This topic describes how to configure SNAT on an Internet NAT gateway. SNAT allows Elastic Compute Service (ECS) instances that do not have public IP addresses to access the Internet.

Scenarios

The following scenario is used as an example. An enterprise created a virtual private cloud (VPC) and a vSwitch on Alibaba Cloud. Multiple ECS instances are created in the vSwitch. The ECS instances are not assigned static public IP addresses or associated with elastic IP addresses (EIPs). To meet business requirements, the ECS instances must access the Internet.

You can configure SNAT on an Internet NAT gateway. SNAT allows ECS instances that do not have public IP addresses in a VPC to access the Internet by using the EIP that is associated with the Internet NAT gateway.

Prerequisites

  • An Alibaba Cloud account is created. For more information, see Create an Alibaba Cloud account.
  • A VPC and a vSwitch are created. ECS instances are deployed in the vSwitch. For more information, see Create an IPv4 VPC.
  • The VPC that you created meets the following requirements:
    • The VPC does not have a custom route whose destination CIDR block is 0.0.0.0/0. If the custom route exists, delete it.
    • If you want to configure SNAT as a Resource Access Management (RAM) user, make sure that the RAM user has access permissions on the VPC. Otherwise, contact the Alibaba Cloud account owner to acquire the permissions.

Procedure

Step 1: Create an Internet NAT gateway

  1. Log on to the NAT Gateway console.
  2. On the Internet NAT Gateway page, click Create NAT Gateway.
  3. When you create a NAT gateway for the first time, you must create the required service-linked role for NAT Gateway. On the buy page, click Create in the Notes on Creating Service-linked Roles section. After the service-linked role is created, you can create Internet NAT gateways.
  4. On the buy page, set the following parameters and click Buy Now.
    Parameter: Description
    Region and Zone: Select the region where you want to create the Internet NAT gateway.
    Zone: Select the zone where you want to create the Internet NAT gateway.
    VPC ID: Select the VPC where you want to create the Internet NAT gateway. After you create the Internet NAT gateway, you cannot change the VPC to which the Internet NAT gateway belongs.
    VSwitch ID: Select the vSwitch to which the Internet NAT gateway belongs.
    Gateway Type (Instance Fee): By default, Enhanced is selected.
    Billing Method: By default, this parameter is set to Pay by Actual Usage. You are charged based on the resources that you use. For more information, see Billing of Internet NAT gateways.
    Unified Access: Select whether to enable the unified access mode.
    • If you select SNAT for All VPC Resources, the unified access mode is enabled. In this case, all instances in the VPC can access the Internet by using the SNAT feature of the NAT gateway. If you select SNAT for All VPC Resources, you must also configure EIPs.
    • If you do not select SNAT for All VPC Resources, the Internet NAT gateway is created with the unified access mode disabled.
    In this example, SNAT for All VPC Resources is not selected.
  5. On the Confirm Order page, confirm the information, select the Terms of Service check box, and then click Confirm Order.
    When the Order complete. message appears, the Internet NAT gateway is created.
After you create an Internet NAT gateway, you can find the Internet NAT gateway on the Internet NAT Gateway page.

Step 2: Associate an EIP with the Internet NAT gateway

An Internet NAT gateway can run as expected only when it is associated with an EIP. After you create an Internet NAT gateway, you can associate EIPs with the Internet NAT gateway to meet your business requirements.

  1. Log on to the NAT Gateway console.
  2. In the top navigation bar, select the region where the Internet NAT gateway is deployed.
  3. On the Internet NAT Gateway page, find the Internet NAT gateway that you want to manage and click Associate Now in the Elastic IP Address column.
  4. In the Associate EIP dialog box, set the following parameters and click OK.
    Parameter: Description
    Resource Group: Select the resource group of the EIP.
    EIPs: Select the EIP that you want to associate with the Internet NAT gateway. In this example, Purchase and Associate EIP is selected. The system automatically creates a pay-by-data-transfer EIP and associates the EIP with the Internet NAT gateway.

After you associate an EIP with the Internet NAT gateway, the EIP is displayed in the Elastic IP Address column.

Step 3: Create an SNAT entry

You can create an SNAT entry on an Internet NAT gateway. This way, the ECS instances that do not have public IP addresses in the VPC can access the Internet by using the EIP that is associated with the Internet NAT gateway.

  1. Log on to the NAT Gateway console.
  2. In the top navigation bar, select the region where the Internet NAT gateway is deployed.
  3. On the Internet NAT Gateway page, find the NAT gateway that you want to manage and click Configure SNAT in the Actions column.
  4. On the SNAT Management tab, click Create SNAT Entry.
  5. On the Create SNAT Entry page, set the parameters and click Confirm.
    Parameter: Description
    SNAT Entry: Specify whether to create an SNAT entry for a VPC, a vSwitch, an ECS instance, or a custom CIDR block. Specify vSwitch is selected in this example. The ECS instances that are attached to the specified vSwitch use the EIP to access the Internet.
    • Select VSwitch: Select a vSwitch from the drop-down list.
      Note: If you select multiple vSwitches, the system creates multiple SNAT entries that use the same EIP.
    • VSwitch CIDR Block: Displays the CIDR block of the vSwitch.
    Select Public IP Address: Select one or more EIPs that are used to access the Internet. Use One IP Address is specified in this example. You can select an EIP from the drop-down list.
    Entry Name: Enter a name for the SNAT entry. The name must be 2 to 128 characters in length, and can contain digits, underscores (_), and hyphens (-). The name must start with a letter.

After the SNAT entry is created, you can view the SNAT entry on the Used in SNAT Entry tab.

Step 4: Test network connectivity

After you create an SNAT entry, you can test the network connectivity of the ECS instances. In this example, an ECS instance that runs Linux is used to test the network connectivity.
Note: Make sure that the security group rules of the ECS instance allow the ECS instance to access the Internet. For more information, see Overview.
  1. Log on to an ECS instance that is attached to the vSwitch. For more information, see Connection methods.
  2. Run the ping command to ping www.aliyun.com.
    If you can receive echo reply packets, it indicates that the connection is established.

    The result shows that the ECS instance can access the Internet.

FAQ

How many SNAT entries can I add to an Internet NAT gateway?

By default, you can add up to 40 SNAT entries to an Internet NAT gateway.

How many EIPs can I specify in an SNAT entry?

You can specify up to 64 EIPs in an SNAT entry. The quota cannot be increased.

For more information about SNAT, see FAQ about SNAT.
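As an added pre-flight check that is not part of this document or of the NAT Gateway product, the following Python validates a planned SNAT configuration against the constraints stated on this page: the prerequisite that the VPC has no custom 0.0.0.0/0 route, the entry name rule from Step 3, and the default quotas from this FAQ. The route-table dict layout, the SnatEntry class and every sample value (including the i-placeholder-ecs next hop) are constructed for the example.

```python
import ipaddress
import re
from dataclasses import dataclass

# Default limits stated on this page.
MAX_SNAT_ENTRIES = 40      # SNAT entries per Internet NAT gateway
MAX_EIPS_PER_ENTRY = 64    # EIPs per SNAT entry
# Entry name: starts with a letter, 2-128 chars, letters/digits/_/- afterwards.
ENTRY_NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_-]{1,127}$")

@dataclass
class SnatEntry:            # assumed shape for this example
    name: str
    source_cidr: str        # CIDR block of the selected vSwitch
    snat_ips: list          # EIPs the entry translates source addresses to

def check_route_table(routes):
    """Flag custom routes to 0.0.0.0/0 (the prerequisites say delete them).
    `routes` is an assumed list of dicts: destination, type (Custom/System), next_hop."""
    return [f"custom route 0.0.0.0/0 -> {r['next_hop']} conflicts with SNAT; delete it"
            for r in routes if r["type"] == "Custom"
            and ipaddress.ip_network(r["destination"]).prefixlen == 0]

def check_entries(entries):
    """Validate planned SNAT entries against the name rule and the default quotas."""
    problems = []
    if len(entries) > MAX_SNAT_ENTRIES:
        problems.append(f"{len(entries)} entries exceeds the default quota of {MAX_SNAT_ENTRIES}")
    for e in entries:
        if not ENTRY_NAME_RE.match(e.name):
            problems.append(f"{e.name!r}: name must start with a letter and be 2-128 chars")
        if not 1 <= len(e.snat_ips) <= MAX_EIPS_PER_ENTRY:
            problems.append(f"{e.name!r}: between 1 and {MAX_EIPS_PER_ENTRY} EIPs are required")
        try:
            ipaddress.ip_network(e.source_cidr)
        except ValueError:
            problems.append(f"{e.name!r}: {e.source_cidr!r} is not a valid CIDR block")
    return problems

# Constructed sample: one offending custom default route and two candidate entries.
SAMPLE_ROUTES = [{"destination": "192.168.0.0/16", "type": "System", "next_hop": "local"},
                 {"destination": "0.0.0.0/0", "type": "Custom", "next_hop": "i-placeholder-ecs"}]
SAMPLE_ENTRIES = [SnatEntry("snat-vsw-a", "192.168.1.0/24", ["203.0.113.10"]),
                  SnatEntry("1bad", "192.168.2.0/24", [])]

if __name__ == "__main__":
    for problem in check_route_table(SAMPLE_ROUTES) + check_entries(SAMPLE_ENTRIES):
        print("PROBLEM:", problem)
```

Run it against an export of your own route table and planned entries before clicking Create SNAT Entry; an empty result means the page's stated prerequisites and limits are satisfied.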

References

Configure DNAT on an Internet NAT gateway for an ECS instance