To prevent burst traffic from workloads such as data analytics or log downloads from saturating your outbound bandwidth and affecting the stability of critical services, you can configure rate limiting rules for a NAT Gateway. These rules limit the outbound bandwidth based on source IP address ranges (CIDR blocks).
NAT Gateway rate limiting is available only in the UK (London) region. To enable this feature, contact your account manager.
Multi-tenant bandwidth management: Configure different bandwidth limits for the IP ranges of different tenants to ensure fair resource allocation.
Cost control: Limit the bandwidth usage of test environments or low-priority services to reduce public traffic costs.
Emergency throttling: Quickly restrict the bandwidth of abnormal traffic sources to avoid impacting other services.
How it works
Rate limiting model
A NAT Gateway uses a distributed cluster architecture to process network traffic, and each forwarding node enforces rate limiting policies independently. Therefore, rate limiting is best-effort, not absolutely precise. The actual maximum bandwidth depends on multiple factors. The following formula describes the basic logic:
Actual rate limit per connection ≈ (Configured rule rate limit / Number of forwarding nodes) × 1.33
Number of forwarding nodes: The system dynamically adjusts this number based on factors such as the NAT Gateway's specifications, load, and number of connections.
Burst factor: The 1.33 multiplier is redundant headroom that the system reserves to absorb traffic fluctuations.
Error range: When traffic is stable, the actual rate limit typically fluctuates between 80% and 140% of the configured value.
For example, if a rate limiting rule is set to 1200 Mbps and the cluster has 4 forwarding nodes, the approximate bandwidth limit for a single connection is (1200 / 4) × 1.33 ≈ 400 Mbps.
Total traffic bandwidth approaches the configured rate limit only when there are many concurrent connections and traffic is evenly distributed across all forwarding nodes. If you have few concurrent connections, we recommend setting the rule's rate limit slightly higher than your expected bandwidth.
Dropping packets due to rate limiting does not trigger auto-scaling for the NAT Gateway. If your services require precise rate limiting, we recommend using additional traffic control tools, such as tc, within your ECS instance.
Rule priority
When the source CIDR blocks of multiple rate limiting rules overlap, the system follows the longest prefix match principle to determine which rule applies.
For example, for traffic originating from 192.168.1.100, if two rules exist:
Rule A: Source address is 192.168.1.0/24
Rule B: Source address is 192.168.1.0/25
Because a /25 subnet mask is longer than a /24 subnet mask, Rule B has higher priority, and the system applies its rate limiting policy.
Limitations
This feature supports only SNAT rules. DNAT rules are not supported.
Minimum bandwidth: The rate limit for a single rule must be at least 10 Mbps. Rate limiting accuracy is not guaranteed for values below this threshold.
Quota: Each NAT Gateway instance supports up to 100 rate limiting rules, and each rule supports up to 10 source CIDR blocks.
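The longest-prefix-match rule selection and the per-rule limits described above, as an added example in Python (not code from the original page or from the NAT Gateway product). It models rules offline with the standard ipaddress module: select_rule picks the most specific CIDR across all rules for a given source IP, validate_rules checks the 10 Mbps minimum, the 10-CIDR and 100-rule quotas, and that every CIDR lies inside a VSwitch CIDR, and per_connection_limit applies the best-effort formula from the rate limiting model. The rule names, the sample VSwitch CIDRs, and the decision to reject two rules that carry an identical CIDR are assumptions for illustration; the page does not say how the gateway orders rules of equal prefix length.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

# Limits quoted on the page.
MIN_BANDWIDTH_MBPS = 10
MAX_CIDRS_PER_RULE = 10
MAX_RULES_PER_GATEWAY = 100
BURST_FACTOR = 1.33  # headroom factor from the rate limiting model


@dataclass
class RateLimitRule:
    name: str
    bandwidth_mbps: int
    cidrs: List[str]  # source CIDR blocks, e.g. "192.168.1.0/25"

    def networks(self) -> List[IPv4Network]:
        # strict=True rejects CIDRs with host bits set, e.g. "192.168.1.5/24"
        return [ip_network(c, strict=True) for c in self.cidrs]


def validate_rule(rule: RateLimitRule, vswitch_cidrs: List[str]) -> List[str]:
    """Return a list of problems for one rule; an empty list means it is acceptable."""
    problems = []
    if rule.bandwidth_mbps < MIN_BANDWIDTH_MBPS:
        problems.append(f"{rule.name}: {rule.bandwidth_mbps} Mbps is below the "
                        f"{MIN_BANDWIDTH_MBPS} Mbps minimum")
    if len(rule.cidrs) > MAX_CIDRS_PER_RULE:
        problems.append(f"{rule.name}: {len(rule.cidrs)} CIDRs exceeds the "
                        f"{MAX_CIDRS_PER_RULE} per-rule quota")
    vswitches = [ip_network(v) for v in vswitch_cidrs]
    for net in rule.networks():
        # A source CIDR must be a VSwitch CIDR or a more specific block inside one.
        if not any(net.subnet_of(v) for v in vswitches):
            problems.append(f"{rule.name}: {net} is not inside any VSwitch CIDR")
    return problems


def validate_rules(rules: List[RateLimitRule], vswitch_cidrs: List[str]) -> List[str]:
    """Validate a whole gateway's rule set, including the per-gateway quota."""
    problems = []
    if len(rules) > MAX_RULES_PER_GATEWAY:
        problems.append(f"{len(rules)} rules exceeds the {MAX_RULES_PER_GATEWAY} per-gateway quota")
    for rule in rules:
        problems.extend(validate_rule(rule, vswitch_cidrs))
    return problems


def select_rule(rules: List[RateLimitRule], src_ip: str) -> Optional[Tuple[RateLimitRule, IPv4Network]]:
    """Longest prefix match: the matching CIDR with the longest mask wins, whichever rule owns it."""
    ip = ip_address(src_ip)
    best: Optional[Tuple[RateLimitRule, IPv4Network]] = None
    for rule in rules:
        for net in rule.networks():
            if ip not in net:
                continue
            if best is None or net.prefixlen > best[1].prefixlen:
                best = (rule, net)
            elif net.prefixlen == best[1].prefixlen and best[0] is not rule:
                # Assumption: the page defines no tie-break, so treat this as a configuration error.
                raise ValueError(f"{src_ip} matched {net} in both {best[0].name} and {rule.name}")
    return best


def per_connection_limit(configured_mbps: float, forwarding_nodes: int,
                         burst: float = BURST_FACTOR) -> float:
    """Approximate cap for a single connection: (rule limit / nodes) * burst factor."""
    return configured_mbps / forwarding_nodes * burst


if __name__ == "__main__":
    # Constructed sample: the two rules from the rule priority example, in one VSwitch.
    vswitches = ["192.168.1.0/24"]
    rules = [
        RateLimitRule("Rule A", 200, ["192.168.1.0/24"]),
        RateLimitRule("Rule B", 50, ["192.168.1.0/25"]),
    ]
    print("problems:", validate_rules(rules, vswitches))
    for ip in ("192.168.1.100", "192.168.1.200", "10.0.0.1"):
        hit = select_rule(rules, ip)
        print(ip, "->", f"{hit[0].name} via {hit[1]}" if hit else "no rule (unlimited)")
    print("1200 Mbps over 4 nodes, per connection:", per_connection_limit(1200, 4))
```

The run prints that 192.168.1.100 lands on Rule B (the /25) while 192.168.1.200 falls outside the /25 and lands on Rule A, which is the "check rule priority" step of the FAQ reduced to a function you can run against your own rule export before opening a ticket.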
Configure a rate limiting rule
Console
Log on to the NAT Gateway console and click Actions in the Manage column for the target instance.
Select the Bandwidth Limit Rule tab and click Create Rule.
Bandwidth Limit: Set the maximum outbound bandwidth for the rule, in Mbps. The minimum value is 10 Mbps.
Source CIDR: Select the source CIDR blocks whose traffic you want to limit.
The drop-down list displays all VSwitch CIDR blocks in the current VPC by default. You can also enter a more specific CIDR block that is part of a VSwitch CIDR block. For example, you can configure a /32 rule to limit the rate for a single IP address. A single rule supports up to 10 CIDR blocks.
Rule Name and Description: Use these fields to organize and manage your resources.
To verify the effect of the rule, check the OutInternetBandwidth (outbound public bandwidth) metric for the NAT Gateway instance in CloudMonitor. Verify that the peak bandwidth stays close to your configured rate limit. No direct metric tracks packets dropped by rate limiting. Instead, assess the effect indirectly by observing application latency or retransmission rates on the client side.
After you create a rule, you can modify or delete it.
Modifying a rate limiting rule may briefly affect existing network connections within the rule's scope. Perform this action during off-peak hours.
After you delete a rule, the NAT Gateway no longer limits the bandwidth for outbound traffic from the corresponding source CIDR block.
Billing
The rate limiting feature is free of charge.
Rate limiting works by dropping data packets that exceed the configured threshold. These dropped packets are not included in your public network traffic charges, which helps control costs in a pay-by-traffic billing model.
For reliable transport protocols such as TCP, packet loss triggers client-side retransmissions, which may slightly increase data consumption at the application layer.
FAQ
Why isn't my rate limiting rule working?
If a rate limiting rule does not work as expected after you configure it, follow these steps to troubleshoot:
Check the rule status: In the rule list on the Bandwidth Limit Rule tab, ensure the Status of the target rule is Active.
Check the traffic path: Ensure your service traffic uses this NAT Gateway as its public egress point. By default, an ECS instance with an assigned public IP address accesses the internet through its own IP. You must configure policy-based routing or use a secondary elastic network interface to force its traffic through the NAT Gateway.
Check the source address match: Verify that the private IP address of the instance or container initiating the traffic falls within the rule's Source CIDR block.
Check rule priority: Verify that a higher-priority rule (one with a longer subnet mask) is not overriding the current rule. According to the longest prefix match principle, the more specific rule takes precedence.
Understand best-effort behavior: Check the peak bandwidth in your monitoring data. This feature provides best-effort rate limiting, so it is normal for the actual bandwidth to fluctuate around the configured value. For details, see How it works.
Do rate limits affect inbound traffic?
No. Rate limiting rules apply only to outbound traffic that passes through the NAT Gateway to access the internet.