NAT Gateway is a Network Address Translation (NAT) service. Alibaba Cloud provides two types of NAT gateways: Internet NAT gateways and Virtual Private Cloud (VPC) NAT gateways. Internet NAT gateways provide public IP address translation services. VPC NAT gateways provide private IP address translation services. You can specify a NAT gateway type based on your business requirements.
Internet NAT gateways
Internet NAT gateways are enterprise-class gateways that provide the Source Network Address Translation (SNAT) and Destination Network Address Translation (DNAT) features. A NAT gateway can provide a throughput capacity of up to 100 Gbit/s. NAT gateways also support cross-zone disaster recovery.
- If your workloads in the cloud require Internet access but you do not want to expose the workloads to the Internet, you can use Internet NAT gateways. Internet NAT gateways can protect your workloads against attacks from the Internet.
- If you find a sharp increase in the outbound traffic, you can use Internet NAT gateways. Internet NAT gateways can be scaled up and down as needed. In addition, Internet NAT gateways are cost-effective because Internet NAT gateways are billed on a pay-as-you-go basis.
- If a large number of devices require Internet access, you can create an Internet NAT gateway. This way, the devices can use the elastic IP addresses (EIPs) on the Internet NAT gateway to access the Internet. The Internet NAT gateway also provides fine-grained metrics and precise monitoring to control outbound traffic.
|SNAT||SNAT allows Elastic Compute Service (ECS) instances that are deployed in a virtual private cloud (VPC) to access the Internet when no public IP addresses are associated with the ECS instances.||Use the SNAT feature of an Internet NAT gateway to access the Internet|
|DNAT||DNAT maps the EIPs that are associated with an Internet NAT gateway to ECS instances. This way, the ECS instances can provide Internet-facing services.||Use the DNAT feature of an Internet NAT gateway to provide Internet-facing services|
- When you create an Internet NAT gateway, you must select a VPC to deploy the Internet NAT gateway and then specify a vSwitch from the VPC. We recommend that you specify different vSwitches for your NAT gateway and ECS instances to simplify network management.
- When you create an Internet NAT gateway, an elastic network interface (ENI) from the specified vSwitch is allocated to the Internet NAT gateway. Then, a security group is created for the ENI. You can only view the security group but cannot modify the configuration. For more information, see Overview.
- By default, Internet NAT gateways provide a throughput capacity of 5 Gbit/s. If your workloads require higher throughput,submit a ticket.
- Internet NAT gateways can be deployed across zones for disaster recovery. When you create an Internet NAT gateway deployed across zones, you need only to specify the vSwitch of the primary zone. You do not need to specify the vSwitch of the secondary zone.
- Configure SNAT to enable ECS instances to access the Internet
You can create an Internet NAT gateway for a VPC, associate an elastic IP address (EIP) with the Internet NAT gateway, and then create a SNAT entry on the Internet NAT gateway. This way, the ECS instances in the VPC can use the same EIP to access the Internet. This saves public IP resources. For more information, see Use the SNAT feature of an Internet NAT gateway to access the Internet.You can also associate multiple EIPs with the Internet NAT gateway. When an ECS instance needs to access the Internet, it randomly selects an EIP from the SNAT IP address pool. If one of the EIPs is under attack, the ECS instance can randomly select another EIP from the SNAT IP address pool to access the Internet. This ensures high availability for your workloads and prevents service interruptions caused by EIP failures.Note If multiple EIPs are added to the SNAT IP address pool, network traffic is distributed to the EIPs based on a specific hashing algorithm instead of evenly distributed across the EIPs. This may cause bandwidth overage of individual EIPs and result in service interruptions. To solve this problem, we recommend that you associate the EIPs with an EIP bandwidth plan so that bandwidth can be evenly allocated to each EIP. For more information, see Associate EIPs with and disassociate EIPs from EIP bandwidth plans.
