You cannot use the NAT Gateway console to directly change the vSwitch or private IP address of an Internet NAT gateway in a virtual private cloud (VPC). However, you can create a new Internet NAT gateway in the same VPC and modify the route entry whose destination CIDR block is 0.0.0.0/0 so that it points to the new gateway. This way, traffic is routed to the new Internet NAT gateway, which belongs to a different vSwitch and has a different private IP address.

Procedure

This topic describes how to change the vSwitch of an Internet NAT gateway by switching to a new Internet NAT gateway.

Prerequisites

Make sure that the following requirements are met:
  • A VPC named VPC1 is created in the China (Hangzhou) region and vSwitches named VSW1 and VSW2 are created in the VPC. VSW1 is created in Zone B, and VSW2 is created in Zone H. For more information, see Create an IPv4 VPC.
  • An ECS instance named ECS1 is created in VSW1 and no static public IP address is allocated to ECS1. For more information, see Create an instance by using the wizard.
  • An Internet NAT gateway named NAT Gateway A is created in VSW1. An SNAT entry is created for VPC1, and a DNAT entry that uses port mapping is configured. In the DNAT entry, the private IP address is set to the private IP address of ECS1, the public port and the private port are both set to 22, and the protocol type is set to TCP.

Step 1: Check whether NAT Gateway A works as expected

  1. Log on to ECS1 in VSW1. For more information, see Connection methods.
  2. Run the ping command against an Internet host to check the network connectivity.
    The check result shows that ECS1 can access the Internet.
  3. Run the curl myip.ipip.net command to query the public IP address that ECS1 uses to access the Internet.
    The query result shows that the public IP address that ECS1 uses to access the Internet is the same as the elastic IP address (EIP) configured in the SNAT entry of NAT Gateway A. This indicates that ECS1 accesses the Internet by using the SNAT feature of NAT Gateway A.
  4. Log on to an on-premises Linux machine.
  5. Run the ssh root@<public IP address> command, where <public IP address> is the EIP configured in the DNAT entry of NAT Gateway A. Then, enter the password of ECS1 and check whether you can connect to ECS1.
    If the message Welcome to Alibaba Cloud Elastic Compute Service! appears, you are connected to ECS1. This indicates that ECS1 can receive requests from the Internet by using the DNAT feature of NAT Gateway A.

Step 2: Create NAT Gateway B and associate an EIP with NAT Gateway B

  1. Log on to the NAT Gateway console.
  2. On the Public NAT Gateway page, click Create NAT Gateway.
  3. On the NAT Gateway (Pay-As-You-Go) page, set the following parameters and click Buy Now.
    • Region and Zone: Select the region where you want to deploy the Internet NAT gateway. In this example, China (Hangzhou) is selected.
    • Zone: Select the zone where you want to deploy the Internet NAT gateway. In this example, Hangzhou Zone H is selected.
    • VPC ID: Select the VPC where you want to deploy the Internet NAT gateway. In this example, VPC1 is selected.
    • VSwitch ID: Select the vSwitch to which the Internet NAT gateway is attached. In this example, VSW2 is selected.
    • Gateway Type: By default, Enhanced is selected.
    • Billing Method: By default, Pay by Actual Usage is selected. Pay-as-you-go Internet NAT gateways support only the pay-by-actual-usage metering method.
    • Billing Cycle: By default, By Hour is selected.
  4. On the Confirm Order page, confirm the information, select the Terms of Service check box, and then click Activate Now.
    When the message Order complete appears, the purchase is completed.
  5. On the Internet NAT Gateway page, find the Internet NAT gateway that you created, which is named NAT Gateway B in this example, and click Associate Now in the Elastic IP Address column.
  6. In the Associate EIP dialog box, set the following parameters and click OK.

    EIPs: Select the EIP that you want to associate with the Internet NAT gateway. In this example, Purchase EIPs is selected.

Step 3: Create an SNAT entry and a DNAT entry on NAT Gateway B

Create an SNAT entry and a DNAT entry on NAT Gateway B in the same way as you configured them for NAT Gateway A. The only difference is the public IP address: the EIP that you specify for NAT Gateway B must be the EIP associated with NAT Gateway B in Step 2, which is different from the EIP of NAT Gateway A.

  1. Log on to the NAT Gateway console.
  2. In the top navigation bar, select the region where NAT Gateway B is deployed. In this example, China (Hangzhou) is selected.
  3. On the Public NAT Gateway page, find NAT Gateway B and click Configure SNAT in the Actions column.
  4. On the SNAT Management tab, click Create SNAT Entry.
  5. On the Create SNAT Entry page, set the parameters and click Confirm.
    • SNAT Entry: Specify the application scope of the SNAT entry. In this example, Specify VPC is selected. All ECS instances in VPC1 can access the Internet by using the SNAT entry.
    • Select Public IP Address: Select the EIP that is used to access the Internet. In this example, Use One IP address is selected and the EIP associated with NAT Gateway B is selected from the drop-down list.
    • Entry Name: Enter a name for the SNAT entry.

      The name must be 2 to 128 characters in length, and can contain digits, underscores (_), and hyphens (-). It must start with a letter.

  6. Go back to the Internet NAT Gateway page, find NAT Gateway B and click Configure DNAT in the Actions column.
  7. On the DNAT Management tab, click Create DNAT Entry.
  8. On the Create DNAT Entry page, set the following parameters and click Confirm.
    • Select Public IP Address: Select the EIP that is used to communicate with the Internet. In this example, the EIP associated with NAT Gateway B is selected.
    • Select Private IP Address: Specify the ECS instance that uses the DNAT entry to communicate with the Internet. In this example, Select by ECS or ENI is selected and ECS1 is selected from the drop-down list.
    • Port Settings: Select a DNAT mapping method. In this example, Specific Port, which specifies port mapping, is selected. Public Port is set to 22, Private Port is set to 22, and Protocol Type is set to TCP.
    • Entry Name: Enter a name for the DNAT entry.

      The name must be 2 to 128 characters in length, and can contain digits, underscores (_), and hyphens (-). It must start with a letter.

Step 4: Modify the custom route entry in the system route table

After you create the first Internet NAT gateway in a VPC, a route entry is automatically added to the system route table of the VPC. The destination CIDR block of the route entry is 0.0.0.0/0 and the next hop is that Internet NAT gateway, so Internet-bound traffic is routed to it. When you create NAT Gateway B as a second gateway, the VPC does not automatically add or update a 0.0.0.0/0 route entry whose next hop is NAT Gateway B, so NAT Gateway B receives no traffic. You must replace the route entry whose destination CIDR block is 0.0.0.0/0 with one whose next hop is NAT Gateway B. This way, traffic is routed to NAT Gateway B instead of NAT Gateway A.

  1. Log on to the VPC console.
  2. In the left-side navigation pane, click Route Tables.
  3. In the top navigation bar, select the region to which the route table belongs.
  4. On the Route Tables page, find the route table of VPC1 and click its ID.
  5. Choose Route Entry List > Custom, find the custom route entry whose destination CIDR block is 0.0.0.0/0 and whose next hop points to NAT Gateway A, and then click Delete in the Actions column.
  6. In the Delete Route Entry message, click OK.
  7. Click Add Route Entry. In the Add Route Entry panel, set the following parameters and click OK.
    • Name: Enter a name for the route entry.

      The name must be 2 to 128 characters, and can contain digits, underscores (_), and hyphens (-). The name must start with a letter.

    • Destination CIDR Block: Enter the destination CIDR block. 0.0.0.0/0 is entered in this example.
    • Next Hop Type: Select the next hop type. In this example, NAT Gateway is selected.
    • NAT Gateway: Select the NAT gateway that the next hop points to. In this example, NAT Gateway B is selected.
    Note Between deleting the old route entry and creating the new one, VPC1 has no 0.0.0.0/0 route, so Internet access from ECS1 through SNAT is interrupted. Existing connections, including any SSH session you opened through the DNAT entry in Step 1, do not survive the change and resume only after you reestablish them. We recommend that you modify the route entry during off-peak hours.

Step 5: Check the network connectivity

Check whether ECS instances use NAT Gateway B instead of NAT Gateway A to communicate with the Internet.

In this example, you change the vSwitch of a NAT gateway by switching to a new NAT gateway. During this process, you also change the private IP address of the NAT gateway. If you only want to change the private IP address of a NAT gateway, you can perform the same steps with a new NAT gateway in the same vSwitch. This procedure does not delete NAT Gateway A or its SNAT and DNAT entries. After you confirm that traffic uses NAT Gateway B, delete the DNAT entry on NAT Gateway A, or release NAT Gateway A, so that port 22 of ECS1 is no longer published on the old EIP, and update any allowlists on remote systems that reference the old EIP, because the public IP address that ECS1 uses to access the Internet has changed.

  1. Log on to ECS1 in VSW1.
  2. Run the ping command against an Internet host to check the network connectivity.
    The check result shows that ECS1 can access the Internet.
  3. Run the curl myip.ipip.net command to check the public IP address that ECS1 uses to access the Internet.
    The query result shows that the public IP address that ECS1 uses to access the Internet is the same as the elastic IP address (EIP) configured in the SNAT entry of NAT Gateway B. This indicates that ECS1 accesses the Internet by using the SNAT feature of NAT Gateway B.
  4. Log on to an on-premises Linux machine.
  5. Run the ssh root@<public IP address> command, where <public IP address> is the EIP configured in the DNAT entry of NAT Gateway B. Then, enter the password of ECS1 and check whether you can connect to ECS1.
    If the message Welcome to Alibaba Cloud Elastic Compute Service! appears, you are connected to ECS1. This indicates that ECS1 uses the DNAT feature of NAT Gateway B to receive requests from the Internet.
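The checks in Step 1 and Step 5 can be scripted so that the same verification runs before and after the route change in Step 4 and also catches the case where the old EIP is still publishing port 22. The script below is an added example and is not part of this topic or of any Alibaba Cloud tooling. It assumes that the EIP values are placeholders from the TEST-NET-3 range (203.0.113.0/24) that you replace with the EIPs of NAT Gateway A and NAT Gateway B, that www.aliyun.com is an acceptable ping target, and that the response of myip.ipip.net contains the egress address as the first dotted-quad in the text. The egress part is run on ECS1, the inbound part on the on-premises Linux machine.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): scripted cutover checks for
# Step 1 and Step 5, plus the cleanup caveat after Step 4.
# Placeholder EIPs below are TEST-NET-3 addresses; replace them with the
# EIPs of NAT Gateway A (old) and NAT Gateway B (new).

# extract_ipv4 TEXT: print the first dotted-quad found in TEXT, for example
# from a myip.ipip.net response such as "当前 IP：203.0.113.20  来自于：中国 浙江 杭州".
extract_ipv4() {
  printf '%s' "$1" | grep -aoE '([0-9]{1,3}\.){3}[0-9]{1,3}' | head -n 1
}

# classify_egress NEW_EIP OLD_EIP RESPONSE: print one of
#   switched   egress address is NAT Gateway B's EIP (cutover complete)
#   unchanged  egress address is still NAT Gateway A's EIP (route not updated)
#   unknown    no address or an unexpected one (investigate before continuing)
classify_egress() {
  local new_eip="$1" old_eip="$2" seen
  seen="$(extract_ipv4 "$3")"
  if [ -n "$seen" ] && [ "$seen" = "$new_eip" ]; then
    echo switched
  elif [ -n "$seen" ] && [ "$seen" = "$old_eip" ]; then
    echo unchanged
  else
    echo unknown
  fi
}

# ssh_banner HOST: print the SSH version string HOST returns on TCP/22, or
# nothing if the port does not answer within 5 seconds. Reading the banner
# proves the DNAT mapping works without sending a password.
ssh_banner() {
  timeout 5 bash -c 'exec 3<>"/dev/tcp/$0/22"; IFS= read -r line <&3; printf "%s" "$line"' "$1" 2>/dev/null
}

# check_egress_from_ecs NEW_EIP OLD_EIP: Step 5.2 and 5.3, run on ECS1.
check_egress_from_ecs() {
  local new_eip="$1" old_eip="$2" verdict
  ping -c 3 -W 2 www.aliyun.com >/dev/null 2>&1 || { echo "ping failed: no Internet path from ECS1"; return 1; }
  verdict="$(classify_egress "$new_eip" "$old_eip" "$(curl -s --max-time 5 myip.ipip.net)")"
  echo "egress address: $verdict"
  [ "$verdict" = switched ]
}

# check_inbound_from_onprem NEW_EIP OLD_EIP: Step 5.5, run on the on-premises host.
check_inbound_from_onprem() {
  local new_eip="$1" old_eip="$2"
  case "$(ssh_banner "$new_eip")" in
    SSH-*) echo "inbound via new EIP: SSH banner received (DNAT on NAT Gateway B works)" ;;
    *) echo "inbound via new EIP: no SSH banner; check the DNAT entry on NAT Gateway B and the security group of ECS1"; return 1 ;;
  esac
  # NAT Gateway A's DNAT entry is not removed by the procedure, so the old EIP
  # keeps publishing port 22 until you delete that entry or release the gateway.
  case "$(ssh_banner "$old_eip")" in
    SSH-*) echo "WARNING: old EIP still answers on port 22; delete the DNAT entry on NAT Gateway A" ;;
    *) echo "old EIP no longer answers on port 22" ;;
  esac
}

# Usage (live checks only run when explicitly requested):
#   ./cutover-check.sh --egress  203.0.113.20 203.0.113.10   # on ECS1
#   ./cutover-check.sh --inbound 203.0.113.20 203.0.113.10   # on the on-premises host
case "${1:-}" in
  --egress)  check_egress_from_ecs "${2:?new EIP}" "${3:?old EIP}" ;;
  --inbound) check_inbound_from_onprem "${2:?new EIP}" "${3:?old EIP}" ;;
esac
```

Run the egress check once before Step 4 (expect unchanged) and again after it (expect switched); a verdict of unknown after the change usually means the SNAT entry on NAT Gateway B references a different EIP than the one you are comparing against. The inbound check deliberately reads only the SSH banner instead of logging in as root with a password, so it can be run from a monitoring host without credentials.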