Alibaba Cloud provides enhanced Internet NAT gateways. Enhanced Internet NAT gateways are upgraded from standard Internet NAT gateways and use a more advanced architecture. Compared with standard NAT gateways, enhanced Internet NAT gateways provide higher elasticity and stability. This helps you manage data transfer in a more efficient manner. The term "enhanced NAT gateway" in this topic refers to an enhanced Internet NAT gateway.
Overview
- More metrics for monitoring
Enhanced NAT gateways support 22 metrics. You can monitor NAT gateways in real time, which improves the stability of your system. For more information, see Monitor and maintain Internet NAT gateways.
- Multiple NAT gateways in one virtual private cloud (VPC)
You can create multiple enhanced NAT gateways in one VPC to forward traffic to different destinations. This way, you can better manage traffic that is destined for the Internet. You can also use security services to protect each NAT gateway based on your business requirements.
You can add the same SNAT entry to multiple NAT gateways to access the Internet, or add the same DNAT entry to multiple NAT gateways to provide Internet-facing services. You can also configure routes to forward network traffic to a specified egress.
Notice
- To replace a standard NAT gateway with an enhanced NAT gateway, you must reconfigure the routes. This may cause transient connections. To minimize the impact of transient connections on your business, we recommend that you reconfigure the routes during off-peak hours.
- If you create both SNAT and DNAT entries on an enhanced NAT gateway, an Elastic Compute Service (ECS) instance configured with an SNAT entry cannot access another ECS instance configured with a DNAT entry of the same NAT gateway. To allow an ECS instance to access another ECS instance configured with a DNAT entry in the same VPC, we recommend that you create another enhanced NAT gateway and create DNAT and SNAT entries on different NAT gateways.
- High and guaranteed performance to withstand traffic spikes (pay-as-you-go NAT gateways)
Specification | Number of maximum connections | Maximum number of new connections | Throughput |
---|---|---|---|
Default | 2,000,000 | 100,000 | 5 Gbps |
Maximum quota that you can apply for by submitting a ticket | 10,000,000 | 1,000,000 | 100 Gbps |
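
The notice above says that an ECS instance behind an SNAT entry cannot reach a DNAT service on the same enhanced NAT gateway. The following check is an added example, not Alibaba Cloud code: it scans flow records for that pattern before you switch gateways. The inventory layout, gateway IDs, addresses, and flow tuples are constructed, and it assumes each source CIDR block is covered by the SNAT entries of only one gateway.

```python
import ipaddress

# Constructed inventory (not from the page): SNAT/DNAT entries per gateway.
# Gateway IDs and addresses are placeholders.
GATEWAYS = {
    "ngw-example-a": {
        "snat": [{"source_cidr": "10.0.1.0/24", "eip": "203.0.113.10"}],
        "dnat": [{"eip": "203.0.113.10", "port": 443, "private_ip": "10.0.2.15"}],
    },
    "ngw-example-b": {
        "snat": [{"source_cidr": "10.0.3.0/24", "eip": "203.0.113.20"}],
        "dnat": [],
    },
}

# Constructed flow records: (client private IP, destination public IP).
FLOWS = [
    ("10.0.1.7", "203.0.113.10"),  # SNAT client to a DNAT EIP on the same gateway
    ("10.0.3.9", "203.0.113.10"),  # SNAT on gateway b, DNAT on gateway a
    ("10.0.1.7", "198.51.100.5"),  # ordinary Internet egress
]

def snat_gateway(gateways, client_ip):
    """Return the gateway whose SNAT entry covers client_ip, or None."""
    ip = ipaddress.ip_address(client_ip)
    for gw_id, cfg in gateways.items():
        for entry in cfg["snat"]:
            if ip in ipaddress.ip_network(entry["source_cidr"]):
                return gw_id
    return None

def dnat_gateway(gateways, public_ip):
    """Return the gateway that has a DNAT entry on public_ip, or None."""
    for gw_id, cfg in gateways.items():
        if any(entry["eip"] == public_ip for entry in cfg["dnat"]):
            return gw_id
    return None

def broken_hairpins(gateways, flows):
    """Flows whose SNAT and DNAT sides sit on the same gateway."""
    hits = []
    for client_ip, dst_ip in flows:
        src_gw = snat_gateway(gateways, client_ip)
        if src_gw is not None and src_gw == dnat_gateway(gateways, dst_ip):
            hits.append((client_ip, dst_ip, src_gw))
    return hits

def mixed_gateways(gateways):
    """Gateways that carry both SNAT and DNAT entries (candidates to split)."""
    return sorted(g for g, c in gateways.items() if c["snat"] and c["dnat"])
```

Each tuple returned by `broken_hairpins` is a dependency to resolve by moving the DNAT or SNAT entries to a separate enhanced NAT gateway, as the notice recommends.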
Comparison between enhanced NAT gateways and standard NAT gateways
The following tables describe the differences and similarities in features and limits between enhanced NAT gateways and standard NAT gateways.
Item | Enhanced Internet NAT gateway | Standard Internet NAT gateway | References |
---|---|---|---|
Deploying multiple Internet NAT gateways in the same virtual private cloud (VPC) | Supported | Not supported | Deploy multiple NAT gateways in one VPC |
Associating a vSwitch with an Internet NAT gateway | Supported | Not supported | N/A |
Billed on an hourly basis | Supported | Not supported | Pay-by-CU |
Processing TCP, UDP, and ICMP fragments | Supported | Not supported | N/A |
Metrics | 22 | 4 | Monitor and maintain Internet NAT gateways |
Associating multiple elastic IP addresses (EIPs) with an Internet NAT gateway | Supported | Supported | Associate an EIP with a NAT gateway |
SNAT | Supported | Supported | Configure SNAT entries on an Internet NAT gateway to access the Internet |
Creating multiple SNAT entries in an SNAT table | Supported | Supported | |
Associating multiple EIPs with an SNAT table | Supported | Supported | |
DNAT | Supported | Supported | Create a DNAT entry on an Internet NAT gateway |
DNAT port mapping | Supported | Supported | |
DNAT IP mapping | Supported | Supported | |
Elastic Compute Service (ECS) instances use SNAT to access DNAT services that belong to the same Internet NAT gateway | Not supported | Supported | N/A |
Using an EIP for both SNAT and DNAT tables | Supported | Not supported | |
Limit | Enhanced Internet NAT gateway | Standard Internet NAT gateway |
---|---|---|
The maximum number of Internet NAT gateways that can be created in a VPC | 5. To increase the quota, submit a ticket. | 1. You cannot adjust the quota. |
The maximum number of DNAT entries that can be added to an Internet NAT gateway | 100. You can increase the quota. For more information, see Manage quotas. | 100. You can increase the quota. For more information, see Manage quotas. |
The maximum number of SNAT entries that can be added to an Internet NAT gateway | 40. You can increase the quota. For more information, see Manage quotas. | 40. You can increase the quota. For more information, see Manage quotas. |
The maximum number of public IP addresses that you can specify in an SNAT entry | 64. You cannot adjust the quota. | 64. You cannot adjust the quota. |
Creating an Internet NAT gateway for a VPC that contains a custom route whose destination CIDR block is 0.0.0.0/0 | Supported | Not supported. You must delete the custom route entry whose destination CIDR block is 0.0.0.0/0 before you can create an Internet NAT gateway for the VPC. |
Whether a vSwitch is limited by the bandwidth limit of an EIP after the vSwitch is associated with an SNAT entry | Yes. If the EIP is associated with an EIP bandwidth plan, the vSwitch is limited by the bandwidth limit of the EIP bandwidth plan. | Yes. If the EIP is associated with an EIP bandwidth plan, the vSwitch is limited by the bandwidth limit of the EIP bandwidth plan. |
The maximum number of EIPs that can be associated with an Internet NAT gateway | 20. You can increase the quota. For more information, see Manage quotas. | 20. You can increase the quota. For more information, see Manage quotas. |
The bandwidth limit of an Internet NAT gateway | 5 Gbit/s. If the total bandwidth of the EIPs or EIP bandwidth plans is greater than 5 Gbit/s, submit a ticket to increase the quota. | An Internet NAT gateway does not have a bandwidth limit itself. However, the bandwidth of an Internet NAT gateway is limited by the bandwidth limits of the EIPs that are associated with SNAT or DNAT entries. The bandwidth is also limited by the bandwidth limits of the EIP bandwidth plans with which the EIPs are associated. For example, you create an SNAT entry for an Internet NAT gateway, and specify five pay-by-data-transfer EIPs and two pay-by-bandwidth EIPs whose bandwidth limits are 500 Mbit/s. The bandwidth of the Internet NAT gateway is limited to 2,000 Mbit/s. This value is calculated based on the following formula: 5 × 200 Mbit/s + 2 × 500 Mbit/s = 2,000 Mbit/s. If the seven EIPs are associated with the same EIP bandwidth plan, and the bandwidth limit of the EIP bandwidth plan is 1,000 Mbit/s, the bandwidth limit of the Internet NAT gateway is 1,000 Mbit/s. |
The maximum number of concurrent connections for an EIP is 55,000. | Yes | Yes |
The bandwidth limit of an EIP in an EIP bandwidth plan is 200 Mbit/s. | No | Yes |
Users of NAT service plans cannot associate EIPs with NAT gateways. | Yes | Yes |
You can change the bandwidth limit of an EIP bandwidth plan that is associated with an Internet NAT gateway. For example, you can increase the bandwidth limit from less than 1 Gbit/s to greater than 1 Gbit/s. You can also decrease the bandwidth limit from greater than 1 Gbit/s to less than 1 Gbit/s. When you change the bandwidth limit of an EIP bandwidth plan, temporary service interruptions may occur. | No | Yes |
Temporary service interruptions may occur when IP addresses in existing SNAT entries are reduced. | Yes | Yes |
Temporary service interruptions may occur when IP addresses in the existing SNAT entries are increased. | No | Yes |
Whether the ECS instance can be accessed from the Internet in the following scenario: Multiple elastic network interfaces (ENIs) are attached to an ECS instance, and an EIP is associated with one of the ENIs. Different ENIs are used to forward the inbound and outbound traffic of the ECS instance. | No. You must modify the route of the ECS instance before you upgrade the standard Internet NAT gateway to an enhanced Internet NAT gateway. Make sure that the inbound and outbound traffic of the ECS instance is forwarded by the same ENI. For more information, see Configure routes for a secondary ENI that is bound to an instance that runs an Alibaba Cloud Linux 2 or CentOS 7 operating system. | Yes |
Procedure

