Alibaba Cloud has released virtual private cloud (VPC) NAT gateways. A VPC NAT gateway lets you create custom SNAT and DNAT entries that translate private IP addresses to NAT IP addresses. This way, multiple networks in a hybrid cloud can access each other by using static IP addresses, and VPCs that have conflicting CIDR blocks can also access each other through VPC NAT gateways.

Introduction

VPC NAT gateways provide NAT services to Elastic Compute Service (ECS) instances in a VPC. The ECS instances can use the NAT IP addresses to access your data center or other VPCs, or provide services to external networks.

To purchase a VPC NAT gateway, submit a ticket.

Scenarios

  • Allow multiple networks in a hybrid cloud to access each other by using static IP addresses
    As finance and securities companies expand their business on the cloud, they often build multiple private networks that must communicate with each other, and regulators may require that these networks reach each other by using static private IP addresses. The SNAT and DNAT features of VPC NAT gateways let multiple private networks access each other through fixed NAT IP addresses instead of their underlying private addresses.
    (Figure: Mutual access between multiple networks in a hybrid cloud)
  • Allow VPCs that have conflicting CIDR blocks to access each other
    Due to early network planning or business consolidation, you may need two VPCs that have conflicting CIDR blocks to communicate with each other. Create a VPC NAT gateway for each VPC and configure a NAT IP address on each gateway; the two NAT IP addresses must not conflict with each other. One VPC uses an SNAT entry to translate the source addresses of its instances to its NAT IP address, which allows it to reach the other VPC. The other VPC uses a DNAT entry so that its NAT IP address receives requests on behalf of a private IP address behind it. Traffic between the two VPCs then carries only the NAT IP addresses, so the conflicting private addresses never appear on the path.
    (Figure: Mutual access between VPCs)

Billing method

VPC NAT gateways support the pay-as-you-go billing method. For more information, see VPC NAT gateway billing.

Pay-as-you-go VPC NAT gateways provide high and stable performance that can withstand traffic spikes.

Specification                                   Maximum connections   Maximum new connections   Throughput
Default                                         2,000,000             100,000                   5 Gbps
Maximum quota (apply by submitting a ticket)    10,000,000            1,000,000                 100 Gbps

Limits

Limits on instances

Item                                                                  Limit                                  Quota increase
Number of VPC NAT gateways that you can create for a VPC              5                                      Submit a ticket.
Number of NAT CIDR blocks that you can create for a VPC NAT gateway   50 (default NAT CIDR block included)   N/A
Number of IP addresses that can be included in a NAT CIDR block       50                                     N/A

Limits on SNAT

Item                                                           Limit   Quota increase
Number of SNAT entries that you can add to a VPC NAT gateway   40      Go to the Quota Management page to request a quota increase. For more information, see Manage quotas.
Number of IP addresses that you can specify in an SNAT entry   1       N/A

Limits on DNAT

Item                                                           Limit   Quota increase
Number of DNAT entries that you can add to a VPC NAT gateway   100     Go to the Quota Management page to request a quota increase. For more information, see Manage quotas.

Procedure

To use a VPC NAT gateway, perform the following steps:
  1. Create a VPC NAT gateway:
    1. Select the region and the VPC that requires private address translation.
    2. Select the vSwitch in which to deploy the VPC NAT gateway. This vSwitch must be different from the vSwitch in which the ECS instances that use the gateway are deployed. To simplify route configuration, we recommend that you use a dedicated vSwitch for the VPC NAT gateway.
  2. Configure routes:
    1. Create a custom route table, associate it with the vSwitch of the VPC NAT gateway, and add a route entry for the destination network to that table. Translated traffic leaving the gateway is forwarded according to this table.
    2. In the system route table, which the ECS vSwitch uses unless you associate a custom table with it, add a route entry whose destination is the network that you want to reach and whose next hop is the VPC NAT gateway. This route steers ECS traffic through the gateway for translation.
  3. Configure SNAT entries or DNAT entries:
    1. Create a NAT IP address or use the default NAT IP address, based on your business requirements.
    2. When you create an SNAT entry, specify the source whose addresses are translated: a VPC, a vSwitch, an ECS instance, or a custom CIDR block. When you create a DNAT entry, specify the private IP address that receives the requests sent to the NAT IP address.
    For more information, see Create SNAT entries to translate source private IP addresses or Create DNAT entries to translate destination private IP addresses.
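The conflicting-CIDR scenario above and the SNAT/DNAT configuration step are easiest to reason about with a small planning check before anything is created in the console. The following script is an added example and is not Alibaba Cloud code: it models two VPC NAT gateways for two VPCs that share the same CIDR block, verifies the plan against the limits quoted on this page (50 addresses per NAT CIDR block, 40 SNAT entries, 1 IP address per SNAT entry, 100 DNAT entries) and against the rule that the two NAT IP ranges must not conflict, then simulates how one packet is rewritten by the SNAT entry on one side and the DNAT entry on the other. It goes slightly beyond the page's description, which gives one VPC the SNAT entry and the other the DNAT entry, by giving both gateways both kinds of entry so the flow can be followed in either direction. The 192.168.0.0/16 VPC CIDR, the 100.64.x.x NAT CIDR blocks and all IP addresses are constructed for the example, and the check that a NAT CIDR block must not overlap either VPC's own CIDR is an assumption of this example, not a statement from the page.

```python
"""Sanity-check a two-gateway plan for VPCs with conflicting CIDR blocks and
simulate how SNAT and DNAT rewrite a flow between them.

Added example, not Alibaba Cloud code. Limits are the ones quoted on the page;
the CIDR blocks, NAT IP addresses and private IP addresses are constructed."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network

# Per-gateway limits quoted on the page.
MAX_IPS_PER_NAT_CIDR = 50
MAX_SNAT_ENTRIES = 40
MAX_DNAT_ENTRIES = 100


@dataclass
class GatewayPlan:
    """One VPC NAT gateway: the VPC it serves, its NAT CIDR block and entries."""
    name: str
    vpc_cidr: IPv4Network
    nat_cidr: IPv4Network
    # SNAT: source private CIDR -> the single NAT IP it is translated to
    snat: dict[IPv4Network, IPv4Address] = field(default_factory=dict)
    # DNAT: NAT IP that receives requests -> private IP behind it
    dnat: dict[IPv4Address, IPv4Address] = field(default_factory=dict)


def validate(a: GatewayPlan, b: GatewayPlan) -> list[str]:
    """Return the problems found in a pair of plans; an empty list means OK."""
    problems: list[str] = []
    # Page: the two NAT IP ranges must not conflict with each other.
    if a.nat_cidr.overlaps(b.nat_cidr):
        problems.append("NAT CIDR blocks of the two gateways overlap")
    for gw, peer in ((a, b), (b, a)):
        # Assumption (not stated on the page): a NAT IP that falls inside
        # either VPC's CIDR would be routed locally, never to the gateway.
        if gw.nat_cidr.overlaps(gw.vpc_cidr) or gw.nat_cidr.overlaps(peer.vpc_cidr):
            problems.append(f"{gw.name}: NAT CIDR {gw.nat_cidr} overlaps a VPC CIDR")
        if gw.nat_cidr.num_addresses > MAX_IPS_PER_NAT_CIDR:
            problems.append(f"{gw.name}: NAT CIDR holds more than {MAX_IPS_PER_NAT_CIDR} addresses")
        if len(gw.snat) > MAX_SNAT_ENTRIES:
            problems.append(f"{gw.name}: more than {MAX_SNAT_ENTRIES} SNAT entries")
        if len(gw.dnat) > MAX_DNAT_ENTRIES:
            problems.append(f"{gw.name}: more than {MAX_DNAT_ENTRIES} DNAT entries")
        for src, nat_ip in gw.snat.items():
            if not src.subnet_of(gw.vpc_cidr):
                problems.append(f"{gw.name}: SNAT source {src} is outside the VPC")
            if nat_ip not in gw.nat_cidr:
                problems.append(f"{gw.name}: SNAT IP {nat_ip} is not in the NAT CIDR")
        for nat_ip, private_ip in gw.dnat.items():
            if nat_ip not in gw.nat_cidr:
                problems.append(f"{gw.name}: DNAT IP {nat_ip} is not in the NAT CIDR")
            if private_ip not in gw.vpc_cidr:
                problems.append(f"{gw.name}: DNAT target {private_ip} is outside the VPC")
    return problems


def translate(a: GatewayPlan, b: GatewayPlan, src: str, dst: str) -> tuple[str, str]:
    """Follow one packet from ECS `src` in VPC a to NAT IP `dst` owned by b's
    gateway: a's SNAT rewrites the source, b's DNAT rewrites the destination.
    Returns (source as seen inside VPC b, private address it is delivered to)."""
    src_ip, dst_ip = ip_address(src), ip_address(dst)
    snat_ip = next((ip for cidr, ip in a.snat.items() if src_ip in cidr), None)
    if snat_ip is None:
        raise ValueError(f"{a.name}: no SNAT entry covers {src_ip}")
    if dst_ip not in b.dnat:
        raise ValueError(f"{b.name}: no DNAT entry for {dst_ip}")
    return str(snat_ip), str(b.dnat[dst_ip])


# Constructed scenario: both VPCs were planned with the same 192.168.0.0/16.
SHARED_CIDR = ip_network("192.168.0.0/16")
VPC_A = GatewayPlan(
    "vpc-a", SHARED_CIDR, ip_network("100.64.0.0/27"),
    snat={ip_network("192.168.1.0/24"): ip_address("100.64.0.5")},
    dnat={ip_address("100.64.0.9"): ip_address("192.168.1.10")},
)
VPC_B = GatewayPlan(
    "vpc-b", SHARED_CIDR, ip_network("100.64.1.0/27"),
    snat={SHARED_CIDR: ip_address("100.64.1.5")},
    dnat={ip_address("100.64.1.10"): ip_address("192.168.1.20")},
)


def conflicting_plan_problems() -> list[str]:
    """A deliberately bad plan: vpc-c reuses vpc-a's NAT CIDR block."""
    vpc_c = GatewayPlan("vpc-c", SHARED_CIDR, ip_network("100.64.0.0/27"))
    return validate(VPC_A, vpc_c)


if __name__ == "__main__":
    print("problems:", validate(VPC_A, VPC_B) or "none")
    print("A -> B:", translate(VPC_A, VPC_B, "192.168.1.10", "100.64.1.10"))
    print("B -> A:", translate(VPC_B, VPC_A, "192.168.1.20", "100.64.0.9"))
    print("bad plan:", conflicting_plan_problems())
```

The useful property of the simulated flow is what VPC B actually sees: the source is 100.64.0.5 (VPC A's NAT IP), never 192.168.1.10, which is exactly why the conflicting private ranges stop mattering. In a real deployment, the same addresses would then go into the route entries of step 2 (destination 100.64.1.0/27 with the VPC NAT gateway as next hop, on VPC A's side) and into the SNAT and DNAT entries of step 3.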