Internet NAT gateways are enterprise-class gateways that provide SNAT and DNAT. An Internet NAT gateway provides a forwarding capacity of up to 100 Gbit/s and supports cross-zone disaster recovery. Internet NAT gateways offer high performance, automatic scaling, flexible billing, and fine-grained O&M, and let you manage data transfer over the Internet more efficiently.
Background information
The following figure describes the network topology of an Internet NAT gateway. You can use an Internet NAT gateway to meet the following requirements:
If your workloads in the cloud require Internet access but you do not want to expose the workloads to the Internet, you can use Internet NAT gateways. Workloads behind an SNAT-only Internet NAT gateway keep their private IP addresses and cannot be reached by unsolicited inbound connections from the Internet, which reduces their attack surface. A NAT gateway is not a substitute for security groups or other access controls on the instances themselves.
If your services are expected to withstand outbound traffic spikes, you can use Internet NAT gateways. Internet NAT gateways can be scaled up and down as needed. In addition, Internet NAT gateways are cost-effective because Internet NAT gateways are billed on a pay-as-you-go basis.
If a large number of devices require Internet access, you can create an Internet NAT gateway. This way, the devices can use the elastic IP addresses (EIPs) on the Internet NAT gateway to access the Internet. The Internet NAT gateway also provides fine-grained metrics and precise monitoring to control outbound traffic.

Benefits
- High performance: Internet NAT gateways can handle traffic spikes. You can improve the performance of Internet NAT gateways by submitting a ticket. Internet NAT gateways are suitable for scenarios that require high concurrency.
- High availability: Internet NAT gateways support cross-zone disaster recovery. If a zone is down, your services are not interrupted. This ensures high availability.
- Fine-grained O&M: Internet NAT gateways can detect Elastic Compute Service (ECS) instances with traffic spikes and provide multiple monitoring metrics on data transfer.
- High elasticity: Internet NAT gateways adopt an advanced architecture and support high elasticity to meet the requirements of different scenarios.
Features
Feature | Description | References |
SNAT | SNAT allows ECS instances that are deployed in a virtual private cloud (VPC) to access the Internet when no public IP addresses are assigned to the ECS instances. | Use the SNAT feature of an Internet NAT gateway to access the Internet |
DNAT | DNAT maps the EIPs that are associated with an Internet NAT gateway to ECS instances. This way, the ECS instances can provide Internet-facing services. | Configure DNAT on an Internet NAT gateway for an ECS instance |
Various metrics | Internet NAT gateways support 26 metrics. You can monitor Internet NAT gateways in real time, which improves the stability of your system. | |
Multiple Internet NAT gateways in one VPC | You can create multiple Internet NAT gateways in one VPC to forward traffic to different destinations. This way, you can better manage traffic that is destined for the Internet. You can also use security services to protect each Internet NAT gateway based on your business requirements. You can configure the same SNAT entry on multiple Internet NAT gateways to access the Internet, or configure the same DNAT entry on multiple Internet NAT gateways to provide Internet-facing services. You can also configure routes to forward network traffic to a specified egress. | |
Scenarios
Configure SNAT to enable ECS instances to access the Internet
You can create an Internet NAT gateway, associate an EIP with the Internet NAT gateway, and then create an SNAT entry on the Internet NAT gateway. This way, the ECS instances in the VPC can use the same EIP to access the Internet. This saves public IP resources. For more information, see Use the SNAT feature of an Internet NAT gateway to access the Internet.
You can also associate multiple EIPs with an Internet NAT gateway. When an ECS instance accesses the Internet, the gateway selects an EIP from the SNAT IP address pool for the flow. If one of the EIPs is under attack, the ECS instance can use another EIP from the SNAT IP address pool to access the Internet. This ensures high availability for your workloads and prevents service interruptions caused by EIP failures.
Note: If you add multiple EIPs to an SNAT IP address pool, network traffic is distributed based on a hashing algorithm instead of being evenly distributed to each EIP. To prevent individual EIPs from being overloaded, we recommend that you associate the EIPs with the same Internet Shared Bandwidth. For more information, see Associate EIPs with and disassociate EIPs from Internet Shared Bandwidth instances.
Configure DNAT to provide Internet-facing services
You can create an Internet NAT gateway, associate EIPs with the Internet NAT gateway, and then configure DNAT on the Internet NAT gateway. This way, ECS instances in a VPC can receive requests from the Internet through port mapping or IP mapping. For more information, see Configure DNAT on an Internet NAT gateway for an ECS instance.
Note: Descriptions of port mapping and IP mapping:
Port mapping: An Internet NAT gateway forwards requests that are destined for a specific port (the external port) of an EIP to a specific port (the internal port) of the specified ECS instance, for the specified protocol. Only the mapped port of the EIP is reachable from the Internet.
IP mapping: An Internet NAT gateway forwards all requests that are destined for an EIP, on any port and protocol, to the specified ECS instance. The ECS instance can also use the EIP to access the Internet. If an Internet NAT gateway is configured with an SNAT entry and a DNAT entry that uses IP mapping, the ECS instance preferentially uses DNAT to access the Internet. Because IP mapping exposes every port of the instance, prefer port mapping unless the instance must be reachable on all ports.
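The following model, added here as an illustration and not taken from Alibaba Cloud, encodes the translation rules described above and in the SNAT note: a DNAT port-mapping entry matches on EIP, protocol and external port and reaches one internal port only; a DNAT IP-mapping entry forwards every port of the EIP to the instance and is preferred over SNAT for that instance's outbound traffic; an SNAT entry whose pool holds several EIPs picks one per flow by hashing rather than spreading traffic evenly. All addresses, the `Packet`/`DnatEntry`/`SnatEntry` types and the `audit_exposure` check are constructed for this example; the hash function stands in for the gateway's undocumented algorithm.

```python
"""Model of how an Internet NAT gateway chooses a translation for a packet.

Added illustration, not Alibaba Cloud code. Entries, addresses and the
flow-hash used for the SNAT pool are constructed assumptions that follow the
rules stated on this page; the real gateway's hash is not documented.
"""
import hashlib
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str  # "TCP" or "UDP"
    sport: int
    dport: int


@dataclass
class DnatEntry:
    eip: str
    internal_ip: str
    proto: str = "Any"          # "Any" with external_port "Any" means IP mapping
    external_port: str = "Any"
    internal_port: str = "Any"

    @property
    def is_ip_mapping(self) -> bool:
        return self.external_port == "Any"


@dataclass
class SnatEntry:
    source_cidr: str            # vSwitch or custom CIDR covered by the entry
    eip_pool: Tuple[str, ...]   # one or more EIPs (the SNAT IP address pool)


def pick_from_pool(pool: Tuple[str, ...], pkt: Packet) -> str:
    """Hash the flow 5-tuple onto the pool: sticky per flow, uneven across EIPs."""
    key = f"{pkt.src}|{pkt.dst}|{pkt.proto}|{pkt.sport}|{pkt.dport}".encode()
    digest = hashlib.sha256(key).digest()
    return pool[int.from_bytes(digest[:4], "big") % len(pool)]


@dataclass
class NatGateway:
    dnat: List[DnatEntry] = field(default_factory=list)
    snat: List[SnatEntry] = field(default_factory=list)

    def inbound(self, pkt: Packet) -> Optional[Tuple[str, int]]:
        """Internet -> EIP: return (internal_ip, internal_port), or None if nothing matches."""
        for e in self.dnat:
            if e.eip != pkt.dst:
                continue
            if e.is_ip_mapping:
                return (e.internal_ip, pkt.dport)          # every port reaches the instance
            if e.proto in ("Any", pkt.proto) and int(e.external_port) == pkt.dport:
                return (e.internal_ip, int(e.internal_port))
        return None

    def outbound(self, pkt: Packet) -> Optional[str]:
        """Instance -> Internet: return the public IP the packet leaves with, or None."""
        # An IP-mapping DNAT entry for the instance takes precedence over SNAT.
        for e in self.dnat:
            if e.is_ip_mapping and e.internal_ip == pkt.src:
                return e.eip
        src = ipaddress.ip_address(pkt.src)
        for s in self.snat:
            if src in ipaddress.ip_network(s.source_cidr):
                return pick_from_pool(s.eip_pool, pkt)
        return None


def audit_exposure(gw: NatGateway) -> List[str]:
    """One line per DNAT entry; IP mapping is flagged because it exposes all ports."""
    out = []
    for e in gw.dnat:
        if e.is_ip_mapping:
            out.append(f"{e.eip}: ALL ports -> {e.internal_ip} (IP mapping)")
        else:
            out.append(f"{e.eip}: {e.proto}/{e.external_port} -> "
                       f"{e.internal_ip}:{e.internal_port}")
    return out


# Constructed sample gateway: one port-mapping entry, one IP-mapping entry,
# and an SNAT entry whose pool holds three EIPs.
GW = NatGateway(
    dnat=[
        DnatEntry("203.0.113.10", "192.168.1.10", proto="TCP",
                  external_port="443", internal_port="8443"),
        DnatEntry("203.0.113.11", "192.168.1.20"),            # IP mapping
    ],
    snat=[SnatEntry("192.168.1.0/24",
                    ("203.0.113.10", "203.0.113.12", "203.0.113.13"))],
)

if __name__ == "__main__":
    print(GW.inbound(Packet("198.51.100.7", "203.0.113.10", "TCP", 40000, 443)))
    print(GW.inbound(Packet("198.51.100.7", "203.0.113.10", "TCP", 40000, 22)))
    print(GW.inbound(Packet("198.51.100.7", "203.0.113.11", "TCP", 40000, 22)))
    print(GW.outbound(Packet("192.168.1.20", "198.51.100.7", "TCP", 50000, 443)))
    print(GW.outbound(Packet("192.168.1.10", "198.51.100.7", "TCP", 50000, 443)))
    print("\n".join(audit_exposure(GW)))
```

Running the sample shows the two security-relevant differences: a connection to port 22 of the port-mapped EIP is dropped while the same connection to the IP-mapped EIP reaches the instance, and the IP-mapped instance always leaves through its DNAT EIP while other instances are spread across the SNAT pool by flow hash, so a single busy flow never moves between EIPs.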
Share public bandwidth
To allow an application that is deployed on an ECS instance to provide services over the Internet, you must purchase public bandwidth resources. Make sure that you have sufficient public bandwidth resources to handle traffic fluctuations. When multiple applications need to provide services over the Internet, you may need to purchase public bandwidth resources for each application. However, this increases costs and causes a waste of resources.
To manage data transfer over the Internet and reduce bandwidth costs, you can associate EIPs with your Internet NAT gateway and then associate the EIPs with an Internet Shared Bandwidth.
Usage notes
When you create an Internet NAT gateway, you must specify a VPC and a vSwitch that you want to associate with the Internet NAT gateway. After an Internet NAT gateway is created, the system assigns an idle private IP address from the vSwitch to the Internet NAT gateway. We recommend that you create a vSwitch that is exclusive to the Internet NAT gateway. This way, you can plan networks as needed.
Internet NAT gateways can be deployed across zones for disaster recovery. To deploy an Internet NAT gateway across zones, specify the vSwitch of the primary zone. You do not need to specify the vSwitch of the secondary zone.
For more information about how to create an Internet NAT gateway, see Purchase an Internet NAT gateway.
When you create an Internet NAT gateway, an elastic network interface (ENI) from the specified vSwitch is allocated to the Internet NAT gateway. Then, a security group is created for and associated with the ENI. You can only view the security group but cannot modify the configuration. For more information, see Overview.
The default throughput capacity of an Internet NAT gateway is 5 Gbit/s. The throughput capacity can be automatically scaled to 15 Gbit/s based on business requirements. If you need a larger throughput, contact your account manager.
Pay-by-CU Internet NAT gateways can handle traffic spikes. You can contact your account manager to increase the performance.
Metric | SessionNewConnection | SessionActiveConnection | Data forwarding |
Default value | 100,000 | 2,000,000 | 5 Gbit/s to 15 Gbit/s (automatic scaling) |
The following content describes the preceding metrics:
- SessionNewConnection: the number of new connections per second.
- SessionActiveConnection: the number of concurrent connections per minute.
- Data forwarding: the amount of inbound and outbound traffic processed per hour.
Limits
Limits on instances
Item | Limit | Adjustable |
The maximum number of Internet NAT gateways that can be created in a VPC | 5 | Yes. You can increase the quota. |
The maximum number of EIPs that can be associated with an Internet NAT gateway | 20 (Note: Starting September 19, 2022, if you associate an EIP with a newly created Internet NAT gateway, a private IP address of the vSwitch where the NAT gateway resides is used. Make sure that the vSwitch has sufficient private IP addresses available for use. Otherwise, you cannot associate an EIP with the NAT gateway. Existing NAT gateways are not affected.) | Yes. You can increase the quota. |
Creating an Internet NAT gateway in a VPC that contains a custom route whose destination CIDR block is 0.0.0.0/0 | Supported. | N/A |
Limits on SNAT
Item | Limit | Adjustable |
The maximum number of SNAT entries that you can create on an Internet NAT gateway | 40 | Yes. You can increase the quota. |
The maximum number of EIPs that you can specify in an SNAT entry | 50 | N/A |
Whether the bandwidth of a vSwitch is limited by the bandwidth limits of the EIPs in the SNAT entry that is created for the vSwitch | Yes. Note: If the EIPs of an Internet NAT gateway are associated with an Internet Shared Bandwidth, the bandwidth of the vSwitch is limited by the bandwidth limit of the Internet Shared Bandwidth. | N/A |
Whether the number of concurrent connections is limited by the number of EIPs specified in an SNAT entry | Yes. When ECS instances that are not assigned public IP addresses use an Internet NAT gateway to access the same destination IP address and port over the Internet, the number of concurrent connections to that destination supported by the Internet NAT gateway is N × 55,000, where N is the number of EIPs specified in the SNAT entry. | |
The bandwidth limit of each EIP in an SNAT entry | If you specify multiple EIPs in an SNAT entry, network traffic is distributed based on a hashing algorithm instead of being evenly distributed to each EIP. To prevent individual EIPs from being overloaded, we recommend that you associate the EIPs with the same Internet Shared Bandwidth. The bandwidth of EIPs that are added to an SNAT IP address pool is not limited. For more information, see Create an SNAT IP address pool. |
Limits on DNAT
Item | Limit | Adjustable |
The maximum number of DNAT entries that you can create on an Internet NAT gateway | 100 | Yes. You can increase the quota. |
Creating DNAT entries for ECS instances with which EIPs are associated | Not supported if the ECS instances are associated with only one ENI. Before you can create DNAT entries for the ECS instances, you must disassociate the EIPs from the ECS instances. For more information, see Disassociate an EIP from a cloud resource and Create and manage DNAT entries. Note: If you create a DNAT entry for an ECS instance that is associated with an EIP, the ECS instance preferentially uses the EIP to communicate with the Internet. | N/A |
Creating DNAT entries for ECS instances that have static public IP addresses | Not supported if the ECS instances are associated with only one ENI. Before you can create DNAT entries for the ECS instances, you must convert the static public IP addresses to EIPs, and disassociate the EIPs from the ECS instances. For more information, see Convert the static public IP address of an ECS instance in a VPC to an EIP. Note: If you create a DNAT entry for an ECS instance that has a static public IP address, the ECS instance preferentially uses the static public IP address to communicate with the Internet. | N/A |