NAT Gateway is a fully managed Alibaba Cloud service for network address translation. It hides private IP addresses to prevent direct exposure and enhance security.
Product types
An Internet NAT Gateway can be associated with an elastic IP address (EIP) to enable Internet access, while a VPC NAT Gateway cannot. A NAT Gateway only performs address translation — the VPC route table controls whether packets reach the gateway and where they go after translation.
Internet NAT gateway - Internet access
An Internet NAT Gateway translates private IPv4 addresses within a VPC to EIPs, enabling multiple instances to share EIPs for Internet access.
Enable servers to access the Internet: Use SNAT to let multiple ECS instances share EIPs for Internet access, reducing costs and improving security.
Share a NAT gateway for Internet access across multiple VPCs: Interconnect VPCs through VPC peering or Cloud Enterprise Network (CEN) to share a single Internet NAT Gateway for Internet access.
VPC NAT gateway - Private network access
A VPC NAT Gateway translates private IPv4 addresses within a VPC to a NAT IP, enabling communication between networks with overlapping addresses or access from a specified address.
Resolve private network conflicts: VPCs with overlapping CIDR blocks cannot connect directly. Use a VPC NAT Gateway to translate the conflicting private IP addresses.
Access from a specific address: In regulated industries such as finance and securities, use a VPC NAT Gateway to ensure cloud workloads access on-premises data centers from a fixed private IP address.
Performance and high availability
High availability
NAT Gateway offers two deployment modes: cross-zone and single-zone disaster recovery. Set Disaster Recovery when creating the gateway.
Single-zone disaster recovery is available in all regions that support NAT Gateway. To enable it, contact your account manager.
Cross-zone disaster recovery: NAT Gateway is deployed redundantly across zones and fails over automatically if a zone becomes unavailable. Best for instances distributed across multiple zones sharing a single NAT Gateway.
Single-zone disaster recovery: NAT Gateway is deployed within a single zone with high availability guaranteed within that zone. Best for workloads concentrated in one zone with a dedicated NAT Gateway.
| | Cross-zone disaster recovery (default) | Single-zone disaster recovery |
| --- | --- | --- |
| Deployment method | Deployed across a primary and secondary zone. Alibaba Cloud automatically selects the secondary zone. | Deployed within a single, user-specified zone with device-level redundancy. |
| Disaster recovery capability | Automatic failover if a zone fails. | High availability within the specified zone. |
| Costs | Baseline price | Instance fee is approximately 50% and capacity unit (CU) fee is approximately 80% of the cross-zone mode. |
| Use cases | Instances distributed across multiple zones sharing a single NAT Gateway for Internet access. | Workloads concentrated in one zone with a dedicated NAT Gateway. |
Automatic scaling
NAT Gateway performance scales automatically and varies by deployment mode. Key metrics:
| Deployment mode | Metric | Connection rate (CPS) | Throughput | Concurrent connections | Packet rate (PPS) |
| --- | --- | --- | --- | --- | --- |
| Cross-zone disaster recovery | Initial value | 20,000 | 5 Gbps | 500,000 | 800,000 |
| Cross-zone disaster recovery | Upper limit | 100,000 | 15 Gbps | 2,000,000 | 2,500,000 |
| Single-zone disaster recovery | Initial value | 20,000 | 10 Gbps | 500,000 | 800,000 |
| Single-zone disaster recovery | Upper limit | 100,000 | 20 Gbps | 2,000,000 | 2,500,000 |
Exceeding these limits may cause packet loss. To request higher limits, contact your account manager.
Factors such as packet size, connection type (persistent or short-lived), and network architecture affect actual performance. Run stress tests based on your workload characteristics and configure monitoring to ensure stable operations.