! is returned, ECS2 can use the DNAT feature of NATGW-2 to provide services over the Internet.

  3. Run the ifconfig command. If the IP address that is returned is the same as the private IP address of ECS2, ECS2 can provide services over the Internet.

View metrics

  1. Log on to the NAT Gateway console.
  2. In the top navigation bar, select the region where the Internet NAT gateway is deployed.

  3. On the Internet NAT Gateway page, find the Internet NAT gateway that you want to manage and click Monitoring in the Monitoring column.

    For more information about the monitoring metrics of Internet NAT gateways, see View monitoring data.