This topic describes how to enable a virtual private cloud (VPC) to communicate with a data center through a static private IP address by using the DNAT and SNAT features of a VPC NAT gateway.

Scenarios

The following scenario is used as an example. An enterprise has created a VPC and vSwitches in the China (Beijing) region. Elastic Compute Service (ECS) instances are deployed in the vSwitches. The data center of the enterprise is connected to Alibaba Cloud through virtual border routers (VBRs) and Express Connect circuits. The VPC of the enterprise is attached to a Cloud Enterprise Network (CEN) instance. The enterprise requires the ECS instances in the VPC to communicate with the data center by using a static private IP address.

Figure: Scenario
The preceding requirement can be met by using the DNAT and SNAT features of a VPC NAT gateway. The following table describes the subnetting details in this example. You can also plan the CIDR blocks based on your business requirements. Make sure that the CIDR blocks do not overlap with each other.
Parameter: IP address/CIDR block
  • VPC1 CIDR block: 192.168.0.0/16
  • vSwitch CIDR blocks:
      VSW1: 192.168.10.0/24
      VSW2: 192.168.20.0/24
      NATVSW: 192.168.3.0/24
  • ECS IP addresses:
      ECS1: 192.168.10.55
      ECS2: 192.168.20.30
  • CIDR block of the data center: 172.16.0.0/12
  • IP address of the server in the data center: 172.16.10.137
  • Peer IP addresses:
      Alibaba Cloud peer IP address: 10.0.0.2/30
      Data center peer IP address: 10.0.0.1/30
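The table asks you to make sure that the CIDR blocks do not overlap. The following check, an added example that is not part of the original page or of any Alibaba Cloud tooling, restates the plan above as data and verifies that each vSwitch is carved out of VPC1, that the routed blocks (VPC, data center, peer link) are disjoint, and that every host address sits in the block it is attributed to; the NAT IP 192.168.3.132 is taken from Step 8 and the /30 peer link is an assumption derived from the two peer addresses.

```python
from ipaddress import ip_address, ip_network
from itertools import combinations

# The subnetting plan from the table above, restated as data (constructed for this check).
PLAN = {
    "vpc": "192.168.0.0/16",
    "vswitches": {"VSW1": "192.168.10.0/24", "VSW2": "192.168.20.0/24",
                  "NATVSW": "192.168.3.0/24"},
    "ecs": {"ECS1": ("VSW1", "192.168.10.55"), "ECS2": ("VSW2", "192.168.20.30")},
    "nat_ip": ("NATVSW", "192.168.3.132"),   # default NAT IP used in Step 8
    "data_center": "172.16.0.0/12",
    "dc_server": "172.16.10.137",
    "peer_link": "10.0.0.0/30",              # assumed /30 holding 10.0.0.1 and 10.0.0.2
}


def check_plan(plan):
    """Return a list of problems; an empty list means the plan is consistent."""
    problems = []
    vpc = ip_network(plan["vpc"])
    vsw = {n: ip_network(c) for n, c in plan["vswitches"].items()}
    dc = ip_network(plan["data_center"])
    # every vSwitch must be carved out of the VPC CIDR block
    for name, net in vsw.items():
        if not net.subnet_of(vpc):
            problems.append(f"{name} {net} is not inside VPC {vpc}")
    # vSwitches must not overlap each other; the blocks routed against each other
    # (VPC, data center, peer link) must be disjoint as well
    routed = {"VPC": vpc, "DC": dc, "PEER": ip_network(plan["peer_link"])}
    for group in (vsw, routed):
        for (a, na), (b, nb) in combinations(group.items(), 2):
            if na.overlaps(nb):
                problems.append(f"{a} {na} overlaps {b} {nb}")
    # hosts (ECS instances and the NAT IP) must sit in the vSwitch they belong to
    hosts = dict(plan["ecs"], NAT_IP=plan["nat_ip"])
    for name, (sw, addr) in hosts.items():
        if ip_address(addr) not in vsw[sw]:
            problems.append(f"{name} {addr} is not in {sw} {vsw[sw]}")
    if ip_address(plan["dc_server"]) not in dc:
        problems.append(f"data center server {plan['dc_server']} is not in {dc}")
    return problems
```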

Prerequisites

Procedure

Step 1: Create a CEN instance and attach the VPC and VBR to it

Before you can connect network instances, you must create a CEN instance. CEN allows you to manage network instances in a centralized manner. You can use a CEN instance to establish and manage a network.

  1. Log on to the CEN console.
  2. Perform the following operations to create a CEN instance:
    1. On the Instances page, click Create CEN Instance.
    2. In the Create CEN Instance dialog box, set the following parameters and click OK.
      • Name: Enter a name for the CEN instance. The name must be 2 to 128 characters in length and can contain digits, hyphens (-), and underscores (_). It must start with a letter.
      • Description: Enter a description for the CEN instance. The description must be 2 to 256 characters in length and cannot start with http:// or https://. You can leave this parameter empty.

  3. Perform the following operations to attach the VPC to the CEN instance:
    1. On the Instances page of the CEN console, click the ID of the CEN instance that you want to manage.
    2. On the details page of the CEN instance, click the Add icon next to VPC.
    3. On the Connection with Peer Network Instance page, set the following parameters and click OK.
      • Network Type: By default, VPC is selected.
      • Region: Select the region where the network instance is created. In this example, China (Beijing) is selected.
      • Transit Router: The system automatically creates a transit router in the specified region. An Enterprise Edition transit router is created in this example. For more information about transit routers, see How transit routers work.
      • Select the primary and secondary zones for the transit router: Select the primary and secondary zones for the transit router. In this example, Primary Zone is set to Beijing Zone H and Secondary Zone is set to Beijing Zone G.
        Note: When you perform this operation, the system automatically creates the service-linked role AliyunServiceRoleForCEN. The service-linked role allows the transit router to create elastic network interfaces (ENIs) in the vSwitches of the VPC. ENIs are used to direct network traffic from the VPC to the transit router. For more information, see AliyunServiceRoleForCEN.
      • Resource Owner ID: Select whether the network instance and the CEN instance belong to the same Alibaba Cloud account. The default value Your Account is selected in this example.
      • Billing method: The default value Pay-As-You-Go is selected in this example.
      • Attachment Name: Enter a name for the connection. The name must be 2 to 128 characters in length and can contain digits, underscores (_), and hyphens (-). It must start with a letter.
      • Networks: Select the ID of the VPC that you want to attach to the CEN instance. In this example, VPC1 is selected.
      • VSwitch: Select a vSwitch from the primary zone and one from the secondary zone. In this example, VSW1 is selected from the primary zone and VSW2 is selected from the secondary zone.
      • Advanced Settings: Advanced settings are enabled by default and are left enabled in this example.

  4. Perform the following operations to attach the VBR to the CEN instance:
    1. After you attach VPC1 to the CEN instance, click Create More Connections.
    2. On the Connection with Peer Network Instance page, set the following parameters and click OK.
      • Instance Type: Select Virtual Border Router (VBR).
      • Region: Select the region where the network instance is created. In this example, China (Beijing) is selected.
      • Transit Router: The system automatically selects the transit router that is created in the current region. In this example, the transit router created in the China (Beijing) region is selected.
      • Resource Owner ID: Select whether the network instance and the CEN instance belong to the same Alibaba Cloud account. The default value Your Account is selected in this example.
      • Attachment Name: Enter a name for the connection. The name must be 2 to 128 characters in length and can contain digits, underscores (_), and hyphens (-). It must start with a letter.
      • Networks: Select the ID of the VBR that you want to attach to the CEN instance. In this example, the VBR that you created is selected.
      • Advanced Settings: Advanced settings are enabled by default and are left enabled in this example.

Step 2: Configure VBR routes

Add a route to the VBR. The route must point to the data center.

  1. Log on to the Express Connect console.
  2. In the top navigation bar, select the region and click Virtual Border Routers (VBRs) in the left-side navigation pane.
  3. On the Virtual Border Routers (VBRs) page, find the VBR that you want to manage and click its ID.
  4. On the details page of the VBR, click the Routes tab and click Add Route.
  5. In the Add Route Entry panel, set the following parameters and click OK.
    • Next Hop Type: Select the type of next hop. In this example, Physical Connection Interface is selected.
    • Destination Subnet: In this example, 172.16.10.137 is used, which is the IP address of the server in the data center.
    • Next Hop: Select the Express Connect circuit.

Step 3: Create a VPC NAT gateway

  1. Log on to the NAT Gateway console.
  2. In the left-side navigation pane, choose NAT Gateway > VPC NAT Gateway.
  3. On the VPC NAT Gateway page, click Create VPC NAT Gateway.
  4. On the VPC NAT Gateway (Pay-As-You-Go) page, set the following parameters and click Buy Now.
    • Region: Select the region where you want to create the VPC NAT gateway. In this example, China (Beijing) is selected.
    • VPC ID: Select the VPC to which the VPC NAT gateway belongs. After you create a VPC NAT gateway, you cannot change the VPC to which it belongs. In this example, VPC1 is selected.
    • Zone: Select the zone to which the VPC NAT gateway belongs. In this example, Zone H, where NATVSW is deployed, is selected.
    • vSwitch ID: Select the vSwitch to which the VPC NAT gateway belongs. In this example, NATVSW is selected.
    • Name: Enter a name for the VPC NAT gateway. The name must be 1 to 128 characters in length. In this example, VPC_NATGW is used.
    • Service-linked Role: Displays whether a service-linked role has been created for the VPC NAT gateway. If this is your first time using a NAT gateway, whether an Internet NAT gateway or a VPC NAT gateway, you must click Create Service-linked Role to create the service-linked role.

  5. On the Confirm Order page, confirm the information, select the Terms of Service check box, and then click Activate Now.
    When the message Order complete. appears, the VPC NAT gateway is created.

Step 4: Add a route entry to the system route table of VPC1

Add a route entry to the system route table of VPC1. The route entry must point to the VPC NAT gateway.

  1. Log on to the VPC console.
  2. On the VPCs page, find VPC1 and click its ID.
  3. On the details page, click the Resources tab and click the number below Route Table.
  4. On the Route Tables page, find the route table whose Route Table Type is System and click its ID.
  5. On the details page, choose the Route Entry List > Custom tab, and then click Add Route Entry.
  6. In the Add Route Entry panel, set the following parameters and click OK.
    • Name: Enter a name for the route entry. In this example, VPCENTRY is used.
    • Destination CIDR Block: Enter the CIDR block of the destination. In this example, 172.16.10.137 is used, which is the IP address of the server in the data center.
    • Next Hop Type: Select the next hop type. In this example, NAT Gateway is selected.
    • NAT Gateway: Select a NAT gateway. In this example, the VPC NAT gateway is selected.

Step 5: Create a custom route table and add a route entry

Create a custom route table for NATVSW and add a route entry that points to the transit router.

For more information about regions that support custom route tables, see Regions that support custom route tables.

  1. Log on to the VPC console.
  2. In the left-side navigation pane, click Route Tables.
  3. In the top navigation bar, select the region to which the route table belongs.
  4. Perform the following operations to create a custom route table and associate the route table with NATVSW:
    1. On the Route Tables page, click Create Route Table.
    2. On the Create Route Table page, set the following parameters and click OK.
      • Resource Group: Select the resource group to which the route table belongs. In this example, All is selected.
      • VPC: Select the VPC to which the route table belongs. In this example, VPC1 is selected.
      • Name: Enter a name for the route table. In this example, NATVTB is used.
      • Description: Enter a description for the route table. In this example, Custom is used.
    3. Click the Associated vSwitch tab and click Associate vSwitch.
    4. In the Associate vSwitch dialog box, select the vSwitch that you want to associate and click OK.
      In this example, NATVSW is selected.
  5. Perform the following steps to add a route entry to the custom route table:
    1. On the Route Tables page, find the custom route table and click its ID.
    2. Choose Route Entry List > Custom, and click Add Route Entry.
    3. In the Add Route Entry panel, set the following parameters and click OK.
      • Name: Enter a name for the route entry. In this example, VPCNATENTRY is used.
      • Destination CIDR Block: Enter the CIDR block of the destination. In this example, 172.16.10.137 is used, which is the IP address of the server in the data center.
      • Next Hop Type: Select the next hop type. In this example, Transit Router is selected.
      • Transit Router: Select the transit router. In this example, the transit router that is connected to VPC1 is selected.

Step 6: Create an SNAT entry and a DNAT entry by using the default NAT IP address

Create an SNAT entry for the ECS instance to enable the ECS instance to access the data center. Create a DNAT entry for the ECS instance to enable the data center to access the ECS instance.

  1. Log on to the NAT Gateway console.
  2. In the left-side navigation pane, choose NAT Gateway > VPC NAT Gateway.
  3. In the top navigation bar, select the region where you want to deploy the NAT gateway.
  4. Perform the following operations to create an SNAT entry:
    1. On the VPC NAT Gateway page, find the VPC NAT gateway that you want to manage and click SNAT Management in the Actions column.
    2. On the SNAT Management tab, click Create SNAT Entry.
    3. On the Create SNAT Entry page, set the following parameters and click OK.
      • SNAT Entry: Specify whether you want to create an SNAT entry for a VPC, a vSwitch, an ECS instance, or a custom CIDR block. In this example, Specify vSwitch is selected, and the vSwitch to which the ECS instance belongs is then selected from the Select vSwitch drop-down list. In this example, VSW1 is selected. The vSwitch CIDR Block section displays the CIDR block of VSW1.
      • Select NAT IP Address: Select the NAT IP address that is used to access external private networks. The default NAT IP address is selected in this example.
      • Entry Name: Enter a name for the SNAT entry. The name must be 2 to 128 characters in length and can contain digits, underscores (_), and hyphens (-). It must start with a letter.

  5. Return to the VPC NAT Gateway page and perform the following operations to create a DNAT entry:
    1. On the VPC NAT Gateway page, find the VPC NAT gateway that you want to manage and click DNAT Management in the Actions column.
    2. On the DNAT Management tab, click Create DNAT Entry.
    3. On the Create DNAT Entry page, set the following parameters and click OK.
      • Select NAT IP Address: Select the NAT IP address that is used to receive requests from external private networks. The default NAT IP address is selected in this example.
      • Select Private IP Address: Specify the private IP address of the ECS instance that uses the DNAT entry to communicate with external networks. In this example, Select by ECS or ENI is selected and the private IP address of ECS1 is selected.
      • Port Settings: Select a DNAT mapping method. Port mapping is used in this example: Specific Port is selected, 22 is specified for Frontend Port, 22 is specified for Backend Port, and TCP is specified for Protocol Type.
      • Entry Name: Enter a name for the DNAT entry. The name must be 2 to 128 characters in length and can contain digits, underscores (_), and hyphens (-). It must start with a letter.
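The two entries created in this step behave differently: the SNAT entry is stateful, so replies to a flow that ECS1 opened are translated back without any DNAT entry, whereas a request the data center initiates towards the NAT IP is only delivered if a DNAT entry matches its port and protocol. The following model, an added example that is not code from this page or from Alibaba Cloud, plays both cases through the values of this example (NAT IP 192.168.3.132 from Step 8, SNAT scope VSW1, DNAT 22/TCP to ECS1); the per-flow NAT port allocation and the connection table are simplifying assumptions of the model.

```python
from ipaddress import ip_address, ip_network
from typing import Dict, Optional, Tuple

# Values from the example on this page.
NAT_IP = "192.168.3.132"                       # default NAT IP of VPC_NATGW (Step 8)
ECS1 = "192.168.10.55"
SNAT_SCOPES = [ip_network("192.168.10.0/24")]  # SNAT entry: Specify vSwitch = VSW1
# DNAT entry: (NAT IP, frontend port, protocol) -> (private IP, backend port)
DNAT_ENTRIES = {(NAT_IP, 22, "TCP"): (ECS1, 22)}

Flow = Tuple[str, int, str, int]  # (src_ip, src_port, dst_ip, dst_port)


class VpcNatGateway:
    """Simplified model: SNAT is stateful, DNAT is a static inbound mapping.
    Port allocation and the connection table are assumptions of this model."""

    def __init__(self) -> None:
        self.conntrack: Dict[Tuple[str, int, str, int, str], Tuple[str, int]] = {}
        self.next_port = 1024  # assumed starting NAT port

    def outbound(self, src_ip, src_port, dst_ip, dst_port, proto="TCP") -> Optional[Flow]:
        """Packet from the VPC towards the data center."""
        if not any(ip_address(src_ip) in scope for scope in SNAT_SCOPES):
            return None  # e.g. ECS2 in VSW2: no SNAT entry covers it, so nothing is translated
        nat_port, self.next_port = self.next_port, self.next_port + 1
        # remember the flow so that the reply can be translated back to the ECS instance
        self.conntrack[(NAT_IP, nat_port, dst_ip, dst_port, proto)] = (src_ip, src_port)
        return (NAT_IP, nat_port, dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_ip, dst_port, proto="TCP") -> Optional[Flow]:
        """Packet from the data center addressed to the NAT IP."""
        tracked = self.conntrack.get((dst_ip, dst_port, src_ip, src_port, proto))
        if tracked:  # reply to a flow ECS1 opened: reverse the SNAT translation
            return (src_ip, src_port, tracked[0], tracked[1])
        mapped = DNAT_ENTRIES.get((dst_ip, dst_port, proto))
        if mapped:   # unsolicited request: only an explicit DNAT entry lets it through
            return (src_ip, src_port, mapped[0], mapped[1])
        return None  # neither a tracked flow nor a DNAT entry: the packet is not delivered


def demo() -> Dict[str, Optional[Flow]]:
    """Replay the flows of this example against a fresh gateway."""
    gw = VpcNatGateway()
    return {
        "ecs1_out": gw.outbound("192.168.10.55", 40000, "172.16.10.137", 443),
        "reply_in": gw.inbound("172.16.10.137", 443, "192.168.3.132", 1024),
        "ecs2_out": gw.outbound("192.168.20.30", 40000, "172.16.10.137", 443),
        "dc_ssh": gw.inbound("172.16.10.137", 55555, "192.168.3.132", 22),
        "dc_http": gw.inbound("172.16.10.137", 55555, "192.168.3.132", 80),
    }
```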

Step 7: Add a route entry to the on-premises gateway device

After you complete the preceding steps, you must add a route entry that points to the VPC to the on-premises gateway device.

Add the following route entry that points to the VPC to the on-premises gateway device:
  ip route 192.168.0.0 255.255.0.0 10.0.0.1
Note: The route entry is for reference only. The actual route entry may vary based on the manufacturer of the gateway device.

Step 8: Test the connectivity

Test whether the ECS instance can communicate with the data center.

  1. Log on to ECS1 in VSW1. For more information, see Connection methods.
  2. Ping the IP address of the server in the data center to check whether ECS1 can access the server in the data center.
    The following command is run in this example.
    ping 172.16.10.137
    If you can receive echo reply packets, it indicates that the connection is established.
  3. Log on to the server in the data center and run the ssh root@<NAT IP> command. Before you run this command, replace <NAT IP> with the default NAT IP address of the VPC NAT gateway. Then, enter the password that is used to log on to ECS1 to check whether the server can access ECS1.
    The following command is run in this example.
    ssh root@192.168.3.132
    If you can log on to ECS1, it indicates that the connection is established.