Alibaba Cloud provides enhanced Internet NAT gateways. Enhanced Internet NAT gateways are upgraded from standard Internet NAT gateways and use a more advanced architecture. Compared with standard Internet NAT gateways, enhanced Internet NAT gateways provide higher elasticity and stability. This helps you manage data transfer in a more efficient manner. The term "enhanced NAT gateway" in this topic refers to an enhanced Internet NAT gateway.

Overview

Both enhanced NAT gateways and standard NAT gateways support basic features such as DNAT and SNAT. You can use DNAT to provide Internet-facing services and use SNAT to access the Internet. Enhanced NAT gateways provide more features than standard NAT gateways.
  • More metrics for monitoring

    Enhanced NAT gateways support 22 metrics. You can monitor NAT gateways in real time, which improves the stability of your system. For more information, see Monitor and maintain Internet NAT gateways.

  • Multiple NAT gateways in one virtual private cloud (VPC)

    You can create multiple enhanced NAT gateways in one VPC to forward traffic to different destinations. This way, you can better manage traffic that is destined for the Internet. You can also use security services to protect each NAT gateway based on your business requirements.

    You can add the same SNAT entry to multiple NAT gateways to access the Internet, or add the same DNAT entry to multiple NAT gateways to provide Internet-facing services. You can also configure routes to forward network traffic to a specified egress.

    Notice
    • To replace a standard NAT gateway with an enhanced NAT gateway, you must reconfigure the routes. This may cause transient connections. To minimize the impact of transient connections on your business, we recommend that you reconfigure the routes during off-peak hours.
    • If you create both SNAT and DNAT entries on an enhanced NAT gateway, an Elastic Compute Service (ECS) instance configured with an SNAT entry cannot access another ECS instance configured with a DNAT entry of the same NAT gateway. To allow an ECS instance to access another ECS instance configured with a DNAT entry in the same VPC, we recommend that you create another enhanced NAT gateway and create DNAT and SNAT entries on different NAT gateways.
  • High performance to withstand traffic spikes (pay-as-you-go NAT gateways)
    Specification Maximum number of concurrent connections Maximum number of new connections Throughput
    Default 2,000,000 100,000 5 Gbit/s to 15 Gbit/s (automatic scaling)
    Maximum quota that you can apply for by submitting a ticket 10,000,000 1,000,000 100 Gbps

Comparison between enhanced NAT gateways and standard NAT gateways

The following tables describe the differences and similarities in features and limits between enhanced NAT gateways and standard NAT gateways.

Table 1. Comparison of features
Feature Enhanced Internet NAT gateway Standard Internet NAT gateway References
Deploying multiple Internet NAT gateways in the same virtual private cloud (VPC) Supported Not supported Deploy multiple Internet NAT gateways in one VPC
Associating a vSwitch with an Internet NAT gateway Supported Not supported N/A
Billed on an hourly basis Supported Not supported
Processing TCP, UDP, and ICMP fragments Supported Not supported N/A
Monitoring metrics 22 4 Monitor and maintain Internet NAT gateways
Associating multiple elastic IP addresses (EIPs) with an Internet NAT gateway Supported Supported Associate an EIP with an Internet NAT gateway
SNAT Supported Supported Create and manage SNAT entries
Creating multiple SNAT entries in an SNAT table Supported Supported
Associating multiple EIPs with an SNAT table Supported Supported
DNAT Supported Supported Create and manage DNAT entries
DNAT port mapping Supported Supported
DNAT IP mapping Supported Supported
Elastic Compute Service (ECS) instances using SNAT to access services that use DNAT to provide Internet-facing services when the same Internet NAT gateway is used for SNAT and DNAT Not supported Supported N/A
Specifying an EIP in both SNAT and DNAT tables Supported Not supported
Table 2. Comparison of limits
Item Enhanced Internet NAT gateway Standard Internet NAT gateway
The maximum number of Internet NAT gateways that can be created in a VPC 5. To increase the quota, submit a ticket. 1. You cannot adjust the quota.
The maximum number of DNAT entries that can be added to an Internet NAT gateway 100. You can increase the quota. For more information, see Manage quotas. 100. You can increase the quota. For more information, see Manage quotas.
The maximum number of SNAT entries that can be added to an Internet NAT gateway 40. You can increase the quota. For more information, see Manage quotas. 40. You can increase the quota. For more information, see Manage quotas.
The maximum number of EIPs that you can specify in an SNAT entry 64. You cannot adjust the quota. 64. You cannot adjust the quota.
Creating an Internet NAT gateway for a VPC that contains a custom route whose destination CIDR block is 0.0.0.0/0 Supported. Not supported. You must delete the custom route whose destination CIDR block is 0.0.0.0/0 before you can create an Internet NAT gateway for the VPC.
Whether the bandwidth of a vSwitch is limited by the maximum bandwidth of the EIPs in the SNAT entry that is created for the vSwitch Yes. If the EIPs are associated with an EIP bandwidth plan, the bandwidth of the vSwitch is limited by the maximum bandwidth of the EIP bandwidth plan. Yes. If the EIPs are associated with an EIP bandwidth plan, the bandwidth of the vSwitch is limited by the maximum bandwidth of the EIP bandwidth plan.
The maximum number of EIPs that can be associated with an Internet NAT gateway 20. You can increase the quota. For more information, see Manage quotas. 20. You can increase the quota. For more information, see Manage quotas.
The maximum bandwidth of an Internet NAT gateway 5 Gbit/s. If the total bandwidth of the EIPs or EIP bandwidth plans is greater than 5 Gbit/s, submit a ticket. An Internet NAT gateway does not have a bandwidth limit itself. However, the bandwidth of an Internet NAT gateway is limited by the bandwidth of the EIPs that are specified in SNAT or DNAT entries. The bandwidth is also limited by the maximum bandwidth of the EIP bandwidth plan with which the EIPs are associated.

