Virtual Private Cloud (VPC) NAT gateways provide network address translation (NAT) services for private networks. You can create a VPC NAT gateway for a VPC to allow Elastic Compute Service (ECS) instances in the VPC to access other private networks or provide services to other private networks. This topic describes how to create and manage a VPC NAT gateway.
Prerequisites
- A VPC is created. For more information, see Create and manage a VPC.
- A vSwitch is created. For more information, see Create and manage a vSwitch.
Create a VPC NAT gateway
Create a NAT CIDR block
After you create a VPC NAT gateway, the system uses the CIDR block of the vSwitch to which the VPC NAT gateway is attached as the default NAT CIDR block. You can also create a NAT CIDR block for the VPC NAT gateway to meet your business requirements.
Add a NAT IP address
A NAT IP address is used to create an SNAT entry or a DNAT entry. You can add NAT IP addresses to a NAT CIDR block as needed. This way, the VPC NAT gateway can use the NAT IP addresses to provide NAT services.
Configure routes
Perform the following operations to configure routes based on your network configuration:
- If the default NAT CIDR block is used to provide NAT services:
- Add the following route entry to the system route table of the VPC to which the VPC NAT gateway belongs: Set the destination CIDR block to the peer CIDR block. Set the next hop to the VPC NAT gateway. For more information, see Add and delete routes.
- Associate a custom route table with the vSwitch to which the VPC NAT gateway belongs. Then check whether the route table learns dynamic route entries from the peer CIDR block, for example, dynamic route entries from the CIDR block of a Cloud Enterprise Network (CEN) instance.
- If the route table learns dynamic route entries from the peer CIDR block, the learned entries already point to the peer network, so you do not need to add a custom route entry to the custom route table.
- If the route table does not learn dynamic route entries from the peer CIDR block, you must add a custom route entry to the custom table. Set the destination CIDR block of the route entry to the peer CIDR block. Set the next hop to the peer device, such as a virtual border router (VBR) or a CEN instance. For more information, see Subnet routing.
- If a custom NAT CIDR block is used to provide NAT services:
- Add the following route entry to the system route table of the VPC to which the VPC NAT gateway belongs: Set the destination CIDR block to the custom NAT CIDR block. Set the next hop to the VPC NAT gateway.
- Add the following route entry to the system route table of the VPC to which the VPC NAT gateway belongs: Set the destination CIDR block to the peer CIDR block. Set the next hop to the VPC NAT gateway.
- Associate a custom route table with the vSwitch to which the VPC NAT gateway belongs and add the following route entry to the route table: Set the destination CIDR block to the peer CIDR block. Set the next hop to the peer network device, such as a router interface or a transit router.
- If you want a VPC to communicate with an on-premises network or another VPC by using a custom NAT CIDR block of a VPC NAT gateway, you must create Enterprise Edition transit routers. For more information about Enterprise Edition transit routers, see How transit routers work and Create an Enterprise Edition transit router.
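The following planner turns the procedure above (create the gateway, optionally add a custom NAT CIDR block, add a NAT IP address, then add the route entries for the default or custom NAT CIDR block case) into an ordered list of API calls and validates the CIDR relationships before anything is created. It is an added example, not Alibaba Cloud's code or SDK. The action names come from the References section of this topic; the parameter names (RegionId, VpcId, VSwitchId, NatType, NetworkType, NatGatewayId, NatIpCidr, NatIp, RouteTableId, DestinationCidrBlock, NextHopType, NextHopId), the values "Enhanced", "intranet", "NatGateway" and "Attachment", and all resource IDs are assumptions to be checked against the current API reference. The overlap checks are general routing sanity checks added here, not rules stated on this page.

```python
"""Plan the API calls that set up a VPC NAT gateway and its routes.

Added example; not Alibaba Cloud's code. Parameter names and enum values
are assumptions taken from the public API reference. Resource IDs such as
"vpc-EXAMPLE" are placeholders; NatGatewayId is only known after
CreateNatGateway returns.
"""
import ipaddress
from typing import Optional


def _net(cidr: str) -> ipaddress.IPv4Network:
    # strict=True rejects a CIDR with host bits set, e.g. 10.0.1.5/24
    return ipaddress.ip_network(cidr, strict=True)


def plan_vpc_nat_gateway(region_id: str, vpc_cidr: str, vswitch_cidr: str,
                         peer_cidr: str, nat_ip: str,
                         custom_nat_cidr: Optional[str] = None,
                         peer_routes_learned: bool = False,
                         vpc_id: str = "vpc-EXAMPLE",
                         vswitch_id: str = "vsw-EXAMPLE",
                         nat_gateway_id: str = "ngw-EXAMPLE",
                         system_route_table_id: str = "vtb-sys-EXAMPLE",
                         custom_route_table_id: str = "vtb-custom-EXAMPLE",
                         peer_next_hop_type: str = "Attachment",
                         peer_next_hop_id: str = "tr-attach-EXAMPLE") -> list:
    vpc, vsw, peer = _net(vpc_cidr), _net(vswitch_cidr), _net(peer_cidr)
    if not vsw.subnet_of(vpc):
        raise ValueError(f"vSwitch {vsw} is not inside VPC {vpc}")
    # Sanity check (not from the topic): a peer range inside the VPC would be
    # shadowed by the VPC's own local routes, so the NAT route could never win.
    if peer.overlaps(vpc):
        raise ValueError(f"peer CIDR {peer} overlaps VPC CIDR {vpc}")
    # The default NAT CIDR block is the vSwitch CIDR block.
    nat_cidr = _net(custom_nat_cidr) if custom_nat_cidr else vsw
    if custom_nat_cidr and nat_cidr.overlaps(vpc):
        # The system route table gets "nat_cidr -> NAT gateway"; an overlap
        # with the VPC would conflict with the VPC's local routes.
        raise ValueError(f"custom NAT CIDR {nat_cidr} overlaps VPC CIDR {vpc}")
    if ipaddress.ip_address(nat_ip) not in nat_cidr:
        raise ValueError(f"NAT IP {nat_ip} is not inside NAT CIDR block {nat_cidr}")

    def call(action: str, **params) -> dict:
        return {"Action": action, "Params": {"RegionId": region_id, **params}}

    def route(table_id: str, dest, hop_type: str, hop_id: str) -> dict:
        return call("CreateRouteEntry", RouteTableId=table_id,
                    DestinationCidrBlock=str(dest),
                    NextHopType=hop_type, NextHopId=hop_id)

    steps = [call("CreateNatGateway", VpcId=vpc_id, VSwitchId=vswitch_id,
                  NatType="Enhanced", NetworkType="intranet")]
    if custom_nat_cidr:
        steps.append(call("CreateNatIpCidr", NatGatewayId=nat_gateway_id,
                          NatIpCidr=str(nat_cidr)))
    steps.append(call("CreateNatIp", NatGatewayId=nat_gateway_id,
                      NatIpCidr=str(nat_cidr), NatIp=nat_ip))
    if custom_nat_cidr:
        # Custom block: system table needs the NAT CIDR itself to point at the gateway.
        steps.append(route(system_route_table_id, nat_cidr, "NatGateway", nat_gateway_id))
    # Both cases: system table sends peer-bound traffic to the NAT gateway.
    steps.append(route(system_route_table_id, peer, "NatGateway", nat_gateway_id))
    # Custom table on the gateway's vSwitch forwards to the peer device, unless
    # (default block only) the peer routes are already learned dynamically.
    if custom_nat_cidr or not peer_routes_learned:
        steps.append(route(custom_route_table_id, peer, peer_next_hop_type, peer_next_hop_id))
    return steps


def plan_error(*args, **kwargs) -> Optional[str]:
    """Return the validation error message for a plan, or None if it is valid."""
    try:
        plan_vpc_nat_gateway(*args, **kwargs)
        return None
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    for step in plan_vpc_nat_gateway("cn-hangzhou", "10.0.0.0/16", "10.0.1.0/24",
                                     "192.168.0.0/16", "172.16.8.5",
                                     custom_nat_cidr="172.16.8.0/24"):
        print(step["Action"], step["Params"])
```

Run it as a dry run and compare the printed calls with what you intend to issue; the check that the NAT IP address lies inside the NAT CIDR block is the one that most often catches a mistyped address before an SNAT or DNAT entry is created against it.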
Modify a VPC NAT gateway
You can modify the name and description of a VPC NAT gateway.
- Log on to the NAT Gateway console.
- In the left-side navigation pane, choose .
- In the top navigation bar, select the region where the VPC NAT gateway is created.
- On the VPC NAT Gateway page, find the VPC NAT gateway that you want to manage and click its ID.
- On the Basic Information tab, click Edit next to Instance Name. In the dialog box that appears, enter a new name and click OK.
- Click Edit next to Description. In the dialog box that appears, enter a new description and click OK.
Delete NAT IP addresses and NAT CIDR blocks
Before you can delete a custom NAT CIDR block, you must delete all NAT IP addresses in that block. You can also delete the custom NAT IP addresses that you added to the default NAT CIDR block. However, you cannot delete the default NAT IP address or the default NAT CIDR block.
Delete a VPC NAT gateway
You can delete a VPC NAT gateway if the following conditions are met:
- The VPC NAT gateway is not associated with custom NAT CIDR blocks. If the VPC NAT gateway is associated with custom NAT CIDR blocks, delete the NAT IP addresses in the NAT CIDR blocks, and then delete the custom CIDR blocks.
- The default NAT CIDR block of the VPC NAT gateway does not contain custom NAT IP addresses. If the default NAT CIDR block contains custom NAT IP addresses, delete them.
- The DNAT table does not contain DNAT entries. If the DNAT table contains DNAT entries, delete them. For more information, see Delete a DNAT entry.
- The SNAT table does not contain SNAT entries. If the SNAT table contains SNAT entries, delete the SNAT entries. For more information, see Delete an SNAT entry.
- The Deletion Protection feature on the Basic Information page of the VPC NAT gateway is disabled.
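The deletion preconditions above form a dependency order: DNAT and SNAT entries reference NAT IP addresses, NAT IP addresses belong to NAT CIDR blocks, and the default NAT IP address and default NAT CIDR block can never be removed. The planner below walks an inventory of a gateway in that order and refuses to produce a plan while Deletion Protection is enabled, since that must be turned off on the Basic Information page first. It is an added example, not Alibaba Cloud's code; the action names come from the References section and the SNAT/DNAT entry deletions named in this topic, the parameter names (ForwardTableId, ForwardEntryId, SnatTableId, SnatEntryId, NatIpId, NatGatewayId, NatIpCidr) and the shape of the inventory dict are assumptions, and the sample inventory is constructed for the example.

```python
"""Order the API calls that empty and then delete a VPC NAT gateway.

Added example; not Alibaba Cloud's code. The inventory layout and the
parameter names are assumptions; check them against the API reference.
"""

# Constructed sample inventory for the example (not real resource IDs).
SAMPLE_STATE = {
    "RegionId": "cn-hangzhou",
    "NatGatewayId": "ngw-EXAMPLE",
    "DeletionProtection": False,
    "DnatEntries": [{"ForwardTableId": "ftb-EXAMPLE", "ForwardEntryId": "fwd-EXAMPLE"}],
    "SnatEntries": [{"SnatTableId": "stb-EXAMPLE", "SnatEntryId": "snat-EXAMPLE"}],
    "NatIpCidrs": [
        {"NatIpCidr": "10.0.1.0/24", "IsDefault": True,
         "NatIps": [{"NatIpId": "vpcnatip-default", "IsDefault": True},
                    {"NatIpId": "vpcnatip-custom1", "IsDefault": False}]},
        {"NatIpCidr": "172.16.8.0/24", "IsDefault": False,
         "NatIps": [{"NatIpId": "vpcnatip-custom2", "IsDefault": False}]},
    ],
}


def plan_vpc_nat_gateway_teardown(state: dict) -> list:
    """Return the ordered API calls needed before DeleteNatGateway can succeed."""
    if state.get("DeletionProtection"):
        raise RuntimeError("Deletion Protection is enabled; disable it on the "
                           "Basic Information page before deleting the gateway")
    region, ngw = state["RegionId"], state["NatGatewayId"]

    def call(action: str, **params) -> dict:
        return {"Action": action, "Params": {"RegionId": region, **params}}

    steps = []
    # 1. Entries first: they reference NAT IP addresses.
    for e in state.get("DnatEntries", []):
        steps.append(call("DeleteDnatEntry", ForwardTableId=e["ForwardTableId"],
                          ForwardEntryId=e["ForwardEntryId"]))
    for e in state.get("SnatEntries", []):
        steps.append(call("DeleteSnatEntry", SnatTableId=e["SnatTableId"],
                          SnatEntryId=e["SnatEntryId"]))
    # 2. NAT IP addresses, then the custom blocks that contained them.
    for cidr in state.get("NatIpCidrs", []):
        for ip in cidr.get("NatIps", []):
            if ip.get("IsDefault"):
                continue  # the default NAT IP address cannot be deleted
            steps.append(call("DeleteNatIp", NatIpId=ip["NatIpId"]))
        if not cidr.get("IsDefault"):  # the default NAT CIDR block cannot be deleted
            steps.append(call("DeleteNatIpCidr", NatGatewayId=ngw,
                              NatIpCidr=cidr["NatIpCidr"]))
    # 3. Only now is the gateway deletable.
    steps.append(call("DeleteNatGateway", NatGatewayId=ngw))
    return steps


def teardown_error(state: dict):
    """Return the reason a teardown plan cannot be produced, or None."""
    try:
        plan_vpc_nat_gateway_teardown(state)
        return None
    except RuntimeError as exc:
        return str(exc)


if __name__ == "__main__":
    for step in plan_vpc_nat_gateway_teardown(SAMPLE_STATE):
        print(step["Action"], step["Params"])
```

Treat the refusal on Deletion Protection as the intended outcome rather than something to automate around: the flag exists so that a compromised or over-privileged automation credential cannot remove the gateway, and with it every SNAT/DNAT path, in one call.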
References
- CreateNatGateway: creates a VPC NAT gateway.
- CreateNatIpCidr: creates a NAT CIDR block.
- CreateNatIp: adds a NAT IP address.
- ModifyNatGatewayAttribute: modifies a VPC NAT gateway.
- DeleteNatIp: deletes a NAT IP address.
- DeleteNatIpCidr: deletes a NAT CIDR block.
- DeleteNatGateway: deletes a VPC NAT gateway.