Internet NAT gateways provide public NAT services, and allow Elastic Compute Service (ECS) instances in a virtual private cloud (VPC) to access the Internet and receive requests from the Internet. This topic describes how to create and manage an Internet NAT gateway.

Background information

  • You can purchase an Internet NAT gateway in one of the following modes.
    • Standard mode: When you create an Internet NAT gateway, only the Internet NAT gateway is purchased. After you create the Internet NAT gateway, you must manually associate an elastic IP address (EIP) with the Internet NAT gateway and configure an SNAT entry. Procedure:
      1. Create an Internet NAT gateway.
      2. Create an EIP.
      3. Associate the EIP with the Internet NAT gateway.
      4. Create an SNAT entry.
    • Unified access mode: When you create an Internet NAT gateway, you can associate an EIP with the Internet NAT gateway. Then, the system automatically creates an SNAT entry by using the EIP. The unified access mode supports the following configuration methods:
      • You can purchase an Internet NAT gateway and an EIP on the buy page. After the Internet NAT gateway is created, the EIP is automatically associated with the Internet NAT gateway. The system uses the EIP to create an SNAT entry for the VPC to which the Internet NAT gateway belongs.
      • You can purchase an Internet NAT gateway and select an existing EIP that you want to associate with the Internet NAT gateway on the buy page. The system uses the EIP to create an SNAT entry for the VPC to which the Internet NAT gateway belongs.
      For more information, see Purchase a service bundle that consists of an SNAT-enabled Internet NAT gateway and an EIP for a VPC.
    In this topic, the Internet NAT gateway is created in standard mode.
  • After you create the first Internet NAT gateway in a VPC, a route is automatically added to the route table of the VPC. The destination CIDR block of the route is 0.0.0.0/0 and the next hop is the Internet NAT gateway. This ensures that traffic is routed to the Internet NAT gateway. Traffic destined for the Internet can reach the Internet NAT gateway only after the preceding route is added to the route table of the VPC. After you create an Internet NAT gateway, make sure that the VPC route table contains a 0.0.0.0/0 route whose next hop is the Internet NAT gateway. If the route does not exist, add the route. For more information, see Add and delete route entries.

    If the VPC route table already contains a 0.0.0.0/0 route before you create the Internet NAT gateway, the system does not add another 0.0.0.0/0 route whose next hop is the Internet NAT gateway to the VPC route table. In this case, you must change the next hop of the existing 0.0.0.0/0 route to the Internet NAT gateway after the Internet NAT gateway is created.
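The route check described above can be scripted against an export of the route table. The following is an added example, not part of the original topic or any Alibaba Cloud tooling; the dictionary layout, the IDs, and the function names are assumptions made for illustration. It reports whether the 0.0.0.0/0 route must be added, must have its next hop changed, or is already correct.

```python
import ipaddress

DEFAULT_V4 = ipaddress.ip_network("0.0.0.0/0")

# Constructed route table; the dict layout is an assumption for this example,
# not the VPC API schema.
SAMPLE_ROUTES = [
    {"cidr": "192.168.0.0/16", "next_hop_type": "local", "next_hop_id": ""},
    {"cidr": "0.0.0.0/0", "next_hop_type": "Instance", "next_hop_id": "i-example"},
]


def is_default_v4(cidr):
    """True for 0.0.0.0/0 in prefix or netmask notation, False otherwise."""
    try:
        return ipaddress.ip_network(cidr, strict=False) == DEFAULT_V4
    except ValueError:
        return False  # malformed CIDR strings never count as the default route


def default_route_action(routes, nat_gateway_id):
    """Return (action, current_next_hop_id) for the VPC route table.

    "add":             no 0.0.0.0/0 route exists, so one must be created.
    "change_next_hop": a 0.0.0.0/0 route existed before the gateway was
                       created and still points elsewhere, so Internet-bound
                       traffic does not pass through the NAT gateway.
    "ok":              the 0.0.0.0/0 route already targets the NAT gateway.
    """
    defaults = [r for r in routes if is_default_v4(r["cidr"])]
    if not defaults:
        return ("add", None)
    for route in defaults:
        if route["next_hop_id"] == nat_gateway_id:
            return ("ok", route["next_hop_id"])
    return ("change_next_hop", defaults[0]["next_hop_id"])


if __name__ == "__main__":
    print(default_route_action(SAMPLE_ROUTES, "ngw-example"))
```
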

Prerequisites

A VPC and a vSwitch are created. For more information, see Create an IPv4 VPC.

Create an Internet NAT gateway

  1. Log on to the NAT Gateway console.
  2. On the Internet NAT Gateway page, click Create NAT Gateway.
  3. When you create an Internet NAT gateway for the first time, click Create in the Notes on Creating Service-linked Roles section of the buy page to create a service-linked role. After the service-linked role is created, you can create NAT gateways.
    For more information, see Service-linked roles for NAT Gateway.
  4. On the buy page, set the following parameters and click Buy Now.
    Parameter Description
    Billing Method

    By default, Pay-As-You-Go is selected. You can pay for resources after you use them. For more information, see Billing of Internet NAT gateways.

    Region

    Select the region where you want to create the Internet NAT gateway.

    VPC

    Select the VPC for which you want to create the Internet NAT gateway. After the Internet NAT gateway is created, you cannot change the VPC to which the Internet NAT gateway belongs.

    Associate vSwitch

    Select the vSwitch to which the Internet NAT gateway belongs.

    Billing Method

    By default, Pay-By-CU is selected. You are charged based on the resources that you use. For more information, see Billing of Internet NAT gateways.

    Billing Cycle

    By default, By Hour is selected. Fees are calculated on an hourly basis. If you use an Internet NAT gateway for less than 1 hour, the usage duration is rounded up to 1 hour.

    Instance Name

    Enter a name for the Internet NAT gateway.

    The name must be 2 to 128 characters in length and can contain digits, underscores (_), and hyphens (-). The name must start with a letter.

    Access Mode

    Select whether to enable SNAT for the resources in the specified VPC. Supported options:

    • SNAT for All VPC Resources: After the Internet NAT gateway is created, all resources in the VPC can access the Internet by using the SNAT feature of the NAT gateway.

      If you select SNAT for All VPC Resources, you must also specify an EIP.

    • Configure Later: If you select this option, SNAT is disabled. You can configure SNAT on the Internet NAT gateway in the console after you complete the payment.

      If you select Configure Later, only the Internet NAT gateway is created. No SNAT entry is created.

    In this example, Configure Later is selected.
  5. On the Confirm page, confirm the information, select the Terms of Service check box, and then click Confirm.
    When the message Order complete. appears, the Internet NAT gateway is created.

Associate an EIP with an Internet NAT gateway

An Internet NAT gateway works as expected only after you associate an EIP with the Internet NAT gateway. You can associate up to 20 EIPs with an Internet NAT gateway. You can submit a ticket to request a quota increase. For more information, see Manage quotas. Before you associate an EIP with an Internet NAT gateway, make sure that an Internet NAT gateway is created.

  1. Log on to the NAT Gateway console.
  2. In the top navigation bar, select the region where the Internet NAT gateway is deployed.
  3. On the Internet NAT Gateway page, find the Internet NAT gateway that you want to manage and click Associate Now in the Elastic IP Address column.
  4. In the Associate EIP dialog box, set the following parameters and click OK.
    • Resource Group: Select the resource group of the EIP.
    • EIPs: Select the EIP that you want to associate with the Internet NAT gateway.
      • Select Existing EIPs: Select an existing EIP from the drop-down list.
      • Purchase EIPs: The system automatically creates an EIP that is billed on a pay-by-data-transfer basis and associates the EIP with the Internet NAT gateway.
    After you associate an EIP with the Internet NAT gateway, the EIP is displayed in the Elastic IP Address column.

Disassociate an EIP from an Internet NAT gateway

Make sure that the EIP to be disassociated is not used in an SNAT entry or a DNAT entry. If the EIP is used in an SNAT or a DNAT entry, delete the SNAT or DNAT entry first. For more information, see Delete an SNAT entry and Delete a DNAT entry.

  1. Log on to the NAT Gateway console.
  2. In the top navigation bar, select the region where the Internet NAT gateway is deployed.
  3. On the Internet NAT Gateway page, find the Internet NAT gateway that you want to manage and click the EIP in the Elastic IP Address column.
  4. On the Associated EIP tab, select the EIP that you want to disassociate from the Internet NAT gateway and click Disassociate in the Actions column.
    Note If you did not delete the SNAT and DNAT entries in which the EIP is specified, click Force Unbind NAT in the Actions column. In the message that appears, click OK. The system deletes the SNAT and DNAT entries in which the EIP is specified and then disassociates the EIP from the Internet NAT gateway.
  5. In the message that appears, click OK.

Delete an Internet NAT gateway

You can delete pay-as-you-go Internet NAT gateways, but you cannot delete existing subscription Internet NAT gateways. Before you delete an Internet NAT gateway, make sure that the following requirements are met:

  • No EIP is associated with the Internet NAT gateway. If an EIP is associated with the Internet NAT gateway, disassociate the EIP from the Internet NAT gateway. For more information, see Disassociate an EIP from an Internet NAT gateway.
  • The DNAT table does not contain DNAT entries. If the DNAT table contains DNAT entries, delete the DNAT entries. For more information, see Delete a DNAT entry.
  • The SNAT table does not contain SNAT entries. If the SNAT table contains SNAT entries, delete the SNAT entries. For more information, see Delete an SNAT entry.
  • Deletion Protection is in the Disabled state on the Basic Information tab of the Internet NAT gateway. If Deletion Protection is in the Enabled state, disable deletion protection.
  1. Log on to the NAT Gateway console.
  2. In the top navigation bar, select the region where the Internet NAT gateway is deployed.
  3. On the Internet NAT Gateway page, find the Internet NAT gateway that you want to delete and choose More > Delete in the Actions column.
  4. In the Delete Gateway message, click OK.
    If you want to forcefully delete an Internet NAT gateway and its resources, select Delete (Delete NAT gateway and resources) in the Delete Gateway dialog box. When you forcefully delete an Internet NAT gateway, the system automatically disassociates EIPs from the Internet NAT gateway and deletes SNAT entries and DNAT entries of the Internet NAT gateway.
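The prerequisites for disassociating an EIP and for deleting a gateway form a dependency order: SNAT and DNAT entries first, then EIPs, then the gateway. The following is an added example, not part of the original topic; the state dictionary, its field names, and all IDs and addresses are constructed for illustration and do not follow the NAT Gateway API schema. It lists what Force Unbind NAT would delete for a given EIP, which prerequisites block a normal delete, and the ordered manual steps that avoid a forced delete.

```python
# Constructed sample state; the layout is an assumption for this example.
GATEWAY = {
    "id": "ngw-example",
    "billing": "pay-as-you-go",
    "deletion_protection": True,
    "eips": ["203.0.113.10", "203.0.113.11"],
    "snat_entries": [{"id": "snat-1", "eips": ["203.0.113.10"]}],
    "dnat_entries": [{"id": "dnat-1", "eips": ["203.0.113.10"]},
                     {"id": "dnat-2", "eips": ["203.0.113.11"]}],
}


def entries_using_eip(gw, eip):
    """IDs of the SNAT/DNAT entries that Force Unbind NAT would delete."""
    return [e["id"] for kind in ("snat_entries", "dnat_entries")
            for e in gw[kind] if eip in e["eips"]]


def deletion_blockers(gw):
    """Unmet prerequisites for a normal (non-forced) delete."""
    blockers = []
    if gw["billing"] != "pay-as-you-go":
        blockers.append("subscription gateway cannot be deleted")
    if gw["eips"]:
        blockers.append("EIPs still associated: " + ", ".join(gw["eips"]))
    if gw["dnat_entries"]:
        blockers.append("DNAT table is not empty")
    if gw["snat_entries"]:
        blockers.append("SNAT table is not empty")
    if gw["deletion_protection"]:
        blockers.append("deletion protection is enabled")
    return blockers


def teardown_plan(gw):
    """Ordered manual steps; entries are removed before the EIPs they use."""
    if gw["billing"] != "pay-as-you-go":
        return []  # subscription gateways cannot be deleted
    steps = [("delete_snat_entry", e["id"]) for e in gw["snat_entries"]]
    steps += [("delete_dnat_entry", e["id"]) for e in gw["dnat_entries"]]
    steps += [("disassociate_eip", ip) for ip in gw["eips"]]
    if gw["deletion_protection"]:
        steps.append(("disable_deletion_protection", gw["id"]))
    steps.append(("delete_gateway", gw["id"]))
    return steps
```

Reviewing the output of `entries_using_eip` before a forced unbind shows exactly which forwarding entries will disappear along with the EIP.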

More

Add a tag to an Internet NAT gateway

It is difficult to manage a large number of Internet NAT gateways. To manage your Internet NAT gateways by group, you can add tags to the Internet NAT gateways. After you add tags, you can search and filter Internet NAT gateways by tag.

Tags are used to classify instances. Each tag consists of a key and a value. Take note of the following limits when you use tags:
  • The key of each tag that is added to an Internet NAT gateway must be unique.
  • You cannot create tags without adding them to Internet NAT gateways. All tags must be added to Internet NAT gateways.
  • Tag information is not shared across regions.

    For example, tags created in the China (Hangzhou) region are not displayed in the China (Shanghai) region.

  • You can modify the key and value of a tag or remove a tag from an Internet NAT gateway. If you delete an Internet NAT gateway, the tags that are added to the Internet NAT gateway are deleted.
  • You can add up to 20 tags to each Internet NAT gateway. You cannot increase the quota.
  1. Log on to the NAT Gateway console.
  2. In the top navigation bar, select the region where the Internet NAT gateway is deployed.
  3. On the Internet NAT Gateway page, find the Internet NAT gateway to which you want to add tags, move the pointer over the Tag icon in the Tags column, and then click Add.
  4. In the Configure Tags dialog box, specify the key and value based on the following table and click OK.
    • Tag Key: Specify a tag key. You can select or enter a tag key.

      The tag key cannot exceed 64 characters in length, and cannot start with aliyun or acs:. The tag key cannot contain http:// or https://.

    • Tag Value: Specify a tag value. You can select or enter a tag value.

      The tag value cannot exceed 128 characters in length, and cannot start with aliyun or acs:. The tag value cannot contain http:// or https://.

  5. Return to the Internet NAT Gateway page and click Filter by Tag. In the Filter by Tag dialog box, you can specify tag keys and tag values to filter Internet NAT gateways.

Modify an Internet NAT gateway

You can modify the name and description of an Internet NAT gateway.

  1. Log on to the NAT Gateway console.
  2. In the top navigation bar, select the region where the Internet NAT gateway is deployed.
  3. On the Internet NAT Gateway page, find the NAT gateway that you want to manage and click Manage in the Actions column.
  4. On the Basic Information tab, modify the name and description of the Internet NAT gateway.
    • Modify the name of the Internet NAT gateway

      Click Edit next to Instance Name. In the dialog box that appears, enter a name and click OK. The name must be 2 to 128 characters in length and can contain digits, underscores (_), and hyphens (-). The name must start with a letter.

    • Modify the description of the Internet NAT gateway

      Click Edit next to Description. In the dialog box that appears, enter a description for the Internet NAT gateway and click OK. The description must be 2 to 256 characters in length. The description cannot start with http:// or https://.
