To connect virtual private clouds (VPCs) that have overlapping CIDR blocks, you can add secondary CIDR blocks and create a VPC NAT Gateway. The gateway uses address translation to resolve IP address conflicts.
How it works
Reasons for IP address conflicts
IP address conflicts occur when ECS instances in VPCs with overlapping CIDR blocks try to communicate with each other:
If you set the destination CIDR block to the CIDR block of the peer VPC, traffic is first matched with a system route. The traffic is then forwarded within the local VPC and cannot reach the peer VPC.
If you set the destination CIDR block to the CIDR block of the peer vSwitch, you cannot create a custom route that is the same as or more specific than an existing system route.
NAT solution
Add secondary IPv4 CIDR blocks: Add a non-overlapping secondary CIDR block to each of the two VPCs to provide non-conflicting private IP addresses.
Translate addresses: Use a VPC NAT Gateway to translate the private IP addresses of ECS instances and resolve the IP address conflicts.
Enable VPC-to-VPC communication: Attach the VPCs to a transit router and configure custom route entries to ensure that traffic is correctly forwarded.
Example traffic path
A company plans to connect two existing VPCs in the China (Hangzhou) region, but their CIDR blocks overlap. To resolve this, the company uses a VPC NAT Gateway for address translation and configures routes to forward traffic to the gateway. Then, Cloud Enterprise Network (CEN) or a peering connection can be deployed to enable private network peering.
This example shows how ECS_A (private IP address: 192.168.0.86) accesses VPC_NATGW_B (private IP address: 10.0.0.53).
Based on the routes in the custom route table that is attached to the vSwitch of ECS_A, the packet is forwarded to the VPC NAT Gateway.
Based on the SNAT rule configured for VPC_NAT_A, the source IP address of the packet is translated to a NAT IP address (172.16.0.89).
Based on the routes in the system route table of VPC_A, the packet is forwarded to the transit router (TR). The TR then forwards the packet to VPC_B, where it reaches the VPC NAT Gateway.
Based on the DNAT rule configured for VPC_NAT_B, the destination address of the packet is translated to the IP address of ECS_B. The packet is then forwarded to ECS_B, enabling communication between the ECS instances.
When ECS_B sends a response packet, the address translation is reversed based on the session mapping table, and the packet is routed and delivered to ECS_A.
Procedure
This topic uses the scenario in the example traffic path.
Step 1: Configure secondary CIDR blocks
Add secondary CIDR blocks:
Go to the VPC console. In the top menu bar, select the region of the VPC.
Click the ID of the target VPC, click the CIDR block management tab, and then click Add Secondary IPv4 CIDR Block to add a secondary CIDR block to VPC_A and VPC_B.
Create vSwitches: Go to the Create vSwitch page.
Virtual Private Cloud: Select the VPC. You must create one vSwitch for VPC_A and another for VPC_B.
IPv4 CIDR Block: Select the secondary IPv4 CIDR block that you added.
Step 2: Configure the VPC NAT Gateway
Create a VPC NAT Gateway and configure SNAT and DNAT entries. This translates the private IP addresses of the ECS instances in each VPC to NAT IP addresses to resolve the address conflicts.
Create a VPC NAT Gateway: Go to the VPC NAT Gateway purchase page.
Region: Select the region where the VPC is deployed.
Network and Zone: Create one VPC NAT Gateway for VPC_A and another for VPC_B. For each gateway, select the vSwitch that you created from the secondary CIDR block.
Configure an SNAT entry: The VPC NAT Gateway translates the source IP address of a packet to a NAT IP address based on the configured SNAT rule.
Go to the VPC NAT Gateway list page. In the top menu bar, select the region of the VPC NAT Gateway.
In the Actions column of the target VPC NAT Gateway instance, click SNAT Management. Click Create SNAT Entry.
SNAT Entry Granularity: This topic uses VPC Granularity. You can change this as needed.
Select NAT IP Address: Select the private IP address of the VPC NAT Gateway.
Configure a DNAT entry: Based on the configured DNAT rule, the VPC NAT Gateway translates the destination address of a packet from the NAT IP address to the private IP address of the ECS instance.
Go to the VPC NAT Gateway list page. In the top menu bar, select the region of the VPC NAT Gateway.
In the Actions column of the target VPC NAT Gateway instance, click DNAT Management. Click Create DNAT Entry.
Select NAT IP Address: Select the private IP address of the VPC NAT Gateway.
Select Private IP Address: Select the ECS instance in the VPC that you want to enable communication for.
Port Settings: This topic uses the Secure Shell (SSH) service to verify the service interconnection. The SSH service uses the connection-oriented TCP protocol and port 22. Therefore, set both the frontend port and backend port of Specific Port to 22, and set Protocol Type to TCP.
Create DNAT entries as needed.
Step 3: Connect the VPCs
Create VPC connections:
See Regions and zones that support Transit Router.
This example shows how to connect VPCs that are in the same region and belong to the same account. For information about other scenarios, see Inter-region VPC-to-VPC connection or Cross-account VPC-to-VPC connection.
Go to the Cloud Enterprise Network console and click Create CEN Instance. Select Create CEN Instance Only and click OK.
After the instance is created, click .
In this example, the VPCs with conflicting CIDR blocks are in the same region. Therefore, you must create an intra-region connection. To connect VPCs in different regions, create an inter-region connection.
You can also click an existing CEN ID and, in the Basic Information tab, click under VPC to create an intra-region connection.
Instance Type: Select Virtual Private Cloud (VPC).
Region: Select the region where the VPC is deployed.
Resource Owner UID: Select the owner of the VPC. This topic uses My Account.
Network Instance: Select VPC_A.
vSwitch: To implement multi-zone disaster recovery, select at least two zones. You must include the vSwitch where the VPC NAT Gateway is located.
Advanced Configuration: Select all options.
After the connection is created, click Continue to Create Connection to create a VPC connection for VPC_B.
Configure routes:
A NAT Gateway only translates IP addresses. It does not determine the traffic path. The route tables of the VPC control whether traffic is sent to the NAT Gateway and where the traffic is forwarded after address translation.
Create a custom route table and attach a vSwitch:
Go to the Route Tables page. In the top menu bar, select the region of the VPC.
Click Create VSwitch.
Virtual Private Cloud: Create one route table for VPC_A and another for VPC_B.
Bound Object Type: Select vSwitch.
On the Route Tables page, find the custom route table that you created. In the Bind Resource column, click Bind Now to attach the vSwitch where the ECS instance is located.
Configure route entries: Click the ID of the target route table. On the Custom Route Entry tab, click Create Route Entry. Configure the destination CIDR block and the next hop.
Configure the routes as described in the following table to ensure that traffic is correctly forwarded.
Virtual Private Cloud   Route Table          Destination CIDR block   Next hop
VPC_A                   System route table   10.0.0.0/24              Transit Router
VPC_A                   Custom route table   10.0.0.0/24              VPC_NATGW_A
VPC_B                   System route table   172.16.0.0/24            Transit Router
VPC_B                   Custom route table   172.16.0.0/24            VPC_NATGW_B
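The following simulation is an added illustration, not Alibaba Cloud code, and it calls no API. It models the two points made earlier on this page, the route-table rule in "Reasons for IP address conflicts" (a custom route may not equal or be more specific than a system route) and the step-by-step "Example traffic path" (SNAT at VPC_NATGW_A, DNAT at VPC_NATGW_B, reverse translation from the session mapping table), using the four route entries from the table above. The addresses 192.168.0.86, 172.16.0.89 and 10.0.0.53 come from the page; the overlapping primary CIDR block 192.168.0.0/24, ECS_B's private IP address 192.168.0.53, the client source port 40000 and the transit router's own route entries are assumptions made for the example.

```python
"""Simulated trace: ECS_A -> VPC_NATGW_A -> Transit Router -> VPC_NATGW_B -> ECS_B
and back, plus the route-table rule behind the CIDR conflict.

Added illustration, not Alibaba Cloud code. Assumed (not on the page): both VPCs
use 192.168.0.0/24 as the overlapping primary CIDR block, ECS_B is 192.168.0.53,
the client source port is 40000, and the transit router's route entries."""
import ipaddress
from dataclasses import dataclass, replace

ECS_A_IP, ECS_B_IP = "192.168.0.86", "192.168.0.53"   # ECS_B address is assumed
NAT_IP_A, NAT_IP_B = "172.16.0.89", "10.0.0.53"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str = "TCP"


class RouteTable:
    """Longest-prefix-match table; add_custom enforces the page's system-route rule."""

    def __init__(self, name, system_routes=()):
        self.name = name
        self.routes = [(ipaddress.ip_network(c), nh, "system") for c, nh in system_routes]

    def add_custom(self, cidr, next_hop):
        net = ipaddress.ip_network(cidr)
        for dest, _, kind in self.routes:   # equal to or more specific than a system route?
            if kind == "system" and net.subnet_of(dest):
                raise ValueError(f"{self.name}: {cidr} conflicts with system route {dest}")
        self.routes.append((net, next_hop, "custom"))

    def lookup(self, ip):
        addr = ipaddress.ip_address(ip)
        hits = [(dest, nh) for dest, nh, _ in self.routes if addr in dest]
        return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None


class VpcNatGateway:
    """SNAT outbound, DNAT inbound, and session tables that reverse replies."""

    def __init__(self, name, nat_ip):
        self.name, self.nat_ip = name, nat_ip
        self.dnat_entries = {}   # (proto, frontend port) -> (private IP, backend port)
        self.snat_sessions = {}  # reply 4-tuple -> original (src IP, src port)
        self.dnat_sessions = {}  # reply 4-tuple -> original (dst IP, dst port)

    def add_dnat(self, proto, frontend_port, private_ip, backend_port):
        self.dnat_entries[(proto, frontend_port)] = (private_ip, backend_port)

    def snat(self, pkt):
        out = replace(pkt, src=self.nat_ip)                      # VPC-granularity SNAT
        self.snat_sessions[(out.dst, out.dport, out.src, out.sport)] = (pkt.src, pkt.sport)
        return out

    def dnat(self, pkt):
        target = self.dnat_entries.get((pkt.proto, pkt.dport))
        if pkt.dst != self.nat_ip or target is None:
            return None                                          # no DNAT entry: dropped
        out = replace(pkt, dst=target[0], dport=target[1])
        self.dnat_sessions[(out.dst, out.dport, out.src, out.sport)] = (pkt.dst, pkt.dport)
        return out

    def reverse(self, pkt):
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)          # reply flow as this gateway sees it
        if key in self.snat_sessions:                            # reply to a flow we SNAT'd
            return replace(pkt, dst=self.snat_sessions[key][0], dport=self.snat_sessions[key][1])
        if key in self.dnat_sessions:                            # reply from a flow we DNAT'd
            return replace(pkt, src=self.dnat_sessions[key][0], sport=self.dnat_sessions[key][1])
        return None


LOCALS_A = [("192.168.0.0/24", "local"), ("172.16.0.0/24", "local")]   # primary + secondary
LOCALS_B = [("192.168.0.0/24", "local"), ("10.0.0.0/24", "local")]
RT_A_SYSTEM, RT_A_CUSTOM = RouteTable("VPC_A system", LOCALS_A), RouteTable("VPC_A custom", LOCALS_A)
RT_B_SYSTEM, RT_B_CUSTOM = RouteTable("VPC_B system", LOCALS_B), RouteTable("VPC_B custom", LOCALS_B)
RT_A_SYSTEM.add_custom("10.0.0.0/24", "Transit Router")   # the four entries from the table above
RT_A_CUSTOM.add_custom("10.0.0.0/24", "VPC_NATGW_A")
RT_B_SYSTEM.add_custom("172.16.0.0/24", "Transit Router")
RT_B_CUSTOM.add_custom("172.16.0.0/24", "VPC_NATGW_B")
TRANSIT_ROUTER = RouteTable("Transit Router")             # its entries are assumed
TRANSIT_ROUTER.add_custom("10.0.0.0/24", "VPC_B")
TRANSIT_ROUTER.add_custom("172.16.0.0/24", "VPC_A")
NATGW_A, NATGW_B = VpcNatGateway("VPC_NATGW_A", NAT_IP_A), VpcNatGateway("VPC_NATGW_B", NAT_IP_B)
NATGW_B.add_dnat("TCP", 22, ECS_B_IP, 22)                 # the DNAT entry from Step 2


def overlap_route_is_rejected():
    """Why a plain route to the peer's 192.168.0.0/24 cannot be created in VPC_A."""
    try:
        RT_A_SYSTEM.add_custom("192.168.0.0/24", "Transit Router")
    except ValueError:
        return True
    return False


def trace(dport=22, sport=40000):
    """Return (next hops, packet as delivered to ECS_B, reply as delivered to ECS_A)."""
    pkt = Packet(ECS_A_IP, NAT_IP_B, sport, dport)
    hops = [RT_A_CUSTOM.lookup(pkt.dst)]                    # ECS_A's vSwitch -> VPC_NATGW_A
    pkt = NATGW_A.snat(pkt)                                 # src becomes 172.16.0.89
    hops += [RT_A_SYSTEM.lookup(pkt.dst), TRANSIT_ROUTER.lookup(pkt.dst)]
    delivered = NATGW_B.dnat(pkt)                           # dst becomes ECS_B, or dropped
    if delivered is None:
        return hops, None, None
    reply = Packet(delivered.dst, delivered.src, delivered.dport, delivered.sport)
    hops.append(RT_B_CUSTOM.lookup(reply.dst))              # ECS_B's vSwitch -> VPC_NATGW_B
    reply = NATGW_B.reverse(reply)                          # src back to 10.0.0.53
    hops += [RT_B_SYSTEM.lookup(reply.dst), TRANSIT_ROUTER.lookup(reply.dst)]
    return hops, delivered, NATGW_A.reverse(reply)          # dst back to 192.168.0.86
```

Two things the trace makes visible that the prose only implies. First, the packet ECS_B receives carries the source address 172.16.0.89, not 192.168.0.86, so the security group rule for port 22 on ECS_B has to allow the NAT IP address of VPC_NATGW_A; the same NAT IP address is what appears in ECS_B's SSH logs. Second, `trace(dport=23)` is dropped at VPC_NATGW_B because no DNAT entry exists for that port: only the ports you explicitly map in Step 2 are reachable from the peer VPC, which is why "Create DNAT entries as needed" should be read as creating one per exposed service and nothing more.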
Step 4: Verify the result
Log on to the ECS_A instance and run the following commands.
# Use the NAT IP address of the VPC_NATGW_B instance (10.0.0.53) to remotely log on to the ECS_B instance.
# Make sure that port 22 is allowed in the security group of the ECS_B instance.
ssh root@10.0.0.53
# View the IP address of the network interface controller (NIC).
ifconfig
You can see that the ECS_A instance uses the NAT IP address of VPC_NATGW_A (172.16.0.89) to access the NAT IP address of VPC_NATGW_B (10.0.0.53) and remotely log on to the ECS_B instance.

Billing
VPC NAT Gateway: You are charged instance fees and capacity unit (CU) fees.
Cloud Enterprise Network (CEN): For intra-region connections, you are charged connection fees and traffic processing fees. For inter-region connections, you are also charged cross-region bandwidth fees.