This topic provides answers to some frequently asked questions about NAT Gateway.
What is the timeout period of an idle SNAT connection for a NAT gateway?
Can a NAT gateway process TCP, UDP, and ICMP fragmented packets?
Can an ECS instance use SNAT to access the DNAT service on the same Internet NAT gateway?
Can an EIP or a NAT IP address be specified in both a DNAT entry and an SNAT entry?
Why am I unable to find an existing EIP from the EIP list when I create a DNAT entry?
Can I create a DNAT entry for an ECS instance that is associated with an EIP?
Can I change the vSwitch and private IP address of a NAT gateway?
How many NAT gateways can I create with each Alibaba Cloud account?
If the source CIDR blocks of multiple SNAT entries overlap, how does the system determine the priorities of the SNAT entries?
The system determines the priorities of SNAT entries based on longest prefix match.
For example, if you create an SNAT entry for an ECS instance, the subnet mask of the source CIDR block is /32, which is the longest subnet mask. Therefore, the SNAT entry has the highest priority. For SNAT entries that you create for other resources, the system determines the priorities based on the subnet mask length of the source CIDR block: an SNAT entry whose source CIDR block has a longer subnet mask has a higher priority.
What is the timeout period of an idle SNAT connection for a NAT gateway?
TCP: 900 seconds.
UDP: 60 seconds.
Why do I fail to access an FTP server by using SNAT?
The issue may occur due to the following causes:
The active FTP mode is used.
A NAT gateway that has SNAT entries configured supports only outbound access. If the active FTP mode is used, connections will fail because SNAT does not support inbound access.
We recommend that you use the passive FTP mode.
Multiple EIPs are specified for an SNAT entry.
If multiple EIPs are specified for an SNAT entry, different EIPs may be used for the FTP control connection and data connection. This causes access failures.
We recommend that you enable the EIP affinity feature to ensure that connections from the same client always use the same EIP. Alternatively, you can configure an SNAT entry that uses only one EIP for the FTP client.
Why do the ports of a NAT gateway fail to be allocated?
If the number of concurrent connections on a NAT gateway is too high, TCP or UDP port allocation failures may occur. As a result, connections are dropped.
Each EIP or NAT IP address supports a limited number of port allocations. If the number of user sessions that access the same destination address is excessively large and the number of EIPs or NAT IP addresses specified in SNAT entries is insufficient, port allocation may fail.
If the number of port allocation failures keeps increasing, we recommend that you specify more EIPs or NAT IP addresses in SNAT entries.
Can a NAT gateway process TCP, UDP, and ICMP fragmented packets?
Yes.
Why are NAT gateways unavailable in some zones?
NAT gateways are unavailable in some zones due to insufficient resources. You can create NAT gateways in supported zones to allow ECS instances in a VPC to access the Internet.
What are the differences between the two modes that are used to associate an EIP with an Internet NAT gateway?
Item | NAT mode | Multi-EIP-to-ENI mode |
Default mode | Yes. Supported when you create a NAT gateway in the console or by using OpenAPI Explorer. | No. Supported only by using OpenAPI Explorer. |
Mode switch | You cannot switch the mode to multi-EIP-to-ENI in the console or by using OpenAPI Explorer. | Note |
Whether IP addresses of the vSwitch are consumed | An IP address of the vSwitch is consumed each time an EIP is associated. | No. |
Access a DNAT entry through an SNAT entry | Yes. | No. |
Meaning of log field collection | The following fields indicate the private IP address that is automatically assigned by the vSwitch when you associate an EIP with the Internet NAT gateway. | The following fields indicate the EIP associated with the Internet NAT gateway. |
Can an ECS instance use SNAT to access the DNAT service on the same Internet NAT gateway?
For a NAT gateway that is compatible with an IPv4 gateway, if DNAT and SNAT are configured on the Internet NAT gateway, instances that have SNAT enabled can access instances that have DNAT enabled on the same NAT gateway.
How do I check whether a NAT gateway is compatible with an IPv4 gateway?
You can call the DescribeNatGateways operation to query NAT gateways. If NAT is returned for EipBindMode, the NAT gateway is compatible with an IPv4 gateway.
How do I make a NAT gateway compatible with an IPv4 gateway?
You can call the ModifyNatGatewayAttribute operation and set EipBindMode to NAT.
Can an EIP or a NAT IP address be specified in both a DNAT entry and an SNAT entry?
Yes, you can specify an EIP or a NAT IP address in both a DNAT entry and an SNAT entry. However, if Any Port is specified for a DNAT entry, the EIP or NAT IP address specified in the DNAT entry cannot be used for another DNAT entry or SNAT entry.
Why am I unable to find an existing EIP from the EIP list when I create a DNAT entry?
The EIP and NAT gateway do not belong to the same region. Select an EIP that belongs to the same region as the NAT gateway or create an EIP in the region of the NAT gateway.
Can I create a DNAT entry for an ECS instance that is associated with an EIP?
Yes.
However, the ECS instance cannot be accessed by using the DNAT entry. To access the ECS instance by using the DNAT entry, disassociate the EIP from the ECS instance.
Can I change the vSwitch and private IP address of a NAT gateway?
No.
You can change the vSwitch to which an Internet NAT gateway belongs by creating a NAT gateway and modifying routes. For more information, see Switch to another Internet NAT gateway in the same VPC.
How many NAT gateways can I create with an Alibaba Cloud account?
The number of NAT gateways that you can create with an Alibaba Cloud account is unlimited. For more information about NAT Gateway quotas, see Quotas.