Virtual Private Cloud (VPC) NAT gateways provide network address translation (NAT) services for private networks. You can create a VPC NAT gateway for a VPC to allow Elastic Compute Service (ECS) instances in the VPC to access other private networks or provide services to other private networks. This topic describes how to create and manage a VPC NAT gateway.

Prerequisites

Create a VPC NAT gateway

  1. Log on to the NAT Gateway console.
  2. In the left-side navigation pane, choose NAT Gateway > VPC NAT Gateway.
  3. On the VPC NAT Gateway page, click Create VPC NAT Gateway.
  4. On the VPC NAT Gateway (Pay-As-You-Go) page, set the following parameters and click Buy Now.
    Parameter Description
    Region Select the region where you want to create the VPC NAT gateway.
    VPC ID Select the VPC to which the VPC NAT gateway belongs. After you create a VPC NAT gateway, you cannot change the VPC to which it belongs.
    Zone Select the zone to which the VPC NAT gateway belongs.
    vSwitch ID Select the vSwitch to which the VPC NAT gateway belongs. We recommend that you select an independent vSwitch.
    Name Enter a name for the VPC NAT gateway.

    The name must be 2 to 128 characters in length and can contain digits, underscores (_), and hyphens (-). The name must start with a letter.

    Service-linked Role Displays whether a service-linked role is created for the VPC NAT gateway.

    If this is your first time using a NAT gateway, including an Internet NAT gateway and a VPC NAT gateway, you must click Create Service-linked Role to create a service-linked role.

  5. On the Confirm Order page, confirm the information, select the Terms of Service check box, and then click Activate Now.
    When the message Order complete. appears, it indicates that the VPC NAT gateway is created.
  6. Return to the VPC NAT Gateway page and view the VPC NAT gateway that you created.
    • Click the ID of the VPC NAT gateway. On the Basic Information tab, view the VPC and vSwitch to which the VPC NAT gateway belongs.
    • Click the NAT IP Address tab to view the default NAT IP address and the default NAT CIDR block.
      Note The default NAT CIDR block is the CIDR block of the vSwitch to which the VPC NAT gateway is attached. The default NAT IP address is an IP address that is randomly allocated from the CIDR block of the vSwitch. You cannot delete the default NAT CIDR block or the default NAT IP address.

Create a NAT CIDR block

After you create a VPC NAT gateway, the system uses the CIDR block of the vSwitch to which the VPC NAT gateway is attached as the default NAT CIDR block. You can also create a NAT CIDR block for the VPC NAT gateway to meet your business requirements.

  1. Log on to the NAT Gateway console.
  2. In the left-side navigation pane, choose NAT Gateway > VPC NAT Gateway.
  3. In the top navigation bar, select the region where the VPC NAT gateway is created.
  4. On the VPC NAT Gateway page, find the VPC NAT gateway that you want to manage and click its ID.
  5. Click the NAT IP Address tab and click Create CIDR Block.
  6. In the Create CIDR Block dialog box, configure CIDR Block Name and CIDR Block, and then click OK.
    The new CIDR block must meet the following conditions:
    • The NAT CIDR block must fall within 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, or their subnets.
    • The subnet mask must be 16 to 32 bits in length.
    • The NAT CIDR block cannot overlap with the private CIDR block of the VPC to which the NAT gateway belongs. If you want to use other IP addresses from the private CIDR block of the VPC to provide NAT services, create a vSwitch and attach the vSwitch to another VPC NAT gateway.
    • If you want to use public IP addresses to provide NAT services, make sure that the public IP addresses fall within a customer CIDR block of the VPC to which the VPC NAT gateway belongs. For more information about customer CIDR blocks, see What is a user CIDR block?.
    If the The CIDR block is added. message appears, the CIDR block is created.

Add a NAT IP address

A NAT IP address is used to create an SNAT entry or a DNAT entry. You can add NAT IP addresses to a NAT CIDR block as needed. This way, the VPC NAT gateway can use the NAT IP addresses to provide NAT services.

  1. Log on to the NAT Gateway console.
  2. In the left-side navigation pane, choose NAT Gateway > VPC NAT Gateway.
  3. In the top navigation bar, select the region where the VPC NAT gateway is created.
  4. On the VPC NAT Gateway page, find the VPC NAT gateway that you want to manage and click its ID.
  5. On the NAT IP Address tab, click Add NAT IP Address.
  6. In the Add NAT IP Address dialog box, set the following parameters and click OK.
    Parameter Description
    Select CIDR Block Select the CIDR block to which you want to add a NAT IP address.

    You can select an existing NAT CIDR block of the VPC NAT gateway or create a NAT CIDR block.

    Allocation Method Select a method to allocate the NAT IP address.
    • Randomly Allocate: randomly allocates an IP address from the selected CIDR block.
    • Manually Allocate: allocates a specified IP address from the selected CIDR block.
    IP Address Enter an IP address from the selected CIDR block. This parameter is required if Allocation Method is set to Manually Allocate.
    NAT IP Address Name Enter a name for the NAT IP address.

    The name must be 2 to 128 characters in length and can contain digits, underscores (_), and hyphens (-). The name must start with a letter.

