NAT Gateway is a fully managed network address translation gateway from Alibaba Cloud. It enhances network security by translating and hiding cloud service addresses to prevent them from being directly exposed.
Product types
Unlike a VPC NAT Gateway, an Internet NAT Gateway can be associated with an EIP to enable internet access. However, a NAT gateway only performs address translation and does not control traffic flow. The VPC's route table controls whether a data packet is sent to the NAT gateway and where it is routed after translation.
Internet NAT Gateway - Internet access
An Internet NAT Gateway translates the private IPv4 addresses of instances within a VPC into an EIP, allowing multiple servers to share the EIP for internet access.
Enable servers to access the internet Use the SNAT feature of an Internet NAT Gateway to allow multiple ECS instances to share an EIP for internet access. This approach saves costs and enhances security. | Share a NAT gateway across multiple VPCs for internet access You can use a VPC peering connection or Cloud Enterprise Network (CEN) to interconnect VPCs, allowing them to share a single Internet NAT Gateway for internet access. |
VPC NAT Gateway - private network access
A VPC NAT Gateway can translate the private IPv4 addresses of instances in a VPC to other private NAT IP addresses. This feature resolves connectivity issues between networks with overlapping IP addresses or meets requirements for accessing services from a specific source IP address.
Resolve private network conflicts VPCs with overlapping CIDR blocks cannot be interconnected directly. You can use a VPC NAT Gateway to translate the conflicting private IP addresses to enable communication. |
Access from a specific address In regulated industries such as finance and securities, cloud-based services can use a VPC NAT Gateway to ensure that traffic accessing on-premises data centers originates from a fixed, specified private IP address. |
Performance and high availability
High availability
NAT Gateway supports two deployment modes for high availability: cross-zone and single-zone disaster recovery. You can select the Disaster Recovery when you create a gateway.
The single-zone disaster recovery mode is available in all regions that support NAT Gateway. To use this mode, contact your account manager to request access.
Cross-zone disaster recovery The NAT gateway is deployed redundantly across two zones. If one zone fails, traffic automatically fails over to the other. This mode is suitable for scenarios where instances, such as ECS, are distributed across multiple zones and need to share a single NAT gateway for internet access. | Single-zone disaster recovery The NAT gateway is deployed within a single zone and provides high availability only within that zone. This mode is suitable for scenarios where services are concentrated in a single zone and use a dedicated NAT gateway for internet access. |
Cross-zone recovery (default) | Single-zone recovery | |
Deployment method | Instances are deployed in both a primary and a backup zone. Alibaba Cloud selects the backup zone. | The gateway is deployed in a single, user-specified zone and includes device-level redundancy within that zone. |
Disaster recovery capability | Automatic failover in the event of a zone failure. | Alibaba Cloud ensures high availability within the specified zone. |
Cost | Baseline price | The instance fee is approximately 50%, and the CU fee approximately 80%, of the fees for the cross-zone mode. |
Use cases | Instances, such as ECS, are distributed across multiple zones and need to share a single NAT gateway for internet access. | Services are concentrated in a single zone and use a dedicated NAT gateway for internet access. |
Automatic scaling
The performance metrics for each deployment mode are as follows.
Deployment mode | Metric | Connection rate (CPS) | Throughput | Concurrent connections | Packet rate (PPS) |
Cross-zone disaster recovery | Initial metric | 20,000 | 5 Gbps | 500,000 | 800,000 |
Scaling limit | 100,000 | 15 Gbps | 2,000,000 | 2,500,000 | |
Single-zone disaster recovery | Initial metric | 20,000 | 10 Gbps | 500,000 | 800,000 |
Scaling limit | 100,000 | 20 Gbps | 2,000,000 | 2,500,000 |
To ensure performance and stability, NAT Gateway uses a distributed, highly reliable cluster architecture. The cluster evenly distributes all traffic across multiple system servers for forwarding. Therefore, the maximum throughput and packets per second (PPS) can be achieved only with multiple sessions. A single system server's performance limits the throughput and PPS of a single session. We recommend that you perform stress tests to understand the performance of your instance and configure monitoring accordingly.
Single-session throughput limit = Total throughput scaling limit / Number of servers in the cluster
Single-session PPS limit = Total PPS scaling limit / Number of servers in the cluster
If a NAT gateway's traffic exceeds its performance limits, your workloads may experience packet loss. If you require higher performance, contact your account manager to submit a request.
In real-world scenarios, multiple factors affect the performance of a NAT gateway, such as the average packet size, connection type (long-lived or short-lived), and network architecture. As a result, the actual performance may vary. We recommend that you perform stress tests based on your specific business requirements to evaluate the instance performance and configure monitoring to ensure smooth operations.