This topic describes how to configure SNAT on an Internet NAT gateway. SNAT allows Elastic Compute Service (ECS) instances that do not have public IP addresses to access the Internet. The term "NAT gateway" in this topic refers to an Internet NAT gateway.

Scenarios

The following scenario is used as an example. An enterprise has created a virtual private cloud (VPC) and a vSwitch on Alibaba Cloud. Multiple ECS instances are created in the vSwitch. The ECS instances are not assigned static public IP addresses, and are not associated with elastic IP addresses (EIPs). To meet business requirements, the ECS instances must access the Internet.

You can configure SNAT on a NAT gateway. SNAT allows ECS instances that do not have public IP addresses in a VPC to access the Internet by using the EIP that is associated with the NAT gateway.

Prerequisites

  • An Alibaba Cloud account is created. For more information, see Create an Alibaba Cloud account.
  • A VPC and a vSwitch are created. For more information, see Create an IPv4 VPC.
  • The VPC that you created meets the following requirements:
    • The VPC does not have a custom route whose destination CIDR block is 0.0.0.0/0. If the custom route exists, delete it.
    • If you want to configure SNAT as a Resource Access Management (RAM) user, make sure that the RAM user has access and read permissions on the VPC. Otherwise, contact the Alibaba Cloud account owner to acquire the permissions.

Procedure

Step 1: Create a NAT gateway

  1. Log on to the NAT Gateway console.
  2. On the Public NAT Gateway page, click Create NAT Gateway.
  3. If this is the first time you purchase a NAT gateway, you must create a service-linked role for NAT Gateway. On the NAT Gateway (Pay-As-You-Go) page, click Create in the Notes on Creating Service-linked Roles section. After a service-linked role is created, you can purchase NAT gateways.
  4. On the NAT Gateway (Pay-As-You-Go) page, set the following parameters and click Buy Now.
    • Region and Zone: Select the region where you want to deploy the NAT gateway.
    • Zone: Select the zone where you want to deploy the NAT gateway.
    • VPC ID: Select the VPC where you want to deploy the NAT gateway. After the NAT gateway is created, you cannot change the VPC where the NAT gateway is deployed.
    • VSwitch ID: Select the vSwitch to which the NAT gateway is attached.
    • Gateway Type: By default, Enhanced is selected.
    • Billing Method: Select a billing method for the NAT gateway.

      Only Pay by Actual Usage is supported. For more information, see Pay-by-actual-usage.

    • Billing Cycle: By default, By Hour is selected. Bills are generated on an hourly basis. If you use a NAT gateway for less than one hour, the usage duration is rounded up to one hour.
  5. On the Confirm Order page, confirm the configuration of the NAT gateway, select the check box for Terms of Service, and then click Activate Now.
    When the message Order complete. appears, the purchase is completed.
After you create a NAT gateway, you can find the NAT gateway on the NAT Gateway page.

Step 2: Associate the NAT gateway with an EIP

A NAT gateway works as expected only after you associate an EIP with the NAT gateway. After you create a NAT gateway, you can associate an EIP with the NAT gateway.

  1. Log on to the NAT Gateway console.
  2. In the top navigation bar, select the region where you want to deploy the NAT gateway.
  3. On the Public NAT Gateway page, find the NAT gateway that you want to manage and click Associate Now in the Elastic IP Address column.
  4. In the Associate EIP dialog box, set the following parameters and click OK.
    • Resource Group: Select the resource group of the EIP.
    • EIPs: Select the EIP that you want to associate with the NAT gateway.

      Purchase EIPs is selected in this example. The system automatically creates a pay-by-data-transfer EIP and associates the EIP with the NAT gateway.

    After you associate an EIP with the NAT gateway, the EIP is displayed in the Elastic IP Address column.

Step 3: Create an SNAT entry

You can create an SNAT entry on a NAT gateway. This way, the ECS instances that do not have public IP addresses in the VPC can access the Internet by using the EIP that is associated with the NAT gateway.

  1. Log on to the NAT Gateway console.
  2. In the top navigation bar, select the region where you want to deploy the NAT gateway.
  3. On the Public NAT Gateway page, find the NAT gateway that you want to manage and click Configure SNAT in the Actions column.
  4. On the SNAT Management tab, click Create SNAT Entry.
  5. On the Create SNAT Entry page, set the following parameters and click Confirm.
    • SNAT Entry: Specify whether you want to create an SNAT entry for a VPC, a vSwitch, an ECS instance, or a custom CIDR block. Specify vSwitch is selected in this example. The ECS instances that are attached to the specified vSwitch use the EIP to access the Internet.
      • Select VSwitch: Select a vSwitch from the drop-down list.
        Note If you select multiple vSwitches, the system creates multiple SNAT entries that use the same EIP.
      • VSwitch CIDR Block: Displays the CIDR block of the vSwitch.
    • Select Public IP Address: Select an EIP to access the Internet. You can select an EIP from the drop-down list. Use One IP Address is specified in this example.
    • Entry Name: Enter a name for the SNAT entry.

      The name must be 2 to 128 characters in length, and can contain digits, underscores (_), and hyphens (-). It must start with a letter.

Step 4: Test the network connectivity

After you create an SNAT entry, you can test the network connectivity of the ECS instances. In this example, an ECS instance that runs Linux is used to test the network connectivity.
Note Make sure that the security group rules of the ECS instance allow the ECS instance to access the Internet. For more information, see Overview.
  1. Log on to an ECS instance that is attached to the vSwitch. For more information, see Connection methods.
  2. To test the network connectivity, run the ping command to ping www.aliyun.com, which is the domain name of Alibaba Cloud. If you can receive echo reply packets, it indicates that the connection is established.
    The result shows that the ECS instance passes the connectivity test and can access the Internet.
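A preflight check that applies the rules this procedure depends on before you touch the console: the "no custom 0.0.0.0/0 route" prerequisite, the SNAT entry name rule from Step 3, the one-entry-per-vSwitch behaviour noted in Step 3, and the default 40-entry quota from the FAQ below. This is an added example, not code from Alibaba Cloud's documentation or tooling; the route list, vSwitch IDs, VPC CIDR and EIP are constructed sample values and do not mirror any API response format.

```python
import ipaddress
import re

# Constructed sample data (not an API response): the VPC CIDR, the route table
# as an operator sees it in the console, and the vSwitches to put behind the EIP.
VPC_CIDR = "192.168.0.0/16"
ROUTES = [  # (destination CIDR, route type)
    ("192.168.0.0/16", "System"),
    ("0.0.0.0/0", "Custom"),  # leftover default route; the prerequisites say delete it
]
VSWITCHES = {"vsw-example-a": "192.168.1.0/24", "vsw-example-b": "192.168.2.0/24"}
MAX_SNAT_ENTRIES = 40  # default per-gateway quota stated in the FAQ

# 2 to 128 characters, first character a letter, then letters/digits/_/-.
NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_-]{1,127}$")


def conflicting_default_routes(routes):
    """Custom routes to 0.0.0.0/0 take precedence over the NAT gateway's
    default route, so SNAT cannot work until they are removed."""
    return [dst for dst, kind in routes if kind == "Custom" and dst == "0.0.0.0/0"]


def valid_entry_name(name):
    return bool(NAME_RE.fullmatch(name))


def plan_snat_entries(vswitches, eip, existing=0, limit=MAX_SNAT_ENTRIES):
    """One SNAT entry per selected vSwitch, all sharing the same EIP, exactly as
    the console does when several vSwitches are selected. Refuses a plan that
    exceeds the quota or includes a vSwitch CIDR outside the VPC."""
    vpc = ipaddress.ip_network(VPC_CIDR)
    entries = []
    for vsw_id, cidr in vswitches.items():
        if not ipaddress.ip_network(cidr).subnet_of(vpc):
            raise ValueError(f"{vsw_id} ({cidr}) is not inside VPC {VPC_CIDR}")
        entries.append({"source_vswitch": vsw_id, "source_cidr": cidr, "snat_ip": eip})
    if existing + len(entries) > limit:
        raise ValueError(f"{existing + len(entries)} SNAT entries exceed quota {limit}")
    return entries


def preflight(routes, name):
    """Collect every blocker found; an empty list means the procedure can start."""
    problems = [f"delete custom route {r}" for r in conflicting_default_routes(routes)]
    if not valid_entry_name(name):
        problems.append(f"invalid SNAT entry name {name!r}")
    return problems


if __name__ == "__main__":
    print(preflight(ROUTES, "snat-web-tier"))
    print(plan_snat_entries(VSWITCHES, "203.0.113.10"))  # 203.0.113.10 is a constructed EIP
```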

FAQ

How many SNAT entries can I add to a NAT gateway?

By default, you can add up to 40 SNAT entries to a NAT gateway.

How many EIPs can I specify in an SNAT entry?

You can specify up to 64 elastic IP addresses (EIPs) in an SNAT entry. The quota cannot be increased.

For more information about SNAT, see FAQ about SNAT.