Internet NAT gateways provide the Source Network Address Translation (SNAT) feature. SNAT enables Elastic Compute Service (ECS) instances that reside inside virtual private clouds (VPCs) to access the Internet. This topic describes how to create and manage an Internet NAT gateway.

Background information

  • You can purchase an Internet NAT gateway in one of the following modes.
    Mode Description Procedure
    Standard mode When you create an Internet gateway, only an Internet gateway is purchased. After you create an Internet NAT gateway, you must associate an elastic IP address (EIP) with the gateway and configure an SNAT entry.
    1. Create an Internet NAT gateway. For more information, see the "Step 1: Create an Internet NAT gateway" section in the Use the SNAT feature of an Internet NAT gateway to access the Internet topic.
    2. Create an EIP. For more information, see Apply for an EIP.
    3. Associate the EIP with the Internet NAT gateway. For more information, see the "Step 2: Associate an EIP with the Internet NAT gateway" section in the Use the SNAT feature of an Internet NAT gateway to access the Internet topic.
    4. Create an SNAT entry. For more information, see the "Step 3: Create an SNAT entry" section in the Use the SNAT feature of an Internet NAT gateway to access the Internet topic.
    Unified access mode When you create an Internet NAT gateway, you can associate an EIP with the Internet NAT gateway. Then, the system automatically creates an SNAT entry by using the EIP. The unified access mode supports the following configuration methods:
    • You can purchase an Internet NAT gateway and an EIP on the buy page. After the Internet NAT gateway is created, the EIP is automatically associated with the Internet NAT gateway.
    • You can purchase an Internet NAT gateway and select an existing EIP that you want to associate with the Internet NAT gateway on the buy page.
    For more information, see Purchase a service bundle that consists of an SNAT-enabled Internet NAT gateway and an EIP for a VPC.
    In this topic, the Internet NAT gateway is created in the standard mode.
  • The first time an Internet NAT gateway is created in a VPC, a route is automatically added to the route table of the VPC. The destination CIDR block of the route is 0.0.0.0/0 and the next hop is the Internet NAT gateway. This ensures that all traffic is routed through the Internet NAT gateway. Traffic destined for the Internet can reach the Internet NAT gateway only after the preceding route is added to the route table of the VPC. After you create an Internet NAT gateway, make sure that the VPC route table contains a 0.0.0.0/0 route whose next hop is the Internet NAT gateway. If the route does not exist, add the route. For more information, see Add and delete routes.

    If the VPC route table already contains a 0.0.0.0/0 route before you create the Internet NAT gateway, the system does not add another 0.0.0.0/0 route whose next hop is the Internet NAT gateway to the VPC route table. In this case, you must change the next hop of the existing 0.0.0.0/0 route to the Internet NAT gateway after the Internet NAT gateway is created.

Prerequisites

A VPC and a vSwitch are created. For more information, see Create a VPC with an IPv4 CIDR block.

Create an Internet NAT gateway

  1. Log on to the NAT Gateway console.
  2. On the Internet NAT Gateway page, click Create NAT Gateway.
  3. If this is the first time you create a NAT gateway, you must create a service-linked role. In the Create Service-Linked Role section of the Internet NAT Gateway page, click Create Service-Linked Role. After the service-linked role is created, you can create NAT gateways.
  4. On the Confirm page, confirm the information, select the Terms of Service check box, and then click Confirm.
    When the message Order complete. appears, the Internet NAT gateway is created.

Associate an EIP with an Internet NAT gateway

Note Starting September 19, 2022, if you associate an EIP with a newly created Internet NAT gateway, a random private IP address of the vSwitch where the NAT gateway resides is used. Make sure that the vSwitch has sufficient private IP addresses available for use. Otherwise, you cannot associate an EIP with the NAT gateway. Existing NAT gateways are not affected.

An Internet NAT gateway works as expected only after you associate it with an EIP. You can associate up to 20 EIPs with an Internet NAT gateway. You can go to the Quota Management page to request a quota increase. Before you associate an EIP with an Internet NAT gateway, make sure that an Internet NAT gateway is created.

  1. Log on to the NAT Gateway console.
  2. In the top navigation bar, select the region where you want to create the NAT gateway.
  3. On the Internet NAT Gateway page, find the Internet NAT gateway that you want to manage and click Associate Now in the Elastic IP Address column.
  4. In the Associate EIP dialog box, set the following parameters and click OK.
    Parameter Description
    Resource Group Select the resource group of the EIP.
    Select EIP Select the EIP that you want to associate with the Internet NAT gateway. Valid values:
    • Select Existing EIP: selects an existing EIP from the drop-down list.
    • Purchase and Associate EIP: The system automatically creates an EIP that is billed on a pay-by-data-transfer basis and associates the EIP with the Internet NAT gateway.
    After you associate an EIP with the Internet NAT gateway, the EIP is displayed in the Elastic IP Address column.

Disassociate an EIP from an Internet NAT gateway

Make sure that the EIP to be disassociated is not used in any SNAT entry or DNAT entry. If the EIP is used in an SNAT or DNAT entry, delete the SNAT or DNAT entry first. For more information, see Delete an SNAT entry and Delete a DNAT entry.

