Internet NAT gateways are enterprise-class gateways that provide the SNAT and DNAT features. An Internet NAT gateway provides a forwarding capacity of up to 100 Gbit/s and supports cross-zone disaster recovery. Internet NAT gateways support high performance, automatic elasticity, flexible billing, and fine-grained O&M. Internet NAT gateways allow you to manage data transfer over the Internet in a more efficient manner.

Background information

The following figure describes the network topology of an Internet NAT gateway. You can use an Internet NAT gateway to meet the following requirements:
  • If your workloads in the cloud require Internet access but you do not want to expose the workloads to the Internet, you can use Internet NAT gateways. Internet NAT gateways can protect your workloads against attacks from the Internet.
  • If your services are expected to withstand outbound traffic spikes, you can use Internet NAT gateways. Internet NAT gateways can be scaled up and down as needed. In addition, Internet NAT gateways are cost-effective because Internet NAT gateways are billed on a pay-as-you-go basis.
  • If a large number of devices require Internet access, you can create an Internet NAT gateway. This way, the devices can use the elastic IP addresses (EIPs) on the Internet NAT gateway to access the Internet. The Internet NAT gateway also provides fine-grained metrics and precise monitoring to control outbound traffic.
[Figure: network topology of an Internet NAT gateway]

Feature

  • High performance
    Internet NAT gateways can handle traffic spikes. You can improve the performance of Internet NAT gateways by submitting a ticket. Internet NAT gateways are suitable for scenarios that require high concurrency.
  • High availability
    Internet NAT gateways support cross-zone disaster recovery. If a zone is down, your services are not interrupted. This ensures high availability.
  • Fine-grained O&M
    Internet NAT gateways can detect Elastic Compute Service (ECS) instances with traffic spikes and provide multiple monitoring metrics on data transfer.
  • High elasticity
    Internet NAT gateways adopt an advanced architecture and support high elasticity to meet the requirements of different scenarios.

Performance

Pay-by-CU Internet NAT gateways can handle traffic spikes. You can submit a ticket to increase the performance.

| Size | Maximum number of connections | Maximum number of new connections | Throughput |
|---|---|---|---|
| Default | 2,000,000 | 100,000 | 5 Gbit/s to 15 Gbit/s (automatic scaling) |
| Maximum quota that you can request by submitting a ticket | 10,000,000 | 1,000,000 | 100 Gbps |

Features

| Feature | Description | References |
|---|---|---|
| SNAT | SNAT allows ECS instances that are deployed in a virtual private cloud (VPC) to access the Internet when no public IP addresses are assigned to the ECS instances. | Use the SNAT feature of an Internet NAT gateway to access the Internet |
| DNAT | DNAT maps the EIPs that are associated with an Internet NAT gateway to ECS instances. This way, the ECS instances can provide Internet-facing services. | Configure DNAT on an Internet NAT gateway for an ECS instance |
| Various metrics | Internet NAT gateways support 26 metrics. You can monitor Internet NAT gateways in real time, which improves the stability of your system. | Monitor and maintain Internet NAT gateways |
| Multiple Internet NAT gateways in one VPC | You can create multiple Internet NAT gateways in one VPC to forward traffic to different destinations. This way, you can better manage traffic that is destined for the Internet. You can also use security services to protect each Internet NAT gateway based on your business requirements. | |

You can configure the same SNAT entry on multiple Internet NAT gateways to access the Internet, or configure the same DNAT entry on multiple Internet NAT gateways to provide Internet-facing services. You can also configure routes to forward network traffic to a specified egress.

Important
  • To replace an existing Internet NAT gateway with a new one, you must reconfigure the routes. This may cause transient connections. To minimize the impact of transient connections on your business, we recommend that you reconfigure the routes during off-peak hours.
  • If you create both an SNAT entry and a DNAT entry on an Internet NAT gateway, an ECS instance configured with the SNAT entry cannot access another ECS instance configured with the DNAT entry. If you want an ECS instance to access another ECS instance configured with a DNAT entry in the same VPC, we recommend that you create another Internet NAT gateway, and create SNAT and DNAT entries on different Internet NAT gateways.
[Figure: Deploy multiple Internet NAT gateways in one VPC]

Scenarios

  • Configure SNAT to enable ECS instances to access the Internet

    You can create an Internet NAT gateway, associate an EIP with the Internet NAT gateway, and then create an SNAT entry on the Internet NAT gateway. This way, the ECS instances in the VPC can use the same EIP to access the Internet. This saves public IP resources. For more information, see Use the SNAT feature of an Internet NAT gateway to access the Internet.

    You can also associate multiple EIPs with an Internet NAT gateway. When an ECS instance needs to access the Internet, it randomly selects an EIP from the SNAT IP address pool. If one of the EIPs is under attack, the ECS instance can randomly select another EIP from the SNAT IP address pool to access the Internet. This ensures high availability for your workloads and prevents service interruptions caused by EIP failures.
    Note: If you add multiple EIPs to an SNAT IP address pool, network traffic is distributed based on a hashing algorithm instead of being evenly distributed to each EIP. To prevent individual EIPs from being overloaded, we recommend that you associate the EIPs with the same EIP bandwidth plan. For more information, see Associate EIPs with and disassociate EIPs from EIP bandwidth plans.
    [Figure: Configure SNAT to achieve high availability]
  • Configure DNAT to provide Internet-facing services
    You can create an Internet NAT gateway, associate EIPs with the Internet NAT gateway, and then configure DNAT on the Internet NAT gateway. This way, ECS instances in a VPC can receive requests from the Internet through port mapping or IP mapping. For more information, see Configure DNAT on an Internet NAT gateway for an ECS instance.
    Note: Descriptions of port mapping and IP mapping:
    • Port mapping: An Internet NAT gateway forwards requests destined for an EIP to the specified ECS instance. Requests are forwarded based on the specified source and destination ports and the specified protocol used by both ports.
    • IP mapping: An Internet NAT gateway forwards requests destined for an EIP to the specified ECS instance. The ECS instance can also use the EIP to access the Internet. If an Internet NAT gateway is configured with an SNAT entry and a DNAT entry that uses IP mapping, the ECS instance preferentially uses DNAT to access the Internet.
    [Figure: Configure DNAT to provide Internet-facing services]
  • Share public bandwidth

    To allow an application that is deployed on an ECS instance to provide services over the Internet, you must purchase public bandwidth resources. Make sure that you have sufficient public bandwidth resources to handle traffic fluctuations. When multiple applications need to provide services over the Internet, you may need to purchase public bandwidth resources for each application. However, this increases costs and causes a waste of resources.

    To manage data transfer over the Internet and reduce bandwidth costs, you can associate EIPs with your Internet NAT gateway and then associate the EIPs with an EIP bandwidth plan.
    [Figure: Share public bandwidth]

Usage notes

  • When you create an Internet NAT gateway, you must specify a VPC and a vSwitch that you want to associate with the Internet NAT gateway. After an Internet NAT gateway is created, the system assigns an idle private IP address from the vSwitch to the Internet NAT gateway. We recommend that you create a vSwitch that is exclusive to the Internet NAT gateway. This way, you can plan networks as needed.
    • Internet NAT gateways can be deployed across zones for disaster recovery. To deploy an Internet NAT gateway across zones, specify the vSwitch of the primary zone. You do not need to specify the vSwitch of the secondary zone.
    • For more information about how to create an Internet NAT gateway, see Purchase an Internet NAT gateway.
  • When you create an Internet NAT gateway, an elastic network interface (ENI) from the specified vSwitch is allocated to the Internet NAT gateway. Then, a security group is created for and associated with the ENI. You can only view the security group but cannot modify the configuration. For more information, see Overview.
  • The default throughput capacity of an Internet NAT gateway is 5 Gbit/s. The throughput capacity can be automatically scaled to 15 Gbit/s based on business requirements. If you need a larger throughput, submit a ticket to request a quota increase.

Limits

Limits on instances

| Item | Limit | Adjustable |
|---|---|---|
| The maximum number of Internet NAT gateways that can be created in a VPC | 5 | You can increase the quota by performing the following operations: |
| The maximum number of EIPs that can be associated with an Internet NAT gateway | 20. Note: Starting September 19, 2022, if you associate an EIP with a newly created Internet NAT gateway, a private IP address of the vSwitch where the NAT gateway resides is used. Make sure that the vSwitch has sufficient private IP addresses available for use. Otherwise, you cannot associate an EIP with the NAT gateway. Existing NAT gateways are not affected. | You can increase the quota by performing the following operations: |
| Creating an Internet NAT gateway in a VPC that contains a custom route whose destination CIDR block is 0.0.0.0/0 | Supported. | N/A |

Limits on SNAT

| Item | Limit | Adjustable |
|---|---|---|
| The maximum number of SNAT entries that you can create on an Internet NAT gateway | 40 | You can increase the quota by performing the following operations: |
| The maximum number of EIPs that you can specify in an SNAT entry | 50 | N/A |
| Whether the bandwidth of a vSwitch is limited by the bandwidth limits of the EIPs in the SNAT entry that is created for the vSwitch | Yes. Note: If the EIPs of an Internet NAT gateway are associated with an EIP bandwidth plan, the bandwidth of the vSwitch is limited by the bandwidth limit of the EIP bandwidth plan. | N/A |
| Whether the number of concurrent connections is limited by the number of EIPs specified in an SNAT entry | When ECS instances that are not assigned public IP addresses use an Internet NAT gateway to access the same destination IP address and port over the Internet, the number of concurrent connections supported by the Internet NAT gateway is N × 55,000. N is the number of EIPs specified in the SNAT entry. | |
| The bandwidth limit of each EIP in an SNAT entry | If you specify multiple EIPs in an SNAT entry, network traffic is distributed based on a hashing algorithm instead of being evenly distributed to each EIP. To prevent individual EIPs from being overloaded, we recommend that you associate the EIPs with the same EIP bandwidth plan. The bandwidth of EIPs that are added to an SNAT IP address pool is not limited. For more information, see Create an SNAT IP address pool. | |

Limits on DNAT

| Item | Limit | Adjustable |
|---|---|---|
| The maximum number of DNAT entries that you can create on an Internet NAT gateway | 100 | You can increase the quota by performing the following operations: |
| Creating DNAT entries for ECS instances with which EIPs are associated | Not supported if the ECS instances are associated with only one ENI. Before you can create DNAT entries for the ECS instances, you must disassociate the EIPs from the ECS instances. For more information, see Disassociate an EIP from a cloud resource and Create and manage DNAT entries. Note: If you create a DNAT entry for an ECS instance that is associated with an EIP, the ECS instance preferentially uses the EIP to communicate with the Internet. | N/A |
| Creating DNAT entries for ECS instances that have static public IP addresses | Not supported if the ECS instances are associated with only one ENI. Before you can create DNAT entries for the ECS instances, you must convert the static public IP addresses to EIPs, and disassociate the EIPs from the ECS instances. For more information, see Convert the static public IP address of an ECS instance in a VPC to an EIP. Note: If you create a DNAT entry for an ECS instance that has a static public IP address, the ECS instance preferentially uses the static public IP address to communicate with the Internet. | N/A |
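
The default limits and the SNAT/DNAT caveats described on this page can be checked against a planned configuration before it is applied. The following Python check is an added example, not Alibaba Cloud code: the `Gateway` record, the finding codes, and the sample inventory are hypothetical and constructed here, and only the numeric limits come from this page.

```python
from dataclasses import dataclass, field
from math import ceil

# Default limits quoted on this page (before any quota increase).
MAX_EIPS, MAX_SNAT, MAX_DNAT = 20, 40, 100
CONNS_PER_EIP = 55_000  # concurrent connections per EIP to one destination IP:port

@dataclass
class Gateway:  # hypothetical inventory record, not an Alibaba Cloud API object
    name: str
    eips: dict  # EIP -> EIP bandwidth plan ID, or None if not in a plan
    snat: list = field(default_factory=list)  # {"source": str, "eips": [str]}
    dnat: list = field(default_factory=list)  # {"eip": str, "ecs": str, "mode": "port"|"ip"}

def audit(gw, ecs_with_public_ip=frozenset(), peak_conns_one_dest=0):
    """Return (code, detail) findings for one gateway."""
    out = []
    for label, count, limit in (("eip", len(gw.eips), MAX_EIPS),
                                ("snat", len(gw.snat), MAX_SNAT),
                                ("dnat", len(gw.dnat), MAX_DNAT)):
        if count > limit:
            out.append((f"{label}-over-default-quota", f"{count} > {limit}"))
    for e in gw.snat:
        plans = {gw.eips.get(ip) for ip in e["eips"]}
        if len(e["eips"]) > 1 and (None in plans or len(plans) > 1):
            out.append(("snat-pool-mixed-plans", e["source"]))  # hashing is uneven
        if peak_conns_one_dest > len(e["eips"]) * CONNS_PER_EIP:
            need = ceil(peak_conns_one_dest / CONNS_PER_EIP)
            out.append(("snat-conn-limit", f"{e['source']} needs {need} EIPs"))
    for d in gw.dnat:
        if d["ecs"] in ecs_with_public_ip:  # instance keeps using its own public IP
            out.append(("dnat-target-has-public-ip", d["ecs"]))
        if d["mode"] == "ip" and gw.snat:  # egress prefers the DNAT EIP over SNAT
            out.append(("ip-mapping-bypasses-snat", d["ecs"]))
    if gw.snat and gw.dnat:  # SNAT clients cannot reach DNAT targets on this gateway
        out.append(("snat-dnat-same-gateway", gw.name))
    return out

# Constructed sample inventory (addresses from a documentation range).
SAMPLE = Gateway(
    name="ngw-example",
    eips={"203.0.113.10": "cbwp-a", "203.0.113.11": None, "203.0.113.12": "cbwp-a"},
    snat=[{"source": "vsw-app", "eips": ["203.0.113.10", "203.0.113.11"]}],
    dnat=[{"eip": "203.0.113.12", "ecs": "i-web", "mode": "ip"}],
)

if __name__ == "__main__":
    for code, detail in audit(SAMPLE, {"i-web"}, peak_conns_one_dest=150_000):
        print(code, detail)
```

The `ip-mapping-bypasses-snat` finding matters when outbound traffic is allowlisted by source address, because an ECS instance behind an IP-mapping DNAT entry leaves through the DNAT EIP rather than the SNAT pool.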

Related Alibaba Cloud services