This topic describes how to purchase a service bundle that consists of an SNAT-enabled Internet NAT gateway and an elastic IP address (EIP) for a virtual private cloud (VPC). After you purchase the service bundle, the EIP is automatically associated with the Internet NAT gateway. The system uses the EIP to create an SNAT entry for the VPC where the Internet NAT gateway is deployed. This way, Elastic Compute Service (ECS) instances in the VPC can use the SNAT entry to access the Internet.

Prerequisites

  • A VPC and a vSwitch are created. For more information, see Create an IPv4 VPC.
  • Make sure that the VPC that you create meets the following requirements:
    • A custom route whose destination CIDR block is 0.0.0.0/0 does not exist in the VPC. If the custom route exists, delete it.
    • If you want to configure SNAT as a Resource Access Management (RAM) user, make sure that the RAM user is authorized to access the VPC. Otherwise, contact the Alibaba Cloud account owner to acquire the permissions.
  • An ECS instance is created in the VPC and the ECS instance is not assigned a static public IP address. For more information, see Create an instance by using the wizard.

Purchase an Internet NAT gateway and an EIP at the same time

  1. Log on to the NAT Gateway console.
  2. On the Internet NAT Gateway page, click Create NAT Gateway.
  3. When you create an Internet NAT gateway for the first time, click Create in the Notes on Creating Service-linked Roles section of the buy page to create a service-linked role. After the service-linked role is created, you can create NAT gateways.
    For more information, see Service-linked roles for NAT Gateway.
  4. On the buy page, set the following parameters and click Buy Now.
    Parameter Description
    Billing Method

    By default, Pay-As-You-Go is selected. You can pay for resources after you use them. For more information, see Billing of Internet NAT gateways.

    Region

    Select the region where you want to create the Internet NAT gateway.

    VPC

    Select the VPC for which you want to create the Internet NAT gateway. After the Internet NAT gateway is created, you cannot change the VPC to which the Internet NAT gateway belongs.

    Associate vSwitch

    Select the vSwitch to which the Internet NAT gateway belongs.

    Metering Method

    By default, Pay-By-CU is selected. You are charged based on the resources that you use. For more information, see Billing of Internet NAT gateways.

    Billing Cycle

    By default, By Hour is selected. Fees are calculated on an hourly basis. If you use an Internet NAT gateway for less than 1 hour, the usage duration is rounded up to 1 hour.

    Instance Name

    Enter a name for the Internet NAT gateway.

    The name must be 2 to 128 characters in length and can contain digits, underscores (_), and hyphens (-). The name must start with a letter.

    Access Mode

    Select whether to enable SNAT for the resources in the specified VPC. Supported options:

    • SNAT for All VPC Resources: After the Internet NAT gateway is created, all resources in the VPC can access the Internet by using the SNAT feature of the NAT gateway.

      If you select SNAT for All VPC Resources, you must also specify an EIP.

    • Configure Later: If you select this option, SNAT is disabled. You can configure SNAT on the Internet NAT gateway in the console after you complete the payment.

      If you select Configure Later, only the Internet NAT gateway is created. No SNAT entry is created.

    In this example, SNAT for All VPC Resources is selected.

    EIP

    Select an EIP to associate with the Internet NAT gateway. You can specify an EIP in one of the following ways:

    • Select EIP: Select an existing EIP from the EIP drop-down list.
    • Purchase EIP: Purchase a pay-as-you-go EIP in the region where the Internet NAT gateway is deployed.
      • Line Type: BGP(Multi-ISP) is selected by default.
      • Security Protection: By default, Default is selected, which specifies Anti-DDoS Origin Basic. Anti-DDoS Origin Basic can mitigate DDoS attacks at up to 5 Gbit/s.
      • Maximum Bandwidth: Specify the maximum bandwidth of the EIP.
      • Metering Method: Select a metering method for the EIP.
        • Pay-By-Data-Transfer: You are charged based on the amount of data transfer over the Internet per hour. For more information, see Pay-by-data-transfer.
        • Pay-By-Bandwidth: You are charged based on the specified maximum bandwidth per day, regardless of the actual usage. For more information, see Pay-by-bandwidth.
  5. Confirm the information and complete the payment.
    • To associate the Internet NAT gateway with an existing EIP, confirm the information on the Confirm page, select Terms of Service, and then click Activate Now.
    • To associate the Internet NAT gateway with a new EIP, confirm the information on the Confirm page, select Terms of Service, and then click Confirm to complete the payment.
    When the message Order complete. appears, the purchase is completed.

Verify the result

Check whether the Internet NAT gateway is created and associated with the EIP

  1. Log on to the NAT Gateway console.
  2. On the Internet NAT Gateway page, you can view the Internet NAT gateway that you purchased.
  3. The Elastic IP Address column displays the EIP that is associated with the Internet NAT gateway.
  4. Click the ID of the Internet NAT gateway on the Internet NAT Gateway page. On the Basic Information tab, you can view the route of the Internet NAT gateway in the VPC Routes that Point to the NAT Gateway section.
    The destination CIDR block of the route is 0.0.0.0/0, and the next hop of the route is the Internet NAT gateway.
  5. On the Basic Information tab, click the SNAT Management tab to view the SNAT entry that is created by the system.
    This SNAT entry is created by using the EIP that is associated with the Internet NAT gateway and is created for the VPC to which the Internet NAT gateway belongs. All ECS instances in the VPC can use the SNAT entry to access the Internet.

Check whether ECS instances in the VPC can use the SNAT entry to access the Internet

  1. Log on to an ECS instance in the VPC. For more information, see Connection methods.
  2. To test the network connectivity, run the ping command to ping a public IP address or a publicly accessible domain name.
    In this example, aliyun.com is used. The result indicates that the ECS instance can access the Internet.
  3. Run the curl myip.ipip.net command to query the public IP address that the ECS instance uses to access the Internet.
    The result shows that the public IP address that the ECS instance uses to access the Internet is the EIP specified in the SNAT entry. This indicates that the ECS instances in the VPC can use the SNAT entry created by the system to access the Internet.
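
The egress check in step 3 can be scripted so that a mismatch is reported instead of read by eye. The following is an added example, not part of the original documentation: the function names, the `--live` switch and the placeholder EIP 203.0.113.10 (a documentation-range address) are assumptions, and the parser does not depend on the exact wording of the myip.ipip.net response.

```shell
#!/bin/sh
# Added example: confirm that outbound traffic leaves through the NAT gateway's EIP.
# EXPECTED_EIP is a placeholder; replace it with the address shown in the
# Elastic IP Address column of the NAT Gateway console.
EXPECTED_EIP="${EXPECTED_EIP:-203.0.113.10}"

# Print the first valid dotted-quad IPv4 address found in the text passed as $1.
extract_ipv4() {
    printf '%s\n' "$1" |
        grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}' |
        while IFS=. read -r a b c d; do
            # Reject candidates with an octet above 255.
            if [ "$a" -le 255 ] && [ "$b" -le 255 ] &&
               [ "$c" -le 255 ] && [ "$d" -le 255 ]; then
                printf '%s.%s.%s.%s\n' "$a" "$b" "$c" "$d"
                break
            fi
        done
}

# Compare the address reported by the echo service ($1 = response body) with
# the expected EIP ($2).
# Returns 0 on match, 1 on mismatch, 2 if the response contains no address.
check_egress() {
    seen=$(extract_ipv4 "$1")
    if [ -z "$seen" ]; then
        echo "no IPv4 address in response" >&2
        return 2
    fi
    if [ "$seen" = "$2" ]; then
        echo "OK: egress address $seen is the NAT gateway EIP"
        return 0
    fi
    echo "MISMATCH: egress address $seen, expected $2" >&2
    return 1
}

# Live check, run on the ECS instance: sh check_egress.sh --live
if [ "${1:-}" = "--live" ]; then
    body=$(curl -s --max-time 10 myip.ipip.net) || body=""
    check_egress "$body" "$EXPECTED_EIP"
fi
```

A mismatch means the instance is reaching the Internet through an address other than the EIP in the SNAT entry, for example a public IP address assigned to the instance itself, which the prerequisites exclude.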