Internet NAT gateways provide public NAT services, and allow Elastic Compute Service (ECS) instances in a virtual private cloud (VPC) to access the Internet and receive requests from the Internet. This topic describes how to create and manage an Internet NAT gateway.
Background information
- You can purchase an Internet NAT gateway in one of the following modes.
  Standard mode
  Description: When you create an Internet NAT gateway, only an Internet NAT gateway is purchased. After you create an Internet NAT gateway, you must manually associate an elastic IP address (EIP) with the Internet NAT gateway and configure an SNAT entry.
  Procedure:
  - Create an Internet NAT gateway.
  - Create an EIP.
  - Associate the EIP with the Internet NAT gateway.
  - Create an SNAT entry.
  Unified access mode
  Description: When you create an Internet NAT gateway, you can associate an EIP with the Internet NAT gateway. Then, the system automatically creates an SNAT entry by using the EIP. The unified access mode supports the following configuration methods:
  - You can purchase an Internet NAT gateway and an EIP on the buy page. After the Internet NAT gateway is created, the EIP is automatically associated with the Internet NAT gateway. The system uses the EIP to create an SNAT entry for the VPC to which the Internet NAT gateway belongs.
  - You can purchase an Internet NAT gateway and select an existing EIP that you want to associate with the Internet NAT gateway on the buy page. The system uses the EIP to create an SNAT entry for the VPC to which the Internet NAT gateway belongs.
- After you create the first Internet NAT gateway in a VPC, a route is automatically added to the route table of the VPC. The destination CIDR block of the route is 0.0.0.0/0 and the next hop is the Internet NAT gateway. This ensures that traffic is routed to the Internet NAT gateway. Traffic destined for the Internet can reach the Internet NAT gateway only after the preceding route is added to the route table of the VPC. After you create an Internet NAT gateway, make sure that the VPC route table contains a 0.0.0.0/0 route whose next hop is the Internet NAT gateway. If the route does not exist, add the route. For more information, see Add and delete route entries.
If the VPC route table already contains a 0.0.0.0/0 route before you create the Internet NAT gateway, the system does not add another 0.0.0.0/0 route whose next hop is the Internet NAT gateway to the VPC route table. In this case, you must change the next hop of the existing 0.0.0.0/0 route to the Internet NAT gateway after the Internet NAT gateway is created.
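The route check described above can be expressed as a small audit function. This is an added example, not code from the product documentation; the route-entry field names, the `NatGateway` type label, and all IDs are constructed for illustration.

```python
import ipaddress

DEFAULT_V4 = ipaddress.ip_network("0.0.0.0/0")

def audit_default_route(route_entries, nat_gateway_id):
    """Classify the 0.0.0.0/0 route of one VPC route table.

    Returns (status, action): "ok", "missing" (route must be added), or
    "wrong_next_hop" (a default route existed before the gateway was
    created, so its next hop must be changed by hand).
    """
    defaults = [
        r for r in route_entries
        if ipaddress.ip_network(r["destination"], strict=False) == DEFAULT_V4
    ]
    if not defaults:
        return ("missing", f"add 0.0.0.0/0 with next hop {nat_gateway_id}")
    route = defaults[0]
    if route["next_hop_type"] == "NatGateway" and route["next_hop_id"] == nat_gateway_id:
        return ("ok", "none")
    return (
        "wrong_next_hop",
        f"change next hop of 0.0.0.0/0 from {route['next_hop_id']} to {nat_gateway_id}",
    )

# Constructed sample route tables (hypothetical field names and IDs).
LOCAL = {"destination": "192.168.0.0/16", "next_hop_type": "local", "next_hop_id": "-"}
TABLE_NO_DEFAULT = [LOCAL]
TABLE_OK = [LOCAL, {"destination": "0.0.0.0/0", "next_hop_type": "NatGateway",
                    "next_hop_id": "ngw-example"}]
TABLE_STALE = [LOCAL, {"destination": "0.0.0.0/0", "next_hop_type": "Instance",
                       "next_hop_id": "i-example"}]

if __name__ == "__main__":
    for name, table in [("no default", TABLE_NO_DEFAULT), ("ok", TABLE_OK),
                        ("stale", TABLE_STALE)]:
        print(name, audit_default_route(table, "ngw-example"))
```

The `wrong_next_hop` result is the case worth alerting on: outbound traffic is leaving the VPC through a path other than the Internet NAT gateway.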
Prerequisites
A VPC and a vSwitch are created. For more information, see Create an IPv4 VPC.
Create an Internet NAT gateway
Associate an EIP with an Internet NAT gateway
An Internet NAT gateway works as expected only after you associate an EIP with the Internet NAT gateway. You can associate up to 20 EIPs with an Internet NAT gateway. You can submit a ticket to request a quota increase. For more information, see Manage quotas. Before you associate an EIP with an Internet NAT gateway, make sure that an Internet NAT gateway is created.
Disassociate an EIP from an Internet NAT gateway
Make sure that the EIP to be disassociated is not used in an SNAT entry or a DNAT entry. If the EIP is used in an SNAT or a DNAT entry, delete the SNAT or DNAT entry first. For more information, see Delete an SNAT entry and Delete a DNAT entry.
Delete an Internet NAT gateway
You can delete pay-as-you-go Internet NAT gateways, but you cannot delete existing subscription Internet NAT gateways. Before you delete an Internet NAT gateway, make sure that the following requirements are met:
- No EIP is associated with the Internet NAT gateway. If an EIP is associated with the Internet NAT gateway, disassociate the EIP from the Internet NAT gateway. For more information, see Disassociate an EIP from an Internet NAT gateway.
- The DNAT table does not contain DNAT entries. If the DNAT table contains DNAT entries, delete the DNAT entries. For more information, see Delete a DNAT entry.
- The SNAT table does not contain SNAT entries. If the SNAT table contains SNAT entries, delete the SNAT entries. For more information, see Delete an SNAT entry.
- Deletion Protection is in the Disabled state on the Basic Information tab of the Internet NAT gateway. If Deletion Protection is in the Enabled state, disable deletion protection.
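The disassociation and deletion prerequisites above imply a fixed teardown order, sketched below as an added example that is not part of the original documentation. The inventory structure, field names, and IDs are constructed; only the operation names UnassociateEipAddress and DeleteNatGateway come from this page.

```python
def blocking_entries(gw, eip):
    """IDs of SNAT/DNAT entries that must be deleted before `eip` can be disassociated."""
    entries = gw["snat_entries"] + gw["dnat_entries"]
    return [e["id"] for e in entries if e["eip"] == eip]

def teardown_plan(gw):
    """Ordered steps that satisfy every prerequisite for deleting the gateway."""
    if gw["billing"] == "subscription":
        raise ValueError("existing subscription Internet NAT gateways cannot be deleted")
    steps = []
    # SNAT and DNAT tables must be empty, and entries also block EIP disassociation.
    for entry in gw["snat_entries"]:
        steps.append(f"delete SNAT entry {entry['id']} (uses {entry['eip']})")
    for entry in gw["dnat_entries"]:
        steps.append(f"delete DNAT entry {entry['id']} (uses {entry['eip']})")
    # Only now can each EIP be disassociated.
    for eip in gw["eips"]:
        steps.append(f"UnassociateEipAddress {eip}")
    if gw["deletion_protection"]:
        steps.append("disable Deletion Protection")
    steps.append(f"DeleteNatGateway {gw['id']}")
    return steps

# Constructed sample inventory (hypothetical IDs, documentation-range addresses).
SAMPLE_GW = {
    "id": "ngw-example",
    "billing": "pay-as-you-go",
    "deletion_protection": True,
    "eips": ["203.0.113.10", "203.0.113.11"],
    "snat_entries": [{"id": "snat-1", "eip": "203.0.113.10"}],
    "dnat_entries": [{"id": "fwd-1", "eip": "203.0.113.11"}],
}

if __name__ == "__main__":
    for number, step in enumerate(teardown_plan(SAMPLE_GW), start=1):
        print(number, step)
```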
More
Add a tag to an Internet NAT gateway
It is difficult to manage a large number of Internet NAT gateways. To manage your Internet NAT gateways by group, you can add tags to the Internet NAT gateways. After you add tags, you can search and filter Internet NAT gateways by tag.
- The key of each tag that is added to an Internet NAT gateway must be unique.
- You cannot create tags without adding them to Internet NAT gateways. All tags must be added to Internet NAT gateways.
- Tag information is not shared across regions.
For example, tags created in the China (Hangzhou) region are not displayed in the China (Shanghai) region.
- You can modify the key and value of a tag or remove a tag from an Internet NAT gateway. If you delete an Internet NAT gateway, the tags that are added to the Internet NAT gateway are deleted.
- You can add up to 20 tags to each Internet NAT gateway. You cannot increase the quota.
Modify an Internet NAT gateway
You can modify the name and description of an Internet NAT gateway.
References
- Create and manage SNAT entries
- Create and manage DNAT entries
- CreateNatGateway: creates an Internet NAT gateway.
- AssociateEipAddress: associates an EIP with an Internet NAT gateway.
- UnassociateEipAddress: disassociates an EIP from an Internet NAT gateway.
- TagResources: adds tags to specified Internet NAT gateways.
- ModifyNatGatewayAttribute: modifies the basic information about an Internet NAT gateway.
- DeleteNatGateway: deletes an Internet NAT gateway.