This topic describes how to configure DNAT on an Internet NAT gateway. DNAT allows Elastic Compute Service (ECS) instances to provide Internet-facing services.

Scenarios

The following scenario is used as an example. A company created an ECS instance on Alibaba Cloud and deployed applications on the ECS instance. The ECS instance is not assigned a static public IP address or associated with an elastic IP address (EIP). Due to business development, the company wants the ECS instance to provide Internet-facing services by using the DNAT feature of an Internet NAT gateway. Internet NAT gateways support IP mapping and port mapping.

Prerequisites

  • An Alibaba Cloud account is created. If you do not have an Alibaba Cloud account, create an Alibaba Cloud account.
  • A virtual private cloud (VPC) and a vSwitch are created. For more information, see Create an IPv4 VPC.
  • An ECS instance is created in the vSwitch. Applications are deployed on the ECS instance. For more information, see Create an instance by using the wizard.

    In this example, an application that uses Apache is deployed on the ECS instance.

  • Make sure that the security group rules of the ECS instance allow the ECS instance to receive requests from the Internet. In this example, make sure that the inbound rules of the security group of the ECS instance allow TCP access to port 80. For more information, see Add a security group rule.

Procedure

Step 1: Create an Internet NAT gateway

  1. Log on to the NAT Gateway console.
  2. On the Internet NAT Gateway page, click Create NAT Gateway.
  3. When you create an Internet NAT gateway for the first time, click Create in the Notes on Creating Service-linked Roles section of the buy page to create a service-linked role. After the service-linked role is created, you can create NAT gateways.
    For more information, see Service-linked roles for NAT Gateway.
  4. On the buy page, set the following parameters and click Buy Now.
    • Billing Method: By default, Pay-As-You-Go is selected. You can pay for resources after you use them. For more information, see Billing of Internet NAT gateways.
    • Region: Select the region where you want to create the Internet NAT gateway.
    • VPC: Select the VPC for which you want to create the Internet NAT gateway. After the Internet NAT gateway is created, you cannot change the VPC to which the Internet NAT gateway belongs.
    • Associate vSwitch: Select the vSwitch to which the Internet NAT gateway belongs.
    • Billing Method: By default, Pay-By-CU is selected. You are charged based on the resources that you use. For more information, see Billing of Internet NAT gateways.
    • Billing Cycle: By default, By Hour is selected. Fees are calculated on an hourly basis. If you use an Internet NAT gateway for less than 1 hour, the usage duration is rounded up to 1 hour.
    • Instance Name: Enter a name for the Internet NAT gateway. The name must be 2 to 128 characters in length and can contain digits, underscores (_), and hyphens (-). The name must start with a letter.
    • Access Mode: Select whether to enable SNAT for the resources in the specified VPC. Supported options:

      • SNAT for All VPC Resources: After the Internet NAT gateway is created, all resources in the VPC can access the Internet by using the SNAT feature of the NAT gateway. If you select SNAT for All VPC Resources, you must also specify an EIP.
      • Configure Later: If you select this option, SNAT is disabled. You can configure SNAT on the Internet NAT gateway in the console after you complete the payment. If you select Configure Later, only the Internet NAT gateway is created. No SNAT entry is created.

      In this example, Configure Later is selected.
  5. On the Confirm page, confirm the information, select the Terms of Service check box, and then click Confirm.
    When the message Order complete. appears, the Internet NAT gateway is created.
After you create an Internet NAT gateway, you can find the Internet NAT gateway on the Internet NAT Gateway page.

Step 2: Associate an EIP with the Internet NAT gateway

An Internet NAT gateway can run as expected only when it is associated with an EIP. After you create an Internet NAT gateway, you can associate EIPs with the Internet NAT gateway to meet your business requirements.

  1. Log on to the NAT Gateway console.
  2. In the top navigation bar, select the region where you want to create the NAT gateway.
  3. On the Internet NAT Gateway page, find the Internet NAT gateway that you want to manage and click Associate Now in the Elastic IP Address column.
  4. In the Associate EIP dialog box, set the following parameters and click OK.
    • Resource Group: Select the resource group of the EIP.
    • EIPs: Select the EIP that you want to associate with the Internet NAT gateway. In this example, Purchase and Associate EIP is selected. The system automatically creates a pay-by-data-transfer EIP and associates the EIP with the Internet NAT gateway.

After you associate an EIP with the Internet NAT gateway, the EIP is displayed in the Elastic IP Address column.

Step 3: Create a DNAT entry

You can create a DNAT entry that uses IP mapping or port mapping to enable an ECS instance to provide Internet-facing services.

  1. Log on to the NAT Gateway console.
  2. In the top navigation bar, select the region where you want to create the NAT gateway.
  3. On the Internet NAT Gateway page, find the NAT gateway that you want to manage and click Configure DNAT in the Actions column.
  4. On the DNAT Management tab, click Create DNAT Entry.
  5. On the Create DNAT Entry page, set the parameters that are described in the following table and click Confirm.
    • Select Public IP Address: Select an EIP. The EIP is used to communicate with the Internet. In this example, the EIP that is associated with the Internet NAT gateway is selected.

      Note: For Internet NAT gateways, you can specify an EIP in both an SNAT entry and a DNAT entry.
    • Select Private IP Address: Specify the IP address of the ECS instance that uses the DNAT entry to communicate with the Internet. In this example, Select by ECS or ENI is selected and the private IP address of the ECS instance is selected.
    • Port Settings: Select a DNAT mapping method. In this example, Specific Port is selected, which specifies port mapping. Set Public Port to 80, Private Port to 80, and Protocol Type to TCP.
    • Entry Name: Enter a name for the DNAT entry. The name must be 2 to 128 characters in length, and can contain digits, underscores (_), and hyphens (-). The name must start with a letter.
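
The following review script is an added example, not Alibaba Cloud code. It combines DNAT entries with the security group inbound rules from the prerequisites to list what is actually reachable from the Internet, and it goes beyond this page's single port-80 entry to cover IP mapping as well. The record layout, the `any` port value used to mark IP mapping, the VPC CIDR block, and all addresses are assumptions constructed for illustration.

```python
from ipaddress import ip_network

# Constructed sample data; field names and the "any" marker are assumptions.
VPC_CIDR = ip_network("192.168.0.0/16")
DNAT_ENTRIES = [
    {"name": "web-80", "public_ip": "203.0.113.10", "public_port": "80",
     "private_ip": "192.168.1.20", "private_port": "80", "protocol": "tcp"},
    {"name": "legacy-all", "public_ip": "203.0.113.11", "public_port": "any",
     "private_ip": "192.168.1.21", "private_port": "any", "protocol": "any"},
    {"name": "api-8080", "public_ip": "203.0.113.10", "public_port": "8080",
     "private_ip": "192.168.1.22", "private_port": "8080", "protocol": "tcp"},
]
# Inbound security group rules per private IP: (protocol, first, last, source)
SG_INBOUND = {
    "192.168.1.20": [("tcp", 80, 80, "0.0.0.0/0")],
    "192.168.1.21": [("tcp", 22, 22, "0.0.0.0/0"), ("tcp", 80, 80, "0.0.0.0/0")],
    "192.168.1.22": [("tcp", 8080, 8080, "192.168.0.0/16")],
}

def exposure(entries, sg_inbound):
    """Map (public_ip, protocol, public_port) to the DNAT entry publishing it."""
    exposed = {}
    for e in entries:
        ip_mapping = e["public_port"] == "any"
        for proto, first, last, source in sg_inbound.get(e["private_ip"], []):
            if ip_network(source).subnet_of(VPC_CIDR):
                continue  # rule admits VPC-internal sources only
            if ip_mapping:
                # IP mapping: every port the security group opens is published
                public_ports = range(first, last + 1)
            elif e["protocol"] == proto and first <= int(e["private_port"]) <= last:
                public_ports = [int(e["public_port"])]
            else:
                public_ports = []
            for port in public_ports:
                exposed[(e["public_ip"], proto, port)] = e["name"]
    return exposed

def review(entries, sg_inbound, approved):
    """Flag exposure outside `approved` and entries that publish nothing."""
    exposed = exposure(entries, sg_inbound)
    findings = [f"unapproved: {ip} {proto}/{port} via {name}"
                for (ip, proto, port), name in sorted(exposed.items())
                if (proto, port) not in approved]
    live = set(exposed.values())
    findings += [f"unreachable: {e['name']} has no Internet-facing security group rule"
                 for e in entries if e["name"] not in live]
    return findings
```

Calling `review(DNAT_ENTRIES, SG_INBOUND, {("tcp", 80)})` reports the SSH port published by the IP-mapping entry and the port-mapping entry whose security group rule admits no Internet source.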

Step 4: Test network connectivity

After you create a DNAT entry, you can test the network connectivity by using a computer to access the application that is deployed on the ECS instance.

  1. Open a browser on a computer.
  2. Enter http://<IP address of the EIP>:80 in the address bar of your browser to access the application that is deployed on the ECS instance.
    The test result shows that the computer can access the application that is deployed on the ECS instance.