Internet NAT gateways allow instances to access the Internet by using the network address translation feature. This avoids address exposure and improves network security. Internet NAT gateways also support automatic scaling, high performance, high availability, and flexible billing. You can use Internet NAT gateways to manage Internet traffic.
Background information
The following figure describes the network topology of an Internet NAT gateway. You can use an Internet NAT gateway to meet the following requirements:
If your workloads in the cloud require Internet access but you do not want to expose the workloads to the Internet, you can use Internet NAT gateways. Internet NAT gateways can protect your workloads against attacks from the Internet.
If your services are expected to withstand outbound traffic spikes, you can use Internet NAT gateways. Internet NAT gateways can be scaled up and down as needed. In addition, Internet NAT gateways are cost-effective because Internet NAT gateways are billed on a pay-as-you-go basis.
If a large number of devices require Internet access, you can create an Internet NAT gateway. This way, the devices can use the elastic IP addresses (EIPs) on the Internet NAT gateway to access the Internet. The Internet NAT gateway also provides fine-grained metrics and precise monitoring to control outbound traffic.
Why Internet NAT gateway?
Internet NAT gateways have the following features:
Security
Internet NAT Gateway can avoid exposing addresses, uses SNAT entries to control inbound traffic, and supports fine-grained outbound rules.
High elasticity
Internet NAT Gateway supports automatic scaling and high performance to meet requirements in scenarios such as traffic spikes.
High availability
Internet NAT Gateway supports cross-zone disaster recovery. This ensures that services can run as expected if one zone fails.
Flexible billing
Internet NAT Gateway supports the pay-as-you-go billing method to reduce costs.
Monitoring
Internet NAT Gateway supports multiple monitoring metrics in various dimensions, and supports session logs and VPC flow logs to meet different monitoring requirements.
Features
Feature | Description | References |
SNAT | Allows instances with no public IP addresses assigned in a VPC to access the Internet. | Use the SNAT feature of an Internet NAT gateway to access the Internet |
DNAT | Maps EIPs to instances with no public IP addresses assigned in a VPC so that the instances can provide services over the Internet. | - |
Auto scaling | Internet NAT Gateway supports auto scaling based on your business requirements. By default, Internet NAT Gateway supports 5 Gbit/s traffic processing, 100,000 new connections per second, and 2 million concurrent connections per minute. The traffic processing capacity can be scaled up to 15 Gbit/s automatically. | |
Primary/secondary zones for disaster recovery | Internet NAT Gateway supports the primary/secondary zone mechanism. The secondary zone is selected by Alibaba Cloud. If the primary zone is down, the system automatically performs a failover to switch traffic from the primary zone to the secondary zone. The failover process takes no longer than 10 minutes. To improve service availability, you can deploy multiple Internet NAT gateways. | - |
Session log | NAT Gateway supports the session log feature. After you create an SNAT entry and traffic flows through a NAT gateway, SNAT sessions are recorded as logs to facilitate traffic monitoring and tracking. | |
Various monitoring metrics | Internet NAT gateways support 26 metrics. You can monitor Internet NAT gateways in real time, which improves the stability of your system. |
Scenarios
Configure SNAT to enable ECS instances to access the Internet
You can create an Internet NAT gateway, associate an EIP with the Internet NAT gateway, and then create an SNAT entry on the Internet NAT gateway. This way, the ECS instances in the VPC can use the same EIP to access the Internet. This saves public IP resources. For more information, see Use the SNAT feature of an Internet NAT gateway to access the Internet.
You can also associate multiple EIPs with an Internet NAT gateway. When an ECS instance needs to access the Internet, it randomly selects an EIP from the SNAT IP address pool. If one of the EIPs is under attack, the ECS instance can randomly select another EIP from the SNAT IP address pool to access the Internet. This ensures high availability for your workloads and prevents service interruptions caused by EIP failures.
NoteIf you add multiple EIPs to an SNAT IP address pool, network traffic is distributed based on a hashing algorithm instead of being evenly distributed to each EIP. To prevent individual EIPs from being overloaded, we recommend that you associate the EIPs with the same Internet Shared Bandwidth instance. For more information, see Associate EIPs with and disassociate EIPs from Internet Shared Bandwidth.
Configure DNAT to provide services over the Internet
You can create an Internet NAT gateway, associate EIPs with the Internet NAT gateway, and then configure DNAT on the Internet NAT gateway. This way, ECS instances in a VPC can receive requests from the Internet through port mapping or IP mapping.
NoteDescriptions of port mapping and IP mapping:
Port mapping: An Internet NAT gateway forwards requests destined for an EIP to the specified ECS instance. Requests are forwarded based on the specified source and destination ports and the specified protocol used by both ports.
