You can configure SNAT entries on a Virtual Private Cloud (VPC) NAT gateway to allow Elastic Compute Service (ECS) instances in the VPC where the NAT gateway is deployed to access external private networks. This topic describes how to create and manage SNAT entries on a VPC NAT gateway.

Background information

  • If the source CIDR blocks of multiple SNAT entries overlap, the SNAT entry whose source CIDR block has the longest subnet mask takes effect.
    • For example, if you create an SNAT entry for an ECS instance, the subnet mask of the source CIDR block is /32, which is the longest subnet mask. Therefore, the SNAT entry has the highest priority.
    • For SNAT entries that you create for other resources, such as vSwitches, VPCs, and custom CIDR blocks, the system determines the priorities of the SNAT entries based on the subnet mask length of the source CIDR block. The longer the subnet mask, the higher the priority.
  • You can specify an IP address in both a DNAT entry and an SNAT entry configured on a VPC NAT gateway.
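
The priority rule above, worked through as an added example (not part of the original documentation and not Alibaba Cloud code): it resolves which SNAT entry applies to a source address by longest subnet mask, and lists overlapping entries that map to different NAT IP addresses, which is worth reviewing when a peer network allowlists a specific NAT IP. The entry names, CIDR blocks, and NAT IP addresses are constructed sample values.

```python
import ipaddress
from itertools import combinations

# Constructed sample SNAT table: (entry name, source CIDR block, NAT IP address).
# All names and addresses are hypothetical.
SNAT_ENTRIES = [
    ("vpc-wide", "192.168.0.0/16", "10.0.0.10"),    # Specify VPC
    ("vsw-app", "192.168.1.0/24", "10.0.0.11"),     # Specify vSwitch
    ("ecs-batch", "192.168.1.25/32", "10.0.0.12"),  # Specify ECS Instance
    ("custom-db", "192.168.2.0/25", "10.0.0.11"),   # Specify Custom CIDR Block
]


def effective_entry(source_ip, entries=SNAT_ENTRIES):
    """Return (name, nat_ip) of the matching entry with the longest mask, or None."""
    ip = ipaddress.ip_address(source_ip)
    best = None
    for name, cidr, nat_ip in entries:
        net = ipaddress.ip_network(cidr)
        # A longer prefix length means a longer subnet mask, hence higher priority.
        if ip in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, name, nat_ip)
    return None if best is None else best[1:]


def shadowing_pairs(entries=SNAT_ENTRIES):
    """List (broader, narrower) entry names that overlap but use different NAT IPs.

    Sources inside the narrower block leave through a different address than
    the broader entry alone would suggest.
    """
    pairs = []
    for a, b in combinations(entries, 2):
        net_a, net_b = ipaddress.ip_network(a[1]), ipaddress.ip_network(b[1])
        if net_a.overlaps(net_b) and a[2] != b[2]:
            broad, narrow = sorted(
                (a, b), key=lambda e: ipaddress.ip_network(e[1]).prefixlen
            )
            pairs.append((broad[0], narrow[0]))
    return pairs


if __name__ == "__main__":
    for src in ("192.168.1.25", "192.168.1.7", "192.168.2.200", "172.16.0.1"):
        print(src, "->", effective_entry(src))
    for broad, narrow in shadowing_pairs():
        print(f"{narrow} overrides {broad} with a different NAT IP")
```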

Prerequisites

  • A VPC NAT gateway is created. For more information, see Create a VPC NAT gateway.
  • To create an SNAT entry for a vSwitch, make sure that a vSwitch is created in the VPC that is associated with the VPC NAT gateway. For more information, see Work with vSwitches.
  • To create an SNAT entry for an ECS instance, make sure that an ECS instance is created in the VPC that is associated with the VPC NAT gateway. For more information, see Create an instance by using the wizard.

Create an SNAT entry

  1. Log on to the NAT Gateway console.
  2. In the left-side navigation pane, choose NAT Gateway > VPC NAT Gateway.
  3. In the top navigation bar, select the region where the VPC NAT gateway is created.
  4. On the VPC NAT Gateway page, find the VPC NAT gateway that you want to manage and click SNAT Management in the Actions column.
  5. On the SNAT Management tab, click Create SNAT Entry.
  6. On the Create SNAT Entry page, set the following parameters and click OK.
    Parameter: Description

    SNAT Entry: Specify whether you want to create an SNAT entry for a VPC, a vSwitch, an ECS instance, or a custom CIDR block.
    • Specify VPC: All ECS instances in the VPC to which the VPC NAT gateway belongs use the SNAT entry to access external private networks.
    • Specify vSwitch: The ECS instances that belong to the specified vSwitch use the SNAT entry to access external private networks.
      • Select vSwitch: Select a vSwitch from the drop-down list, or click Create VSwitch to create a vSwitch in the VPC console.

        If you select multiple vSwitches, the system creates multiple SNAT entries that use the same IP address.

      • vSwitch CIDR Block: displays the CIDR block of the vSwitch.
    • Specify ECS Instance: The specified ECS instance uses the SNAT entry to access external private networks.
      • Select ECS Instance: Select an ECS instance from the drop-down list, or click Create ECS Instance to create an ECS instance in the ECS console. The ECS instance uses the SNAT entry to access external private networks. Make sure that the ECS instance runs as expected.

        If you select multiple ECS instances, the system creates multiple SNAT entries that use the same IP address.

      • ECS CIDR Block: displays the CIDR block of the ECS instance.
    • Specify Custom CIDR Block: You can specify a custom CIDR block in the Custom CIDR Block parameter. ECS instances that belong to the custom CIDR block use the SNAT entry to access external private networks.

    Select NAT IP Address: Select the NAT IP address that is used to access external private networks.

    Note: You can also click Create NAT IP Address in the drop-down list to add an IP address in the Add NAT IP Address dialog box.

    Entry Name: Enter a name for the SNAT entry.

    The name must be 2 to 128 characters in length, and can contain digits, underscores (_), and hyphens (-). The name must start with a letter.

Modify an SNAT entry

You can change the name and IP address of an SNAT entry after you create the SNAT entry. However, you cannot change the VPC, vSwitch, or ECS instance specified in the SNAT entry.

  1. Log on to the NAT Gateway console.
  2. In the left-side navigation pane, choose NAT Gateway > VPC NAT Gateway.
  3. In the top navigation bar, select the region where the VPC NAT gateway is created.
  4. On the VPC NAT Gateway page, find the VPC NAT gateway that you want to manage and click SNAT Management in the Actions column.
  5. In the Used in SNAT Entry section, find the SNAT entry that you want to manage and click Edit in the Actions column.
  6. On the Edit SNAT Entry page, replace the IP address or change the name of the SNAT entry and click Confirm.

Delete an SNAT entry

You can delete an SNAT entry that is no longer needed.

  1. Log on to the NAT Gateway console.
  2. In the left-side navigation pane, choose NAT Gateway > VPC NAT Gateway.
  3. In the top navigation bar, select the region where the VPC NAT gateway is created.
  4. In the Used in SNAT Entry section, find the SNAT entry that you want to delete and click Delete in the Actions column.
  5. In the Delete SNAT Entry message, click OK.
