Use a transit router to enable VPCs to share an Internet NAT gateway - NAT Gateway

Transit routers can enable multiple virtual private clouds (VPCs) to share an Internet NAT gateway. This enables the VPCs to access the Internet.

Background information

Cloud Enterprise Network (CEN) is a highly available network built on the global private network of Alibaba Cloud. CEN uses transit routers to enable network communication between VPCs in different regions and between VPCs and data centers.

Transit routers are the core network element that forwards network traffic across regions. Transit routers are region-specific and support custom routing policies. For a CEN instance, you can create only one transit router in each region. You can attach network instances to Enterprise Edition transit routers. After network instances are attached to an Enterprise Edition transit router, routes of the network instances are stored in the route tables of the transit router. The Enterprise Edition transit router forwards traffic of the network instances based on the routes in the route tables.

For more information about transit routers, see How transfer routers work.

Sample scenario

A company deployed two VPCs (VPC1 and VPC2) in the China (Hangzhou) region, as shown in the following figure. vSwitch 1 is deployed in VPC1. An Elastic Compute Service (ECS) instance (ECS1) is deployed in vSwitch1. vSwitch 2 is deployed in VPC2. An ECS instance (ECS2) is deployed in vSwitch 2. Due to business requirements, both VPC1 and VPC2 require Internet access.

In this case, the company can deploy an Internet NAT gateway in VPC1 and configure Source Network Address Translation (SNAT) rules for the NAT gateway. Then, the company can attach the VPCs to a transit router and create a route table on the transit router to enable the VPCs to access the Internet through the Internet NAT gateway.

Prerequisites

VPCs and vSwitches are created as described in the following table. For more information, see Create and manage a VPC.

VPC name	Region	CIDR block	vSwitch name	Zone and CIDR block
VPC1	China (Hangzhou)	192.168.0.0/16	vSwitch1	Hangzhou Zone H, 192.168.0.0/24
VPC2	China (Hangzhou)	172.16.0.0/12	vSwitch 2	Hangzhou Zone H, 172.28.48.0/20

Note

Before you connect a VPC to an Enterprise Edition transit router, make sure that the VPC has at least one vSwitch in a zone that supports Enterprise Edition transit routers. The vSwitch must have at least one idle IP address. For example, the zones used by the Enterprise Edition transit router in this example are Hangzhou Zone H and Hangzhou Zone I. For more information about zones, see Transit router editions.

An ECS instance (ECS1) is deployed in vSwitch 1, and an ECS instance (ECS2) is deployed in vSwitch 2. For more information, see Create an instance by using the wizard.
A Cloud Enterprise Network (CEN) instance is created. For more information, see Create a CEN instance.
An Enterprise Edition transit router is created in the region where the VPC resides. For more information, see Create a transit router.

Procedure

Step 1: Create an Internet NAT gateway

Create an SNAT-enabled Internet NAT gateway in VPC1.

Log on to the NAT Gateway console.
On the Internet NAT Gateway page, click Create NAT Gateway.
When you create an Internet NAT gateway for the first time, click Create in the Notes on Creating Service-linked Roles section of the buy page to create a service-linked role. After the service-linked role is created, you can create Internet NAT gateways.
For more information, see Service-linked roles.

On the Internet NAT Gateway page, set the following parameters and click Buy Now.

