This topic describes how to configure DNAT on an Internet NAT gateway. DNAT allows Elastic Compute Service (ECS) instances to provide Internet-facing services. The term "NAT gateway" in this topic refers to an Internet NAT gateway.

Scenarios

The following scenario is used as an example. A company has created an ECS instance on Alibaba Cloud and deployed applications on the ECS instance. The ECS instance is not assigned a static public IP address. In addition, no elastic IP address (EIP) is associated with the ECS instance. To meet business requirements, the company wants the applications to be accessible over the Internet.

You can use DNAT to map an EIP that is associated with the NAT gateway to the private IP address of the ECS instance. This way, the ECS instance can provide Internet-facing services.

Prerequisites

Make sure that the following requirements are met:
  • An Alibaba Cloud account is created. If you do not have an Alibaba Cloud account, create one.
  • A virtual private cloud (VPC) and a vSwitch are created. For more information, see Create an IPv4 VPC.
  • An ECS instance is created in the vSwitch. Applications are deployed on the ECS instance. For more information, see Create an instance by using the wizard.

Procedure

Step 1: Create a NAT gateway

  1. Log on to the NAT Gateway console.
  2. On the Public NAT Gateway page, click Create NAT Gateway.
  3. If this is the first time you purchase a NAT gateway, you must create a service-linked role for NAT Gateway. On the NAT Gateway (Pay-As-You-Go) page, click Create in the Notes on Creating Service-linked Roles section. After the service-linked role is created, you can purchase NAT gateways.
  4. On the NAT Gateway (Pay-As-You-Go) page, set the following parameters and click Buy Now.
    • Region: Select the region where you want to deploy the NAT gateway.
    • Zone: Select the zone where you want to deploy the NAT gateway.
    • VPC ID: Select the VPC where you want to deploy the NAT gateway. After the NAT gateway is created, you cannot change the VPC where the NAT gateway is deployed.
    • VSwitch ID: Select the vSwitch to which the NAT gateway is attached.
    • Gateway Type: By default, Enhanced is selected.
    • Billing Method: Select a billing method for the NAT gateway.

      Only Pay by Actual Usage is supported. For more information, see Pay-by-actual-usage.

    • Billing Cycle: By default, By Hour is selected. Bills are generated on an hourly basis. If you use a NAT gateway for less than one hour, the usage duration is rounded up to one hour.
  5. On the Confirm Order page, confirm the configuration of the NAT gateway, select the check box for Terms of Service, and then click Activate Now.
    When the message Order complete. appears, the purchase is completed.
After you create a NAT gateway, you can find the NAT gateway on the NAT Gateway page.

Step 2: Associate the NAT gateway with an EIP

A NAT gateway works as expected only after you associate an EIP with the NAT gateway. After you create a NAT gateway, you can associate an EIP with the NAT gateway.

  1. Log on to the NAT Gateway console.
  2. In the top navigation bar, select the region where you want to deploy the NAT gateway.
  3. On the Public NAT Gateway page, find the NAT gateway that you want to manage and click Associate Now in the Elastic IP Address column.
  4. In the Associate EIP dialog box, set the following parameters and click OK.
    • Resource Group: Select the resource group of the EIP.
    • EIPs: Select the EIP that you want to associate with the NAT gateway.

      Purchase EIPs is selected in this example. The system automatically creates a pay-by-data-transfer EIP and associates the EIP with the NAT gateway.

    After you associate an EIP with the NAT gateway, the EIP is displayed in the Elastic IP Address column.

Step 3: Create a DNAT entry

A DNAT entry maps an EIP of a NAT gateway to the private IP address of an ECS instance. Then, the ECS instance can provide Internet-facing services.

  1. Log on to the NAT Gateway console.
  2. In the top navigation bar, select the region where you want to deploy the NAT gateway.
  3. On the Public NAT Gateway page, find the NAT gateway that you want to manage and click Configure DNAT in the Actions column.
  4. On the DNAT Management tab, click Create DNAT Entry.
  5. On the Create DNAT Entry page, set the parameters that are described below and click Confirm.
    • Select Public IP Address: Select an EIP from the drop-down list. The EIP is used to communicate with the Internet.
      Note
      • For standard NAT gateways, you cannot specify an EIP in both an SNAT entry and a DNAT entry.
      • For enhanced NAT gateways, you can specify an EIP in both an SNAT entry and a DNAT entry.
    • Select Private IP Address: Select the ECS instance that uses the DNAT entry to communicate with the Internet. You can use one of the following methods to specify the private IP address of the ECS instance:
      • Select by ECS or ENI: Select the ECS instance or the elastic network interface (ENI) associated with the ECS instance from the drop-down list.
      • Manual Input: Enter the private IP address of the ECS instance.
    • Port Settings: Select a DNAT mapping method:
      • Any Port: specifies IP mapping. All requests destined for the EIP are forwarded to the specified ECS instance. The specified ECS instance can also use the EIP to access the Internet.
        Note
        • If IP mapping is configured for an EIP in a DNAT entry, the EIP cannot be used in another DNAT entry or SNAT entry.
        • If a NAT gateway is configured with both an SNAT entry and a DNAT entry that uses IP mapping, the ECS instance uses IP mapping rather than SNAT to communicate with the Internet.
      • Specific Port: specifies port mapping. The NAT gateway forwards requests to the specified ECS instance based on the specified protocol and ports.
        After you select Specific Port, set the following parameters based on your business requirements:
        • Public Port: the external port that is used in port forwarding.

          If SNAT entries are created for the EIP that you selected, and you want to specify a public port whose number is larger than 1024, click Remove Limits on Port Range. In the message that appears, click OK. This operation may close some SNAT connections, which must then be reestablished. Proceed with caution.

        • Private Port: the internal port that is used in port forwarding.
        • Protocol Type: the protocol used by the ports.
    • Entry Name: Enter a name for the DNAT entry.

      The name must be 2 to 128 characters in length, and can contain digits, underscores (_), and hyphens (-). It must start with a letter.
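The constraints in the parameter list above (EIP sharing between SNAT and DNAT entries, the exclusivity of IP mapping, the public-port limit on EIPs that also have SNAT entries, and the entry-name format) are easy to get wrong when several entries are planned at once. The following added example, which is not Alibaba Cloud's code and does not call its API, encodes those rules as a pre-flight check that can be run over a planned set of entries before they are created in the console. The dataclass names, the `gateway_type` strings, the accepted protocol values ("TCP", "UDP", "Any") and all IP addresses and ports in the sample are this example's own assumptions.

```python
"""Pre-flight validation of planned DNAT/SNAT entries for an Internet NAT gateway.

Added example: models the rules stated in the DNAT entry parameter description;
not Alibaba Cloud's code. Type names, gateway_type values and the protocol
list are assumptions made for this example.
"""
import re
from dataclasses import dataclass
from ipaddress import ip_address
from typing import List, Optional

# Entry name: 2-128 characters, letters/digits/'_'/'-', must start with a letter.
NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_-]{1,127}$")
PROTOCOLS = ("TCP", "UDP", "Any")  # assumed set of Protocol Type values


@dataclass
class SnatEntry:
    eip: str


@dataclass
class DnatEntry:
    name: str
    eip: str            # "Select Public IP Address"
    private_ip: str     # "Select Private IP Address" (Manual Input form)
    public_port: Optional[int] = None   # None selects "Any Port" (IP mapping)
    private_port: Optional[int] = None
    protocol: Optional[str] = None

    @property
    def ip_mapping(self) -> bool:
        return self.public_port is None


def _is_ip(text: str) -> bool:
    try:
        ip_address(text)
        return True
    except ValueError:
        return False


def validate(gateway_type: str, dnat: List[DnatEntry], snat: List[SnatEntry]) -> List[str]:
    """Return the list of rule violations; an empty list means the plan is consistent."""
    problems: List[str] = []
    snat_eips = {s.eip for s in snat}
    for d in dnat:
        tag = f"DNAT entry {d.name!r}"
        if not NAME_RE.match(d.name):
            problems.append(f"{tag}: name must be 2-128 chars of letters, digits, '_' or '-' "
                            "and start with a letter")
        for label, addr in (("EIP", d.eip), ("private IP", d.private_ip)):
            if not _is_ip(addr):
                problems.append(f"{tag}: {label} {addr!r} is not a valid IP address")
        # Standard gateways cannot use one EIP in both an SNAT and a DNAT entry.
        if gateway_type == "standard" and d.eip in snat_eips:
            problems.append(f"{tag}: standard gateway uses {d.eip} in both SNAT and DNAT")
        if d.ip_mapping:
            # IP mapping reserves the EIP: no other DNAT or SNAT entry may use it.
            shared = [o.name for o in dnat if o is not d and o.eip == d.eip]
            if shared:
                problems.append(f"{tag}: IP mapping reserves {d.eip}, also used by {shared}")
            if d.eip in snat_eips:
                problems.append(f"{tag}: IP mapping reserves {d.eip}, but an SNAT entry uses it")
        else:
            if d.private_port is None or d.protocol not in PROTOCOLS:
                problems.append(f"{tag}: port mapping needs a private port and a protocol")
            for label, port in (("public port", d.public_port), ("private port", d.private_port)):
                if port is not None and not 1 <= port <= 65535:
                    problems.append(f"{tag}: {label} {port} is out of range 1-65535")
            # Public ports above 1024 on an EIP with SNAT entries need "Remove Limits
            # on Port Range", which may close existing SNAT connections.
            if d.eip in snat_eips and d.public_port > 1024:
                problems.append(f"{tag}: public port {d.public_port} > 1024 on an EIP with SNAT "
                                "entries requires 'Remove Limits on Port Range'")
    return problems


if __name__ == "__main__":
    # Constructed sample plan: one SNAT entry and two DNAT entries on an enhanced gateway.
    snat_plan = [SnatEntry("203.0.113.10")]
    dnat_plan = [
        DnatEntry("web-80", "203.0.113.10", "10.0.0.5", 80, 80, "TCP"),
        DnatEntry("admin-8443", "203.0.113.10", "10.0.0.5", 8443, 443, "TCP"),
    ]
    for line in validate("enhanced", dnat_plan, snat_plan) or ["no problems found"]:
        print(line)
```

Run the check against the whole plan for a gateway whenever an entry is added or the gateway type changes; the second sample entry is flagged because its public port is above 1024 on an EIP that also has an SNAT entry, which is exactly the case where the console asks you to remove the port-range limit.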

Step 4: Test the network connectivity

After you create a DNAT entry, you can verify the network connectivity by using a computer to access an application that runs on the ECS instance.
Note: Make sure that the security group rules of the ECS instance allow the ECS instance to receive requests from the Internet. For more information, see Overview.
  1. Open a browser on a computer.
  2. Enter the EIP that is associated with the NAT gateway into the address bar of the browser and access an application that runs on the ECS instance.
    The test result shows that the ECS instance can receive requests from the Internet.
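A browser confirms that the mapped application answers, but it does not tell you whether anything else on the ECS instance became reachable through the EIP, for example because a security group rule is broader than the DNAT entry. The following added example, which is not part of the original page, probes the EIP over TCP from an external host: it checks that every port in the DNAT entry is reachable and that a set of ports you did not map is closed. The EIP, the port list and the `probe_exposure` function name are assumptions made for this example; run it from a machine outside the VPC against your own EIP.

```python
"""TCP reachability check for a DNAT-mapped EIP.

Added example, not Alibaba Cloud's code. It verifies the DNAT entry from the
outside and flags ports that are open without a corresponding entry.
"""
import socket
from typing import Dict, Iterable, List


def tcp_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """Return True if a TCP handshake to host:port completes within timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        return sock.connect_ex((host, port)) == 0


def probe_exposure(host: str, mapped_ports: Iterable[int], unmapped_ports: Iterable[int],
                   timeout: float = 3.0) -> Dict[int, bool]:
    """Probe every mapped and unmapped port once; returns {port: reachable}."""
    return {port: tcp_reachable(host, port, timeout)
            for port in sorted(set(mapped_ports) | set(unmapped_ports))}


def findings(results: Dict[int, bool], mapped_ports: Iterable[int]) -> List[str]:
    """Turn probe results into a list of deviations from the DNAT entry."""
    mapped = set(mapped_ports)
    out: List[str] = []
    for port, reachable in results.items():
        if port in mapped and not reachable:
            out.append(f"port {port} is mapped by DNAT but not reachable "
                       "(check the entry and the ECS security group)")
        if port not in mapped and reachable:
            out.append(f"port {port} is reachable without a DNAT entry (unexpected exposure)")
    return out


if __name__ == "__main__":
    # Constructed values: replace EIP and ports with those from your own DNAT entry.
    eip = "203.0.113.10"
    mapped = [80]
    unmapped = [22, 3389, 8080]
    results = probe_exposure(eip, mapped, unmapped)
    for line in findings(results, mapped) or ["exposure matches the DNAT entry"]:
        print(line)
```

The check is deliberately limited to the ports you list: it confirms the entry you created and the handful of ports you most want closed, rather than scanning the whole range, and its output feeds directly into the security group review mentioned in the note above.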