Adds a Destination Network Address Translation (DNAT) entry to a DNAT table.

Description

Each DNAT entry consists of the following elements: ExternalIp, ExternalPort, Protocol, InternalIp, and InternalPort. After you add a DNAT entry, the NAT gateway forwards packets that are received on [ExternalIp: ExternalPort] to [InternalIp: InternalPort]. The packets are transmitted over the specified protocol. The NAT gateway also returns responses through the same route.

When you call this operation, take note of the following information:

  • CreateForwardEntry is an asynchronous operation. After you make a request, a DNAT entry ID is returned but the specified DNAT entry is not added. The system adds the entry in the background. You can call the DescribeNatGateways operation to query the DNAT entry:
    • Pending: indicates that the system is adding the DNAT entry. You can only query the state of the DNAT entry, but cannot perform other operations.
    • Available: indicates that the DNAT entry is added.
  • All combinations of ExternalIp, ExternalPort, and Protocol used in DNAT entries must be unique. You cannot distribute requests to more than one Elastic Compute Service (ECS) instance if these requests are originated from the same source IP address, received on the same port, and use the same protocol.
  • All combinations of Protocol, InternalIp, and InternalPort used in DNAT entries must be unique.
  • If any DNAT entry in the DNAT table is in the Pending or Modifying state, you cannot add a DNAT entry.
  • You can add up to 100 DNAT entries to a DNAT table.

Debugging

OpenAPI Explorer automatically calculates the signature value. For your convenience, we recommend that you call this operation in OpenAPI Explorer. OpenAPI Explorer dynamically generates the sample code of the operation for different SDKs.

Request parameters

Parameter Type Required Example Description
Action String Yes CreateForwardEntry

The operation that you want to perform. Set the value to CreateForwardEntry.

ExternalIp String Yes 116.xx.xx.28

The public IP address used by the ECS instance to access the Internet. The public IP address must meet the following requirements:

  • If you have purchased a NAT service plan before November 3, 2017, the ExternalIp must be a public IP address in the NAT service plan.
  • If you did not purchase a NAT service plan before November 3, 2017, the ExternalIp must be an elastic IP address (EIP) associated with the NAT service plan.
ExternalPort String Yes 8080

The external port used for port forwarding. Valid values: 1 to 65535.

ForwardTableId String Yes ftb-bp1mbjubq34hlcqpa****

The ID of the DNAT table.

InternalIp String Yes 192.168.xx.xx

The private IP address that is mapped to the public IP address in the DNAT entry. The private IP address must meet the following requirements:

  • The InternalIp must belong to the Classless Inter-Domain Routing (CIDR) block of the virtual private cloud (VPC) where the NAT gateway is deployed.
  • The DNAT entry takes effect only when the private IP address is assigned to an ECS instance and the ECS instance is not associated with an EIP. If the private IP address is assigned to a resource other than an ECS instance, such as an High-Availability Virtual IP Address (HaVip), Server Load Balancer (SLB) instance, or RDS instance, the DNAT entry does not take effect. Consequently, inbound traffic cannot be forwarded to the private IP address.
InternalPort String Yes 80

The internal port that is mapped to the external port in the DNAT entry. Valid values: 1 to 65535.

IpProtocol String Yes TCP

The forwarding protocol. Valid values:

  • TCP: forwards TCP packets.
  • UDP: forwards UDP packets.
  • Any: forwards packets of all protocols.
RegionId String Yes cn-hangzhou

The ID of the region where the NAT gateway is deployed. You can call the DescribeRegions operation to query region IDs.

ForwardEntryName String No ForwardEntry-1

The name of the SNAT entry.

The description must be 2 to 128 characters in length, and start with a letter. It cannot start with http:// or https://.

ClientToken String No 0c593ea1-3bea-11e9-b96b-88e9fe637760

The client token that is used to ensure the idempotence of the request. You can use the client to generate a value that is unique among different requests. ClientToken can contain only ASCII characters and cannot exceed 64 characters in length.

