
NAT Gateway:Create and manage a VPC NAT gateway

Last Updated: Mar 21, 2024

You can use a Virtual Private Cloud (VPC) NAT gateway to translate private IP addresses. This topic describes how to use a VPC NAT gateway to enable Elastic Compute Service (ECS) instances in a VPC to access external private networks or provide services to external private networks.

Prerequisites

Create a VPC NAT gateway

  1. Log on to the NAT Gateway console.
  2. In the left-side navigation pane, choose NAT Gateway > VPC NAT Gateway.
  3. On the VPC NAT Gateway page, click Create VPC NAT Gateway.
  4. On the VPC NAT Gateway (Pay-As-You-Go) page, set the following parameters and click Buy Now.

    • Region: Select the region where you want to create the VPC NAT gateway.

    • VPC ID: Select the VPC to which the VPC NAT gateway belongs. After you create a VPC NAT gateway, you cannot change the VPC to which it belongs.

    • Zones: Select the zone to which the VPC NAT gateway belongs.

    • vSwitch ID: Select the vSwitch to which the VPC NAT gateway belongs. We recommend that you select an independent vSwitch.

    • Name: Enter a name for the VPC NAT gateway.

    • Service-linked Role: Displays whether a service-linked role is created for the VPC NAT gateway. If this is your first time using a NAT gateway, including an Internet NAT gateway and a VPC NAT gateway, you must click Create Service-linked Role to create a service-linked role.

  5. On the Confirm Order page, confirm the information, select the Terms of Service check box, and then click Activate Now.

    When the message Order complete. appears, it indicates that the VPC NAT gateway is created.

  6. Return to the VPC NAT Gateway page to view the created VPC NAT gateway.

    • Click the ID of the VPC NAT gateway. On the Basic Information tab, view the VPC and vSwitch of the VPC NAT gateway.

    • Click the NAT IP Address tab to view the default NAT IP address and the default NAT CIDR block.

      Note

      The default NAT CIDR block is the CIDR block of the vSwitch to which the VPC NAT gateway is attached. The default NAT IP address is an IP address that is randomly allocated from the CIDR block of the vSwitch. You cannot delete the default NAT CIDR block or the default NAT IP address.

Create a NAT CIDR block

After you create a VPC NAT gateway, the system uses the CIDR block of the vSwitch to which the VPC NAT gateway is attached as the default NAT CIDR block. You can also create a NAT CIDR block for the VPC NAT gateway to meet your business requirements.

  1. Log on to the NAT Gateway console.
  2. In the left-side navigation pane, choose NAT Gateway > VPC NAT Gateway.
  3. In the top navigation bar, select the region where the VPC NAT gateway is created.
  4. On the VPC NAT Gateway page, find the VPC NAT gateway that you want to manage and click its ID.
  5. Click the NAT IP Address tab, and click Create CIDR Block.

  6. In the Create CIDR Block dialog box, specify CIDR Block Name and CIDR Block, and then click OK.

    The NAT CIDR block must meet the following conditions:

    • The NAT CIDR block must fall within 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, or their subnets.

    • The subnet mask must be 16 to 32 bits in length.

    • The NAT CIDR block cannot overlap with the private CIDR block of the VPC to which the NAT gateway belongs. If you want to use other IP addresses from the VPC to provide NAT services, create a vSwitch and attach it to another VPC NAT gateway.

    • If you want to use public IP addresses to provide NAT services, make sure that the public IP addresses fall within a user CIDR block of the VPC to which the VPC NAT gateway belongs. For more information, see What is a user CIDR block?

    When the message The CIDR block is added. appears, the CIDR block is created.
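A pre-flight check for the conditions listed above, written as an added example rather than code from the Alibaba Cloud console or SDK. It assumes a helper named check_nat_cidr and takes the VPC CIDR block and any user CIDR blocks as plain strings; it reports every violated condition (private range or user CIDR block, prefix length 16 to 32, no overlap with the VPC) so a candidate block can be rejected before it is submitted.

```python
import ipaddress

# The three private ranges the page allows a NAT CIDR block to be drawn from.
PRIVATE_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def check_nat_cidr(nat_cidr: str, vpc_cidr: str, user_cidrs=()):
    """Return a list of violations for a candidate NAT CIDR block.

    An empty list means the block satisfies every condition on the page.
    nat_cidr is parsed strictly (host bits must be zero); vpc_cidr and
    user_cidrs are assumed to be the VPC's own CIDR block and its user
    CIDR blocks, supplied by the caller.
    """
    problems = []
    try:
        block = ipaddress.ip_network(nat_cidr, strict=True)
    except ValueError as exc:
        return [f"invalid CIDR {nat_cidr!r}: {exc}"]
    if block.version != 4:
        return [f"{block} is not an IPv4 CIDR block"]

    vpc = ipaddress.ip_network(vpc_cidr, strict=False)
    allowed = PRIVATE_RANGES + [
        ipaddress.ip_network(c, strict=False) for c in user_cidrs
    ]

    # Condition 1: inside a private range, or inside a user CIDR block
    # when public addresses are to be used for NAT.
    if not any(block.subnet_of(rng) for rng in allowed):
        problems.append(
            f"{block} is outside 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 "
            "and every user CIDR block of the VPC"
        )
    # Condition 2: subnet mask between 16 and 32 bits.
    if not 16 <= block.prefixlen <= 32:
        problems.append(f"prefix length {block.prefixlen} is outside 16..32")
    # Condition 3: must not overlap the VPC's private CIDR block.
    if block.overlaps(vpc):
        problems.append(f"{block} overlaps the VPC CIDR block {vpc}")
    return problems


if __name__ == "__main__":
    # Constructed sample: VPC 10.0.0.0/16, candidate 10.0.5.0/24 overlaps it.
    for issue in check_nat_cidr("10.0.5.0/24", "10.0.0.0/16"):
        print("rejected:", issue)
```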

Add a NAT IP address

A NAT IP address is used to create an SNAT entry or a DNAT entry. You can add NAT IP addresses to a NAT CIDR block as needed. This way, the VPC NAT gateway can use the NAT IP addresses to provide NAT services.

  1. Log on to the NAT Gateway console.
  2. In the left-side navigation pane, choose NAT Gateway > VPC NAT Gateway.
  3. In the top navigation bar, select the region where the VPC NAT gateway is created.
  4. On the VPC NAT Gateway page, find the VPC NAT gateway that you want to manage and click its ID.
  5. Click the NAT IP Address tab and click Add NAT IP Address.

  6. In the Add NAT IP Address dialog box, set the following parameters and click OK.

    • Select CIDR Block: Select the CIDR block to which you want to add a NAT IP address. You can select an existing NAT CIDR block of the VPC NAT gateway or create a NAT CIDR block.

    • Allocation Method: Select a method to allocate the NAT IP address.

      • Randomly Allocate: The system randomly assigns an IP address from the CIDR block.

      • Manually Allocate: You specify an IP address from the CIDR block.

    • IP Address: Enter an IP address from the selected CIDR block. This parameter is required if you set Allocation Method to Manually Allocate.

    • NAT IP Address Name: Enter a name for the NAT IP address.

Configure routes

Perform the following operations to configure routes based on your network configuration:

  • If the default NAT CIDR block is used to provide NAT services:

    • Add the following route entry to the system route table of the VPC to which the VPC NAT gateway belongs: Set the destination CIDR block to the peer CIDR block. Set the next hop to the VPC NAT gateway. For more information, see Add and delete routes.

    • Associate a custom route table with the vSwitch to which the VPC NAT gateway belongs. Check whether the route table learns dynamic route entries from the peer CIDR block, for example, dynamic route entries from the CIDR block of a Cloud Enterprise Network (CEN) instance.

      • If the route table learns dynamic route entries from the peer CIDR block, you do not need to add a custom route entry to the custom table. The custom route entry points to the peer network.

      • If the route table does not learn dynamic route entries from the peer CIDR block, you must add a custom route entry to the custom table. Set the destination CIDR block of the route entry to the peer CIDR block. Set the next hop to the peer device, such as a virtual border router (VBR) or a CEN instance. For more information, see Subnet routing.

  • If a custom NAT CIDR block is used to provide NAT services:

    • Add the following route entry to the system route table of the VPC to which the VPC NAT gateway belongs: Set the destination CIDR block to the custom NAT CIDR block. Set the next hop to the VPC NAT gateway.

    • Add the following route entry to the system route table of the VPC to which the VPC NAT gateway belongs: Set the destination CIDR block to the peer CIDR block. Set the next hop to the VPC NAT gateway.

    • Associate a custom route table with the vSwitch to which the VPC NAT gateway belongs and add the following route entry to the route table: Set the destination CIDR block to the peer CIDR block. Set the next hop to the peer network device, such as a router interface or a transit router.

    • If you want a VPC to communicate with an on-premises network or another VPC by using a custom NAT CIDR block of a VPC NAT gateway, you must create Enterprise Edition transit routers. For more information about Enterprise Edition transit routers, see How transit routers work and Create a transit router.

Modify a VPC NAT gateway

You can modify the name and description of a VPC NAT gateway.

  1. Log on to the NAT Gateway console.
  2. In the left-side navigation pane, choose NAT Gateway > VPC NAT Gateway.
  3. In the top navigation bar, select the region where the VPC NAT gateway is created.
  4. On the VPC NAT Gateway page, find the VPC NAT gateway that you want to manage and click its ID.
  5. On the Basic Information tab, click Edit next to Instance Name. In the dialog box that appears, enter a new name and click OK.

  6. Click Edit next to Description. In the dialog box that appears, enter a new description and click OK.

Delete NAT IP addresses and NAT CIDR blocks

You can delete the NAT IP addresses of a custom NAT CIDR block and then delete the NAT CIDR block. Before you can delete a custom NAT CIDR block, you must delete the NAT IP addresses of the CIDR block. You can delete the custom NAT IP addresses of the default NAT CIDR block. However, you cannot delete the default NAT IP address or the default NAT CIDR block.

  1. Log on to the NAT Gateway console.
  2. In the left-side navigation pane, choose NAT Gateway > VPC NAT Gateway.
  3. In the top navigation bar, select the region where the VPC NAT gateway is created.
  4. On the VPC NAT Gateway page, find the VPC NAT gateway that you want to manage and click its ID.
  5. Click the NAT IP Address tab. In the left-side navigation pane, click the CIDR block to which the NAT IP address that you want to delete belongs. In the NAT IP Address List section, delete the NAT IP addresses in one of the following ways:

    • Select a NAT IP address and click Delete in the Actions column.

    • Select multiple NAT IP addresses and click Delete in the lower section of the page.

  6. In the Delete NAT IP Address message, click OK.

  7. Click Delete next to the CIDR block that you want to delete.

  8. In the Delete CIDR Block message, click OK.

Delete a VPC NAT gateway

You can delete a VPC NAT gateway if the following conditions are met:

  • The VPC NAT gateway is not associated with custom NAT CIDR blocks. If the VPC NAT gateway is associated with custom NAT CIDR blocks, delete the NAT IP addresses in the NAT CIDR blocks, and then delete the custom CIDR blocks.

  • The default NAT CIDR block of the VPC NAT gateway does not contain custom NAT IP addresses. If the default NAT CIDR block contains custom NAT IP addresses, delete them.

  • The DNAT table does not contain DNAT entries. If the DNAT table contains DNAT entries, delete them. For more information, see Delete a DNAT entry.

  • The SNAT table does not contain SNAT entries. If the SNAT table contains SNAT entries, delete them. For more information, see Delete an SNAT entry.

  • The Deletion Protection feature is disabled on the Basic Information tab of the VPC NAT gateway.

Important

You can forcefully delete a VPC NAT gateway. After you forcefully delete a VPC NAT gateway, the associated resources, including SNAT entries, DNAT entries, custom NAT IP addresses, and custom NAT CIDR blocks, are deleted.

  1. Log on to the NAT Gateway console.
  2. In the left-side navigation pane, choose NAT Gateway > VPC NAT Gateway.
  3. In the top navigation bar, select the region where the VPC NAT gateway is created.
  4. On the VPC NAT Gateway page, find the VPC NAT gateway that you want to delete and choose More Actions > Delete in the Actions column.

  5. In the Delete Gateway message, click OK.

    To forcefully delete a VPC NAT gateway and its resources, select Force Delete (Delete the NAT gateway and associated SNAT/DNAT entries) in the Delete Gateway dialog box.
