VPC NAT gateways translate private IP addresses to resolve address conflicts and enable access from specified IPs.
Create and delete VPC NAT gateways
Console
Create a VPC NAT gateway
-
Go to the NAT Gateway purchase page.
-
Billing Method: pay-as-you-go.
-
Region: Select the region.
-
Network and Zone: Select the VPC and vSwitch.
-
-
On the Confirm page, review your configuration, accept the terms of service, and click Activate Now.
-
View the created instance on the VPC NAT Gateway page.
-
The Basic Information tab shows the VPC and vSwitch of the gateway.
-
The NAT IP Address tab shows the default NAT CIDR block and NAT IP address.
The default NAT IP address is randomly allocated from the vSwitch CIDR block. Neither the default CIDR block nor the default IP address can be deleted.
-
Delete a VPC NAT gateway
In the Actions column of the target VPC NAT gateway instance, click Delete.
Before deletion, remove all SNAT entries, DNAT entries, custom NAT IP addresses, and custom NAT CIDR blocks. Alternatively, force delete the instance to permanently remove the gateway and all associated resources. Proceed with caution.
API
-
Call CreateNatGateway to create a VPC NAT gateway.
-
Call DeleteNatGateway to delete a VPC NAT gateway.
Configure NAT IPs and CIDR blocks
When you create a VPC NAT gateway, the system uses the gateway's vSwitch CIDR block as the default NAT CIDR block. You can create additional NAT CIDR blocks as needed.
NAT IP addresses are used to create SNAT or DNAT entries. The default NAT IP address is randomly allocated from the vSwitch CIDR block. Add more NAT IP addresses from a NAT CIDR block to increase the pool of private addresses available for translation.
Console
Create a NAT CIDR block
-
Go to the VPC NAT Gateway page and select the region.
-
Click the gateway ID to open its details page. Click the NAT IP Address tab, and then click Create CIDR Block. The CIDR block must meet these conditions:
-
Use private CIDR blocks from RFC 1918 (such as 10.0.0.0/16, 172.16.0.0/16, or 192.168.0.0/16) with subnet masks of 16 to 32 bits. To use a public CIDR block, first add it as a user-defined CIDR block in the VPC.
-
The NAT CIDR block cannot overlap with the VPC's private CIDR block. To translate addresses within the VPC's CIDR block, create a vSwitch in that CIDR block and then create a new VPC NAT gateway in that vSwitch.
-
Add a NAT IP address
-
Go to the VPC NAT Gateway page and select the region.
-
Click the gateway ID to open its details page. Click the NAT IP Address tab, and then click Add NAT IP Address.
-
Select CIDR Block: Select an existing NAT CIDR block or create a new one.
-
Allocation Method: Select Randomly Allocate, or select Manually Allocate and specify an IP Address from the selected CIDR block.
-
Delete a NAT IP address
The default NAT IP address cannot be deleted.
In the Actions column of the target NAT IP address, click Delete. To delete multiple NAT IP addresses at once, select them and click Delete at the bottom of the list.
Delete a NAT CIDR block
The default NAT CIDR block cannot be deleted.
Click the
icon next to the target NAT CIDR block. Delete all NAT IP addresses in the CIDR block before deleting it.
API
-
Call CreateNatIpCidr to create a NAT CIDR block.
-
Call CreateNatIp to add a NAT IP address.
-
Call DeleteNatIp to delete a NAT IP address.
-
Call DeleteNatIpCidr to delete a NAT CIDR block.
Configure SNAT entries
SNAT entries allow VPC resources to access other VPCs or on-premises networks using NAT IP addresses.
Console
Create an SNAT entry
-
Go to the VPC NAT Gateway page and select the region.
-
In the Actions column of the target VPC NAT gateway instance, click SNAT, and then click Create SNAT Entry.
-
SNAT Entry: Select the SNAT entry scope.
-
Specify VPC: All VPC CIDR blocks can access external private networks through this rule.
-
Select vSwitch: ECS instances in the selected vSwitch can access external private networks through this rule.
-
VPC: Select a vSwitch, or click Create vSwitch to create one in the VPC console.
-
vSwitch CIDR Block: Shows the CIDR block of the selected vSwitch.
-
-
Specify ECS Instance: Selected ECS instances can access external private networks through this rule.
