This topic describes how to use enhanced Internet NAT gateways, Classic Load Balancer (CLB), and elastic IP addresses (EIPs) that are associated with enhanced Internet NAT gateways to allow Elastic Compute Service (ECS) instances to communicate with the Internet over the same EIP. This allows you to manage your services in an efficient way.

Scenarios

The following scenario is used as an example in this topic.
A company has two ECS instances deployed in the China (Shanghai) region and workloads are deployed on both ECS instances. Due to business requirements, the following requirements must be met:
  • High availability is required to prevent service interruption caused by the failure of one ECS instance.
  • Both ECS instances can access the Internet.
  • When the ECS instances access the Internet or receive requests from the Internet, the same EIP is used.
You can use enhanced Internet NAT gateways, CLB, and EIPs to meet the preceding requirements.
  • You can use the DNAT feature of Internet NAT gateways and CLB to implement high availability. When one ECS instance is down, CLB automatically blocks the ECS instance and distributes workloads to other ECS instances that are working as expected.
  • The SNAT feature of Internet NAT gateways allows ECS instances to access the Internet.
  • The DNAT feature and SNAT feature of an Internet NAT gateway can use the same EIP. This way, backend ECS instances of CLB can use the same EIP to communicate with the Internet. This allows you to manage your services in an efficient way.

Prerequisites

Before you start, make sure that the following requirements are met:
  • A virtual private cloud (VPC) and a vSwitch are created in the China (Shanghai) region. For more information, see Create an IPv4 VPC.
  • ECS 1 and ECS 2 are deployed in the vSwitch and workloads are deployed on both ECS instances. For more information, see Create an instance by using the wizard.
  • Make sure that the security group rules of the ECS instances allow the ECS instances to access the Internet and receive requests from the Internet. For more information, see Add security group rules.

Procedure

Step 1: Create a CLB instance

CLB forwards requests to backend ECS instances based on forwarding policies. You can use CLB to improve the responsiveness and availability of your applications.

  1. Log on to the CLB console.
  2. On the Instances page, click Create CLB.
  3. On the buy page, set the following parameters, click Buy Now, and then complete the payment.
    • Region: CLB does not support cross-region deployment by default. Make sure that the CLB instance and the ECS instances that are specified as backend servers are deployed in the same region. In this topic, China (Shanghai) is selected.
    • Zone Type: Multi-zone is selected by default.
    • Primary Zone: In this topic, China East 2 Zone D is selected.
    • Backup Zone: In this topic, China East 2 Zone B is selected.
    • Instance Name: Enter a name for the instance or use the instance name that is automatically created by the system.
    • Instance Type: In this topic, Intranet is selected.
    • Instance Spec: In this topic, Small I (slb.s1.small) is selected.
    • Network type: Select a network type for the CLB instance. In this topic, VPC is selected.
    • Feature: Standard is selected by default.
    • IP Version: IPv4 is selected by default.
    • VPC: In this topic, the VPC that you created is selected.
    • Virtual switch: In this topic, the vSwitch that you created is selected.
    • Internet Charge Type: displays the metering method of the CLB instance. By default, By traffic is displayed.
    • Resource Group: Select the resource group to which the CLB instance belongs.
    • Quantity: In this topic, one CLB instance is purchased.
After you create the CLB instance, the system allocates a private IP address to the CLB instance. The private IP address is used to establish connections over private networks.

Step 2: Configure the CLB instance

After you create the CLB instance, you must configure the CLB instance. The CLB instance can forward requests only after you configure it. When you configure the CLB instance, you must add at least one listener and one group of backend servers.

  1. Log on to the CLB console.
  2. On the Instances page, find the CLB instance that you create in Step 1 and click Configure Listener in the Actions column.
  3. On the Protocol and Listener wizard page, set the following parameters and click Next.
    • Select Listener Protocol: TCP is selected in this topic.
    • Listening Port: Specify the port that the CLB instance uses to receive and forward requests to backend servers.

      In this topic, 80 is used.

    • Listener Name: The listener name is not specified in this example. The default name uses the following format: protocol_port.

    Other parameters use the default settings.

  4. On the Backend Servers wizard page, select Default Server Group and click Add More to add backend servers.
    1. In the My Servers panel, select ECS 1 and ECS 2, and click Next.
    2. Specify the weights of the backend servers. A backend server with a higher weight receives more requests. In this topic, the default value 100 is used.
    3. Click Add.
    4. On the Backend Servers wizard page, configure the backend port. The ECS instance uses the backend port to receive requests. You can specify duplicated backend ports within the same CLB instance. In this topic, 80 is used.
  5. On the Backend Servers wizard page, click Next to configure health checks. In this topic, the default value is used.

    If an ECS instance is declared unhealthy after you enable health checks, CLB diverts requests to healthy ECS instances. After the ECS instance is declared healthy, CLB automatically forwards requests to it.

  6. On the Health Check wizard page, click Next to go to the Confirm wizard page. After you confirm the configurations, click Submit.
  7. In the dialog box that appears, click OK. Return to the Instances page and click Refresh to view the CLB instance.
    If the health check status of an ECS instance is Normal, it indicates that the ECS instance is ready to process requests from the CLB instance.

Step 3: Create an enhanced Internet NAT gateway

  1. Log on to the NAT Gateway console.
  2. On the Public NAT Gateway page, click Create NAT Gateway.
  3. If this is the first time you purchase a NAT gateway, you must create a service-linked role for NAT Gateway. On the NAT Gateway (Pay-As-You-Go) page, click Create in the Notes on Creating Service-linked Roles section. After the service-linked role is created, you can purchase NAT gateways.
  4. On the NAT Gateway (Pay-As-You-Go) page, set the following parameters and click Buy Now.
    • Region and Zone: Select the region where you want to deploy the NAT gateway.
    • Zone: Select the zone where you want to deploy the NAT gateway.
    • VPC ID: Select the VPC where you want to deploy the NAT gateway. After the NAT gateway is created, you cannot change the VPC where the NAT gateway is deployed.
    • VSwitch ID: Select the vSwitch to which the NAT gateway is attached.
    • Gateway Type: By default, Enhanced is selected.
    • Billing Method: Select a billing method for the NAT gateway.

      Only Pay by Actual Usage is supported. For more information, see Pay-by-actual-usage.

    • Billing Cycle: By default, By Hour is selected. Bills are generated on an hourly basis. If you use a NAT gateway for less than one hour, the usage duration is rounded up to one hour.
  5. On the Confirm Order page, confirm the configuration of the NAT gateway, select the check box for Terms of Service, and then click Activate Now.
    When the message Order complete. appears, the purchase is completed.
After you create an enhanced Internet NAT gateway, you can view it on the Internet NAT Gateway page.

Step 4: Associate an EIP with the NAT gateway

You can associate an EIP with the enhanced Internet NAT gateway. After you associate an EIP with the enhanced Internet NAT gateway, the EIP can be used in both SNAT and DNAT entries.

  1. Log on to the NAT Gateway console.
  2. On the Internet NAT Gateway page, find the enhanced Internet NAT gateway that you create in Step 3, and then choose What to do next > Bind Elastic IP Address in the Actions column.
  3. In the Associate EIP dialog box, set the following parameters and click OK:
    • Resource Group: Select the resource group to which the EIP belongs.
    • EIPs: Select the EIP that you want to associate with the enhanced Internet NAT gateway.
      • Select Existing EIPs: Select an existing EIP from the drop-down list.
      • Purchase EIPs: The system automatically creates an EIP that is billed on a pay-by-data-transfer basis and associates the EIP with the enhanced Internet NAT gateway.

      In this topic, Purchase EIPs is selected.

After you associate an EIP with the NAT gateway, you can view the EIP on the Internet NAT Gateway page.

Step 5: Create a DNAT entry

Enhanced Internet NAT gateways support the DNAT feature. The EIP associated with the enhanced Internet NAT gateway can be mapped to the internal-facing CLB instance. This way, the internal-facing CLB instance can provide services over the Internet.

  1. Log on to the NAT Gateway console.
  2. On the Internet NAT Gateway page, find the enhanced Internet NAT gateway that you create in Step 3, and then click Configure DNAT in the Actions column.
  3. In the DNAT Entry List section, click Create DNAT Entry.
  4. On the Create DNAT Entry page, set the following parameters and click OK.
    • Select Public IP Address: Select the EIP that is used to communicate with the Internet. In this topic, the EIP that is associated with the enhanced Internet NAT gateway in Step 4 is selected.
      Note In this topic, the same EIP is used in both the SNAT and DNAT entry.
    • Select Private IP Address: In this topic, Manual Input is selected and the private IP address of the CLB instance 192.168.24.206 is used.
    • Port Settings: Select a DNAT mapping method.
      • Any Port: specifies IP mapping. The requests destined for the EIP are forwarded to the selected ECS instance.
      • Specific Port: specifies port mapping. The enhanced Internet NAT gateway forwards requests to the specified ECS instance based on the specified protocol and ports.

      In this topic, Specific Port is selected, Public Port is set to 80, Private Port is set to 80, and Protocol Type is set to TCP.

    • Entry Name: Enter a name for the DNAT entry.

      The name must be 2 to 128 characters in length, and can contain digits, underscores (_), and hyphens (-). It must start with a letter.

After a DNAT entry is created, you can view the DNAT entry whose status is Available in the DNAT Entry List section.

Step 6: Create an SNAT entry

Enhanced Internet NAT gateways support the SNAT feature. This feature allows ECS instances that are not assigned public IP addresses in a VPC to access the Internet.

  1. Log on to the NAT Gateway console.
  2. On the Internet NAT Gateway page, find the enhanced Internet NAT gateway that you create in Step 3, and then click Configure SNAT in the Actions column.
  3. In the SNAT Entry List section, click Create SNAT Entry.
  4. On the Create SNAT Entry page, set the following parameters and click OK.
    • SNAT Entry: In this topic, Specify VPC is selected. In this case, all ECS instances in the VPC to which the enhanced Internet NAT gateway belongs use the SNAT entry to access the Internet.
    • Select Public IP Address: Select the EIP that is used to access the Internet. In this topic, Use One IP Address is selected, and the EIP associated with the enhanced Internet NAT gateway in Step 4 is selected.
      Note In this topic, the same EIP is used in both the SNAT and DNAT entry.
    • Entry Name: Enter a name for the SNAT entry.

      The name must be 2 to 128 characters in length, and can contain digits, underscores (_), and hyphens (-). It must start with a letter.

Step 7: Test the connectivity

After you create the SNAT and DNAT entries, you can test the network connectivity between the ECS instances and the Internet.

  1. Test whether the ECS instances can access the Internet.
    1. Log on to ECS 1. For more information, see Connection methods.
    2. Run the ping command to test the connectivity as shown in the following figure.
      The test result shows that ECS 1 can access the Internet.
      Note Refer to the preceding steps to test the connectivity between ECS 2 and the Internet.
    3. Run the curl myip.ipip.net command to check the public IP address that ECS 1 uses to access the Internet.
      The test result shows that the public IP address that ECS 1 uses to access the Internet is the same as the EIP specified in the SNAT entry. This means that ECS 1 uses the SNAT feature of the enhanced Internet NAT gateway to access the Internet.
  2. Test whether the services deployed on the ECS instances can be accessed over the Internet.
    1. Open a browser on a PC that can access the Internet.
    2. Enter the EIP associated with the enhanced Internet NAT gateway to access the services deployed on the ECS instances.
      The test result shows that services deployed on the ECS instances can be accessed over the Internet. This means that the ECS instances use the DNAT feature of the enhanced Internet NAT gateway to provide services over the Internet. In addition, the ECS instances use the EIP associated with the enhanced Internet NAT gateway to communicate with the Internet.
  3. Test whether the CLB instance can forward requests.
    1. Stop ECS 1. For more information, see Stop an instance.
    2. Open a browser on a PC that can access the Internet.
    3. Enter the EIP associated with the enhanced Internet NAT gateway to access the services deployed on the ECS instances.
      The test result shows that the services deployed on the ECS instances can be accessed over the Internet and the CLB instance can forward requests to ECS 2 when ECS 1 is down. This implements high availability.
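A scripted version of the three checks in this step, added here as an example and not part of the original topic. It assumes the EIP from Step 4 is supplied by the operator in EIP, and that the myip.ipip.net response contains the caller's public IPv4 address somewhere in its text (the exact wording is not assumed; the first dotted quad is extracted).

```shell
#!/bin/sh
# Added example for Step 7 (not from the original topic).
# Assumptions: $EIP holds the EIP associated with the NAT gateway in Step 4;
# the echo service reply contains the caller's public IPv4 address.

# extract_ipv4 TEXT -> prints the first IPv4 address found in TEXT (empty if none)
extract_ipv4() {
    printf '%s\n' "$1" | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' | head -n 1
}

# egress_matches EXPECTED_EIP RESPONSE -> exit 0 when the public address seen by
# the echo service equals the EIP in the SNAT entry, 1 otherwise
egress_matches() {
    seen=$(extract_ipv4 "$2")
    [ -n "$seen" ] && [ "$seen" = "$1" ]
}

# probe_dnat EIP PORT TRIES -> from a host outside the VPC, sends TRIES HTTP
# requests to the port mapped by the Specific Port DNAT entry (80 in this topic)
# and prints "successes/tries". Run it while ECS 1 is stopped to watch CLB keep
# answering via ECS 2.
probe_dnat() {
    ok=0; i=0
    while [ "$i" -lt "$3" ]; do
        if curl -s -o /dev/null --connect-timeout 3 --max-time 5 "http://$1:$2/"; then
            ok=$((ok + 1))
        fi
        i=$((i + 1)); sleep 1
    done
    printf '%s/%s\n' "$ok" "$3"
}

# Usage on ECS 1 (inside the VPC), checks the SNAT entry:
#   resp=$(curl -s myip.ipip.net)
#   egress_matches "$EIP" "$resp" && echo "SNAT OK: egress via $EIP" \
#       || echo "SNAT MISMATCH: $resp"
# Usage from a PC outside the VPC, checks the DNAT entry and CLB failover:
#   probe_dnat "$EIP" 80 10
```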