Use a VPC NAT gateway and a VPN gateway to connect a data center and a VPC - NAT Gateway

This topic describes how to use a Virtual Private Cloud (VPC) NAT gateway and a VPN gateway to connect a data center and a VPC. You can specify private IP addresses for the data center and the VPC to communicate with each other.

Scenario

The following scenario is used in this topic. You have a VPC named VPC1 in the China (Qingdao) region and a data center in Beijing. You want VPC1 to communicate with the data center through specified private IP addresses.

You can use a VPC NAT gateway and a VPN gateway to achieve this goal.

You can use a VPN gateway to establish an IPsec-VPN connection between the data center and the VPC, and enable the data center to communicate with the VPC through specified private IP addresses. The following table describes how networks are planned in this example. You can plan CIDR blocks based on your business requirements. Make sure that the CIDR blocks do not overlap with each other.

Parameter	IP address/CIDR block
VPC1	10.0.0.0/16
vSwitches	VSW1: 10.0.0.0/24 VSW2: 10.0.1.0/24
Elastic Compute Service (ECS) instance	ECS1: 10.0.0.81
Data center	172.16.0.0/12
On-premises server	172.16.0.124
Gateway device in the data center	211.68.XX.XX

Prerequisites

A VPC named VPC1 is created in the China (Qingdao) region and two vSwitches (VSW1 and VSW2) are created in VPC1. For more information, see Create and manage a VPC.
An ECS instance named ECS1 is created in VSW1 and applications are deployed on ECS1. For more information, see Create an instance by using the wizard.

Procedure

Step 1: Configure IPsec-VPN

You can create a IPsec-VPN connection between the VPC and the data center. To create an IPsec-VPN connection, you must first create a VPN gateway and a customer gateway. For more information about the IPsec-VPN feature, see Overview of IPsec-VPN connections.

Log on to the VPN Gateway console.

Perform the following operations to create a VPN gateway:

On the VPN Gateways page, click Create VPN Gateway.

On the buy page, set the following parameters, click Buy Now, and then complete the payment.

Parameter	Description
Name	Enter a name for the VPN gateway.
Region	Select the region where you want to deploy the VPN gateway. In this example, China (Qingdao) is selected.
Gateway Type	Standard is selected by default.
VPC	Select the VPC that you want to connect. In this example, VPC1 is selected.
Specify VSwitch	Specify whether to deploy the VPN gateway in a vSwitch of the VPC. If you select Yes, you must also specify a vSwitch. In this example, No is selected.
Bandwidth	Specify the maximum bandwidth of the VPN gateway. Unit: Mbit/s. 5 Mbit/s is selected in this example.
Traffic	By default, the VPN gateway uses the pay-by-data-transfer metering method. For more information, see Billing.
IPsec-VPN	Specify whether to enable the IPsec-VPN feature. In this example, Enable is selected.
SSL-VPN	Specify whether to enable the SSL-VPN feature. In this example, Disable is selected.
Subscription Duration	By default, the VPN gateway is billed on an hourly basis.

Return to the VPN Gateways page to view the VPN gateway.
A newly created VPN gateway is in the Preparing state. After 1 to 5 minutes, the state changes to Normal, which indicates that the VPN gateway is initialized and available.

Perform the following operations to create a customer gateway:

In the left-side navigation pane, choose Interconnections > VPN > Customer Gateways.
In the top navigation bar, select the region where you want to create the customer gateway. In this example, China (Qingdao) is selected.
On the Customer Gateway page, click Create Customer Gateway.

In the Create Customer Gateway panel, set the following parameters and click OK.

Parameter	Description
Name	Enter a name for the customer gateway.
IP Address	Enter the public IP address of the gateway device in the data center that you want to connect to VPC1. In this example, `211.68.XX.XX` is used.
ASN	The Autonomous System Number (ASN) of the gateway device in the data center.
Description	Enter a description for the customer gateway.

For more information, see Create a customer gateway.

Perform the following operations to create an IPsec-VPN connection:

In the left-side navigation pane, choose Interconnections > VPN > IPsec Connections.
In the top navigation bar, select the region where you want to create the IPsec-VPN connection. In this example, China (Qingdao) is selected.
On the IPsec-VPN connection page, click Create IPsec-VPN Connection.

On the Create IPsec-VPN Connection page, set the following parameters and click OK.

Parameter	Description
Name	Enter a name for the IPsec-VPN connection.
VPN Gateway	Select the VPN gateway that you created.
Customer Gateway	Select the customer gateway that you created.
Routing Mode	Select a routing mode. In this example, Destination Routing Mode is selected.
Effective Immediately	Specify whether to immediately start negotiations. Yes: starts connection negotiations after the configuration is completed. No: starts negotiations when inbound traffic is detected. In this example, No is selected.
Pre-Shared Key	Enter the pre-shared key. The pre-shared key must be the same as the pre-shared key of the gateway device in the data center. If you do not enter a value, the system generates a 16-bit random string by default.