IP mapping: An Internet NAT gateway forwards requests destined for an EIP to the specified ECS instance. The ECS instance can also use the EIP to access the Internet. If an Internet NAT gateway is configured with an SNAT entry and a DNAT entry that uses IP mapping, the ECS instance preferentially uses DNAT to access the Internet.
Deploy multiple Internet NAT gateways for high availability
You can deploy multiple Internet NAT gateways in different zones of a VPC. If one Internet NAT gateway in a zone is down, another Internet NAT gateway in another zone can take over.
Usage notes
When you create an Internet NAT gateway, you must specify a VPC and a vSwitch that you want to associate with the Internet NAT gateway. After an Internet NAT gateway is created, we recommend that you create an independent vSwitch for the Internet NAT gateway to reserve sufficient IP addresses for later use.
Internet NAT gateways support primary/secondary zones for disaster recovery. The vSwitch that you specify when you create an Internet NAT gateway resides in the primary zone. You do not need to specify the vSwitch in the secondary zone.
For more information about how to create an Internet NAT gateway, see Purchase an Internet NAT gateway.
By default, an Internet NAT gateway can process traffic at 5 Gbit/s and scale up to 15 Gbit/s as traffic increases. To increase the traffic processing capacity, new connection rate, and concurrent connection rate, contact your account manager.
Metrics SessionNewConnection SessionActiveConnection Data forwarding Default metric 100,000 2,000,000 5 Gbit/s to 15 Gbit/s (automatic scaling) The following content describes the preceding metrics:- SessionNewConnection: the number of new connections per second.
- SessionActiveConnection: the number of concurrent connections per minute.
- Data forwarding: the amount of inbound and outbound traffic processed per hour.
Limits
Instance limits
Item | Limit | Adjustable |
Maximum number of Internet NAT gateways that can be created in a VPC | 5 | You can request a quota increase by using one of the following methods:
|
Maximum number of EIPs that can be associated with an Internet NAT gateway | 20 Note Starting September 19, 2022, if you associate an EIP with a newly created Internet NAT gateway, a private IP address of the vSwitch where the NAT gateway resides is used. Make sure that the vSwitch has sufficient private IP addresses available for use. Otherwise, you cannot associate an EIP with the NAT gateway. Existing NAT gateways are not affected. | You can request a quota increase by using one of the following methods:
|
Creating an Internet NAT gateway in a VPC that contains a custom route whose destination CIDR block is 0.0.0.0/0 | Supported | N/A |
SNAT limits
Item | Limit | Adjustable |
Maximum number of SNAT entries that you can create on an Internet NAT gateway | 40 | You can request a quota increase by using one of the following methods:
|
Whether the bandwidth of a vSwitch is limited by the bandwidth limits of the EIPs in the SNAT entry that is created for the vSwitch | Yes Note If the EIPs of an Internet NAT gateway are associated with an EIP bandwidth plan, the bandwidth of the vSwitch is limited by the bandwidth limit of the EIP bandwidth plan. | N/A |
Whether the number of concurrent connections is limited by the number of EIPs specified in an SNAT entry | When ECS instances that are not assigned public IP addresses use an Internet NAT gateway to access the same destination IP address and port over the Internet, the number of concurrent connections supported by the Internet NAT gateway is N × 55,000. N is the number of EIPs specified in the SNAT entry. | |
The bandwidth limit of each EIP in an SNAT entry | If you specify multiple EIPs in an SNAT entry, network traffic is distributed based on a hashing algorithm instead of being evenly distributed to each EIP. To prevent individual EIPs from being overloaded, we recommend that you associate the EIPs with the same EIP bandwidth plan. The bandwidth of EIPs that are added to an SNAT IP address pool is not limited. For more information, see Create an SNAT IP address pool. |
DNAT limits
Item | Limit | Adjustable |
Maximum number of DNAT entries that you can create on an Internet NAT gateway | 100 | You can request a quota increase by using one of the following methods:
|
Creating DNAT entries for ECS instances with which EIPs are associated | Not supported if the ECS instances are associated with only one ENI. Before you can create DNAT entries for the ECS instances, you must disassociate the EIPs from the ECS instances. For more information, see Disassociate an EIP from a cloud resource and Create and manage DNAT entries. Note If you create a DNAT entry for an ECS instance that is associated with an EIP, the ECS instance preferentially uses the EIP to communicate with the Internet. | N/A |
Creating DNAT entries for ECS instances that have static public IP addresses | Not supported if the ECS instances are associated with only one ENI. Before you can create DNAT entries for the ECS instances, you must convert the static public IP addresses to EIPs, and disassociate the EIPs from the ECS instances. For more information about how to convert a static public IP address to an EIP, see Convert the static public IP address of an ECS instance in a VPC to an EIP. Note If you create a DNAT entry for an ECS instance that has a static public IP address, the ECS instance preferentially uses the static public IP address to communicate with the Internet. | N/A |