The NAT Gateway and Virtual Private Cloud (VPC) APIs share the same endpoint. To call the NAT Gateway API, you must send HTTP GET requests to the endpoint of the NAT Gateway API. You must add the request parameters that correspond to the API operation being called. After you call the API operation, the system returns a response. The request and response are both encoded in UTF-8.

Request syntax

NAT Gateway API operations use the remote procedure call (RPC) protocol. You can call NAT Gateway API operations by sending HTTP GET requests.

Use the following request syntax:

  • Endpoint: the endpoint of the NAT Gateway API is
  • Action: the name of the operation being performed. For example, to create a NAT gateway, you must set the Action parameter to CreateNatGateway.
  • Version: the version of the API that you want to use. The current NAT Gateway API version is 2016-04-28.
  • Parameters: the request parameters for the operation. Separate multiple parameters with ampersands (&).

    Request parameters include both common parameters and operation-specific parameters. Common parameters include information such as the API version number and authentication information. For more information, see Common parameters.

The following example demonstrates how to call the CreateNatGateway operation to create a NAT gateway:

Note: The following code has been edited to improve readability.


To ensure the security of your account, we recommend that you call NAT Gateway API operations as a Resource Access Management (RAM) user. To call NAT Gateway API operations as a RAM user, you must create and attach permission policies to the RAM user.

For more information about the NAT Gateway resources and API operations that can be authorized to RAM users, see RAM authentication.


You must sign all API requests to ensure security. Alibaba Cloud uses the request signature to verify the identity of the API caller.

NAT Gateway uses symmetric-key authentication with an AccessKey pair to verify the identity of the request sender. An AccessKey pair is an identity credential issued to Alibaba Cloud accounts and RAM users, similar to a username and password. An AccessKey pair consists of an AccessKey ID and an AccessKey secret. The AccessKey ID identifies the user, while the AccessKey secret is the key used to compute and verify the signature string. You must keep your AccessKey secret confidential.

You must add the signature to the NAT Gateway API request in the following format:


CreateNatGateway is used as an example. Assume that the AccessKey ID is testid and the AccessKey secret is testsecret. The following sample code shows the URL of the request before the request is signed:

Perform the following operations to calculate the signature:
  1. Create a string-to-sign by using the request parameters:
  2. Calculate the HMAC value of the string-to-sign.

    Append an ampersand (&) to the AccessKey secret as the key to calculate the HMAC value. In this example, the key is testsecret&.

  3. Add the signature string to the request as the Signature parameter.
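
The three steps above, carried through in Python as an added example (not code from the original page or from Alibaba Cloud). It assumes the general Alibaba Cloud RPC signature conventions, which this page does not spell out: HMAC-SHA1 with Base64 output, RFC 3986 percent-encoding, and the common parameter names shown; all sample values other than Action, Version, testid and testsecret are constructed.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

# Constructed sample request. Action, Version and the testid/testsecret pair come
# from the page; every other name and value is an assumption for illustration.
SAMPLE_PARAMS = {
    "Action": "CreateNatGateway",
    "Version": "2016-04-28",
    "AccessKeyId": "testid",
    "Format": "JSON",
    "SignatureMethod": "HMAC-SHA1",
    "SignatureVersion": "1.0",
    "SignatureNonce": "constructed-nonce-0001",
    "Timestamp": "2024-01-01T00:00:00Z",
    "RegionId": "example-region",
    "VpcId": "vpc-constructed-example",
}

def percent_encode(value):
    # RFC 3986: only A-Z a-z 0-9 - _ . ~ stay literal ("/" -> %2F, " " -> %20).
    return quote(str(value), safe="-_.~")

def canonical_query(params):
    # Step 1a: sort by parameter name, encode names and values, join with "&".
    return "&".join(f"{percent_encode(k)}={percent_encode(v)}"
                    for k, v in sorted(params.items()))

def string_to_sign(method, params):
    # Step 1b: METHOD & encoded "/" & encoded canonical query string.
    return f"{method}&{percent_encode('/')}&{percent_encode(canonical_query(params))}"

def sign(method, params, access_key_secret):
    # Step 2: HMAC with the AccessKey secret plus "&" as the key (assumed SHA-1, Base64).
    if "Signature" in params:
        raise ValueError("Signature must not be among the signed parameters")
    key = (access_key_secret + "&").encode("utf-8")
    mac = hmac.new(key, string_to_sign(method, params).encode("utf-8"), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode("ascii")

def signed_query(method, params, access_key_secret):
    # Step 3: add the signature to the request as the Signature parameter.
    return canonical_query(dict(params, Signature=sign(method, params, access_key_secret)))

def verify(method, received, access_key_secret):
    # Receiver's view: recompute over everything except Signature, compare in constant time.
    params = dict(received)
    claimed = params.pop("Signature", "")
    return hmac.compare_digest(claimed, sign(method, params, access_key_secret))
```

Because every parameter is covered by the HMAC, changing any value after signing makes `verify` fail; the nonce and timestamp are what let a receiver reject a replayed copy of an otherwise valid request.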