Parameter	Description
Billing Method	By default, Pay-As-You-Go is selected. You can pay for resources after you use them. For more information, see Billing of Internet NAT gateways.
Resource Group	Select the resource group to which the VPC belongs. For more information, see Resource Group overview.
Tags	Tag Key: Select or enter a tag key. You can specify at most 20 tag keys. A tag key can be up to 128 characters in length. It cannot start with aliyun or acs:, and cannot contain http:// or https://. Tag Value: Select or enter a tag value. You can specify at most 20 tag values. A tag value can be up to 128 characters in length. It cannot start with aliyun or acs:, and cannot contain http:// or https://.
Region	Select the region where you want to create the Internet NAT gateway. In this example, China (Hangzhou) is selected.
VPC	Select the VPC for which you want to create the Internet NAT gateway. After the Internet NAT gateway is created, you cannot change the VPC to which the Internet NAT gateway belongs. In this example, VPC1 is selected.
Associate vSwitch	Select the vSwitch to which the Internet NAT gateway belongs. In this example, vSwitch1 is selected.
Metering Method	By default, Pay-By-CU is selected. You are charged based on the resources that you use. For more information, see Billing of Internet NAT gateways.
Billing Cycle	By default, By Hour is selected. Fees are calculated on an hourly basis. If you use an Internet NAT gateway for less than 1 hour, the usage duration is rounded up to 1 hour.
Instance Name	Enter a name for the Internet NAT gateway. In this example, Internet NAT Gateway is used.
Access Mode	Select whether to enable SNAT for the resources in the specified VPC. The following modes are supported: SNAT for All VPC Resources: If you select this value, the Internet NAT gateway is created in unified access mode. After the Internet NAT gateway is created, all resources in the VPC can access the Internet by using the SNAT feature of the NAT gateway. If you select SNAT for All VPC Resources, you must also specify an elastic IP address (EIP). Configure Later: If you select this value, you can configure the Internet NAT gateway in the console after you complete the payment. If you select Configure Later, only the Internet NAT gateway is created. No SNAT entry is created. In this example, SNAT for All VPC Resources is selected.
EIP	Select an EIP to associate with the Internet NAT gateway. You can specify the EIP in one of the following ways: Select EIP: Select an existing EIP from the EIP drop-down list. Purchase EIP: Purchase a pay-as-you-go EIP in the region where the Internet NAT gateway is deployed. In this example, Purchase EIP is selected. By default, the Line Type parameter of the EIP is set to BGP(Multi-ISP). The Security Protection parameter is set to Default. You can set the Maximum Bandwidth parameter and set Metering Method to Pay-By-Data-Transfer.

On the Confirm page, confirm the configurations in the order, read and select Terms of Service, and then click Confirm.
Click Return to Console. On the Internet NAT Gateway page, find the Internet NAT gateway that you created and click its ID.
- On the Basic Information tab, view the route information in the VPC Routes that Point to the NAT Gateway section. The route table to which the route belongs is the system route table of VPC1. The destination CIDR block of the route is 0.0.0.0/0, and the next hop is the Internet NAT gateway.
- Click the SNAT Management tab. In the Used in SNAT Entry section, you can view the SNAT entry that is created. VPC1 can access the Internet through this SNAT entry.

Step 2: Attach the VPCs to the transit router and configure routes

Attach VPC1 and VPC2 to the transit router in the China (Hangzhou) region and create a route table on the transit router.

Log on to the CEN console.
On the Instances page, click the ID of the CEN instance that you want to manage.
On the Basic Settings > Transit Router tab, find the transit router that you want to manage and click Create Connection in the Actions column.

On the Connection with Peer Network Instance page, set the following parameters and click OK.

The following table describes the parameter settings of the connections between the VPCs and the transit router.

Note

The first time that you attach a VPC to a transit router, the system automatically creates the service-linked role AliyunServiceRoleForCEN. This role allows transit routers to create ENIs on vSwitches in VPCs. For more information, see AliyunServiceRoleForCEN.

Parameter	Description	Value
Instance Type	Select the type of network instance that you want to attach.	Select VPC.
Region	Select the region where the network instance is deployed.	Select China (Hangzhou).
Transit Router	The transit router in the selected region is displayed.	In this example, the transit router in the China (Hangzhou) region is selected by default.
Resource Owner ID	Select the Alibaba Cloud account to which the network instance belongs.	Select Your Account.
Billing method	By default, transit routers use the Pay-As-You-Go billing method. For more information, see Billing rules.	Pay-As-You-Go is selected by default.
Attachment Name	Enter a name for the network connection.	VPC1: `VPC 1 Connection` is used. VPC2: `VPC 2 Connection` is used.
Network Instance	Select the ID of the network that you want to attach.	VPC1: VPC1 is selected. VPC2: VPC2 is selected.
vSwitch	Select a vSwitch in a zone that supports transit routers.	VPC1: vSwitch 1 is selected. VPC2: vSwitch 2 is selected.
Advanced Settings	By default, the following advanced features are selected: Associate with Default Route Table of Transit Router, Propagate System Routes to Default Route Table of Transit Router, and Automatically Creates Route That Points to Transit Router and Adds to All Route Tables of Current VPC.	Use the default settings.

