SAE application instances do not have public IP addresses and cannot directly access resources or services on the Internet. You can create an Internet NAT gateway in the virtual private cloud (VPC) of your SAE application. This gateway provides a proxy service that allows all SAE application instances to access the Internet.
When an SAE application accesses the Internet through an Internet NAT gateway, the source IP addresses of all application instance requests are converted to a single, static public IP address. This is suitable for most scenarios. For example, you can add the static public IP address to the whitelist of a public database service. Note that you must create an Internet NAT gateway for outbound traffic. This allows SAE application instances to access resources or services on the Internet and is required even if you have configured a Service or Ingress for inbound traffic.
In some scenarios, each SAE application instance may need an independent public IP address to connect to other public services. In this case, an alternative method to enable Internet access is to bind an EIP to each SAE application instance. Note that the public IP address of an application instance is dynamic because instances can be created or destroyed at any time.
Procedure
1. Create an Internet NAT gateway
If the VPC where your SAE application is deployed does not have an Internet NAT gateway, you can follow the steps in this section to create one.
If a gateway already exists, skip this step and proceed to configure the existing Internet NAT gateway instance. To avoid potential route conflicts, create only one Internet NAT gateway instance in a VPC.
- Log on to the NAT Gateway console.
- In the top navigation bar, select the region where you want to create the NAT gateway.
- On the Internet NAT Gateway page, click Create NAT Gateway.
  When you create an Internet NAT gateway for the first time, click Create in the Notes on Creating Service-linked Roles section of the buy page to create a service-linked role. After the service-linked role is created, you can create Internet NAT gateways. For more information, see Service-linked roles.
- Configure the following parameters, and then click Buy Now and then Activate Now. For more information, see NAT Gateway billing.
  - Set Region to the region where the SAE application is deployed.
  - For Network And Zone, select the VPC of the SAE application and the zone where you want to deploy the Internet NAT gateway instance. Then, select an existing vSwitch or create a new one.
  - Set Network Type to Internet NAT Gateway.
  - For Elastic IP Address, select Purchase Elastic IP Address and configure Peak Bandwidth, or select Select Existing Elastic IP Address Instance. The Internet NAT gateway instance is automatically attached to the specified EIP instance after the gateway is created.
- On the Internet NAT Gateway page, you can view the Internet NAT gateway instance that you created and its attached EIP.
2. Configure an SNAT entry
- On the Internet NAT Gateway page, find the NAT gateway that you want to manage and click Configure SNAT in the Actions column.
- On the SNAT Management tab, click Create SNAT Entry.
- Configure the following parameters and click OK.
  - For SNAT Entry Granularity, select VSwitch, and then select all vSwitches where the SAE application instances are deployed.
  - For Select Elastic IP Address, select the public IP address of the attached EIP instance.
- In the SNAT Entry List, you can view the SNAT entry that you created, the source CIDR block, and the public IP address used for translation.
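The following Python check is an added example, not part of the original documentation or of any Alibaba Cloud tool. It compares the source CIDR blocks shown in the SNAT Entry List against the private IP addresses of the application instances, reporting any instance in a vSwitch that was left out of the SNAT entry and whether all instances leave through one public IP address. The field names `source_cidr` and `snat_ip` and all addresses are constructed assumptions.

```python
import ipaddress

# Constructed sample data, not from a real account. The field names are
# assumptions that mirror the SNAT Entry List columns: the source CIDR block
# and the public IP address used for translation.
SNAT_ENTRIES = [
    {"source_cidr": "192.168.1.0/24", "snat_ip": "203.0.113.10"},
    {"source_cidr": "192.168.2.0/24", "snat_ip": "203.0.113.10"},
]
# Constructed private IPs of SAE application instances; the last one sits in
# a vSwitch that was not selected when the SNAT entry was created.
INSTANCE_IPS = ["192.168.1.15", "192.168.2.40", "192.168.3.7"]


def egress_ip(private_ip, entries):
    """Return the translation IP of the SNAT entry covering private_ip, or None.

    Entries are assumed to be at vSwitch granularity with non-overlapping
    source CIDR blocks, so the first match is the only match.
    """
    addr = ipaddress.ip_address(private_ip)
    for entry in entries:
        if addr in ipaddress.ip_network(entry["source_cidr"]):
            return entry["snat_ip"]
    return None


def audit(instance_ips, entries):
    """Map every instance to its egress IP and summarize the findings."""
    mapping = {ip: egress_ip(ip, entries) for ip in instance_ips}
    uncovered = sorted(ip for ip, eip in mapping.items() if eip is None)
    egress_ips = sorted({eip for eip in mapping.values() if eip is not None})
    return {
        "mapping": mapping,
        "uncovered": uncovered,    # no SNAT entry, so no NAT path to the Internet
        "egress_ips": egress_ips,  # addresses a remote whitelist must contain
        # True only if every instance leaves through one and the same address.
        "single_static_ip": not uncovered and len(egress_ips) == 1,
    }


if __name__ == "__main__":
    report = audit(INSTANCE_IPS, SNAT_ENTRIES)
    for ip, eip in report["mapping"].items():
        print(f"{ip:<15} -> {eip or 'NOT COVERED'}")
    print("egress IPs:", report["egress_ips"])
    print("single static egress IP:", report["single_static_ip"])
```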