Enhanced Internet NAT gateways provide NAT services, and allow Elastic Compute Service (ECS) instances in a virtual private cloud (VPC) to access the Internet and receive requests from the Internet. This topic describes how to create an enhanced Internet NAT gateway, hereafter referred to as "NAT gateway".

Create a NAT gateway

After you create the first NAT gateway in a VPC, the system automatically adds a default route 0.0.0.0/0 to the route table of the VPC. The next hop of the route is the NAT gateway. This route forwards all traffic to the NAT gateway. Traffic destined for the Internet can reach the NAT gateway only after the default route is added to the route table of the VPC. Therefore, after you create a NAT gateway, make sure that the VPC route table contains a 0.0.0.0/0 route and the next hop of the route is the NAT gateway. If the route does not exist, add one. For more information, see Create and delete route entries.

If the VPC route table already contains a 0.0.0.0/0 route before you create the NAT gateway, the system does not add another 0.0.0.0/0 route whose next hop is the NAT gateway to the VPC route table. In this case, you must change the next hop of the existing 0.0.0.0/0 route to the NAT gateway after the NAT gateway is created.
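The route check described in the two paragraphs above can be scripted. The following is an added example, not code from the NAT Gateway documentation: the field names `destination` and `next_hop_id`, the resource IDs, and the sample route tables are constructed assumptions, not an Alibaba Cloud API response format.

```python
import ipaddress

DEFAULT_ROUTE = ipaddress.ip_network("0.0.0.0/0")

def check_default_route(route_entries, nat_gateway_id):
    """Classify the VPC route table's 0.0.0.0/0 route relative to a NAT gateway.

    route_entries is a list of dicts with hypothetical keys
    'destination' (CIDR string) and 'next_hop_id'. Returns (status, action).
    """
    defaults = [e for e in route_entries
                if ipaddress.ip_network(e["destination"]) == DEFAULT_ROUTE]
    if not defaults:
        # No default route at all: Internet-bound traffic never reaches the gateway.
        return ("missing", f"add 0.0.0.0/0 with next hop {nat_gateway_id}")
    hop = defaults[0]["next_hop_id"]
    if hop != nat_gateway_id:
        # A 0.0.0.0/0 route existed before the gateway was created,
        # so the system did not add one that points to the gateway.
        return ("wrong_next_hop",
                f"change next hop of 0.0.0.0/0 from {hop} to {nat_gateway_id}")
    return ("ok", "no change needed")

# Constructed sample data (placeholder IDs, documentation address ranges).
NGW = "ngw-example0001"
TABLE_OK = [
    {"destination": "192.168.0.0/16", "next_hop_id": "local"},
    {"destination": "0.0.0.0/0", "next_hop_id": NGW},
]
TABLE_PREEXISTING = [
    {"destination": "192.168.0.0/16", "next_hop_id": "local"},
    {"destination": "0.0.0.0/0", "next_hop_id": "i-example0001"},
]
TABLE_MISSING = [{"destination": "192.168.0.0/16", "next_hop_id": "local"}]

if __name__ == "__main__":
    for name, table in [("ok", TABLE_OK), ("preexisting", TABLE_PREEXISTING),
                        ("missing", TABLE_MISSING)]:
        print(name, check_default_route(table, NGW))
```
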

  1. Log on to the NAT Gateway console.
  2. On the Public NAT Gateway page, click Create NAT Gateway.
  3. If this is the first time you purchase a NAT gateway, you must create a service-linked role for NAT Gateway. On the NAT Gateway (Pay-As-You-Go) page, click Create in the Notes on Creating Service-linked Roles section. After a service-linked role is created, you can purchase NAT gateways.
  4. On the NAT Gateway (Pay-As-You-Go) page, set the following parameters and click Buy Now:
    • Region and Zone: Select the region where you want to deploy the NAT gateway.
    • Zone: Select the zone where you want to deploy the NAT gateway.
    • VPC ID: Select the VPC where you want to deploy the NAT gateway. After the NAT gateway is created, you cannot change the VPC where the NAT gateway is deployed.
      Note If you cannot find the VPC that you want to manage in the list, troubleshoot the issue by using the following methods:
      • Check whether a VPC is created in the region and zone that you selected.
      • If your account is a Resource Access Management (RAM) user, check whether the RAM user has read permissions on the VPC. If not, contact the Alibaba Cloud account owner to acquire the permissions.
    • VSwitch ID: Select the vSwitch to which the NAT gateway is attached.
    • Gateway Type: By default, Enhanced is selected.

      Enhanced NAT gateways are an upgrade from standard NAT gateways and use a more advanced architecture. Compared with standard NAT gateways, enhanced NAT gateways provide higher elasticity and stability. This helps you manage data transfer in a more efficient manner.

    • Billing Method: Select a billing method for the NAT gateway.

      Only Pay by Actual Usage is supported. For more information, see Pay-by-actual-usage.

    • Billing Cycle: Displays the billing cycle of the NAT gateway.
  5. On the Confirm Order page, confirm the configuration of the NAT gateway, select the Terms of Service check box, and then click Activate Now.
    When the message Order complete. appears, the purchase is completed.

Associate an EIP with a NAT gateway

A NAT gateway works as expected only after you associate an elastic IP address (EIP) with the NAT gateway. You can associate up to 20 EIPs with a NAT gateway. You can submit a ticket to increase the quota. For more information, see Manage quotas. Before you associate an EIP, make sure that the following requirements are met:

  1. Log on to the NAT Gateway console.
  2. In the top navigation bar, select the region where the NAT gateway is deployed.
  3. On the Public NAT Gateway page, find the NAT gateway that you want to manage and click Associate Now in the Elastic IP Address column.
  4. In the Associate EIP dialog box, set the following parameters and click OK.
    • Resource Group: Select the resource group of the EIP.
    • EIPs: Select the EIP that you want to associate with the NAT gateway.
      • Select Existing EIPs: Select an existing EIP from the drop-down list.
      • Purchase EIPs: The system automatically creates an EIP that is billed on a pay-by-data-transfer basis and associates the EIP with the NAT gateway.
    After you associate an EIP with the NAT gateway, the EIP appears in the Elastic IP Address column.

Disassociate an EIP from a NAT gateway

Make sure that the EIP to be disassociated is not used in an SNAT entry or a DNAT entry. If the EIP is used in an SNAT or a DNAT entry, delete the SNAT or DNAT entry first. For more information, see Delete an SNAT entry and Delete a DNAT entry.

  1. Log on to the NAT Gateway console.
  2. In the top navigation bar, select the region where the NAT gateway is deployed.
  3. On the Public NAT Gateway page, find the NAT gateway that you want to manage and click the EIP in the Elastic IP Address column.
  4. On the Associated EIP tab, select the EIP that you want to disassociate from the NAT gateway and click Disassociate in the Actions column.
  5. In the message that appears, click OK.

Modify a NAT gateway

You can modify the name and description of a NAT gateway.

  1. Log on to the NAT Gateway console.
  2. In the top navigation bar, select the region where the NAT gateway is deployed.
  3. On the Public NAT Gateway page, find the NAT gateway that you want to manage and click Manage in the Actions column.
  4. On the Basic Information tab, click Edit next to Instance Name. In the dialog box that appears, enter a name for the NAT gateway and click OK.
    The name must be 2 to 128 characters in length and can contain digits, underscores (_), and hyphens (-). The name must start with a letter.
  5. Click Edit next to Description. In the dialog box that appears, enter a new description of the NAT gateway, and click OK.
    The description must be 2 to 256 characters in length and cannot start with http:// or https://.

Delete a NAT gateway

You can delete pay-as-you-go NAT gateways, but you cannot delete subscription NAT gateways. Before you delete a NAT gateway, make sure that the following requirements are met:

  • No EIP is associated with the NAT gateway. If an EIP is associated with the NAT gateway, disassociate the EIP from the NAT gateway. For more information, see Disassociate an EIP from a cloud resource.
  • The DNAT table does not contain DNAT entries. If the DNAT table contains DNAT entries, delete them. For more information, see Delete a DNAT entry.
  • The SNAT table does not contain SNAT entries. If the SNAT table contains SNAT entries, delete them. For more information, see Delete an SNAT entry.
  • Deletion Protection is disabled on the Basic Information page of the NAT gateway. If Deletion Protection is enabled, disable it.

  1. Log on to the NAT Gateway console.
  2. In the top navigation bar, select the region where the NAT gateway is deployed.
  3. On the Public NAT Gateway page, find the NAT gateway that you want to delete and choose More > Delete in the Actions column.
  4. In the Delete Gateway dialog box that appears, click OK.
    If you want to forcibly delete a NAT gateway and its resources, select Delete (Delete NAT gateway and resources) in the Delete Gateway dialog box. If you forcibly delete a NAT gateway, you do not need to delete the SNAT and DNAT entries of the NAT gateway first. Proceed with caution.
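The deletion requirements above, together with the rule that an EIP cannot be disassociated while an SNAT or DNAT entry uses it, imply an order of operations. The following added example (not part of the original documentation) reports unmet requirements and builds that order; the dictionary keys, entry IDs and addresses are constructed assumptions, and forced deletion is not modelled.

```python
def eip_blockers(gw, eip):
    """IDs of SNAT/DNAT entries that must be deleted before `eip` can be disassociated."""
    return [e["id"] for table in ("snat_entries", "dnat_entries")
            for e in gw[table] if eip in e["eips"]]

def delete_blockers(gw):
    """Unmet requirements for deleting the gateway, as listed on this page."""
    if gw["billing"] != "pay-as-you-go":
        return ["subscription NAT gateways cannot be deleted"]
    found = []
    if gw["eips"]:
        found.append(f"{len(gw['eips'])} EIP(s) still associated")
    if gw["dnat_entries"]:
        found.append(f"{len(gw['dnat_entries'])} DNAT entry(ies) in the DNAT table")
    if gw["snat_entries"]:
        found.append(f"{len(gw['snat_entries'])} SNAT entry(ies) in the SNAT table")
    if gw["deletion_protection"]:
        found.append("Deletion Protection is enabled")
    return found

def teardown_plan(gw):
    """Ordered steps that clear every blocker; entries go before the EIPs they use."""
    if gw["billing"] != "pay-as-you-go":
        raise ValueError("subscription NAT gateways cannot be deleted")
    steps = []
    for eip in gw["eips"]:
        for entry_id in eip_blockers(gw, eip):
            if f"delete entry {entry_id}" not in steps:
                steps.append(f"delete entry {entry_id}")
        steps.append(f"disassociate {eip}")
    # Entries that reference no associated EIP still have to go.
    for table in ("snat_entries", "dnat_entries"):
        for e in gw[table]:
            if f"delete entry {e['id']}" not in steps:
                steps.append(f"delete entry {e['id']}")
    if gw["deletion_protection"]:
        steps.append("disable Deletion Protection")
    steps.append("delete NAT gateway")
    return steps

# Constructed gateway state (hypothetical keys, documentation IP range).
GW = {
    "billing": "pay-as-you-go",
    "deletion_protection": True,
    "eips": ["203.0.113.10", "203.0.113.11"],
    "snat_entries": [{"id": "snat-1", "eips": ["203.0.113.10", "203.0.113.11"]}],
    "dnat_entries": [{"id": "fwd-1", "eips": ["203.0.113.11"]}],
}

if __name__ == "__main__":
    print(delete_blockers(GW))
    print(teardown_plan(GW))
```
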