Configure routes

Perform the following operations to configure routes based on your network configuration:

  • If the default NAT CIDR block is used to provide NAT services:
    • Add the following route entry to the system route table of the VPC to which the VPC NAT gateway belongs: Set the destination CIDR block to the peer CIDR block. Set the next hop to the VPC NAT gateway. For more information, see Add and delete route entries.
    • Associate a custom route table with the vSwitch to which the VPC NAT gateway belongs. Check whether the route table learns dynamic route entries from the peer CIDR block, for example, dynamic route entries from the CIDR block of a Cloud Enterprise Network (CEN) instance.
      • If the route table learns dynamic route entries from the peer CIDR block, you do not need to add a custom route entry to the custom table. The custom route entry points to the peer network.
      • If the route table does not learn dynamic route entries from the peer CIDR block, you must add a custom route entry to the custom table. Set the destination CIDR block of the route entry to the peer CIDR block. Set the next hop to the peer device, such as a virtual border router (VBR) or a CEN instance. For more information, see Subnet routing.
  • If a custom NAT CIDR block is used to provide NAT services:
    • Add the following route entry to the system route table of the VPC to which the VPC NAT gateway belongs: Set the destination CIDR block to the custom NAT CIDR block. Set the next hop to the VPC NAT gateway.
    • Add the following route entry to the system route table of the VPC to which the VPC NAT gateway belongs: Set the destination CIDR block to the peer CIDR block. Set the next hop to the VPC NAT gateway.
    • Associate a custom route table with the vSwitch to which the VPC NAT gateway belongs and add the following route entry to the route table: Set the destination CIDR block to the peer CIDR block. Set the next hop to the peer network device, such a router interface or a transit router.
    • If you want a VPC to communicate with an on-premises network or another VPC by using a custom NAT CIDR block of a VPC NAT gateway, you must create Enterprise Edition transit routers. For more information about Enterprise Edition transit routers, see How transit routers work and Create an Enterprise Edition transit router.

Modify a VPC NAT gateway

You can modify the name and description of a VPC NAT gateway.

  1. Log on to the NAT Gateway console.
  2. In the left-side navigation pane, choose NAT Gateway > VPC NAT Gateway.
  3. In the top navigation bar, select the region where the VPC NAT gateway is created.
  4. On the VPC NAT Gateway page, find the VPC NAT gateway that you want to manage and click its ID.
  5. On the Basic Information tab, click Edit next to Instance Name. In the dialog box that appears, enter a new name and click OK.
    The name must be 2 to 128 characters in length and can contain digits, underscores (_), and hyphens (-). The name must start with a letter.
  6. Click Edit next to Description. In the dialog box that appears, enter a new description and click OK.
    The description must be 2 to 256 characters in length. The description cannot start with http:// or https://.

Delete NAT IP addresses and NAT CIDR blocks

You can delete the NAT IP addresses of a custom NAT CIDR block and then delete the NAT CIDR block. Before you can delete a custom NAT CIDR block, you must delete the NAT IP addresses of the CIDR block. You can delete the custom NAT IP addresses of the default NAT CIDR block. However, you cannot delete the default NAT IP address or the default NAT CIDR block.

  1. Log on to the NAT Gateway console.
  2. In the left-side navigation pane, choose NAT Gateway > VPC NAT Gateway.
  3. In the top navigation bar, select the region where the VPC NAT gateway is created.
  4. On the VPC NAT Gateway page, find the VPC NAT gateway that you want to manage and click its ID.
  5. Click the NAT IP Address tab. On the left side of the tab, click the CIDR block from which you want to delete NAT IP addresses, and then delete one or more NAT IP addresses in the NAT IP Address List section.
    • Select a NAT IP address and click Delete in the Actions column.
    • Select multiple NAT IP addresses and click Delete in the lower section of the page.
  6. In the Delete NAT IP Address message, click OK.
  7. Click Delete next to the CIDR block that you want to delete.
  8. In the Delete CIDR Block message, click OK.

Delete a VPC NAT gateway

You can delete a VPC NAT gateway if the following conditions are met:

  • The VPC NAT gateway is not associated with custom NAT CIDR blocks. If the VPC NAT gateway is associated with custom NAT CIDR blocks, delete the NAT IP addresses in the NAT CIDR blocks, and then delete the custom CIDR blocks.
  • The default NAT CIDR block of the VPC NAT gateway does not contain custom NAT IP addresses. If the default NAT CIDR block contains custom NAT IP addresses, delete them.
  • The DNAT table does not contain DNAT entries. If the DNAT table contains DNAT entries, delete them. For more information, see Delete a DNAT entry.
  • The SNAT table does not contain SNAT entries. If the SNAT table contains SNAT entries, delete them. For more information, see Delete an SNAT entry.
  • The Deletion Protection feature on the Basic Information page of the VPC NAT gateway is disabled.
Notice You can forcefully delete a VPC NAT gateway. After you forcefully delete a VPC NAT gateway, the associated resources, including SNAT entries, DNAT entries, custom NAT IP addresses, and custom NAT CIDR blocks, are deleted.
  1. Log on to the NAT Gateway console.
  2. In the left-side navigation pane, choose NAT Gateway > VPC NAT Gateway.
  3. In the top navigation bar, select the region where the VPC NAT gateway is created.
  4. On the VPC NAT Gateway page, find the VPC NAT gateway that you want to delete and choose More > Delete in the Actions column.
  5. In the Delete Gateway message, click OK.
    If you want to forcefully delete a VPC NAT gateway and the associated resources, select Delete (Delete NAT gateway and resources) in the Delete Gateway dialog box.

References