PortBreak Boolean No false

Specifies whether to remove limits on the port range. Valid values:

  • true: removes limits on the port range.
  • false (default): sets limits on the port range.
Note A SNAT entry and a DNAT entry may use the same public IP address. If you want to specify a port number greater than 1024 in this case, set Portbreak to true.

Response parameters

Parameter Type Example Description
ForwardEntryId String fwd-119smw5tkasdf****

The ID of the DNAT entry.

RequestId String A4AEE536-A97A-40EB-9EBE-53A6948A6928

The ID of the request.

Examples

Sample requests

https://vpc.aliyuncs.com/?Action=CreateForwardEntry
&ExternalIp=116.xx.xx.28
&ExternalPort=8080
&ForwardTableId=ftb-bp1mbjubq34hlcqpa****
&InternalIp=192.168.xx.xx
&InternalPort=80
&IpProtocol=TCP
&RegionId=cn-hangzhou
&<Common request parameters>

Sample success responses

XML format

<CreateForwardEntryResponse>
	  <ForwardEntryId>fwd-119smw5tkasdf****</ForwardEntryId>
	  <RequestId>2315DEB7-5E92-423A-91F7-4C1EC9AD97C3</RequestId>
</CreateForwardEntryResponse>

JSON format

{
    "ForwardEntryId": "fwd-119smw5tkasdf****",
    "RequestId": "2315DEB7-5E92-423A-91F7-4C1EC9AD97C3"
}

Error codes

HttpCode Error code Error message Description
404 InvalidRegionId.NotFound The specified RegionId does not exist in our records. The error message returned because the specified region ID does not exist. Check whether the region ID is valid.
400 InvalidExternalIp.Malformed The specified ExternalIp is not a valid IP address. The error message returned because the specified IP address is invalid.
400 InvalidInternalIp.Malformed The specified InternalIp is not a valid IP address. The error message returned because the specified private IP address is invalid.
400 InvalidExternalPort.Malformed The specified ExternalPort is not a valid port. The error message returned because the specified external port is invalid.
400 InvalidInternalPort.Malformed The specified InternalPort is not a valid port. The error message returned because the specified internal port is invalid.
400 Forbidden.DestnationIpOutOfVpcCIDR The specified Internal Ip is Out of VPC CIDR. The error message returned because the private IP address is not within the CIDR block of the VPC. Enter a private IP address that belongs to the CIDR block of the VPC.
400 InvalidProtocal.ValueNotSupported The specified IpProtocol does not support. The error message returned because the specified protocol is not supported.
400 IncorretForwardEntryStatus Some Forward entry status blocked this operation.. The error message returned because you are unauthorized to perform the specified operation. The error message returned because one or more DNAT entries in the DNAT table are in the Pending or Modifying state.
404 InvalidForwardTableId.NotFound Specified forward table does not exist. The error message returned because the specified DNAT entry does not exist. Verify the parameter and try again.
404 InvalidExternalIp.NotFound Specified External Ip address does not found on the VRouter The error message returned because the specified public IP address does not exist.
400 Forbidden.ExternalIp.UsedInSnatTable The specified ExternalIp is already used in SnatTable The error message returned because the specified public IP address is used by a SNAT entry. Select a different IP address or delete the SNAT rule that uses the public IP address.
400 Forbindden The specified Instance already bind eip The error message returned because the ECS instance is assigned an EIP. Disassociate the EIP from the ECS instance, and then create forwarding rules.
400 Forbidden.InternalIpOutOfVpcCIDR The specified Internal Ip is Out of VPC CIDR. The error message returned because the private IP address is not within the CIDR block of the VPC.
400 Invalid.natgwNotExist The specified natgateway not exist. The error message returned because the specified NAT gateway does not exist.
400 InvalidIp.NotInNatgw The specified Ip not belong to natgateway. The error message returned because the specified IP address is not associated with the NAT gateway.
400 MissingParameter Missing mandatory parameter The error message returned because the required parameters are missing. Check whether you have set all the required parameters before you call this operation.
500 InternalError The request processing has failed due to some unknown error. The error message returned because unknown errors have occurred.
400 InvalidParameter.Name.Malformed The specified Name is not valid. The error message returned because the specified name is invalid.

For a list of error codes, visit the API Error Center.