You can configure SNAT entries on an Internet NAT gateway to allow Elastic Compute Service (ECS) instances in a virtual private cloud (VPC) to access the Internet when the ECS instances are not assigned public IP addresses. This topic describes how to create and manage SNAT entries.
Background information
- SNAT entries do not take effect on ECS instances that are assigned public IP addresses. For example, an ECS instance may be assigned a static public IP address, associated with an elastic IP address (EIP), or configured with DNAT IP mapping. In this case, the ECS instance uses its own public IP address instead of an SNAT entry of an Internet NAT gateway to access the Internet. If you want ECS instances in a VPC to use the same EIP to access the Internet, see Configure ECS instances that are assigned static public IP addresses to use the same EIP to access the Internet and Configure ECS instances that are configured with DNAT IP mapping to use the same NAT IP address to access the Internet.
- For Internet NAT gateways, you can specify an EIP in both an SNAT entry and a DNAT entry.
- If the source CIDR blocks of multiple SNAT entries overlap with each other, the CIDR block with the longest subnet mask is used.
- For example, if you create an SNAT entry for an ECS instance, the subnet mask of the source CIDR block is /32, which is the longest subnet mask. Therefore, the SNAT entry has the highest priority.
- For SNAT entries that you create for other resources, such as vSwitches, VPCs, and custom CIDR blocks, the system determines the priorities of the SNAT entries based on the subnet mask length of the source CIDR block. The longer the subnet mask, the higher the priority.
Prerequisites
Before you create an SNAT entry, make sure that the following requirements are met:
- An Internet NAT gateway is created and an EIP is associated with the Internet NAT gateway. For more information, see Create a NAT gateway and Associate an EIP with an Internet NAT gateway.
- To create SNAT entries for a vSwitch, make sure that the vSwitch and the Internet NAT gateway are deployed in the same VPC. For more information, see Create and manage a vSwitch.
- To create SNAT entries for an ECS instance, make sure that the ECS instance and the Internet NAT gateway are deployed in the same VPC. For more information, see Create an instance by using the wizard.
Create an SNAT entry
- Log on to the NAT Gateway console.
- In the top navigation bar, select the region where you want to create the NAT gateway.
- On the Internet NAT Gateway page, find the NAT gateway that you want to manage and click Configure SNAT in the Actions column.
- On the SNAT Management tab, click Create SNAT Entry.
- On the Create SNAT Entry page, set the parameters and click Confirm.
Parameter: SNAT Entry
Description: Specify whether to create an SNAT entry for a VPC, a vSwitch, an ECS instance, or a custom CIDR block.
- Specify VPC: All ECS instances in the VPC to which the Internet NAT gateway belongs use the EIP in the SNAT entry to access the Internet.
- Select vSwitch: The ECS instances that are attached to the specified vSwitch use the EIP in the SNAT entry to access the Internet.
  - Select vSwitch: Select a vSwitch from the drop-down list, or click Create VSwitch to create a vSwitch in the VPC console. If you select multiple vSwitches, the system creates multiple SNAT entries that use the same EIP.
  - VSwitch CIDR Block: displays the CIDR block of the selected vSwitch.
- ECS Granularity: The specified ECS instance uses the EIP in the SNAT entry to access the Internet.
  - Select ECS Instance: Select an ECS instance from the drop-down list, or click Create ECS Instance to create an ECS instance in the ECS console. If you select multiple ECS instances, the system creates multiple SNAT entries that use the same EIP. Make sure that each selected ECS instance meets the following requirements:
    - The ECS instance is in the Running state.
    - No EIP is associated with the ECS instance, and the ECS instance is not assigned a static public IP address.
  - ECS CIDR Block: displays the CIDR block of the selected ECS instance.
- Specify Custom CIDR Block: After you enter a CIDR block, all ECS instances that belong to the specified CIDR block use the EIP in the SNAT entry to access the Internet.

Parameter: Select Public IP Address
Description: Select one or more EIPs that are used to access the Internet.
- Use One IP Address: Select an EIP from the drop-down list. If no EIPs are available in the drop-down list, click Purchase and Associate EIP in the drop-down list, and then purchase an EIP in the dialog box that appears.
- Use Multiple IP Addresses: Select multiple EIPs from the Public IP Address list. If you add multiple EIPs to an SNAT IP address pool, network traffic is distributed across the EIPs based on a hashing algorithm instead of being evenly distributed to each EIP. To prevent individual EIPs from being overloaded, we recommend that you associate the EIPs with the same EIP bandwidth plan.

Parameter: Entry Name
Description: Enter a name for the SNAT entry.
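The two rules above that matter most when you troubleshoot egress traffic are the longest-subnet-mask priority among overlapping SNAT entries and the hash-based (not even) spread of flows across an SNAT IP address pool. The following Python model is an added example, not code from this page or from the NAT Gateway product: it resolves which public IP a flow leaves with given a set of SNAT entries. The entry names, CIDR blocks and EIP addresses are constructed sample values, and the SHA-256 flow hash is an assumption used only to illustrate that a pool is hashed rather than round-robined; the gateway's real hashing algorithm is not documented here.

```python
import hashlib
import ipaddress
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class SnatEntry:
    """One SNAT entry: a source CIDR block mapped to one or more EIPs."""
    name: str
    source_cidr: ipaddress.IPv4Network
    eips: tuple  # one EIP, or several when an SNAT IP address pool is used


def snat_entry(name, cidr, *eips):
    """Build an entry from a CIDR string and one or more EIP strings."""
    return SnatEntry(name, ipaddress.ip_network(cidr, strict=False), tuple(eips))


def match_snat_entry(entries, src_ip):
    """Longest-prefix match: among entries whose source CIDR block contains
    src_ip, the one with the longest subnet mask wins (a /32 ECS entry beats
    a /24 vSwitch entry, which beats a /16 VPC entry). Returns None when no
    entry covers the source."""
    ip = ipaddress.ip_address(src_ip)
    candidates = [e for e in entries if ip in e.source_cidr]
    if not candidates:
        return None
    return max(candidates, key=lambda e: e.source_cidr.prefixlen)


def pick_pool_eip(entry, src_ip, dst_ip, dst_port, proto="tcp"):
    """Hash-based EIP selection for an SNAT IP address pool. The page only
    states that traffic is distributed by a hashing algorithm, not evenly;
    the flow key and SHA-256 used here are a constructed model (assumption),
    not the gateway's actual algorithm."""
    if len(entry.eips) == 1:
        return entry.eips[0]
    flow_key = f"{proto}|{src_ip}|{dst_ip}|{dst_port}".encode()
    digest = hashlib.sha256(flow_key).digest()
    return entry.eips[int.from_bytes(digest[:4], "big") % len(entry.eips)]


def egress_ip(entries, src_ip, dst_ip, dst_port, instance_public_ip=None):
    """Public IP a flow leaves with. An instance that already has a public IP
    (static public IP, EIP or DNAT IP mapping) bypasses SNAT entirely, which
    is why such an instance never appears in SNAT-based allow-lists."""
    if instance_public_ip is not None:
        return instance_public_ip
    entry = match_snat_entry(entries, src_ip)
    if entry is None:
        return None  # no SNAT entry covers this source: no Internet path
    return pick_pool_eip(entry, src_ip, dst_ip, dst_port)


def pool_distribution(entries, src_ips, dst_ip="203.0.113.10", dst_port=443):
    """Count how many flows from the given sources land on each EIP."""
    return Counter(egress_ip(entries, s, dst_ip, dst_port) for s in src_ips)


# Constructed sample entries (RFC 1918 and documentation address ranges).
SAMPLE_ENTRIES = [
    snat_entry("vpc-wide", "10.0.0.0/16", "198.51.100.1"),
    snat_entry("vswitch-a", "10.0.1.0/24", "198.51.100.2"),
    snat_entry("ecs-web-1", "10.0.1.10/32", "198.51.100.3"),
    snat_entry("vswitch-b-pool", "10.0.2.0/24", "198.51.100.4", "198.51.100.5"),
]

if __name__ == "__main__":
    for src in ("10.0.1.10", "10.0.1.20", "10.0.9.9", "192.168.1.1"):
        e = match_snat_entry(SAMPLE_ENTRIES, src)
        print(src, "->", e.name if e else "no SNAT entry")
    # 200 hosts behind the pooled vSwitch: both EIPs are used, but not 100/100.
    print(pool_distribution(SAMPLE_ENTRIES, [f"10.0.2.{i}" for i in range(1, 201)]))
```

When you audit an external allow-list that is keyed on your EIPs, run every source that must reach the Internet through a resolver like this: a host covered only by a pool entry can appear from any EIP in that pool, and a host that has its own public IP will not appear from any SNAT EIP at all.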
Modify an SNAT entry
After you create an SNAT entry, you can change the name and the EIP of the SNAT entry. However, you cannot change the VPC, vSwitch, or ECS instance that you specified in the SNAT entry.
- Log on to the NAT Gateway console.
- In the top navigation bar, select the region where the NAT gateway is deployed.
- On the Internet NAT Gateway page, find the NAT gateway that you want to manage and click Configure SNAT in the Actions column.
- In the Used in SNAT Entry section, find the SNAT entry that you want to manage and click Edit in the Actions column.
- On the Edit SNAT Entry page, change the EIP or name of the SNAT entry, and then click Confirm.
Warning: Your service may be temporarily interrupted when you associate EIPs with or disassociate EIPs from an SNAT entry. Proceed with caution.
Delete an SNAT entry
You can delete an SNAT entry if the ECS instances in the VPC that do not have public IP addresses no longer need SNAT to access the Internet.
- Log on to the NAT Gateway console.
- In the top navigation bar, select the region where the NAT gateway is deployed.
- On the Internet NAT Gateway page, find the NAT gateway that you want to manage and click Configure SNAT in the Actions column.
- In the Used in SNAT Entry section, find the SNAT entry that you want to delete and click Delete in the Actions column.
- In the message that appears, click OK.
References
- CreateSnatEntry: creates an SNAT entry.
- ModifySnatEntry: modifies an SNAT entry.
- DeleteSnatEntry: deletes an SNAT entry.