You can configure SNAT entries on an Internet NAT gateway to allow Elastic Compute Service (ECS) instances in a virtual private cloud (VPC) to access the Internet when the ECS instances are not assigned public IP addresses. This topic describes how to create and manage SNAT entries.
Background information
- SNAT entries do not take effect on ECS instances that are assigned public IP addresses. For example, an ECS instance may be assigned a static public IP address, associated with an elastic IP address (EIP), or configured with DNAT IP mapping. In this case, the ECS instance uses the public IP address instead of an SNAT entry of an Internet NAT gateway to access the Internet. If you want ECS instances in a VPC to use the same EIP to access the Internet, see Configure ECS instances that are assigned static public IP addresses to use the same EIP to access the Internet and Configure ECS instances that configured with DNAT IP mapping to use the same NAT IP address to access the Internet.
- For Internet NAT gateways, you can specify an EIP in both an SNAT entry and a DNAT entry.
- If the source CIDR blocks of multiple SNAT entries overlap with each other, the CIDR block with the longest subnet mask is used.
  - For example, if you create an SNAT entry for an ECS instance, the subnet mask of the source CIDR block is /32, which is the longest subnet mask. Therefore, the SNAT entry has the highest priority.
  - For SNAT entries that you create for other resources, such as vSwitches, VPCs, and custom CIDR blocks, the system determines the priorities of the SNAT entries based on the subnet mask length of the source CIDR block. The longer the subnet mask, the higher the priority.
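The two rules above (an instance's own public IP address bypasses SNAT, and overlapping entries are resolved by the longest subnet mask) can be checked offline when you need to know which egress address a workload will present, for example before updating a partner's IP allowlist. This is an added example, not Alibaba Cloud code; the entry names, addresses and function names are constructed for illustration.

```python
import ipaddress
from typing import NamedTuple, Optional


class SnatEntry(NamedTuple):
    name: str         # constructed label, not a real SNAT entry ID
    source_cidr: str  # VPC, vSwitch or custom CIDR block; /32 for one ECS instance
    eip: str          # EIP specified in the SNAT entry


# Constructed sample data: three overlapping entries on one Internet NAT gateway.
ENTRIES = [
    SnatEntry("vpc-wide", "192.168.0.0/16", "203.0.113.10"),
    SnatEntry("vswitch-app", "192.168.1.0/24", "203.0.113.20"),
    SnatEntry("ecs-batch", "192.168.1.10/32", "203.0.113.30"),
]


def matching_entry(private_ip: str, entries: list[SnatEntry]) -> Optional[SnatEntry]:
    """Return the entry that applies to private_ip: the longest subnet mask wins."""
    addr = ipaddress.ip_address(private_ip)
    candidates = [e for e in entries
                  if addr in ipaddress.ip_network(e.source_cidr)]
    return max(candidates,
               key=lambda e: ipaddress.ip_network(e.source_cidr).prefixlen,
               default=None)


def egress_ip(private_ip: str, public_ip: Optional[str],
              entries: list[SnatEntry]) -> Optional[str]:
    """Address the instance uses to reach the Internet, or None if it has no path.

    public_ip is the instance's own static public IP address, associated EIP or
    DNAT IP mapping address; when present, SNAT entries do not take effect.
    """
    if public_ip is not None:
        return public_ip
    entry = matching_entry(private_ip, entries)
    return entry.eip if entry else None


if __name__ == "__main__":
    for ip, pub in [("192.168.1.10", None), ("192.168.1.20", None),
                    ("192.168.2.5", None), ("192.168.1.10", "198.51.100.7")]:
        print(ip, pub, "->", egress_ip(ip, pub, ENTRIES))
```
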
Prerequisites
Before you create an SNAT entry, make sure that the following requirements are met:
- An Internet NAT gateway is created and an EIP is associated with the Internet NAT gateway. For more information, see Create a NAT gateway and Associate an EIP with a NAT gateway.
- To create SNAT entries for a vSwitch, make sure that the vSwitch and the Internet NAT gateway are deployed in the same VPC. For more information, see Work with vSwitches.
- To create SNAT entries for an ECS instance, make sure that the ECS instance and the Internet NAT gateway are deployed in the same VPC. For more information, see Create an instance by using the wizard.
Create an SNAT entry
Modify an SNAT entry
After you create an SNAT entry, you can change the name and the EIP of the SNAT entry. However, you cannot change the VPC, vSwitch, or ECS instance that you specified in the SNAT entry.
Delete an SNAT entry
You can delete an SNAT entry if the ECS instances that do not have public IP addresses in a VPC no longer need SNAT to access the Internet.
- Log on to the NAT Gateway console.
- In the top navigation bar, select the region where you want to create the NAT gateway.
- On the Internet NAT Gateway page, find the NAT gateway that you want to manage and click Configure SNAT in the Actions column.
- In the Used in SNAT Entry section, find the SNAT entry that you want to delete and click Delete in the Actions column.
- In the message that appears, click OK.
References
- CreateSnatEntry: creates an SNAT entry.
- ModifySnatEntry: modifies an SNAT entry.
- DeleteSnatEntry: deletes an SNAT entry.