This topic describes common faults of NAT gateways and provides solutions.

An Elastic Compute Service (ECS) instance is configured with a DNAT entry, but cannot be accessed over the Internet

The issue may arise due to the following reasons:
  • The security group rule does not allow Internet access to the private port of the ECS instance configured in the DNAT entry.

    Check whether the security group rule of the ECS instance allows Internet access to the private port of the ECS instance configured in the DNAT entry. If the security group does not allow Internet access to the private port, open the port. For more information, see Add security group rules.

    You can run the telnet <private IP address of the ECS instance> <private port> command on other ECS instances in the same VPC to check whether the private port configured in the DNAT entry is accessible.
    • If the following message is returned, the private port configured in the DNAT entry can be accessed:
      Connected to <private IP address of the ECS instance>
    • If the following message is returned, the private port configured in the DNAT entry is inaccessible:
      Unable to connect to remote host: Connection timed out
    If the private port cannot be accessed from within the VPC, it cannot be accessed over the Internet either.
  • The route table does not contain a custom route entry whose destination CIDR block is 0.0.0.0/0 and whose next hop is the NAT gateway.

    The ECS instance configured in the DNAT entry needs a route that points to the NAT gateway so that its response packets can be returned to the Internet client. Therefore, check whether the system route table or the custom route table that is associated with the vSwitch of the ECS instance contains such a route entry. If not, add one. For more information, see Add routes to a route table.
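    The telnet check described above can be scripted so that it can be repeated against many DNAT targets. The following is an added example and not part of the original topic: it attempts a TCP connection with a timeout and classifies the outcome the same way the telnet output is read above (connected, refused, or timed out). The host and port are placeholders; the local listener it starts is a constructed stand-in for the ECS private port so that the example runs offline.

```python
import errno
import socket
from typing import Tuple


def probe_tcp_port(host: str, port: int, timeout: float = 3.0) -> str:
    """Attempt a TCP connection and classify the outcome.

    'connected'   -> the port answers (telnet prints "Connected to ...")
    'refused'     -> the host answers but nothing listens on the port (RST)
    'timed out'   -> the SYN is silently dropped, typically by a security group
                     rule or a missing route (telnet prints "Connection timed out")
    'unreachable' -> no route to host, name resolution failure, or other local error
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        # connect_ex returns an errno value instead of raising for most failures
        rc = sock.connect_ex((host, port))
    except socket.timeout:
        return "timed out"
    except OSError:
        return "unreachable"
    finally:
        sock.close()
    if rc == 0:
        return "connected"
    if rc == errno.ECONNREFUSED:
        return "refused"
    # CPython reports an expired connect timeout as EAGAIN/EWOULDBLOCK
    if rc in (errno.ETIMEDOUT, errno.EAGAIN, errno.EWOULDBLOCK):
        return "timed out"
    return "unreachable"


def start_local_listener() -> Tuple[socket.socket, int]:
    """Constructed stand-in for the ECS private port: a loopback listener.

    The kernel completes the TCP handshake from the listen backlog, so no
    accept() call is needed for the probe to report 'connected'.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


def closed_local_port() -> int:
    """Pick a loopback port that was just bound and released, so nothing listens on it."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


if __name__ == "__main__":
    # Replace with <private IP address of the ECS instance> and <private port>
    # when running from another ECS instance in the same VPC.
    srv, open_port = start_local_listener()
    print("open port   :", probe_tcp_port("127.0.0.1", open_port))
    srv.close()
    print("closed port :", probe_tcp_port("127.0.0.1", closed_local_port()))
```

    A "refused" result is still useful information: it shows that the security group and routing let the SYN through and that the problem is the service itself not listening on the configured private port.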

ECS instances attached to a newly created vSwitch in a virtual private cloud (VPC) cannot use SNAT to access the Internet, but ECS instances attached to other vSwitches in the same VPC can use SNAT to access the Internet

The issue may arise due to the following reasons:
  • Existing SNAT entries of the NAT gateway do not contain the CIDR block of the newly created vSwitch.

    A NAT gateway does not automatically create an SNAT entry for a newly created vSwitch. You must check whether the CIDR block of the newly created vSwitch is included in the existing SNAT entries of the NAT gateway. If not, the ECS instances that are attached to the newly created vSwitch cannot access the Internet. You must manually create an SNAT entry for the vSwitch. For more information, see Configure SNAT to access the Internet.

  • The newly created vSwitch is associated with a custom route table, but the custom route table does not contain a custom route entry whose destination CIDR block is 0.0.0.0/0 and whose next hop is the NAT gateway.

    Check whether the custom route table contains such a route entry. If not, add one. For more information, see Add routes to a route table.

Multiple NAT gateways exist in a VPC, and ECS instances in a vSwitch cannot access the Internet

The issue arises when all of the following conditions are met:
  • Only the system route table is used in the VPC.
  • The route table contains only one custom route entry whose destination CIDR block is 0.0.0.0/0, and its next hop is one of the NAT gateways.
  • The CIDR block of the vSwitch is not included in the SNAT entries of the NAT gateway that the preceding route entry points to.

To resolve the issue, use one of the following methods:
  • If you do not need multiple NAT gateways, we recommend that you delete the NAT gateways that are not needed and add SNAT entries to the NAT gateway that you keep.
  • If you need multiple NAT gateways, see Deploy multiple NAT gateways in one VPC.
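The three routing and SNAT causes above (no 0.0.0.0/0 route to the NAT gateway, an SNAT entry that does not cover a newly created vSwitch, and a vSwitch whose SNAT entry lives on a NAT gateway other than the one the route points to) can be checked mechanically from a dump of the route table and SNAT entries. The following added example is not part of the original topic or of the NAT gateway API: it models those objects with constructed data classes (the field names are illustrative, not API field names), performs the longest-prefix route lookup that the VPC router performs, and reports which of the three conditions applies to a given vSwitch CIDR block. The gateway IDs, CIDR blocks and the documentation-range Internet address are all constructed sample values.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Route:
    destination: str     # destination CIDR block, e.g. "0.0.0.0/0"
    next_hop_type: str   # "NatGateway" for routes that point to a NAT gateway
    next_hop_id: str


@dataclass
class RouteTable:
    table_id: str
    routes: List[Route]


@dataclass
class NatGateway:
    gateway_id: str
    snat_cidrs: List[str]  # source CIDR blocks of the gateway's SNAT entries


def match_route(table: RouteTable, dst_ip: str) -> Optional[Route]:
    """Longest-prefix match: the most specific route containing dst_ip wins."""
    dst = ipaddress.ip_address(dst_ip)
    best: Optional[Tuple[int, Route]] = None
    for route in table.routes:
        net = ipaddress.ip_network(route.destination, strict=False)
        if dst in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, route)
    return best[1] if best else None


def snat_covers(gateway: NatGateway, vswitch: ipaddress.IPv4Network) -> bool:
    """True if one of the gateway's SNAT entries contains the whole vSwitch CIDR block."""
    return any(vswitch.subnet_of(ipaddress.ip_network(c, strict=False))
               for c in gateway.snat_cidrs)


def diagnose_snat(vswitch_cidr: str, table: RouteTable, gateways: List[NatGateway],
                  internet_ip: str = "198.51.100.7") -> List[Tuple[str, str]]:
    """Return (code, message) findings for ECS instances in the vSwitch.

    An empty list means a NAT gateway route exists and that gateway has an
    SNAT entry covering the vSwitch. internet_ip is a documentation-range
    address used only to select the route that Internet-bound traffic takes.
    """
    vswitch = ipaddress.ip_network(vswitch_cidr, strict=False)
    route = match_route(table, internet_ip)
    if route is None or route.next_hop_type != "NatGateway":
        return [("NO_NAT_ROUTE",
                 f"route table {table.table_id} has no route for Internet destinations "
                 f"whose next hop is a NAT gateway; add 0.0.0.0/0 -> NAT gateway")]
    gateway = next((g for g in gateways if g.gateway_id == route.next_hop_id), None)
    if gateway is None:
        return [("UNKNOWN_GATEWAY",
                 f"route table {table.table_id} points to {route.next_hop_id}, "
                 f"which is not a NAT gateway in this VPC")]
    if snat_covers(gateway, vswitch):
        return []
    others = [g.gateway_id for g in gateways if g is not gateway and snat_covers(g, vswitch)]
    if others:
        return [("SNAT_ON_OTHER_GATEWAY",
                 f"{vswitch} is covered by SNAT entries on {', '.join(others)}, but the "
                 f"0.0.0.0/0 route points to {gateway.gateway_id}; consolidate the gateways "
                 f"or see Deploy multiple NAT gateways in one VPC")]
    return [("NO_SNAT_ENTRY",
             f"{gateway.gateway_id} has no SNAT entry covering {vswitch}; "
             f"create one for the vSwitch")]


def sample_vpc() -> Tuple[List[NatGateway], RouteTable, RouteTable]:
    """Constructed VPC: two NAT gateways, a system route table whose default route
    points to ngw-1, and a custom route table with no default route at all."""
    gateways = [NatGateway("ngw-1", ["172.16.0.0/24"]),
                NatGateway("ngw-2", ["172.16.2.0/24"])]
    system_table = RouteTable("vtb-system", [
        Route("172.16.0.0/12", "local", "vpc"),
        Route("0.0.0.0/0", "NatGateway", "ngw-1"),
    ])
    custom_table = RouteTable("vtb-custom", [Route("172.16.0.0/12", "local", "vpc")])
    return gateways, system_table, custom_table


if __name__ == "__main__":
    gws, sys_table, cus_table = sample_vpc()
    for cidr, table in [("172.16.0.0/24", sys_table), ("172.16.1.0/24", sys_table),
                        ("172.16.2.0/24", sys_table), ("172.16.1.0/24", cus_table)]:
        print(cidr, table.table_id, diagnose_snat(cidr, table, gws) or "OK")
```

In the constructed VPC, 172.16.0.0/24 is correctly configured, 172.16.1.0/24 is the newly created vSwitch without an SNAT entry, 172.16.2.0/24 shows the multiple-gateway case, and the custom route table shows the missing 0.0.0.0/0 route. Routes are matched with a real Internet address rather than by looking for the literal string 0.0.0.0/0 so that a more specific route to another next hop (for example a firewall instance) is detected as well.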

Exceptions such as connection timeouts and slow download speeds occur when a client, such as an application on an ECS instance, accesses a public service

  • If monitoring data shows that the exceptions occur only occasionally and are not caused by either of the following two reasons, you can enable the traffic monitoring feature to identify the source of the exceptions. This makes troubleshooting more efficient when many ECS instances use the NAT gateway.
    • If you use a pay-by-specification NAT gateway, check whether the number of concurrent connections, the rate of new connections, or other metrics exceed the upper limits of the specification. For more information, see Query monitoring data. If connections are dropped because the upper limits are reached, we recommend that you upgrade the specification of your NAT gateway.
    • View the monitoring data to check whether packets are dropped because the maximum bandwidth value of the EIP associated with your NAT gateway is exceeded. For more information, see Query the monitoring data of EIPs that are associated with NAT gateways. If packets are dropped due to bandwidth limits, we recommend that you increase the maximum bandwidth value of the EIP.
  • If multiple ECS instances that run Linux access a Linux server through the NAT gateway, the Linux kernel on the server may drop TCP connection requests, which leads to connection timeouts or failures. This happens when the server has the net.ipv4.tcp_tw_recycle option enabled: the kernel rejects SYN packets whose TCP timestamps are lower than the last timestamp it recorded for the same source IP address, and clients that share one SNAT address have independent timestamp clocks. We recommend that you disable the Linux net.ipv4.tcp_tw_recycle option on the server or the Linux net.ipv4.tcp_timestamps option on the client.
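    The following added example, which is not part of the original topic, is a simplified model of the per-peer timestamp check that tcp_tw_recycle performs, written to show why two clients behind one SNAT address interfere with each other. The window length is modelled on the kernel's TCP_PAWS_MSL constant (60 seconds); the public IP address and the clients' TSval values are constructed sample values. The model omits everything else about TIME_WAIT handling. Note that tcp_tw_recycle was removed from the Linux kernel in version 4.12, so the option only exists on older kernels.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Modelled on TCP_PAWS_MSL in the Linux kernel: how long (in seconds) the server
# remembers a peer's last TCP timestamp after a connection enters TIME_WAIT.
PAWS_WINDOW_SECONDS = 60


@dataclass
class TwRecycleServer:
    """Simplified model of the listening side with tcp_tw_recycle on or off."""
    tw_recycle: bool
    # peer IP -> (last TSval seen, time it was recorded)
    last_seen: Dict[str, Tuple[int, float]] = field(default_factory=dict)

    def connection_closed(self, peer_ip: str, tsval: Optional[int], now: float) -> None:
        """A connection to peer_ip enters TIME_WAIT; with tw_recycle the kernel
        keeps the peer's most recent timestamp instead of the full socket."""
        if self.tw_recycle and tsval is not None:
            self.last_seen[peer_ip] = (tsval, now)

    def accept_syn(self, peer_ip: str, tsval: Optional[int], now: float) -> bool:
        """Return False if the SYN is dropped by the per-peer timestamp check.

        The check only fires when the server has tw_recycle enabled and the
        client sends timestamps; a SYN without a TSval (client has
        net.ipv4.tcp_timestamps = 0) is never compared.
        """
        if not self.tw_recycle or tsval is None:
            return True
        record = self.last_seen.get(peer_ip)
        if record is None:
            return True
        last_tsval, seen_at = record
        within_window = now - seen_at < PAWS_WINDOW_SECONDS
        return not (within_window and tsval < last_tsval)


def simulate(tw_recycle: bool, client_timestamps: bool) -> List[bool]:
    """Two ECS clients behind the same SNAT address connect to the server in turn.

    Constructed values: one shared public IP, and TSval clocks that differ
    because each client's timestamp counter starts counting at boot.
    Returns whether each client's SYN was accepted.
    """
    nat_public_ip = "203.0.113.5"
    clients = [
        ("ecs-a", 9_000_000),  # long-running instance, high TSval
        ("ecs-b", 1_500),      # freshly booted instance, low TSval
    ]
    server = TwRecycleServer(tw_recycle)
    accepted: List[bool] = []
    now = 0.0
    for _name, tsval in clients:
        ts = tsval if client_timestamps else None
        ok = server.accept_syn(nat_public_ip, ts, now)
        accepted.append(ok)
        if ok:
            # short request, then the server side goes to TIME_WAIT
            server.connection_closed(nat_public_ip, ts, now + 0.5)
        now += 2.0  # second client connects well inside the 60 s window
    return accepted


if __name__ == "__main__":
    print("tw_recycle on,  client timestamps on :", simulate(True, True))
    print("tw_recycle off, client timestamps on :", simulate(False, True))
    print("tw_recycle on,  client timestamps off:", simulate(True, False))
```

    With tw_recycle enabled the second client's SYN is dropped because its timestamp (1500) is lower than the one the server recorded for the shared address (9000000), even though it is a different machine; either of the two settings the topic recommends removes the comparison, which is why both fixes work. On a real server you can confirm the setting with sysctl net.ipv4.tcp_tw_recycle on kernels that still have the option.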