A VPC NAT gateway translates private IP addresses to resolve IP address conflicts and enable access from specified IP addresses.
Create and delete a VPC NAT gateway
Console
Create a VPC NAT gateway
Go to the NAT Gateway purchase page.
Billing Method: Pay-as-you-go.
Region: Select the region where you want to create the VPC NAT gateway.
Network and Zone: Select the VPC and vSwitch for the VPC NAT gateway.
On the Confirm Order page, confirm the configurations, agree to the terms of service, and then click Activate Now.
After the instance is created, you can view it on the VPC NAT Gateway page.
On the Basic Information tab, you can view information about the VPC NAT gateway, such as its associated VPC and vSwitch.
On the NAT IP Address tab, you can view the default NAT CIDR block and the default NAT IP address.
The default NAT CIDR block is the CIDR block of the vSwitch to which the VPC NAT gateway belongs. The default NAT IP address is an IP address that is randomly allocated by the system from the vSwitch CIDR block. You cannot delete the default NAT CIDR block or the default NAT IP address.
Delete a VPC NAT gateway
In the Actions column of the target VPC NAT gateway, click Delete.
Before you delete a VPC NAT gateway, you must delete its SNAT entries, DNAT entries, custom NAT IP addresses, and custom NAT CIDR blocks. Alternatively, you can force delete the instance. If you force delete the instance, the system deletes the VPC NAT gateway and all its related resources. Proceed with caution.
API
Call the CreateNatGateway operation to create a VPC NAT gateway.
Call the DeleteNatGateway operation to delete a VPC NAT gateway.
Configure NAT IPs and CIDR blocks
After you create a VPC NAT gateway, the system uses the CIDR block of the associated vSwitch as the default NAT CIDR block. You can create additional NAT CIDR blocks for the VPC NAT gateway to meet other requirements.
You can use NAT IP addresses to create SNAT or DNAT entries. The default NAT IP address is randomly allocated by the system from the vSwitch CIDR block. You can add more NAT IP addresses to a NAT CIDR block to increase the number of private IP addresses available for address translation.
Console
Create a NAT CIDR block
Go to the VPC NAT Gateway page. In the top menu bar, select the region of the VPC NAT gateway.
Click the ID of the target VPC NAT gateway to go to its details page. Click the NAT IP Address tab, and then click Create CIDR Block. The CIDR block must meet the following conditions:
We recommend that you use RFC 1918 private CIDR blocks, such as 10.0.0.0/16, 172.16.0.0/16, and 192.168.0.0/16, or their subnets. The supported subnet mask length is 16 to 32 bits. If you want to use a public CIDR block, you must use a user-defined CIDR block to ensure that the CIDR block is within the address range of the VPC. You can then use it as a NAT CIDR block.
The CIDR block cannot overlap with the private CIDR block of the VPC to which the VPC NAT gateway belongs. To translate a private IP address to another address within the VPC's private CIDR block, you must create a vSwitch in that private CIDR block. Then, create a new VPC NAT gateway in that vSwitch to provide the private address translation service.
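As an added example (not part of this documentation), the following Python checks a candidate NAT CIDR block against the two conditions above and flags blocks outside RFC 1918 space; the function name, return format and sample values are my own.

```python
import ipaddress

# RFC 1918 private ranges; the page recommends NAT CIDR blocks from these (or their subnets).
RFC1918_RANGES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def check_nat_cidr(nat_cidr: str, vpc_cidrs: list) -> dict:
    """Validate a candidate NAT CIDR block for a VPC NAT gateway (IPv4 only).

    nat_cidr  -- the block to be created, e.g. "10.20.0.0/16"
    vpc_cidrs -- the VPC's private CIDR block(s) that the NAT block must not overlap
    Returns {"ok": bool, "errors": [...], "warnings": [...]}.
    """
    errors, warnings = [], []
    try:
        # strict=True rejects host bits set in the network part, e.g. "10.0.0.1/16".
        net = ipaddress.ip_network(nat_cidr, strict=True)
    except ValueError as exc:
        return {"ok": False, "errors": [f"invalid CIDR block: {exc}"], "warnings": []}

    # Rule 1: the supported subnet mask length is 16 to 32 bits.
    if not 16 <= net.prefixlen <= 32:
        errors.append(f"prefix length /{net.prefixlen} is outside the supported range /16 to /32")

    # Rule 2: must not overlap the private CIDR block(s) of the VPC that owns the gateway.
    for vpc_cidr in vpc_cidrs:
        if net.overlaps(ipaddress.ip_network(vpc_cidr, strict=False)):
            errors.append(f"overlaps the VPC CIDR block {vpc_cidr}")

    # Recommendation (not a hard rule on the page): stay inside RFC 1918 space.
    if not any(net.subnet_of(private) for private in RFC1918_RANGES):
        warnings.append("not within an RFC 1918 private range; a public block must be user-defined")

    return {"ok": not errors, "errors": errors, "warnings": warnings}


if __name__ == "__main__":
    # Constructed sample: VPC 192.168.0.0/16 and three candidate NAT CIDR blocks.
    for candidate in ("10.20.0.0/16", "192.168.1.0/24", "10.0.0.0/8"):
        print(candidate, check_nat_cidr(candidate, ["192.168.0.0/16"]))
```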
Add a NAT IP address
Go to the VPC NAT Gateway page. In the top menu bar, select the region of the VPC NAT gateway.
Click the ID of the target VPC NAT gateway to go to its details page. Click the NAT IP Address tab, and then click Add NAT IP Address.
Select CIDR Block: Select an existing NAT CIDR block that belongs to the VPC NAT gateway, or create a new one.
Allocation Method: Select Randomly Allocate, or select Manually Allocate and specify an IP Address from the selected CIDR block.
Delete a NAT IP address
You cannot delete the default NAT IP address.
In the Actions column of the target NAT IP address, click Delete. Alternatively, select multiple NAT IP addresses and click Delete at the bottom of the page.
Delete a NAT CIDR block
You cannot delete the default NAT CIDR block.
Click the icon to the right of the target NAT CIDR block. Before you can delete a NAT CIDR block, you must first delete all NAT IP addresses in it.
API
Call the CreateNatIpCidr operation to create a NAT CIDR block.
Call the CreateNatIp operation to add a NAT IP address.
Call the DeleteNatIp operation to delete a NAT IP address.
Call the DeleteNatIpCidr operation to delete a NAT CIDR block.
Configure SNAT entries
You can create SNAT entries to allow resources in a VPC to access other VPCs or data centers using NAT IP addresses.
Console
Create an SNAT entry
Go to the VPC NAT Gateway page. In the top menu bar, select the region of the VPC NAT gateway.
In the Actions column of the target VPC NAT gateway, click SNAT, and then click Create SNAT Entry.
SNAT Entry: Select the granularity of the SNAT entry.
Specify VPC: All CIDR blocks in the VPC to which the VPC NAT gateway belongs can access external private networks using the configured SNAT rule.
Specify vSwitch: ECS instances in the specified vSwitch can access external private networks using the configured SNAT rule.
Select vSwitch: You can select an existing vSwitch from the drop-down list, or click Create vSwitch to go to the VPC console to create a vSwitch and then select it.
vSwitch CIDR Block: The CIDR block of the vSwitch is displayed.
Specify ECS Instance: The specified ECS instances can access external private networks using the configured SNAT rule.
Select ECS Instance: You can select an existing ECS instance from the drop-down list, or click Create ECS to go to the ECS console to create an ECS instance and then select it. If you select multiple ECS instances, multiple SNAT entries that use the same NAT IP address are created. Make sure that the ECS instances are in the Running state.
ECS CIDR Block: The CIDR block of the ECS instance is displayed.
Specify Custom CIDR Block: Enter a CIDR block. ECS instances in this CIDR block can access external private networks using the configured SNAT rule.
Select NAT IP Address: From the drop-down list, select one or more NAT IP addresses to access external private networks. You can also select Create NAT IP Address from the drop-down list to create a NAT IP address and then select it.
NAT IP Affinity: If you select multiple NAT IP addresses and do not enable affinity, connections from the same private IP address to a single destination IP address may be translated to different NAT IP addresses. If you enable affinity, the same NAT IP address is always used for that private IP address.
After the entry is created, you can click Edit in the Actions column of the target entry to modify the NAT IP address and NAT IP affinity.
Delete an SNAT entry
On the SNAT tab of the VPC NAT gateway details page, click Delete in the Actions column of the target SNAT entry.
API
Call the CreateSnatEntry operation to create an SNAT entry.
Call the DeleteSnatEntry operation to delete an SNAT entry.
Configure DNAT entries
You can create DNAT entries to map NAT IP addresses on the VPC NAT gateway to ECS instances within the VPC. This allows the ECS instances to provide services to external private networks.
Console
Create a DNAT entry
Go to the VPC NAT Gateway page. In the top menu bar, select the region of the VPC NAT gateway.
In the Actions column of the target VPC NAT gateway, click DNAT, and then click Create DNAT Entry.
Select NAT IP Address: Select the NAT IP address that external private networks will access. You can use the same NAT IP address for both a DNAT entry (port mapping) and an SNAT entry.
Select Private IP Address: Select the private IP address that will communicate using the DNAT rule. You can Select by ECS or ENI or Manually Enter.
Port Settings: Configure the DNAT mapping.
Any Port: This creates an IP mapping. Any request that accesses this NAT IP address is forwarded to the target ECS instance. The target ECS instance can also use this NAT IP address to proactively access external private networks.
A NAT IP address that is configured with IP mapping in a DNAT entry cannot be used by other DNAT or SNAT entries.
If a NAT gateway is configured with both a DNAT IP mapping and an SNAT entry, the ECS instance preferentially uses the NAT IP address from the DNAT IP mapping to access external private networks.
Specific Port: This creates a port mapping. The VPC NAT gateway forwards requests that access the NAT IP address with a specified protocol and port to a specified port of the target ECS instance. You must configure the Frontend Port (the port on the NAT IP address that is accessed by external private networks), the Backend Port (the port of the target ECS instance to be mapped), and the Protocol (the protocol of the forwarded port).
The port number must be between 1 and 65535.
If the selected NAT IP address already has an SNAT entry and you need to set a port number greater than 1024, you must select Remove Port Limits. This is because the default port range for SNAT is 1025 to 65535. Enabling this feature may cause transient connection interruptions for some existing SNAT connections. Service can be restored by reconnecting. Proceed with caution.
After the entry is created, you can click Edit in the Actions column of the target entry to modify the NAT IP address, private IP address, and port.
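As an added example (not part of this documentation), the following Python encodes the DNAT constraints above: the 1 to 65535 port range, the exclusivity of a NAT IP that carries an IP mapping, and the Remove Port Limits requirement when a port-mapping frontend port falls in the default SNAT range on a NAT IP that an SNAT entry already uses. The class and function names are my own, and treating IP-mapping exclusivity as symmetric (no IP mapping on a NAT IP already used by SNAT) is my reading of the text.

```python
from dataclasses import dataclass
from typing import List, Optional

# Default SNAT port range quoted on the page; a DNAT frontend port inside it
# collides with SNAT unless "Remove Port Limits" is selected.
SNAT_DEFAULT_PORTS = range(1025, 65536)


@dataclass
class NatIpUsage:
    """Constructed summary of what already exists on one NAT IP address."""
    has_ip_mapping: bool = False       # a DNAT entry with Port Settings = Any Port
    has_snat_entry: bool = False       # one or more SNAT entries use this NAT IP
    port_limits_removed: bool = False  # "Remove Port Limits" already enabled for it


def check_dnat_entry(usage: NatIpUsage, frontend_port: Optional[int], backend_port: Optional[int],
                     remove_port_limits: bool = False) -> List[str]:
    """Return the reasons a new DNAT entry on this NAT IP would be rejected.

    frontend_port=None and backend_port=None means an IP mapping (Any Port);
    otherwise a port mapping. An empty list means the entry is allowed.
    """
    problems = []
    # A NAT IP carrying an IP mapping is exclusive: no other DNAT or SNAT entry may use it.
    if usage.has_ip_mapping:
        problems.append("NAT IP already has an IP mapping, which excludes any other DNAT entry")
    if frontend_port is None:
        # Assumption: exclusivity is symmetric, so an IP mapping cannot be created
        # on a NAT IP that an SNAT entry already uses.
        if usage.has_snat_entry:
            problems.append("NAT IP is used by an SNAT entry, so it cannot become an IP mapping")
        return problems
    for name, port in (("frontend", frontend_port), ("backend", backend_port)):
        if port is None or not 1 <= port <= 65535:
            problems.append(f"{name} port {port} is not between 1 and 65535")
    if (usage.has_snat_entry and frontend_port in SNAT_DEFAULT_PORTS
            and not (remove_port_limits or usage.port_limits_removed)):
        problems.append("frontend port is in the SNAT range 1025-65535 on a NAT IP with an SNAT entry; "
                        "select Remove Port Limits (may interrupt existing SNAT connections)")
    return problems
```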
Delete a DNAT entry
On the DNAT tab of the VPC NAT gateway details page, click Delete in the Actions column of the target DNAT entry.
API
Call the CreateForwardEntry operation to create a DNAT entry.
Call the DeleteForwardEntry operation to delete a DNAT entry.
Configure routes
You can configure routes to manage network traffic as follows.
If the default NAT CIDR block is used to provide NAT services:
In the system route table of the VPC where the VPC NAT gateway resides, you must add a custom route entry. Set the destination CIDR block to the peer CIDR block and the next hop to the VPC NAT gateway.
Create a custom route table for the vSwitch where the VPC NAT gateway resides. In the custom route table, check whether a dynamic route entry to the peer CIDR block is learned, such as a dynamic route from CEN.
If the custom route table has learned a dynamic route entry to the peer CIDR block, you do not need to add a custom route entry to it, because the learned route already points to the peer network.
If no dynamic route entry to the peer CIDR block is learned, you must manually add a custom route entry. Set the destination CIDR block to the peer CIDR block and the next hop to the peer device, such as a virtual border router (VBR) or CEN.
If a custom NAT CIDR block is used to provide NAT services:
Add the following route entry to the system route table of the VPC to which the VPC NAT gateway belongs: Set the destination CIDR block to the custom NAT CIDR block. Set the next hop to the VPC NAT gateway.
Add the following route entry to the system route table of the VPC to which the VPC NAT gateway belongs: Set the destination CIDR block to the peer CIDR block. Set the next hop to the VPC NAT gateway.
Create a custom route table for the vSwitch where the VPC NAT gateway resides. Add a custom route entry that sets the destination CIDR block to the peer CIDR block and the next hop to the peer device, such as a router interface or transit router.
When you use a custom NAT CIDR block for communication between on-premises resources and other VPC resources on the cloud, you must use an Enterprise Edition transit router for networking.