For example, you create an SNAT entry for an Internet NAT gateway, and specify five pay-by-data-transfer EIPs and two pay-by-bandwidth EIPs whose maximum bandwidth is 500 Mbit/s. The maximum bandwidth of the Internet NAT gateway is 2,000 Mbit/s. This value is calculated based on the following formula: 5 × 200 Mbit/s + 2 × 500 Mbit/s = 2,000 Mbit/s. If the seven EIPs are associated with the same EIP bandwidth plan and the maximum bandwidth of the EIP bandwidth plan is 1,000 Mbit/s, the maximum bandwidth of the Internet NAT gateway is 1,000 Mbit/s.

Whether the maximum number of concurrent connections for an EIP is 55,000 Yes Yes
Whether the maximum bandwidth of an EIP in an EIP bandwidth plan is 200 Mbit/s No Yes
Whether users of NAT service plans can associate EIPs with NAT gateways No No
Whether service interruptions occur when you change the maximum bandwidth of an EIP bandwidth plan that is associated with an Internet NAT gateway, such as increasing the maximum bandwidth from less than 1 Gbit/s to greater than 1 Gbit/s, or decreasing the maximum bandwidth from greater than 1 Gbit/s to less than 1 Gbit/s No Yes
Whether service interruptions occur when the number of EIPs in existing SNAT entries is reduced Yes Yes
Whether service interruptions occur when the number of EIPs in existing SNAT entries is increased No Yes
Whether an ECS instance can be accessed from the Internet in the following scenario: Multiple elastic network interfaces (ENIs) are attached to the ECS instance, and EIPs are associated with some of the ENIs. Different ENIs are used to forward the inbound and outbound traffic of the ECS instance. No. You must modify the routes of the ECS instance before you upgrade the standard Internet NAT gateway to an enhanced Internet NAT gateway. Make sure that the inbound traffic and outbound traffic of the ECS instance are forwarded by the same ENI. For more information, see Configure routes for a secondary ENI that is bound to an instance that runs an Alibaba Cloud Linux 2 or CentOS 7 operating system. Yes

Procedure

Enhanced NAT gateways are used in the same way as standard NAT gateways. However, when you create an enhanced NAT gateway, you must specify the gateway type. In addition, you must specify the VPC and vSwitch that you want to associate with the enhanced NAT gateway. After an enhanced NAT gateway is created, the system assigns an idle private IP address from the vSwitch to the enhanced NAT gateway.
Note If your account is a Resource Access Management (RAM) user and you want to create an enhanced NAT gateway, you must acquire the permissions from the Alibaba Cloud account.
The following figure shows how to use an enhanced NAT gateway.NAT 2.0 procedure