You can use Virtual Private Cloud (VPC) NAT gateways to translate private IP addresses. This enables Elastic Compute Service (ECS) instances in a VPC to access external private networks and to provide services to those networks. This topic describes how to create a VPC NAT gateway and how to manage its NAT CIDR blocks, NAT IP addresses, and routes.

Prerequisites

Create a VPC NAT gateway

  1. Log on to the NAT Gateway console.
  2. In the left-side navigation pane, choose NAT Gateway > VPC NAT Gateway.
  3. On the VPC NAT Gateway page, click Create VPC NAT Gateway.
  4. On the VPC NAT Gateway (Pay-As-You-Go) page, set the following parameters and click Buy Now.
    Parameter Description
    Region Select the region where you want to create the VPC NAT gateway.
    VPC ID Select the VPC to which the VPC NAT gateway belongs. After you create a VPC NAT gateway, you cannot change the VPC to which it belongs.
    Zones Select the zone to which the VPC NAT gateway belongs.
    vSwitch ID Select the vSwitch to which the VPC NAT gateway belongs. We recommend that you use a dedicated vSwitch for the gateway, because the CIDR block of this vSwitch becomes the default NAT CIDR block of the gateway.
    Name Enter a name for the VPC NAT gateway.

    The name must be 2 to 128 characters in length and can contain letters, digits, underscores (_), and hyphens (-). It must start with a letter.

    Service-linked Role Displays whether a service-linked role is created for the VPC NAT Gateway.

    If this is the first time you use a NAT gateway (a public NAT gateway or a VPC NAT gateway) in this account, click Create Service-linked Role to create the service-linked role.

  5. On the Confirm Order page, confirm the information, select the Terms of Service check box, and then click Activate Now.
    When the message Order complete. appears, the purchase is complete.
  6. Return to the VPC NAT Gateway page and view the VPC NAT gateway that you created.
    • Click the ID of the VPC NAT gateway. On the Basic Information tab, view the VPC and vSwitch to which the VPC NAT gateway belongs.
    • Click the NAT IP Address tab to view the default NAT IP address and the default NAT CIDR block.
      Note The default NAT CIDR block is the CIDR block of the vSwitch to which the VPC NAT gateway belongs. The default NAT IP address is an address randomly allocated from that vSwitch CIDR block. Neither the default NAT CIDR block nor the default NAT IP address can be deleted.

Create a NAT CIDR block

After you create a VPC NAT gateway, the system uses the CIDR block of the vSwitch to which the VPC NAT gateway belongs as the default NAT CIDR block. You can also create a NAT CIDR block for the VPC NAT gateway to meet your business requirements.

  1. Log on to the NAT Gateway console.
  2. In the left-side navigation pane, choose NAT Gateway > VPC NAT Gateway.
  3. In the top navigation bar, select the region where the VPC NAT gateway is deployed.
  4. On the VPC NAT Gateway page, find the VPC NAT gateway that you want to manage and click the ID of the VPC NAT gateway.
  5. Click the NAT IP Address tab and click Create CIDR Block.
  6. In the Create CIDR Block dialog box, enter CIDR Block Name and CIDR Block, and then click OK.
    The new CIDR block must meet the following conditions:
    • It must fall within 10.0.0.0/8, 172.16.0.0/12, or 192.168.0.0/16, that is, it must be one of these blocks or a subnet of one of them.
    • The subnet mask must be 16 to 32 bits in length. Together with the previous rule this means 10.0.0.0/8 and 172.16.0.0/12 themselves are too large; use a /16 or smaller subnet of them.
    • If you want to use a public CIDR block as the NAT CIDR block, the VPC to which the VPC NAT gateway belongs must be authorized to use public CIDR blocks. For more information, see Limits on VPCs and vSwitches.
    When the message The CIDR block is added. appears, the CIDR block is created.

Add a NAT IP address

A NAT IP address is the address that an SNAT entry or a DNAT entry translates to or from. You can add NAT IP addresses to a NAT CIDR block as your business requires, and the VPC NAT gateway then uses these addresses to translate private IP addresses.

  1. Log on to the NAT Gateway console.
  2. In the left-side navigation pane, choose NAT Gateway > VPC NAT Gateway.
  3. In the top navigation bar, select the region where the VPC NAT gateway is deployed.
  4. On the VPC NAT Gateway page, find the VPC NAT gateway that you want to manage and click the ID of the VPC NAT gateway.
  5. On the NAT IP Address tab, click Add NAT IP Address.
  6. In the Add NAT IP Address dialog box, set the following parameters and click OK.
    Parameter Description
    Select CIDR Block Select the CIDR block to which you want to add a NAT IP address.

    You can select an existing NAT CIDR block of the VPC NAT gateway or create a CIDR block.

    Allocation Method Select a method to allocate the NAT IP address.
    • Randomly Allocate: The system randomly allocates an IP address from the selected CIDR block.
    • Manually Allocate: You can specify an IP address from the selected CIDR block.
    IP Address Enter an IP address from the selected CIDR block. This parameter is required if Allocation Method is set to Manually Allocate.
    NAT IP Address Name Enter a name for the NAT IP address.

    The name must be 2 to 128 characters in length and can contain letters, digits, underscores (_), and hyphens (-). The name must start with a letter.
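
The following Python script is an added example for the two procedures above (creating a NAT CIDR block and adding a NAT IP address); it is not Alibaba Cloud code and calls no API. It checks a candidate NAT CIDR block against the rules stated above (inside 10.0.0.0/8, 172.16.0.0/12 or 192.168.0.0/16 unless public CIDR blocks are authorized; subnet mask of 16 to 32 bits) and allocates a NAT IP address from a block either randomly or manually, as the Add NAT IP Address dialog does. The overlap check against the gateway's existing NAT CIDR blocks is this example's own addition, and all CIDR blocks and addresses used in the tests are constructed.

```python
"""Check a custom NAT CIDR block and allocate NAT IP addresses from it.

Added example, not Alibaba Cloud code: it calls no API and only applies the
rules the console steps state. The overlap check against existing blocks is
this example's own addition.
"""
import ipaddress
import secrets

# RFC 1918 ranges a NAT CIDR block must sit inside unless public blocks are allowed.
PRIVATE_RANGES = [
    ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]


def nat_cidr_errors(cidr, existing_blocks=(), public_allowed=False):
    """Return the reasons `cidr` is not acceptable as a NAT CIDR block.

    An empty list means the block passes every check. `existing_blocks` are the
    NAT CIDR blocks already attached to the gateway.
    """
    errors = []
    try:
        # strict=True rejects host bits set, e.g. 10.1.2.3/24
        block = ipaddress.ip_network(cidr, strict=True)
    except ValueError as exc:
        return [f"{cidr}: not a valid CIDR block ({exc})"]
    if block.version != 4:
        return [f"{cidr}: only IPv4 NAT CIDR blocks are handled here"]
    if not 16 <= block.prefixlen <= 32:
        errors.append(f"{cidr}: subnet mask must be 16 to 32 bits, got /{block.prefixlen}")
    if not public_allowed and not any(block.subnet_of(r) for r in PRIVATE_RANGES):
        errors.append(
            f"{cidr}: not within 10.0.0.0/8, 172.16.0.0/12 or 192.168.0.0/16, "
            "and the VPC is not authorized to use public CIDR blocks"
        )
    for other in existing_blocks:
        other = ipaddress.ip_network(other)
        if block.overlaps(other):  # example's own rule: pools must not overlap
            errors.append(f"{cidr}: overlaps existing NAT CIDR block {other}")
    return errors


def allocate_nat_ip(block, in_use=(), manual=None):
    """Pick a NAT IP address from `block`, mirroring the Add NAT IP Address dialog.

    manual=None is "Randomly Allocate": a free address is drawn at random.
    Otherwise ("Manually Allocate") the requested address must lie inside the
    block and must not already be allocated.
    """
    block = ipaddress.ip_network(block)
    used = {ipaddress.ip_address(a) for a in in_use}
    if manual is not None:
        addr = ipaddress.ip_address(manual)
        if addr not in block:
            raise ValueError(f"{addr} is not in NAT CIDR block {block}")
        if addr in used:
            raise ValueError(f"{addr} is already allocated")
        return addr
    if block.num_addresses - sum(1 for a in used if a in block) == 0:
        raise ValueError(f"NAT CIDR block {block} has no free address")
    # Sample by offset so a /16 (65,536 addresses) is never materialised as a
    # list; fall back to a linear scan when the block is nearly full.
    for _ in range(64):
        addr = block.network_address + secrets.randbelow(block.num_addresses)
        if addr not in used:
            return addr
    return next(a for a in block if a not in used)


if __name__ == "__main__":
    # Constructed input: one existing pool on the gateway, one candidate block.
    print(nat_cidr_errors("192.168.10.128/25", existing_blocks=["192.168.10.0/24"]))
    print(nat_cidr_errors("172.20.0.0/16"))  # []
    print(allocate_nat_ip("172.20.0.0/16", in_use=["172.20.0.1"]))
```

Run `nat_cidr_errors` before clicking OK in the Create CIDR Block dialog to get all rejection reasons at once instead of one console error at a time; pass `public_allowed=True` only when the VPC has actually been authorized to use public CIDR blocks.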

Configure routes

Refer to the following operations to configure routes so that traffic between ECS instances in the VPC and the peer network passes through the VPC NAT gateway.

  • Use the default NAT CIDR block as the address pool of the VPC NAT gateway.
    • Add a route entry to the system route table of the VPC to which the VPC NAT gateway belongs: the destination CIDR block is the peer CIDR block and the next hop is the VPC NAT gateway. For more information, see Create and delete route entries.
    • Create a custom route table, associate it with the vSwitch to which the VPC NAT gateway belongs, and add a route entry to it: the destination CIDR block is the peer CIDR block and the next hop is the peer device, such as a virtual border router (VBR) or a Cloud Enterprise Network (CEN) instance. For more information, see Add subnet routes to a route table.
  • Use a custom NAT CIDR block as the address pool of the VPC NAT gateway.
    • Add a route entry to the system route table of the VPC to which the VPC NAT gateway belongs: the destination CIDR block is the custom NAT CIDR block and the next hop is the VPC NAT gateway. This entry directs return traffic addressed to NAT IP addresses in the custom block to the gateway.
    • Add a route entry to the system route table of the VPC to which the VPC NAT gateway belongs: the destination CIDR block is the peer CIDR block and the next hop is the VPC NAT gateway.
    • Create a custom route table, associate it with the vSwitch to which the VPC NAT gateway belongs, and add a route entry to it: the destination CIDR block is the peer CIDR block and the next hop is the peer device, such as a router interface or a transit router.
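
The following Python script is an added example for the route configuration above; it is not Alibaba Cloud code and configures nothing. It turns the two layouts (default NAT CIDR block versus custom NAT CIDR block) into an explicit list of route entries and then resolves sample destinations against each table with longest-prefix matching, so the expected path can be checked before any entry is created. The table labels (`system`, `nat-vswitch`), the next-hop type labels, the overlap checks, and the IDs `ngw-example`, `vbr-example` and `tr-example` are this example's own conventions and placeholders, not API fields or real resources.

```python
"""Turn the "Configure routes" layouts into explicit route entries and check
the traffic path with longest-prefix matching.

Added example, not Alibaba Cloud code: it calls no API. Table and next-hop
labels and the overlap checks are this example's own conventions.
"""
import ipaddress


def _entry(destination, next_hop_type, next_hop_id):
    return {
        "destination": str(destination),
        "next_hop_type": next_hop_type,
        "next_hop_id": next_hop_id,
    }


def route_plan(vpc_cidr, peer_cidr, nat_gateway_id, peer_hop_type, peer_hop_id,
               custom_nat_cidr=None):
    """Return the entries for the VPC system route table and for the custom
    route table bound to the NAT gateway's vSwitch.

    peer_hop_type/peer_hop_id name the device that reaches the peer network
    (a VBR, a CEN transit router or a router interface). custom_nat_cidr=None
    means the default NAT CIDR block (the vSwitch CIDR block) is the pool.
    """
    vpc = ipaddress.ip_network(vpc_cidr)
    peer = ipaddress.ip_network(peer_cidr)
    # Example's own check: a peer CIDR inside the VPC would compete with the
    # VPC's local route, so traffic to it would never reach the gateway.
    if peer.overlaps(vpc):
        raise ValueError(f"peer CIDR {peer} overlaps VPC CIDR {vpc}")

    system_rt = []
    if custom_nat_cidr is not None:
        pool = ipaddress.ip_network(custom_nat_cidr)
        # Example's own check: a pool overlapping the VPC would pull traffic for
        # those ECS instances into the gateway via the return route below.
        if pool.overlaps(vpc):
            raise ValueError(f"NAT CIDR block {pool} overlaps VPC CIDR {vpc}")
        # Return traffic is addressed to NAT IPs outside every vSwitch, so the
        # VPC must route the whole pool to the gateway.
        system_rt.append(_entry(pool, "NatGateway", nat_gateway_id))
    # Outbound traffic to the peer enters the gateway for SNAT/DNAT.
    system_rt.append(_entry(peer, "NatGateway", nat_gateway_id))
    # After translation the gateway's vSwitch forwards to the peer device.
    vswitch_rt = [_entry(peer, peer_hop_type, peer_hop_id)]
    return {"system": system_rt, "nat-vswitch": vswitch_rt}


def resolve(entries, vpc_cidr, dst):
    """Longest-prefix match of `dst` over a route table.

    The VPC CIDR is modelled as a local route so VPC-internal traffic stays
    local. Returns "type:id" of the chosen next hop, or None if nothing matches.
    """
    dst = ipaddress.ip_address(dst)
    table = [(ipaddress.ip_network(vpc_cidr), "Local", "vpc")]
    table += [(ipaddress.ip_network(e["destination"]), e["next_hop_type"], e["next_hop_id"])
              for e in entries]
    matches = [(net.prefixlen, kind, hop) for net, kind, hop in table if dst in net]
    if not matches:
        return None
    _, kind, hop = max(matches, key=lambda m: m[0])
    return f"{kind}:{hop}"


if __name__ == "__main__":
    # Placeholder IDs; substitute the real NAT gateway and peer device IDs.
    plan = route_plan("10.0.0.0/16", "192.168.100.0/24", "ngw-example",
                      "VBR", "vbr-example", custom_nat_cidr="172.20.0.0/24")
    for table, entries in plan.items():
        for e in entries:
            print(f"{table:12} {e['destination']:18} -> {e['next_hop_type']}:{e['next_hop_id']}")
    print(resolve(plan["system"], "10.0.0.0/16", "192.168.100.9"))       # NatGateway:ngw-example
    print(resolve(plan["nat-vswitch"], "10.0.0.0/16", "192.168.100.9"))  # VBR:vbr-example
```

The printed plan is the checklist for the console: one entry per line, in the table it belongs to. The `resolve` calls confirm the two hops a packet to the peer takes (VPC system table to the gateway, then the gateway's vSwitch table to the peer device) and, for a custom pool, that return traffic to a NAT IP address lands on the gateway rather than being dropped for lack of a route.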

Modify a VPC NAT gateway

You can modify the name and description of a VPC NAT gateway.

  1. Log on to the NAT Gateway console.
  2. In the left-side navigation pane, choose NAT Gateway > VPC NAT Gateway.
  3. In the top navigation bar, select the region where the VPC NAT gateway is deployed.
  4. On the VPC NAT Gateway page, find the VPC NAT gateway that you want to manage and click the ID of the VPC NAT gateway.
  5. On the Basic Information tab, click Edit next to Instance Name. In the dialog box that appears, enter a new name for the VPC NAT gateway and click OK.
    The name must be 2 to 128 characters in length and can contain letters, digits, underscores (_), and hyphens (-). The name must start with a letter.
  6. Click Edit next to Description. In the dialog box that appears, enter a new description, and click OK.
    The description must be 2 to 256 characters in length and cannot start with http:// or https://.

Delete a NAT CIDR block or a NAT IP address

You can delete a NAT CIDR block or a NAT IP address that you no longer need, subject to the following rules:

  • A custom NAT CIDR block can be deleted only after all of its NAT IP addresses have been deleted.
  • Custom NAT IP addresses in the default NAT CIDR block can be deleted.
  • The default NAT CIDR block and the default NAT IP address cannot be deleted.

  1. Log on to the NAT Gateway console.
  2. In the left-side navigation pane, choose NAT Gateway > VPC NAT Gateway.
  3. In the top navigation bar, select the region where the VPC NAT gateway is deployed.
  4. On the VPC NAT Gateway page, find the VPC NAT gateway that you want to manage and click the ID of the VPC NAT gateway.
  5. Click the NAT IP Address tab. On the left side of the page, find the NAT CIDR block that contains the NAT IP addresses you want to delete. In the NAT IP Address List section, select one or more NAT IP addresses and click Delete in the Actions column.
    Note You cannot delete the default NAT IP address.
  6. In the Delete NAT IP Address message, click OK.
  7. Click Delete next to the CIDR block that you want to delete.
  8. In the Delete CIDR Block message, click OK.

Delete a VPC NAT gateway

You can delete a VPC NAT gateway only if all of the following conditions are met:

  • The VPC NAT gateway does not contain custom NAT CIDR blocks. If it does, first delete the NAT IP addresses in those blocks, and then delete the custom CIDR blocks.
  • The default NAT CIDR block of the VPC NAT gateway does not contain custom NAT IP addresses. If it does, delete them.
  • The DNAT table does not contain DNAT entries. If it does, delete them. For more information, see Delete a DNAT entry.
  • The SNAT table does not contain SNAT entries. If it does, delete them. For more information, see Delete an SNAT entry.
  • Deletion Protection is disabled. You cannot delete a VPC NAT gateway that has Deletion Protection enabled on the Basic Information page; disable it first.

  1. Log on to the NAT Gateway console.
  2. In the left-side navigation pane, choose NAT Gateway > VPC NAT Gateway.
  3. In the top navigation bar, select the region where the VPC NAT gateway is deployed.
  4. On the VPC NAT Gateway page, find the VPC NAT gateway that you want to delete and choose More > Delete in the Actions column.
  5. In the Delete Gateway message, click OK.
    If you want to forcibly delete a VPC NAT gateway together with its resources, select Delete (Delete NAT gateway and resources) in the Delete Gateway dialog box. Forced deletion removes the SNAT entries, DNAT entries, custom NAT IP addresses, and custom NAT CIDR blocks along with the gateway, so you do not need to delete them first; any traffic that depends on those entries stops as soon as the gateway is deleted. Proceed with caution.

What to do next