ENS: Create and manage DNAT entries

Last Updated: Mar 15, 2024

Edge NAT gateways support the DNAT feature. DNAT can map an elastic IP address (EIP) to the private IP address of an Edge Node Service (ENS) instance through port mapping. This way, the ENS instance can provide services over the Internet.

Usage notes

If your ENS instance is assigned a public IP address or associated with an EIP, we recommend that you do not create a DNAT entry for the ENS instance. Before you create a DNAT entry for the ENS instance, you must release the assigned public IP address or disassociate the EIP from the ENS instance.

Prerequisites

An edge NAT gateway is created and associated with an EIP. For more information, see Create and manage edge NAT gateways.

Create a DNAT entry

  1. Log on to the ENS console.

  2. In the left-side navigation pane, click NAT Gateway.

  3. On the NAT Gateway page, find the NAT gateway that you want to manage, and click Manage in the Actions column.

  4. On the DNAT tab, click Create DNAT Entry.

  5. On the Configure DNAT page, configure the parameters. The following table describes the parameters.

    | Parameter | Description |
    | --- | --- |
    | Entry Name | The name of the DNAT entry. |
    | Public IP Address | The public IP address that is used to access the Internet. You cannot use the same public IP address as the SNAT entry. |
    | ENS Instance | Select the ENS instance that uses the DNAT entry to provide Internet-facing services. You can only select an ENS instance from the drop-down list. |
    | Public Port | The external port or port range that is used in port forwarding. Valid values: 1 to 65535. To specify a port range, separate the first port and the last port with a forward slash (/), such as 10/20. |
    | Private Port | The private port or port range that is used in port forwarding. Note: The number of ports in the port ranges that are specified for Public Port and Private Port must be the same. |
    | Protocol | The protocol of the forwarding port. Valid values: TCP, UDP, and Any. |

  6. Click Create.
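
The parameter rules in the table above can be checked before an entry is submitted, so that a mistyped range does not expose more ports than intended. The following is an added example, not code from the ENS documentation or API: the function names, dictionary keys, addresses and instance ID are hypothetical, and it assumes the first port of a range must not exceed the last.

```python
# Added example: pre-flight validation of DNAT entry parameters.
# parse_ports, check_dnat_entry and the dictionary keys are hypothetical names.

VALID_PROTOCOLS = {"TCP", "UDP", "Any"}

def parse_ports(spec):
    """Parse '80' or '10/20' into an inclusive (first, last) tuple."""
    parts = spec.strip().split("/")
    if len(parts) not in (1, 2) or not all(p.isdecimal() for p in parts):
        raise ValueError(f"bad port spec {spec!r}: use N or FIRST/LAST")
    first, last = int(parts[0]), int(parts[-1])
    if not (1 <= first <= 65535 and 1 <= last <= 65535):
        raise ValueError(f"port outside 1-65535 in {spec!r}")
    if first > last:  # assumption: ranges are written low/high
        raise ValueError(f"first port exceeds last port in {spec!r}")
    return first, last

def check_dnat_entry(entry, snat_ips=(), instances_with_public_ip=()):
    """Return a list of problems; an empty list means the entry passes."""
    problems, ranges = [], {}
    for field in ("public_port", "private_port"):
        try:
            ranges[field] = parse_ports(entry[field])
        except ValueError as exc:
            problems.append(f"{field}: {exc}")
    if len(ranges) == 2:
        pub, priv = ranges["public_port"], ranges["private_port"]
        # Both ranges must contain the same number of ports.
        if pub[1] - pub[0] != priv[1] - priv[0]:
            problems.append("public and private port ranges differ in size")
    if entry["protocol"] not in VALID_PROTOCOLS:
        problems.append(f"protocol must be one of {sorted(VALID_PROTOCOLS)}")
    if entry["public_ip"] in snat_ips:
        problems.append("public IP is already used by an SNAT entry")
    if entry["instance"] in instances_with_public_ip:
        problems.append("instance still has a public IP or EIP attached")
    return problems

# Constructed sample data: documentation-range address, made-up instance ID.
SAMPLE = {"public_ip": "203.0.113.10", "instance": "i-example01",
          "public_port": "8000/8010", "private_port": "80/90",
          "protocol": "TCP"}

if __name__ == "__main__":
    print(check_dnat_entry(SAMPLE, snat_ips={"203.0.113.20"}))
```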

Delete a DNAT entry

If you no longer need to use an ENS instance to provide Internet-facing services, you can delete the DNAT entry that is created for the ENS instance.

  1. Log on to the ENS console.

  2. In the left-side navigation pane, click NAT Gateway.

  3. On the NAT Gateway page, find the NAT gateway that you want to manage, and click Manage in the Actions column.

  4. On the DNAT tab, find the DNAT entry that you want to delete and click Delete in the Actions column.

  5. In the message that appears, click OK.

FAQ

Why am I unable to find an existing EIP from the EIP list when I create a DNAT entry?

Before you create a DNAT entry, make sure that a NAT gateway is created and EIPs are associated with the NAT gateway.

Can I create DNAT entries for ENS instances that are assigned EIPs?

We recommend that you do not create DNAT entries for the ENS instances.

Before you can create DNAT entries for the ENS instances, you must disassociate the EIPs from the ENS instances.

Why can't an ENS instance specified in a DNAT entry be accessed over the Internet?

The issue may arise due to one of the following causes:

  • The rules of the security group to which the ENS instance is added do not allow Internet access to the private port specified in the DNAT entry. Check the security group rules. If they do not allow Internet access to that private port, add a rule that allows it.

  • The route table does not contain a custom route whose destination CIDR block is 0.0.0.0/0 and whose next hop is the NAT gateway.

    The ENS instance specified in the DNAT entry requires a route that points to the NAT gateway to return a response. If such a route does not exist in the system route table or a custom route table, add one.