Internet NAT gateways allow instances to access the Internet by using the network address translation feature. This avoids address exposure and improves network security. Internet NAT gateways also support automatic scaling, high performance, high availability, and flexible billing. You can use Internet NAT gateways to manage Internet traffic.
Background information
The following figure describes the network topology of an Internet NAT gateway. You can use an Internet NAT gateway to meet the following requirements:
If your workloads in the cloud require Internet access but you do not want to expose the workloads to the Internet, you can use Internet NAT gateways. Internet NAT gateways can protect your workloads against attacks from the Internet.
If your services are expected to withstand outbound traffic spikes, you can use Internet NAT gateways. Internet NAT gateways can be scaled up and down as needed. In addition, Internet NAT gateways are cost-effective because they are billed on a pay-as-you-go basis.
If many devices require Internet access, you can create an Internet NAT gateway. This way, the devices can use the elastic IP addresses (EIPs) on the Internet NAT gateway to access the Internet. The Internet NAT gateway also provides fine-grained metrics and precise monitoring to control outbound traffic.
Why Internet NAT gateway?
Internet NAT gateways have the following features:
Security
Internet NAT Gateway avoids exposing addresses, uses SNAT entries to control inbound traffic, and supports fine-grained outbound rules.
High elasticity
Internet NAT Gateway supports automatic scaling and high performance to meet requirements in scenarios such as traffic spikes.
High availability
Internet NAT Gateway supports cross-zone disaster recovery. This ensures that services can run as expected if one zone fails.
Flexible billing
Internet NAT Gateway supports the pay-as-you-go billing method to reduce costs.
Deep observability
Internet NAT Gateway supports multiple monitoring metrics in various dimensions, and supports session logs and VPC flow logs to meet different monitoring requirements.
Features
Feature | Description |
--- | --- |
SNAT | Acts as the Internet egress for cloud resources in a virtual private cloud (VPC) that do not have public IP addresses. |
DNAT | Maps elastic IP addresses (EIPs) that are associated with the NAT gateway to ECS instances or other cloud resources in the VPC that do not have public IP addresses, so that they can provide services over the Internet. |
Automatic scaling | NAT Gateway supports automatic scaling, which dynamically adjusts performance metrics based on changes in your traffic. |
Primary/secondary zones for disaster recovery | NAT Gateway supports cross-zone disaster recovery. The secondary zone is selected by Alibaba Cloud. If the primary zone is down, the system automatically performs a failover to switch traffic from the primary zone to the secondary zone. The failover process takes no longer than 10 minutes. To further improve service availability, you can deploy multiple Internet NAT gateways. |
Session logs | NAT Gateway supports the session log feature. After you create an SNAT entry and traffic flows through the NAT gateway, SNAT sessions are recorded as logs to facilitate traffic monitoring and tracking. |
Various monitoring metrics | NAT Gateway supports 26 monitoring metrics. You can monitor NAT gateway instances in real time, which improves the stability of your system. |
Scenarios
Configure SNAT to enable ECS instances to access the Internet
You can create an Internet NAT gateway, associate an EIP with the Internet NAT gateway, and then create an SNAT entry on the Internet NAT gateway. This way, the ECS instances in the VPC can use the same EIP to access the Internet. This saves public IP resources.
You can also associate multiple EIPs with an Internet NAT gateway. When an ECS instance needs to access the Internet, it randomly selects an EIP from the SNAT IP address pool. If one of the EIPs is under attack, the ECS instance can randomly select another EIP from the SNAT IP address pool to access the Internet. This ensures high availability for your workloads and prevents service interruptions caused by EIP failures.
Note: When you add multiple EIPs to an SNAT IP address pool, network traffic is distributed based on a hashing algorithm. Because traffic volume varies for each connection, traffic may be unevenly distributed across the EIPs. We recommend that you add all EIPs to the same Internet Shared Bandwidth to prevent service disruption when the bandwidth limit of a single EIP is reached.
Configure DNAT to provide services over the Internet
You can create an Internet NAT gateway, associate EIPs with the Internet NAT gateway, and then configure DNAT on the Internet NAT gateway. This way, ECS instances in a VPC can receive requests from the Internet through port mapping or IP mapping.
Note: Descriptions of port mapping and IP mapping:
Port mapping: An Internet NAT gateway forwards requests destined for an EIP to the specified ECS instance. Only requests that match the specified protocol and ports (the external port on the EIP and the internal port on the ECS instance) are forwarded.
IP mapping: An Internet NAT gateway forwards all requests destined for an EIP to the specified ECS instance, regardless of port. The ECS instance can also use the same EIP to access the Internet. If an Internet NAT gateway is configured with both an SNAT entry and a DNAT entry that uses IP mapping, the DNAT entry takes precedence: the ECS instance uses the EIP in the DNAT entry, not an EIP from the SNAT entry, to access the Internet.
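As an added illustration (not code from the Alibaba Cloud documentation or the NAT Gateway product), the following Python model reproduces the translation rules described in the SNAT and DNAT scenarios above: per-connection hashing across the EIPs in an SNAT IP address pool, DNAT port mapping and IP mapping for inbound requests, and the precedence of an IP-mapping DNAT entry over SNAT for outbound traffic. The addresses, entries and the SHA-256-based hash are constructed assumptions; the real gateway's hashing algorithm is not published on this page.

```python
import hashlib
import ipaddress
from collections import namedtuple

Flow = namedtuple("Flow", "src_ip src_port dst_ip dst_port proto")  # proto: "TCP"/"UDP"

class InternetNatGateway:
    """Toy model of SNAT pool selection and DNAT port/IP mapping (constructed)."""
    def __init__(self, snat_entries, port_mappings, ip_mappings):
        # snat_entries: {source CIDR: [EIPs in the SNAT IP address pool]}
        self.snat_entries = {ipaddress.ip_network(c): p for c, p in snat_entries.items()}
        # port_mappings: {(EIP, external port, proto): (ECS private IP, internal port)}
        self.port_mappings = port_mappings
        # ip_mappings: {EIP: ECS private IP}; DNAT entries that use IP mapping
        self.ip_mappings = ip_mappings

    @staticmethod
    def pick_from_pool(pool, flow):
        # Per-connection hashing (assumed SHA-256 of the 5-tuple): the byte volume of
        # a flow is not considered, which is why load across the EIPs can be uneven.
        digest = hashlib.sha256(":".join(map(str, flow)).encode()).digest()
        return pool[int.from_bytes(digest[:4], "big") % len(pool)]

    def outbound_public_ip(self, flow):
        """Public source IP an ECS instance uses to reach the Internet, or None."""
        for eip, ecs_ip in self.ip_mappings.items():
            if ecs_ip == flow.src_ip:
                return eip  # IP-mapping DNAT takes precedence over SNAT
        src = ipaddress.ip_address(flow.src_ip)
        for cidr, pool in self.snat_entries.items():
            if src in cidr:
                return self.pick_from_pool(pool, flow)
        return None  # no SNAT entry covers this source: no Internet access

    def inbound_target(self, flow):
        """(ECS private IP, internal port) for a request to an EIP, or None."""
        hit = self.port_mappings.get((flow.dst_ip, flow.dst_port, flow.proto))
        if hit:
            return hit
        if flow.dst_ip in self.ip_mappings:
            return (self.ip_mappings[flow.dst_ip], flow.dst_port)
        return None  # SNAT-only EIP: unsolicited inbound traffic is dropped

# Constructed sample configuration using documentation address ranges.
GW = InternetNatGateway(
    snat_entries={"192.168.1.0/24": ["203.0.113.1", "203.0.113.2"]},
    port_mappings={("203.0.113.3", 443, "TCP"): ("192.168.1.10", 8443)},
    ip_mappings={"203.0.113.4": "192.168.1.20"},
)
```

Running 200 outbound flows from the SNAT-covered instance through `GW.outbound_public_ip` shows both pool EIPs being used, while inbound requests to a pool EIP return `None` because no DNAT entry exists for it.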
Usage notes
When you create an Internet NAT gateway, you must specify the VPC and the vSwitch to associate with it. We recommend that you create a dedicated vSwitch for the Internet NAT gateway so that sufficient IP addresses remain reserved for later use.
For more information, see Purchase an Internet NAT gateway.
Internet NAT gateways support primary/secondary zones for disaster recovery. The vSwitch that you specify when you create an Internet NAT gateway resides in the primary zone. You do not need to specify the vSwitch in the secondary zone.
The default throughput of an Internet NAT gateway is 5 Gbit/s, which can automatically scale up to 15 Gbit/s based on business requirements. For higher performance, contact your account manager.
Performance metric | New connections per second (CPS) | Throughput (inbound and outbound traffic) | Concurrent connections | Packets per second (PPS) |
--- | --- | --- | --- | --- |
Initial metrics | 20,000 | 5 Gbit/s | 500,000 | 800,000 |
Elastic limit | 100,000 | 15 Gbit/s | 2,000,000 | 2,500,000 |
Note: In actual business scenarios, the performance of NAT gateways is affected by factors such as packet length, connection type (long-lived or short-lived connections), and network architecture. Therefore, the actual performance of instances may vary. We recommend that you run stress tests that reflect your own traffic patterns to evaluate instance performance in advance, and configure appropriate monitoring items to keep your services running smoothly.
When the traffic through a NAT gateway exceeds the maximum metrics, packets may be dropped, which affects service access.
Traffic generated by DNAT entries is also subject to the maximum concurrent connection limit.
Limits
Instance limits
Item | Limit | Increase quota |
--- | --- | --- |
Maximum number of Internet NAT gateways that can be created in a VPC | 5 | You can request a quota increase by using one of the following methods: |
Maximum number of EIPs that can be associated with an Internet NAT gateway | 20 | You can request a quota increase by using one of the following methods: |
Creating an Internet NAT gateway in a VPC that contains a custom route whose destination CIDR block is 0.0.0.0/0 | Supported | N/A |
SNAT limits
Item | Limit | Increase quota |
--- | --- | --- |
Maximum number of SNAT entries that you can create on an Internet NAT gateway | 40 | You can request a quota increase by using one of the following methods: |
Whether the bandwidth of a vSwitch is limited by the bandwidth limits of the EIPs in the SNAT entry that is created for the vSwitch | Yes. Note: If the EIPs of an Internet NAT gateway are associated with an EIP bandwidth plan, the bandwidth of the vSwitch is limited by the bandwidth limit of the EIP bandwidth plan. | N/A |
Whether the number of concurrent connections is limited by the number of EIPs specified in an SNAT entry | When ECS instances that are not assigned public IP addresses use an Internet NAT gateway to access the same destination IP address and port over the Internet, the number of concurrent connections supported by the Internet NAT gateway is N × 55,000, where N is the number of EIPs specified in the SNAT entry. | |
The bandwidth limit of each EIP in an SNAT entry | If you specify multiple EIPs in an SNAT entry, network traffic is distributed based on a hashing algorithm instead of being evenly distributed to each EIP. To prevent individual EIPs from being overloaded, we recommend that you associate the EIPs with the same EIP bandwidth plan. The bandwidth of EIPs that are added to an SNAT IP address pool is not limited. For more information, see Create an SNAT IP address pool. | |
DNAT limits
Resource | Limit | Increase quota |
--- | --- | --- |
Maximum number of DNAT entries that you can create on an Internet NAT gateway | 100 | You can request a quota increase by using one of the following methods: |
Whether external users can access ECS instances that have EIPs or static public IP addresses through DNAT entries | No. To access an ECS instance through a DNAT entry, you must first disassociate the EIP or static public IP address from the ECS instance, because EIPs and static public IP addresses have a higher priority than DNAT entries. | N/A |