Use the default settings for the other parameters. For more information, see Create and manage IPsec-VPN connections in single-tunnel mode.

Step 2: Load the configurations of the VPN gateway to the gateway device in the data center

To establish an IPsec-VPN connection between the VPC and data center, you must load the configurations of the VPN gateway to the gateway device in the data center.

In the left-side navigation pane, choose Interconnections > VPN > IPsec Connections.
On the IPsec Connections page, find the IPsec-VPN connection, and choose > Download Configuration in the Actions column.
Load the configuration of the IPsec-VPN connection to the gateway device in the data center. For more information, see Configure an on-premises gateway..

Step 3: Create a VPC NAT gateway

Log on to the NAT Gateway console.
In the left-side navigation pane, choose NAT Gateway > VPC NAT Gateway.
On the VPC NAT Gateway page, click Create VPC NAT Gateway.

On the VPC NAT Gateway (Pay-As-You-Go) page, set the following parameters and click Buy Now.

Parameter	Description
Region	Select the region where you want to create the VPC NAT gateway. In this example, China (Qingdao) is selected.
VPC ID	Select the VPC to which the VPC NAT gateway belongs. After you create a VPC NAT gateway, you cannot change the VPC to which the VPC NAT gateway belongs. In this example, VPC1 is selected.
Zone	Select the zone to which the VPC NAT gateway belongs. In this example, the zone of VSW2 is selected.
vSwitch ID	Select the vSwitch to which the VPC NAT gateway belongs. We recommend that you select an independent vSwitch. In this example. VSW2 is selected.
Name	Enter a name for the VPC NAT gateway.
Service-linked Role	Displays whether a service-linked role is created for the VPC NAT gateway. If this is your first time using a NAT gateway, including an Internet NAT gateway and a VPC NAT gateway, you must click Create Service-linked Role to create a service-linked role.

Return to the VPC NAT Gateway page and view the VPC NAT gateway that you created.
- Click the ID of the VPC NAT gateway. On the Basic Information tab, view the VPC and vSwitch to which the VPC NAT gateway belongs.
- Click the NAT IP Address tab to view the default NAT IP address and the default NAT CIDR block.
  Note The default NAT CIDR block is the CIDR block of the vSwitch to which the VPC NAT gateway is attached. The default NAT IP address is an IP address that is randomly allocated from the CIDR block of the vSwitch. You cannot delete the default NAT CIDR block or the default NAT IP address.

Step 4: Add a route to the system route table of VPC1

Add a route to the system route table of VPC1. The route must point to the VPC NAT gateway.

Log on to the VPC console.
On the VPCs page, find VPC1 and click its ID.
On the details page, click the Resources tab and click the number below Route Table.
On the Route Tables page, find the route table whose Route Table Type is System and click its ID.
On the details page of the route table, choose Route Entry List > Custom Route, and click Add Route Entry.

In the Add Route Entry panel, set the following parameters and click OK.

Parameter	Description
Name	Enter a name for the route. In this example, `VPCENTRY` is used.
Destination CIDR Block	Enter the CIDR block to which network traffic is forwarded. In this example, `172.16.0.124/32` is used, which is the IP address of the server in the data center.
Next Hop Type	Select the next hop type. In this example, NAT Gateway is selected.
NAT Gateway	Select a NAT gateway. In this example, the VPC NAT gateway created in Step 3: Create a VPC NAT gateway is selected.

Step 5: Create a custom route table and add a route

Create a custom route table for VSW2 and add a route that points to the VPN gateway to the custom route table.

For more information about regions that support custom route tables, see Regions that support custom route tables.

Log on to the VPC console.
In the left-side navigation pane, click Route Tables.
In the top navigation bar, select the region to which the route table belongs.
On the Route Tables page, click Create Route Table.

On the Create Route Table page, set the following parameters and click OK.

Parameter	Description
Resource Group	Select the resource group to which the route table belongs. In this example, All is selected.
VPC	Select the VPC to which the route table belongs. In this example, VPC1 is selected.
Name	Enter a name for the route table. In this example, `VPNVTB` is used.
Description	Enter a description for the route table. In this example, `Custom` is used.

Click the Associated vSwitch tab and click Associate vSwitch.
In the Associate vSwitch dialog box, select the vSwitch that you want to associate and click OK.
In this example, VSW2 is selected.
On the details page of the route table, choose Route Entry List > Custom Route, and click Add Route Entry.