  1. Log on to the NAT Gateway console.
  2. In the top navigation bar, select the region where you want to create the NAT gateway.
  3. On the Internet NAT Gateway page, find the Internet NAT gateway that you want to manage and click the EIP in the Elastic IP Address column.
  4. On the Associated EIP tab, select the EIP that you want to disassociate from the Internet NAT gateway and click Disassociate in the Actions column.
    Note If you did not delete the SNAT and DNAT entries in which the EIP is specified, click Force Unbind NAT in the Actions column. In the message that appears, click OK. The system deletes the SNAT and DNAT entries in which the EIP is specified and then disassociates the EIP from the Internet NAT gateway.
  5. In the message that appears, click OK.

Delete an Internet NAT gateway

You can delete pay-as-you-go Internet NAT gateways, but you cannot delete existing subscription Internet NAT gateways. Before you delete an Internet NAT gateway, make sure that the following requirements are met:

  • No EIPs are associated with the Internet NAT gateway. If an EIP is associated with the Internet NAT gateway, disassociate the EIP from the Internet NAT gateway. For more information, see Disassociate an EIP from an Internet NAT gateway.
  • The DNAT table does not contain DNAT entries. If the DNAT table contains DNAT entries, delete the DNAT entries. For more information, see Delete a DNAT entry.
  • The SNAT table does not contain SNAT entries. If the SNAT table contains SNAT entries, delete the SNAT entries. For more information, see Delete an SNAT entry.
  • By default, Deletion Protection is in the Disabled state on the Basic Information tab of the Internet NAT gateway. If Deletion Protection is in the Enabled state, disable deletion protection.
  1. Log on to the NAT Gateway console.
  2. In the top navigation bar, select the region where you want to create the NAT gateway.
  3. On the Internet NAT Gateway page, find the Internet NAT gateway that you want to delete and choose Related operations > Delete in the Actions column.
  4. In the Delete Gateway message, click OK.
    If you want to forcefully delete an Internet NAT gateway and its resources, select Delete (Delete NAT gateway and resources) in the Delete Gateway dialog box. When you forcefully delete an Internet NAT gateway, the system automatically disassociates EIPs from the Internet NAT gateway and deletes SNAT entries and DNAT entries of the Internet NAT gateway.

Change the mode of an Internet NAT gateway

If the Internet NAT gateway that you created is not compatible with IPv4 gateways, you can change the mode of the Internet NAT gateway to upgrade it to an Internet NAT gateway that is compatible with IPv4 gateways.

The Internet NAT gateway upgrade feature is not available by default. If you want to use the feature, submit a ticket.

Note
  • During the upgrade process, services may be interrupted for several seconds.
  • Internet NAT gateways that are compatible with IPv4 gateways cannot be changed to Internet NAT gateways that are not compatible with IPv4 gateways.
  1. Log on to the NAT Gateway console.
  2. In the top navigation bar, select the region where you want to create the NAT gateway.
  3. On the Internet NAT Gateway page, find the Internet NAT gateway that you want to manage and choose Related operations > Compatible with IPv4 Gateway in the Actions column.
  4. In the Mode Switching Wizard message, click OK.

Add a tag to an Internet NAT gateway

As your business grows, the number of Internet NAT gateways may grow along with it. This results in a large number of gateways that may be hard to manage. We recommend that you add tags to the Internet NAT gateways to manage them by groups. After you add tags, you can search for and filter Internet NAT gateways by tag.

Tags are used to classify instances. Each tag consists of a key-value pair. To use tags, make sure that the following requirements are met:
  • The key of each tag that is added to an Internet NAT gateway must be unique.
  • You cannot create tags without adding them to Internet NAT gateways. All tags must be added to Internet NAT gateways.
  • Tag information is not shared across regions.

    For example, tags created in the China (Hangzhou) region are not displayed in the China (Shanghai) region.

  • You can modify the key and value of a tag or remove a tag from an Internet NAT gateway. If you delete an Internet NAT gateway, the tags that are added to the Internet NAT gateway are deleted.
  • You can add up to 20 tags to each Internet NAT gateway. This limit cannot be increased.
  1. Log on to the NAT Gateway console.
  2. In the top navigation bar, select the region where you want to create the NAT gateway.
  3. On the Internet NAT Gateway page, find the Internet NAT gateway to which you want to add tags, move the pointer over the Tag icon icon in the Tags column, and then click Add or Edit.
  4. In the Configure Tags dialog box, specify the key and value based on the following table and click OK.
    Parameter Description
    Tag Key The key of the tag. You can select or enter a key.

    The key cannot exceed 64 characters in length and cannot start with aliyun or acs:. The key cannot contain http:// or https://.

    Tag Value The value of the tag. You can select or enter a value.

    The value cannot exceed 128 characters in length and cannot start with aliyun or acs:. The value cannot contain http:// or https://.

  5. Return to the Internet NAT Gateway page and click Filter by Tag. In the Filter by Tag dialog box, you can specify tag keys and tag values to filter Internet NAT gateways.

Modify an Internet NAT gateway

  1. Log on to the NAT Gateway console.
  2. In the top navigation bar, select the region where you want to create the NAT gateway.
  3. On the Internet NAT Gateway page, find the NAT gateway that you want to manage and click Manage in the Actions column.
  4. In the Information section of the Basic Information tab, perform the following operations to modify the Internet NAT gateway:
    • Modify the name of the Internet NAT gateway

      Click Edit next to Instance Name. In the dialog box that appears, enter a name and click OK.

    • Modify the description of the Internet NAT gateway

      Click Edit next to Description. In the dialog box that appears, enter a description for the Internet NAT gateway and click OK.

    • Enable or disable deletion protection

      Click Enable Deletion Protection or Disable Deletion Protection next to Deletion Protection.

References