-
Select ECS Instance: Select ECS instances, or click Create ECS Instance to create one. Selecting multiple instances creates multiple SNAT entries with the same NAT IP address. Instances must be in the Running state.
-
ECS CIDR Block: Shows the CIDR block of the selected ECS instance.
-
-
Specify Custom CIDR Block: All ECS instances within the specified CIDR block can access external private networks through this rule.
-
-
Select NAT IP Address: Select one or more NAT IP addresses for external private network access. Select Create NAT IP Address to create a new one.
-
NAT IP Affinity: When multiple NAT IP addresses are selected, affinity is disabled by default — the same source IP may use different NAT IPs for the same destination. Enable affinity to always use the same NAT IP address.
After an entry is created, you can click Edit in the Actions column of the entry to modify the NAT IP address and NAT IP affinity settings.
-
Delete an SNAT entry
On the SNAT tab of the VPC NAT gateway details page, click Delete in the Actions column of the target SNAT entry.
API
-
Call CreateSnatEntry to create an SNAT entry.
-
Call DeleteSnatEntry to delete an SNAT entry.
Configure DNAT entries
DNAT entries map NAT IP addresses to ECS instances in the VPC, allowing those instances to provide services to external private networks.
Console
Create a DNAT entry
-
Go to the VPC NAT Gateway page and select the region.
-
In the Actions column of the target VPC NAT gateway instance, click DNAT, and then click Create DNAT Entry.
-
Select NAT IP Address: Select the NAT IP address for external private network access. The same NAT IP address can be shared between a DNAT port mapping entry and an SNAT entry.
-
Select Private IP Address: Select the private IP address to receive DNAT traffic. You can Select by ECS or ENI or Manually Enter the address.
-
Port Settings: Configure the DNAT mapping.
-
Any Port: Creates an IP mapping. All requests to this NAT IP address are forwarded to the target ECS instance, which can also use this NAT IP address for outbound access.
A NAT IP address used for IP mapping cannot be shared with other DNAT or SNAT entries.
If both a DNAT IP mapping entry and an SNAT entry exist, the ECS instance prioritizes the DNAT IP mapping NAT IP address for outbound access.
-
Specific Port: Creates a port mapping. The gateway forwards requests on a specified protocol and port of the NAT IP address to a specified port on the target ECS instance. Configure the Frontend Port (port accessed by external networks), Backend Port (port on the target ECS instance), and Protocol.
-
The port number must be within the range of 1 to 65535.
-
If the NAT IP address is already used in an SNAT entry and you need a port number greater than
1024, you must Remove Port Limits. The default SNAT port range is 1025–65535. Enabling this option may cause transient interruptions for existing SNAT connections.
-
-
After an entry is created, you can click Edit in the Actions column of the entry to modify the NAT IP address, private IP address, and port settings.
-
Delete a DNAT entry
On the DNAT tab of the VPC NAT gateway details page, click Delete in the Actions column of the target DNAT entry.
API
-
Call CreateForwardEntry to create a DNAT entry.
-
Call DeleteForwardEntry to delete a DNAT entry.
Configure routes
Configure routes based on the type of NAT CIDR block you use.
-
If you use the default NAT CIDR block:
-
In the VPC's system route table, add a route with the destination set to the peer network's CIDR block and the next hop set to the VPC NAT gateway.
-
Create a custom route table for the gateway's vSwitch. Check whether a dynamic route to the peer network (for example, from CEN) has been learned.
-
If a dynamic route exists, no manual route is needed.
-
If no dynamic route exists, manually add a route with the destination set to the peer network's CIDR block and the next hop set to the peer device (such as a VBR or CEN).
-
-
-
If you use a custom NAT CIDR block:
-
In the VPC's system route table, add a route with the destination set to the custom NAT CIDR block and the next hop set to the VPC NAT gateway.
-
In the same route table, add another route with the destination set to the peer network's CIDR block and the next hop set to the VPC NAT gateway.
-
Create a custom route table for the gateway's vSwitch. Add a route with the destination set to the peer network's CIDR block and the next hop set to the peer device (such as a router interface or transit router).
-
To enable communication between resources using a custom NAT CIDR block and on-premises or cross-VPC resources, use an Enterprise Edition transit router.
-