In the Add Route Entry panel, set the following parameters and click OK.

Parameter	Description
Name	Enter a name for the route. In this example, `VPCNATENTRY` is used.
Destination CIDR Block	Enter the CIDR block to which network traffic is forwarded. In this example, `172.16.0.124/32` is used, which is the IP address of the server in the data center.
Next Hop Type	Select the next hop type. In this example, VPN Gateway is selected.
VPN Gateway	Select a VPN gateway. In this example, the VPN gateway created in Step 1: Configure IPsec-VPN is selected.

Step 6: Create an SNAT entry and a DNAT entry by using the default NAT IP address

Log on to the NAT Gateway console.
In the left-side navigation pane, choose NAT Gateway > VPC NAT Gateway.
In the top navigation bar, select the region where you want to create the NAT gateway.

Perform the following operations to create an SNAT entry:

On the VPC NAT Gateway page, find the VPC NAT gateway that you want to manage and click SNAT Management in the Actions column.
On the SNAT Management tab, click Create SNAT Entry.

On the Create SNAT Entry page, set the following parameters and click OK.

Parameter	Description
SNAT Entry	Specify whether to create an SNAT entry for a VPC, a vSwitch, an ECS instance, or a custom CIDR block. In this example, Specify vSwitch is selected. Then, select the vSwitch to which ECS1 belongs from the Select vSwitch drop-down list. In this example, VSW1 is selected. The vSwitch CIDR Block section displays the CIDR block of VSW1.
Select NAT IP Address	Select the IP address that is used to access external private networks. The default NAT IP address is selected in this example.
Entry Name	Enter a name for the SNAT entry. The name must be 2 to 128 characters in length, and can contain digits, underscores (_), and hyphens (-). The name must start with a letter.

Return to the VPC NAT Gateway page and perform the following operations to create a DNAT entry:

On the VPC NAT Gateway page, find the VPC NAT gateway that you want to manage and click DNAT Management in the Actions column.
On the DNAT Management tab, click Create DNAT Entry.

On the Create DNAT Entry page, set the following parameters and click OK.

Parameter	Description
Select NAT IP Address	Select the NAT IP address that is used to receive requests from external private networks. The default NAT IP address is selected in this example.
Select Private IP Address	Specify the private IP address of the ECS instance that uses the DNAT entry to communicate with external networks. In this example, Select by ECS or ENI is selected and the private IP address of ECS1 is selected.
Port Settings	Select a DNAT mapping method. In this example, Specific Port is selected, which specifies the port mapping method. In this example, Frontend Port is set to `22`, Backend Port is set to `22`, and Protocol Type is set to TCP.
Entry Name	Enter a name for the DNAT entry. The name must be 2 to 128 characters in length, and can contain digits, underscores (_), and hyphens (-). The name must start with a letter.

Step 7: Configure routes for the VPN gateway

You must add a route to the VPN gateway and advertise the route to the VPC route table. Then, the VPC and the data center can communicate with each other.

Log on to the VPN Gateway console.
In the top navigation bar, select the region of the VPN gateway.
In the left-side navigation pane, choose Interconnections > VPN > VPN Gateways.
On the VPN Gateway page, find the VPN gateway that you want to manage and click its ID.
On the Destination-based Route Table tab, click Add Route Entry.

In the Add Route Entry panel, set the following parameters and click OK.

Parameter	Description
Destination CIDR Block	Enter the private CIDR block of the data center. In this example, `172.16.0.0/12` is used.
Next Hop Type	In this example, IPsec Connection is selected.
Next Hop	Select an IPsec-VPN connection. In this example, the IPsec-VPC connection created in Step 1: Configure IPsec-VPN is selected.
Publish to VPC	Specify whether to advertise the route to the route table of the VPC. In this example, Yes is selected.
Weight	Select the weight of the route. In this example, 100 is selected. 100: specifies a high priority. 0: specifies a low priority.

Step 8: Test the connectivity

Log on to ECS1 in VSW1. For more information, see Connection methods.
Ping the IP address of the server in the data center to check whether ECS1 can access the server in the data center.
In this example, the following command is used:
```
ping 172.16.0.124
```
The test result shows that ECS1 can access the server in the data center.
Log on to the server in the data center and run the ssh root@NAT IP command. Before you run this command, replace NAT IP with the default NAT IP address of the VPC NAT gateway. Then, enter the password that is used to log on to ECS1 to check whether the server can access ECS1.
In this example, the following command is used:
```
ssh 10.0.1.43
```
The test result shows that the server in the data center can access ECS1 by using the DNAT feature of the VPC NAT gateway.