After you attach VPC1 and VPC2 to the transit router, you can view the information about the connections on the Intra-region Connections tab. For more information, see View network instance connections.

On the details page of the transit router, click the Route Table tab and click Add Route Table.
In the Add Route Table dialog box, set Name to Trusted, set the Description parameter, and then click OK.
Click the trusted route table. On the Route Table Details page, click the Route Entry tab and click Add Route Entry.

In the Add Route Entry dialog box, set the following parameters and click OK.

Parameter	Description
Name	Enter a name for the route entry. In this example, `To VPC 2 Connection` is used.
Destination CIDR	Enter a destination CIDR block. In this example, 172.16.0.0/12 is used.
Blackhole Route	In this example, No is selected.
Next Hop	Select a next hop. In this example, VPC2 Connection is selected.
Description	Enter a description for the route entry. In this example, `Point the trusted route table to VPC 2 Connection` is used.

Click the Route Table Association tab. On this tab, click Create Association, select VPC1 Connection from the Association drop-down list, and then click OK.
After you connect a network instance to a transit router, you can create an associated forwarding correlation to associate the network instance connection with a route table. After you configure an associated forwarding correlation, the transit router forwards the traffic of the network instance based on the route table. For more information, see Associated forwarding.
Click the system route table. On the Route Table Details page, find the Basic Settings section and click Edit next to Name.
In the dialog box that appears, enter Untrusted and click OK.
Click the Untrusted route table. On the Route Entry tab, click Add Route Entry.

In the Add Route Entry dialog box, set the following parameters and click OK.

Parameter	Description
Name	Enter a name for the route entry. In this example, `To VPC 1 Connection` is used.
Destination CIDR	Enter a destination CIDR block. In this example, 0.0.0.0/0 is used.
Blackhole Route	In this example, No is selected.
Next Hop	Select a next hop. In this example, VPC1 Connection is selected.
Description	Enter a description for the route entry. In this example, `Point the Untrusted route table to VPC 1 Connection` is used.

Click the Route Table Association tab. On this tab, click Create Association, select VPC2 Connection from the Association drop-down list, and then click OK.

Step 3: Configure the VPC route tables

Add a route that points to the transit router to the system route table of VPC2.

Log on to the VPC console.
In the left-side navigation pane, click Route Tables.
On the Route Tables page, click the ID of the system route table of VPC2.
On the details page of the route table, choose Route Entry List > Custom Route, and click Add Route Entry.

In the Add Route Entry panel, set the following parameters and click OK.

Parameter	Description
Name	Enter a name for the route entry.
Destination CIDR Block	In this example, IPv4 CIDR Block is selected and 0.0.0.0/0 is used.
Next Hop Type	Select a type of next hop. Transit Router is selected in this example.
Transit Router	In this example, VPC2 Connection is selected.

You can view the information about the route entry on the Custom Route tab.

Step 4: Test network connectivity

Test the network connectivity between VPC1 and VPC2.

Log on to ECS1 in VPC1. For more information, see Connection methods.
Run the ping command to ping the private IP address of ECS2 in VPC2.
The following echo reply packet indicates that VPC1 can access VPC2.
Log on to ECS2 in VPC2.
Run the ping command toping the private IP address of ECS1 in VPC1.
The following echo reply packet indicates that VPC2 can access VPC1.

Check whether ECS1 and ECS2 can access the Internet.

Log on to ECS1 in VPC1.
Run the ping www.aliyun.com command.
The following echo reply packet indicates that ECS1 can access the Internet.
The test result shows that ECS1 can access the Internet.
Log on to ECS2 in VPC2.
Run the ping www.aliyun.com command.
The following echo reply packet indicates that ECS2 can access the Internet.
The test result shows that ECS2 can access the Internet.