This topic describes how to create a Destination Network Address Translation (DNAT) entry. Network Address Translation (NAT) Gateway supports DNAT. DNAT maps public IP addresses to private IP addresses of Elastic Compute Service (ECS) instances in a Virtual Private Cloud (VPC) network. This way, ECS instances can receive inbound packets sent over the Internet. DNAT supports port mapping and IP mapping.

Background information

You cannot create DNAT entries for ECS instances that are associated with Elastic IP addresses.
To create a DNAT entry for such an ECS instance, you must disassociate the Elastic IP address from the ECS instance first. After you delete the association, you can create a DNAT entry for the ECS instance. For more information, see Unbind an Elastic IP address from a cloud instance and Create a DNAT entry.
Note If an ECS instance is associated with an Elastic IP address, and the private IP address of the ECS instance is used in a DNAT entry of a NAT gateway, the ECS instance preferentially uses the Elastic IP address to access the Internet.


  1. Log on to the NAT Gateway console.
  2. In the top navigation bar, select the region where the NAT gateway is deployed.
  3. On the NAT Gateways page, find the target NAT gateway, and click Configure DNAT in the Actions column.
  4. On the DNAT Table page, click Create DNAT Entry.
  5. On the Create DNAT Entry page that appears, set the parameters as required, and click OK.
    Parameter Description
    Public IP Address Select an available public IP address.
    Note If a public IP address is already used in a SNAT entry, it cannot be used in a DNAT entry.
    Private IP Address Specify the private IP address of the ECS instance that uses the DNAT entry to receive inbound packets sent over the Internet. You can specify the private IP address of the ECS instance in the following ways:
    • Auto Fill: select the ECS instance from the ECS instance list or select the Elastic Network Interface (ENI) of the ECS instance from the ENI list.
    • Manually Input: enter the private IP address of the ECS instance.
      Note The CIDR block of the private IP address must be within that of the VPC network. You can also enter the private IP address of your ECS instance.
    Port Settings Select a DNAT mapping method:
    • All: IP mapping. All requests destined for the public IP address are forwarded to the target ECS instance.
    • Specific Port: port mapping. Requests received on a public port over a protocol are all forwarded to the specified internal port of the target ECS instance.

      After you select Specific Port, specify the Public Port (the external port), Private Port (the internal port), and IP Protocol (the protocol over which inbound packets are sent).

    Entry Name Enter a name for the DNAT entry.

    The name must be 2 to 128 characters in length and can contain digits, underscores (_), and hyphens (-). It must start with a letter.