You can create multiple Internet NAT gateways in one virtual private cloud (VPC) to forward traffic to different IP addresses. This way, you can better manage traffic that is destined for the Internet. You can also use different services to protect each Internet NAT gateway based on your requirements.

Scenarios

The following scenario is used as an example to show how to deploy multiple Internet NAT gateways in one VPC.

Architecture

The following content describes the vSwitches used in this example:

  • Create a VPC, and then create three vSwitches in the VPC. Deploy an Internet NAT gateway (NATGW-1) in Security Domain 1 and another Internet NAT gateway (NATGW-2) in Security Domain 2. Associate vSwitch1 with NATGW-1. Then, associate vSwitch2 and vSwitch3 with NATGW-2.
    • vSwitch1 belongs to Security Domain 1 and is associated with the system route table. A dedicated public IP address is used to route network traffic. The maximum bandwidth is 50 Mbit/s. The public IP address is not exposed to the Internet. Elastic Compute Service (ECS) instances that are attached to vSwitch1 can send requests to the Internet, but cannot receive requests from the Internet. The ECS instances require a private network environment.
    • vSwitch2 and vSwitch3 belong to Security Domain 2 and are associated with a subnet route table of the VPC. The ECS instances that are attached to vSwitch2 share the same egress to communicate with the Internet. They can both send requests to the Internet and receive requests from the Internet. The maximum bandwidth is 1 Gbit/s.
  • Create a 50 Mbit/s elastic IP address (EIP) named EIP1 and specify EIP1 in an SNAT entry on NATGW-1.
  • Purchase an EIP bandwidth plan of 1 Gbit/s in size, and associate it with NATGW-2. Create three 5 Mbit/s EIPs (EIP2, EIP3, and EIP4), and associate the EIPs with the EIP bandwidth plan. Specify an EIP in a DNAT entry for vSwitch2, specify another EIP in a DNAT entry for vSwitch3, and then specify the last EIP in SNAT entries for the two vSwitches.
  • Configure monitoring for the vSwitches of NATGW-2.

Flowchart

Deploy multiple Internet NAT gateways in one VPC

Step 1: Create cloud resources

Before you deploy Internet NAT gateways for vSwitches, you must first create the following cloud resources: a VPC, vSwitches, ECS instances, EIPs, and an EIP bandwidth plan.

Cloud resource: VPC
  • Specification: Region: Select China (Hohhot).
  • Quantity: 1
  • References: Create a VPC and a vSwitch

Cloud resource: vSwitch
  • Specification: Zone:
    • One vSwitch named vSwitch1 is created in Hohhot Zone A.
    • Two vSwitches named vSwitch2 and vSwitch3 are created in Hohhot Zone B.
  • Quantity: 3
  • References: Create a VPC and a vSwitch

Cloud resource: ECS instance
  • Specification:
    • Billing method: Select Pay-As-You-Go.
    • Region: Select China (Hohhot).
    • Instance: ecs.g6e.large is selected in this example.
    • Image: Alibaba Cloud Linux 3.2104 64-bit is selected in this example.
    • Network Type: Select the VPC and vSwitches that you created.
      • One ECS instance named ECS1 is created in Hohhot Zone A where vSwitch1 is deployed.
      • Two ECS instances named ECS2 and ECS3 are created in Hohhot Zone B where vSwitch2 and vSwitch3 are deployed.
    • Public IP Address: Clear the check box.
    • Security Group: Use the default security group.
  • Quantity: 3
  • References: Create ECS instances

Cloud resource: EIP
  • Specification:
    • Billing method: Select Pay-As-You-Go.
    • Region: Select China (Hohhot).
    • Max bandwidth: Specify 50 Mbit/s for one EIP and specify 5 Mbit/s for three EIPs.
  • Quantity: 4
  • References: Apply for an EIP

Cloud resource: EIP bandwidth plan
  • Specification:
    • Billing Mode: Select Pay-As-You-Go.
    • Region: Select China (Hohhot).
    • Bandwidth: Specify 1,000 Mbit/s.
  • Quantity: 1
  • References: Create an EIP bandwidth plan

Step 2: Create two Internet NAT gateways

Create two Internet NAT gateways named NATGW-1 and NATGW-2 that are billed on a pay-as-you-go basis in the VPC. Associate NATGW-1 with vSwitch1, and associate NATGW-2 with vSwitch2 and vSwitch3.

  1. Log on to the NAT Gateway console.
  2. On the Internet NAT Gateway page, click Create NAT Gateway.
  3. When you create an Internet NAT gateway for the first time, click Create in the Notes on Creating Service-linked Roles section of the buy page to create a service-linked role. After the service-linked role is created, you can create NAT gateways.
    For more information, see Service-linked roles for NAT Gateway.
  4. On the buy page, set the following parameters and click Buy Now.
    Parameter Description
    Billing Method

    By default, Pay-As-You-Go is selected. You can pay for resources after you use them. For more information, see Billing of Internet NAT gateways.

    Region

    Select the region where you want to create the Internet NAT gateway.

    VPC

    Select the VPC for which you want to create the Internet NAT gateway. After the Internet NAT gateway is created, you cannot change the VPC to which the Internet NAT gateway belongs.

    Associate vSwitch

    Select the vSwitch to which the Internet NAT gateway belongs.

    Billing Method

    By default, Pay-By-CU is selected. You are charged based on the resources that you use. For more information, see Billing of Internet NAT gateways.

    Billing Cycle

    By default, By Hour is selected. Fees are calculated on an hourly basis. If you use an Internet NAT gateway for less than 1 hour, the usage duration is rounded up to 1 hour.

    Instance Name

    Enter a name for the Internet NAT gateway.

    The name must be 2 to 128 characters in length and can contain digits, underscores (_), and hyphens (-). The name must start with a letter.

    Access Mode

    Select whether to enable SNAT for the resources in the specified VPC. Supported options:

    • SNAT for All VPC Resources: After the Internet NAT gateway is created, all resources in the VPC can access the Internet by using the SNAT feature of the NAT gateway.

      If you select SNAT for All VPC Resources, you must also specify an EIP.

    • Configure Later: If you select this option, SNAT is disabled. You can configure SNAT on the Internet NAT gateway in the console after you complete the payment.

      If you select Configure Later, only the Internet NAT gateway is created. No SNAT entry is created.

    In this example, Configure Later is selected.
  5. On the Confirm page, confirm the information, select the Terms of Service check box, and then click Confirm.
    When the message Order complete. appears, the Internet NAT gateway is created.

Step 3: Create a custom route table for vSwitch2 and vSwitch3

A route table consists of one or more route entries. Each route entry specifies the destination to which network traffic is routed. You can use the default route table or create a custom route table to manage network traffic.

  1. Log on to the VPC console.
  2. In the left-side navigation pane, click Route Tables.
  3. Select the region where you want to create a route table.
    In this example, China (Hohhot) is selected.

    For more information about the regions that support custom route tables, see Route table overview.

  4. On the Route Tables page, click Create Route Table.
  5. In the Create Route Table dialog box, set the following parameters and click OK.
    Parameter Description
    Resource Group Select the resource group to which the route table belongs.
    VPC Select the VPC to which the route table belongs.
    Name Enter a name for the route table.

    The name must be 2 to 128 characters in length and can contain digits, underscores (_), and hyphens (-). The name must start with a letter.

    Description Enter a description for the route table.

    The description must be 2 to 256 characters in length. It cannot start with http:// or https://.

  6. On the Route Tables page, find the route table that you want to manage and click its ID.
  7. In the Route Table Details section, click the Associated vSwitch tab and click Associate vSwitch.
  8. In the Associate vSwitch dialog box, select vSwitch2 and click OK. Repeat this step to associate the route table with vSwitch3.
  9. Click the Route Entry List > Custom Route tab and click Add Route Entry. In the Add Route Entry panel, set the following parameters.
    Parameter Description
    Name Enter a name for the route entry.

    The name must be 2 to 128 characters in length, and can contain digits, underscores (_), and hyphens (-). It must start with a letter.

    Destination CIDR Block Enter the destination CIDR block to which you want to route traffic. In this example, the destination CIDR block is set to 0.0.0.0/0.
    Next Hop Type NAT Gateway is selected in this example. Traffic destined for the specified CIDR block is routed to the specified NAT gateway.
    NAT Gateway Select NATGW-2 that is created in Step 2: Create two Internet NAT gateways.
    After you complete the preceding operations, a custom route entry that points to NATGW-2 is added to the newly created custom route table.

Step 4: Associate the three 5 Mbit/s EIPs with an EIP bandwidth plan

  1. Log on to the EIP bandwidth plan console.
  2. In the top navigation bar, select the region where the EIP bandwidth plan is created.
    In this example, China (Hohhot) is selected.
  3. On the Internet Shared Bandwidth page, find the EIP bandwidth plan that you want to manage and click Add IP in the Actions column.
  4. In the Add IP panel, click Select from EIP List. Then, select an EIP and click OK.
    After you associate the three 5 Mbit/s EIPs with the 1,000 Mbit/s EIP bandwidth plan, the EIPs share the 1,000 Mbit/s bandwidth.

Step 5: Associate the four EIPs with the Internet NAT gateways separately

Associate the EIPs with the Internet NAT gateways created in Step 2: Create two Internet NAT gateways. Associate EIP1 with NATGW-1, and associate EIP2, EIP3, and EIP4 with NATGW-2.

  1. Log on to the NAT Gateway console.
  2. In the top navigation bar, select the region where the Internet NAT gateway is deployed.
    In this example, China (Hohhot) is selected.
  3. On the Internet NAT Gateway page, find the Internet NAT gateway that you want to manage and click Associate Now in the Elastic IP Address column.
  4. In the Associate EIP dialog box, set the following parameters and click OK.
    Parameter Description
    Resource Group Select the resource group of the EIP.
    EIPs Select Select Existing EIPs and select an EIP from the drop-down list.
    • Associate the 50 Mbit/s EIP with NATGW-1.
    • Associate the other three EIPs with NATGW-2.
    After you complete the preceding operations, the EIPs are displayed in the Elastic IP Address column.

Step 6: Create SNAT entries

ECS instances in VPCs can access the Internet by using SNAT if the ECS instances are not assigned public IP addresses. Create one SNAT entry on NATGW-1, and create two SNAT entries on NATGW-2.

  1. Log on to the NAT Gateway console.
  2. In the top navigation bar, select the region where the Internet NAT gateway is deployed.
    In this example, China (Hohhot) is selected.
  3. On the Internet NAT Gateway page, find the NAT gateway that you want to manage and click Configure SNAT in the Actions column.
  4. On the SNAT Management tab, click Create SNAT Entry.
  5. On the Create SNAT Entry page, set the parameters and click Confirm.
    • Configure an SNAT entry on NATGW-1 for vSwitch1.
    • When you configure SNAT entries on NATGW-2, specify the same EIP in the SNAT entries for vSwitch2 and vSwitch3.
    Parameter Description
    SNAT Entry Specify whether to create an SNAT entry for a VPC, a vSwitch, an ECS instance, or a custom CIDR block. Specify vSwitch is selected in this example. The ECS instances that are attached to the specified vSwitch use the EIP to access the Internet.
    • Select VSwitch: Select a vSwitch from the drop-down list.
      Note If you select multiple vSwitches, the system creates multiple SNAT entries that use the same EIP.
    • VSwitch CIDR Block: displays the CIDR block of the vSwitch.
    Select Public IP Address Select one or more EIPs that are used to access the Internet. Use One IP Address is selected and an EIP is selected from the drop-down list.
    Entry Name Enter a name for the SNAT entry.

    The name must be 2 to 128 characters in length, and can contain digits, underscores (_), and hyphens (-). The name must start with a letter.

Step 7: Create DNAT entries

DNAT allows ECS instances to use EIPs on NAT gateways to provide services over the Internet. Create two DNAT entries on NATGW-2.

  1. Log on to the NAT Gateway console.
  2. In the top navigation bar, select the region where the Internet NAT gateway is deployed.
    In this example, China (Hohhot) is selected.
  3. On the Internet NAT Gateway page, find the NAT gateway that you want to manage and click Configure DNAT in the Actions column.
  4. On the DNAT Management tab, click Create DNAT Entry.
  5. On the Create DNAT Entry page, set the parameters that are described in the following table and click Confirm.
    Set the following parameters to create DNAT entries for vSwitch2 and vSwitch3.
    Parameter Description
    Select Public IP Address Select an EIP from the drop-down list. The EIP is used to communicate with the Internet.
    Select Private IP Address Select the ECS instance that uses the DNAT entry to communicate with the Internet. Select Select by ECS or ENI, and then select the ECS instance or the elastic network interface (ENI) associated with the ECS instance from the drop-down list.
    Port Settings Select a DNAT mapping method. Specific Port is selected in this example.
    Use the following settings for vSwitch2 and vSwitch3:
    • vSwitch2:
      • Public Port: the external port that is used in port forwarding. Port 22 is specified in this example.
      • Private Port: the internal port that is used in port forwarding. Port 22 is specified in this example.
      • Protocol Type: the protocol that is used by the ports. TCP is selected in this example.
    • vSwitch3:
      • Public Port: the external port that is used in port forwarding. Port 22 is specified in this example.
      • Private Port: the internal port that is used in port forwarding. Port 22 is specified in this example.
      • Protocol Type: the protocol that is used by the ports. TCP is selected in this example.
    Make sure that the security group rules of ECS2 and ECS3 allow inbound TCP requests on port 22.
    Entry Name Enter a name for the DNAT entry.

    The name must be 2 to 128 characters in length, and can contain digits, periods (.), underscores (_), and hyphens (-). It must start with a letter.

Step 8: Test network connectivity and check monitoring metrics

Check whether the ECS instance can access the Internet

Log on to ECS1 in vSwitch1 and perform the following operations to check whether ECS1 can access the Internet. You can also query the EIP specified in the SNAT entry that is associated with ECS1.

  1. Log on to ECS1 in vSwitch1. For more information, see Connection methods.
  2. Run the ping www.aliyun.com command.
    If you receive echo reply packets, ECS1 can access the Internet.
    The result shows that ECS1 can access the Internet.
  3. Run the curl myip.ipip.net command to query the EIP that ECS1 uses to access the Internet. Then, run the ifconfig command to query the private IP address of ECS1.
    The result shows that the EIP that ECS1 uses to access the Internet is the EIP specified in the SNAT entry configured on NATGW-1.

Check whether ECS2 can provide services over the Internet

  1. Log on to an on-premises Linux machine.
  2. Run the ssh root@<public IP address> command, where public IP address is the EIP specified in the DNAT entry configured on NATGW-2. Then, enter the password of ECS2 and check whether you can access ECS2.
    If Welcome to Alibaba Cloud Elastic Compute Service! is returned, ECS2 can use the DNAT feature of NATGW-2 to provide services over the Internet.
  3. Run the ifconfig command. If the IP address returned is the same as the private IP address of ECS2, ECS2 can provide services over the Internet.
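The following script is an added example for Step 8, not part of this page; it automates the egress check (Internet reachability, the public address the instance appears from, and a comparison with the EIP specified in the SNAT entry) so it can be rerun after any change to the SNAT entries or route tables. Two swaps relative to the page are assumptions: a TCP connect to www.aliyun.com:443 stands in for ping, and the myip.ipip.net response is parsed by taking the first IPv4 address in its body (the `User-Agent` header is set to a curl-style value so the service returns its plain-text form). The 203.0.113.x addresses in the comments are constructed placeholders.

```python
"""Step 8 egress check for an ECS instance behind an Internet NAT gateway.

Added example: reaches the Internet, reads the public address this instance
appears from, and compares it with the EIP specified in the SNAT entry.
"""
import ipaddress
import re
import socket
import sys
import urllib.request

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def extract_public_ip(text):
    """Return the first syntactically valid IPv4 address in text, or None.

    Example (constructed): "当前 IP：203.0.113.4  来自于：..." -> "203.0.113.4"
    """
    for candidate in IPV4.findall(text):
        try:
            return str(ipaddress.IPv4Address(candidate))
        except ValueError:  # an octet above 255, for instance
            continue
    return None


def check_egress(observed_ip, expected_eip):
    """True only when the address seen from the Internet is exactly the SNAT EIP."""
    if observed_ip is None:
        return False
    return ipaddress.IPv4Address(observed_ip) == ipaddress.IPv4Address(expected_eip)


def tcp_reachable(host, port, timeout=3.0):
    """TCP connect test; stands in for ping where ICMP echo is filtered."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def fetch_observed_ip():
    """Ask myip.ipip.net which public address this instance appears from (assumed response format)."""
    req = urllib.request.Request("http://myip.ipip.net", headers={"User-Agent": "curl/8.0"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return extract_public_ip(resp.read().decode("utf-8", "replace"))


def main(expected_eip):
    if not tcp_reachable("www.aliyun.com", 443):
        print("FAIL: no Internet access (TCP connect to www.aliyun.com:443 failed)")
        return 1
    observed = fetch_observed_ip()
    if check_egress(observed, expected_eip):
        print(f"OK: egress address {observed} is the SNAT EIP")
        return 0
    print(f"MISMATCH: egress address {observed}, expected SNAT EIP {expected_eip}")
    return 2


if __name__ == "__main__":
    # usage on ECS1: python3 check_egress.py <EIP specified in the SNAT entry on NATGW-1>
    sys.exit(main(sys.argv[1]))
```

A mismatch means the instance is leaving through a different address than intended: check the route table its vSwitch is associated with and which gateway the SNAT entry was created on. The same `tcp_reachable` function, run from the on-premises machine against the DNAT EIP and port 22, confirms the DNAT path before you log on over SSH.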

View metrics

  1. Log on to the NAT Gateway console.
  2. In the top navigation bar, select the region where the Internet NAT gateway is deployed.
  3. On the Internet NAT Gateway page, find the Internet NAT gateway that you want to manage and click Monitoring in the Monitoring column.
    For more information about the monitoring metrics of Internet NAT gateways, see View monitoring data.