- Configure DNAT to provide Internet-facing services
You can create an Internet NAT gateway for a VPC, associate EIPs with the Internet NAT gateway, and then configure DNAT for the NAT gateway. This way, ECS instances in the VPC can receive requests from the Internet through port mapping or IP mapping. For more information, see Use the DNAT feature of an Internet NAT gateway to provide Internet-facing services.Note Port mapping and IP mapping are used for the following purposes:
- Port mapping: An Internet NAT gateway forwards requests destined for an EIP to the specified ECS instance. Requests are forwarded based on the specified source and destination ports and the specified protocols used by both ports.
- IP mapping: An Internet NAT gateway forwards requests destined for an EIP to the specified ECS instance. The ECS instance can also use the EIP to access the Internet. If an Internet NAT gateway is configured with a SNAT entry and a DNAT entry that uses IP mapping, the ECS instance preferentially uses DNAT to access the Internet.
- Public bandwidth sharing through EIP bandwidth plans
To allow an application that is deployed on an ECS instance to provide services over the Internet, you must purchase public bandwidth resources. Make sure that you have sufficient public bandwidth resources to handle traffic fluctuations. When multiple applications need to provide services over the Internet, you may need to purchase public bandwidth resources for each application. However, this increases costs and causes resource wastes.To optimize bandwidth usage and reduce bandwidth costs, you can associate EIPs with your NAT gateway and then associate the EIPs with an EIP bandwidth plan.
VPC NAT gateways
VPC NAT gateways provide NAT services to Elastic Compute Service (ECS) instances in a VPC. The ECS instances can use the NAT IP addresses to access your data center or other VPCs, or provide services to external networks.
|SNAT||ECS instances in VPCs use the IP addresses specified in SNAT entries to access external networks.||Create SNAT entries to translate source private IP addresses|
|DNAT||ECS instances in VPCs use the IP addresses and ports specified in DNAT entries to allow private access from external networks.||Create DNAT entries to translate destination private IP addresses|
- When you create a VPC NAT gateway, you must specify a VPC to deploy the VPC NAT gateway and then specify a vSwitch from the VPC. To simplify routing configuration, we recommend that you specify different vSwitches for your VPC NAT gateway and ECS instances.
- NAT IP addresses are IP addresses specified in SNAT or DNAT entries. After you create a VPC NAT gateway, the CIDR block of the vSwitch that you specify for the VPC NAT gateway is used as the default NAT CIDR block. An IP address from the default NAT CIDR block is used as the default NAT IP address. You can add IP addresses to the default CIDR block or create NAT CIDR blocks.
- Allow multiple networks in a hybrid cloud to access each other by using static IP
As finance and securities industries expand their business on the cloud, these industries often create multiple private networks that can communicate with each other. In some cases, regulators may demand that the networks access each other by using static private IP addresses. You can use the SNAT and DNAT features of VPC NAT gateways to allow multiple private networks to access each other by using static private IP addresses.
- Allow VPCs that have conflicting CIDR blocks to access each other
Due to early network planning or business consolidation, you may need two VPCs that have conflicting CIDR blocks to communicate with each other. You can create a VPC NAT gateway and configure a NAT IP address for each VPC. The two NAT IP addresses cannot conflict with each other. One VPC uses SNAT to translate source IP addresses to the configured NAT IP address, which allows the VPC to access the other VPC. The other VPC uses the NAT IP address configured in the DNAT entry to provide external services. This way, the two VPCs can access each other.
NAT gateway benefits
You can use the SNAT feature of NAT gateways to protect ECS instances. After you configure SNAT, ECS instances in the specified VPC can access external networks. Unsolicited connection requests from external networks are denied. SNAT shields the ports that the ECS instances use to communicate with the Internet. This protects the ECS instances from external attacks.
- High performance
Alibaba Cloud NAT gateways are distributed gateways that use the software-defined networking (SDN) technology. Each NAT gateway provides a throughput capacity of up to 100 Gbit/s, and can serve a large number of Internet applications.
You can change the size of a NAT gateway or the number and bandwidth limits of the EIPs associated with a NAT gateway anytime. In addition, NAT gateways are billed on a pay-as-you-go basis. Therefore, you can use NAT gateways to withstand traffic fluctuations with ease.
- Zone-based high availability
You can deploy a NAT gateway across zones to achieve high availability. When one zone is down, network traffic is distributed to the other zone to prevent service interruptions.