
NAT Gateway:Switch to another Internet NAT gateway in the same VPC

Last Updated:Dec 01, 2025

You cannot directly switch network traffic to another Internet NAT gateway in the same virtual private cloud (VPC) using the NAT Gateway console. However, you can create a new Internet NAT gateway in the same VPC and modify the route whose destination CIDR block is 0.0.0.0/0. This allows you to switch to a new Internet NAT gateway that belongs to a different vSwitch or uses a different private IP address.

Procedure

This topic describes how to switch to an Internet NAT gateway in a different vSwitch in the same VPC.

Prerequisites

Before you start, make sure that the following requirements are met:

  • A VPC named VPC1 is created in the China (Hangzhou) region and vSwitches named VSW1 and VSW2 are created in the VPC. VSW1 is created in Zone B, and VSW2 is created in Zone H. For more information, see Create a VPC with an IPv4 CIDR block.

  • An Elastic Compute Service (ECS) instance named ECS1 is created in VSW1 and no static public address is allocated to ECS1. For more information, see Create an instance on the Custom Launch tab.

  • An Internet NAT gateway (Internet NAT Gateway A) is created in VSW1. An SNAT entry is created for VPC1. A DNAT entry that uses port mapping is configured. In the DNAT entry, the private IP address is set to the private IP address of ECS1, the public port and the private port are set to 22, and the protocol is set to TCP.

Step 1: Check whether NAT Gateway A works as expected

  1. Log on to ECS1 in VSW1. For more information, see Connection methods.

  2. Run the ping command to test the network connectivity.

  3. Run the curl myip.ipip.net command to query the public IP address that ECS1 uses to access the Internet.

    The query result shows that the public IP address that ECS1 uses to access the Internet is the same as the elastic IP address (EIP) configured in the SNAT entry of NAT Gateway A. This indicates that ECS1 accesses the Internet by using the SNAT feature of NAT Gateway A.

  4. Log on to an on-premises Linux machine.

  5. Run the ssh root@<public IP address> command, where <public IP address> is the EIP configured in the DNAT entry of NAT Gateway A. Then, enter the password of ECS1 and check whether you can connect to ECS1.

    If Welcome to Alibaba Cloud Elastic Compute Service! is returned, ECS1 uses the DNAT feature of NAT Gateway A to provide services over the Internet.

Step 2: Create NAT Gateway B and associate an EIP with NAT Gateway B

In this example, NAT Gateway B is attached to VSW2.

  1. Log on to the NAT Gateway console.

  2. On the Internet NAT Gateway page, click Create Internet NAT Gateway.

  3. On the NAT Gateway page, configure the following settings and click Buy Now.

    Region: Select the region where you want to create the Internet NAT gateway.

    Network and Zone: Select the VPC and vSwitch to which the NAT gateway belongs. After the NAT gateway is created, you cannot change the VPC or vSwitch.

    Network Type: In this example, Internet NAT Gateway is selected.

    • Internet NAT Gateway: provides Network Address Translation capabilities and can be associated with EIPs to allow ECS instances to access the Internet, enabling communication between private and public networks.

    • VPC NAT Gateway: also provides Network Address Translation capabilities but cannot be associated with EIPs. It only translates addresses within private networks for ECS instances, which suits scenarios such as hiding internal addresses and avoiding address conflicts.

    EIP: In this example, Purchase EIP is selected.

    • Select EIP: Select an EIP that is not associated with an instance.

    • Purchase EIP: By default, a pay-by-traffic BGP (Multi-ISP) EIP is created. You can select a Maximum Bandwidth based on your business requirements.

      Note
      • If you want to associate an EIP that uses a different line type or billing method, apply for the EIP first, and then choose Select EIP to associate it.

      • Each EIP that you associate with a NAT gateway occupies a private IP address of the vSwitch to which the NAT gateway belongs. Make sure that the vSwitch has sufficient available private IP addresses. Otherwise, you cannot associate new EIPs with the NAT gateway.

    • Configure Later: The NAT gateway is created without Internet access. You must manually associate an EIP with it later.

Step 3: Create an SNAT entry and a DNAT entry on NAT Gateway B

Create an SNAT entry and a DNAT entry on NAT Gateway B, configured in the same way as the SNAT entry and DNAT entry on NAT Gateway A, except that the EIP that you specify for NAT Gateway B must be different from the EIP that you specify for NAT Gateway A.

  1. Log on to the NAT Gateway console.
  2. In the top navigation bar, select the region where you want to create the NAT gateway.
  3. On the Internet NAT Gateway page, find the NAT gateway that you want to manage and click Configure SNAT in the Actions column.
  4. On the SNAT tab, click Create SNAT Entry.

  5. On the Create SNAT Entry page, set the following parameters and click OK.

    SNAT Entry: In this example, Specify VPC is selected. You can select an SNAT entry type based on your business requirements.

    • Specify VPC: Suitable for scenarios where all ECS instances in the VPC, along with ECS instances in other VPCs or data centers that are connected through CEN or dedicated lines and have 0.0.0.0/0 routes pointing to this VPC, need to access the Internet through the same EIP.

    • Specify vSwitch: Suitable for scenarios where fine-grained control over Internet access is required, allowing only specified vSwitches to have Internet access capabilities.

    • Specify ECS Instance/ENI: Suitable for scenarios where fine-grained control over Internet access is required, allowing only specified ECS instances or elastic network interfaces (ENIs) to have Internet access capabilities.

    • Specify Custom CIDR Block: Suitable for scenarios where you need to flexibly specify any IP CIDR block to configure Internet access capabilities through the NAT gateway. This can cover various network environments within a VPC, across VPCs, or across on-premises data centers, meeting the requirements of complex or customized network structures.

    Note

    If you select multiple vSwitches or ECS instances/ENIs, multiple SNAT entries are created that use the same public IP address.

    Select EIP: Select the EIP that is used to access the Internet.

  6. Go back to the Internet NAT Gateway page, find NAT Gateway B, and click Configure DNAT in the Actions column.

  7. On the DNAT tab, click Create DNAT Entry.

  8. On the Create DNAT Entry page, set the following parameters and click OK.

    Select EIP: Select an EIP that is used to provide Internet-facing services. In this example, the EIP associated with NAT Gateway B is selected.

    Select Private IP Address: Select the ECS instance that uses the DNAT entry to provide Internet-facing services. In this example, Select by ECS or ENI is selected and ECS1 is selected from the drop-down list.

    Port Settings: Select a DNAT mapping method. In this example, Custom Port is selected. Public Port is set to 22, Private Port is set to 22, and Protocol is set to TCP.

    Entry Name: Enter a name for the DNAT entry. The name must be 2 to 128 characters in length, and can contain digits, underscores (_), and hyphens (-). The name must start with a letter.

Step 4: Modify the custom route in the system route table

After you create the first Internet NAT gateway in a VPC, a route is automatically added to the route table of the VPC. The destination CIDR block of the route is 0.0.0.0/0 and the next hop is the Internet NAT gateway. This ensures that network traffic is routed to the Internet NAT gateway. After you create NAT Gateway B, the system does not add a route whose destination CIDR block is 0.0.0.0/0 and whose next hop is NAT Gateway B to the system route table. Therefore, network traffic cannot be routed to NAT Gateway B. You must modify the route whose destination CIDR block is 0.0.0.0/0 by specifying NAT Gateway B as the next hop. This way, network traffic is routed to NAT Gateway B instead of NAT Gateway A.

  1. Log on to the VPC console.

  2. In the left-side navigation pane, click Route Tables.

  3. In the top navigation bar, select the region to which the route table belongs.

  4. On the Route Tables page, find the route table of VPC1 and click its ID.

  5. Choose Route Entry List > Custom Route, find the custom route whose destination CIDR block is 0.0.0.0/0 and whose next hop is NAT Gateway A, and then click Delete in the Actions column.

  6. In the Delete Route Entry dialog box, click OK.

  7. Click Add Route Entry. In the Add Route Entry panel, set the following parameters and click OK.

    Name: Enter a name for the route entry. The name must be 2 to 128 characters in length, and can contain digits, hyphens (-), and underscores (_). The name must start with a letter.

    Destination CIDR Block: Enter the destination CIDR block. In this example, IPv4 CIDR Block is selected and 0.0.0.0/0 is entered.

    Next Hop Type: Select a next hop type. In this example, NAT Gateway is selected.

    NAT Gateway: Select a NAT gateway as the next hop. In this example, NAT Gateway B is selected.

    Note

    After the route is created, existing connections can resume only after your workloads are reconnected. We recommend that you create the route during off-peak hours.
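Step 4 performed with the Alibaba Cloud CLI instead of the console, as an added example that is not part of this topic: it removes the 0.0.0.0/0 route that points at NAT Gateway A, adds one that points at NAT Gateway B, and reads the route back to confirm the next hop. It assumes the VPC API operations DeleteRouteEntry, CreateRouteEntry and DescribeRouteEntryList as exposed by the aliyun CLI; the region, route table ID and gateway IDs are placeholders, and the commands are only printed unless DRY_RUN=0.

```shell
#!/bin/sh
# Added example (not from the Alibaba Cloud topic). Swaps the 0.0.0.0/0 route
# from NAT Gateway A to NAT Gateway B with the aliyun CLI and verifies the result.
# All IDs are placeholders; replace them with the values from your own VPC.
REGION="${REGION:-cn-hangzhou}"
ROUTE_TABLE_ID="${ROUTE_TABLE_ID:-vtb-PLACEHOLDER}"
NAT_A_ID="${NAT_A_ID:-ngw-PLACEHOLDER-A}"
NAT_B_ID="${NAT_B_ID:-ngw-PLACEHOLDER-B}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the commands only; 0 = execute them

# Command that removes the 0.0.0.0/0 route whose next hop is the given gateway.
delete_default_route_cmd() {
    printf 'aliyun vpc DeleteRouteEntry --RegionId %s --RouteTableId %s --DestinationCidrBlock 0.0.0.0/0 --NextHopId %s' \
        "$REGION" "$ROUTE_TABLE_ID" "$1"
}

# Command that adds the 0.0.0.0/0 route with the given NAT gateway as next hop.
# The entry name follows the naming rule in the topic (starts with a letter).
create_default_route_cmd() {
    printf 'aliyun vpc CreateRouteEntry --RegionId %s --RouteTableId %s --DestinationCidrBlock 0.0.0.0/0 --NextHopType NatGateway --NextHopId %s --RouteEntryName to-nat-b' \
        "$REGION" "$ROUTE_TABLE_ID" "$1"
}

# Extracts the first NextHopId from the JSON that DescribeRouteEntryList
# returns for the 0.0.0.0/0 entry (assumed response shape).
default_route_next_hop() {
    printf '%s\n' "$1" | grep -oE '"NextHopId": *"[^"]+"' | head -n1 | sed -E 's/.*"([^"]+)"$/\1/'
}

run() {
    if [ "$DRY_RUN" = 1 ]; then echo "DRY RUN: $1"; else sh -c "$1"; fi
}

# Same order as the console procedure: delete the old route, then add the new
# one. Between the two calls ECS1 has no Internet egress, which is why the
# topic recommends doing this during off-peak hours.
run "$(delete_default_route_cmd "$NAT_A_ID")"
run "$(create_default_route_cmd "$NAT_B_ID")"

if [ "$DRY_RUN" != 1 ]; then
    json=$(aliyun vpc DescribeRouteEntryList --RegionId "$REGION" --RouteTableId "$ROUTE_TABLE_ID" --DestinationCidrBlock 0.0.0.0/0)
    if [ "$(default_route_next_hop "$json")" = "$NAT_B_ID" ]; then
        echo "default route now points at $NAT_B_ID"
    else
        echo "WARNING: default route does not point at $NAT_B_ID; check the route table"
    fi
fi
```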

Step 5: Test network connectivity

Check whether ECS instances use NAT Gateway B instead of NAT Gateway A to communicate with the Internet. In this example, you switch to an Internet NAT gateway that belongs to a different vSwitch and has a different private IP address. If you want to switch to an Internet NAT gateway that uses a different private IP address in the same vSwitch, you can also refer to the procedure in this topic.

  1. Log on to ECS1 in VSW1.

  2. Run the ping command to test the network connectivity.

  3. Run the curl myip.ipip.net command to query the public IP address that ECS1 uses to access the Internet.

    The query result shows that the public IP address that ECS1 uses to access the Internet is the same as the EIP configured in the SNAT entry of NAT Gateway B. This indicates that ECS1 accesses the Internet by using the SNAT feature of NAT Gateway B.

  4. Log on to an on-premises Linux machine.

  5. Run the ssh root@<public IP address> command, where <public IP address> is the EIP configured in the DNAT entry of NAT Gateway B. Then, enter the password of ECS1 and check whether you can connect to ECS1.

    If Welcome to Alibaba Cloud Elastic Compute Service! is returned, ECS1 can use the DNAT feature of NAT Gateway B to provide services over the Internet.