Serverless App Engine: Configure a NAT gateway for an SAE application to enable Internet access

Last Updated: Nov 16, 2023

In most cases, the business operations of the applications that are deployed on Serverless App Engine (SAE) are performed by accessing resources over the Internet or across virtual private clouds (VPCs). This topic describes how to configure a NAT gateway for an SAE application to access the Internet from a VPC.

Background information

Internet access is required during application deployment in the following scenarios:

  • Containers run based on the Internet.

  • You use third-party resources. For example, Internet access is required when you use a WeChat mini program.

  • Applications need to access databases across VPCs or regions.

Solution

Configure a NAT gateway and bind an elastic IP address (EIP) for all application instances in a VPC. If no public IP addresses are associated with application instances that are deployed in a VPC, you can use the source network address translation (SNAT) feature to enable Internet access for the application instances without the need to configure a proxy.

Note
  • If the instances that are associated with multiple vSwitches in a VPC need to access the Internet, you must configure an SNAT entry for each vSwitch.

  • If multiple applications in a VPC need to access the Internet, you need to associate only one EIP after you configure a proxy.

Usage notes

If multiple NAT gateways exist in a VPC, make sure that the routing rules in the route table of the VPC are bound to the NAT gateway associated with SAE. For information about how to modify a route table, see Create and manage a route table.

Step 1: Create a NAT gateway

  1. Log on to the NAT Gateway console.
  2. In the top navigation bar, select the region where you want to create the NAT gateway.
  3. On the Internet NAT Gateway page, click Create NAT Gateway.
  4. When you create an Internet NAT gateway for the first time, click Create in the Notes on Creating Service-linked Roles section of the buy page to create a service-linked role. After the service-linked role is created, you can create Internet NAT gateways.

    For more information, see Service-linked roles.

  5. On the Internet NAT Gateway page, configure the parameters and click Buy Now. The parameters are described below.

    • Billing Method: The billing method. By default, Pay-As-You-Go is selected. You can pay for resources after you use them.

    • Resource Group: The resource group. Select the resource group to which the VPC belongs.

    • Tags: Select existing tags or configure the Tag Key and Tag Value parameters. You can specify up to 20 key-value pairs. A tag key or a tag value can be up to 128 characters in length. The tag key or tag value cannot start with aliyun or acs:, and cannot contain http:// or https://.

    • Region: The region where the Internet NAT gateway resides. Select the region where the application that is deployed on SAE resides.

    • VPC: The VPC to which the Internet NAT gateway belongs. Select the ID of the VPC to which the application that is deployed on SAE belongs. After the Internet NAT gateway is created, you cannot change the VPC to which the Internet NAT gateway belongs.

    • Associate vSwitch: The ID of the vSwitch that you want to associate with the Internet NAT gateway.

    • Metering Method: The metering method. By default, Pay-By-CU is selected. You are charged based on the resources that you use.

    • Billing Cycle: The billing cycle. By default, By Hour is selected. Fees are calculated on an hourly basis. If you use an Internet NAT gateway for less than 1 hour, the usage duration is rounded up to 1 hour.

    • Instance Name: The name of the Internet NAT gateway.

    • Access Mode: Specifies whether to enable SNAT for the resources in the specified VPC. Valid values:

      • SNAT for All VPC Resources: After the Internet NAT gateway is created, all resources in the VPC can access the Internet by using the SNAT feature of the NAT gateway.

        If you select SNAT for All VPC Resources, you must configure an EIP.

      • Configure Later: If you select this option, SNAT is disabled. You can configure SNAT on the Internet NAT gateway in the console after you complete the payment.

        If you select Configure Later, only the Internet NAT gateway is created. No SNAT entry is created.

      In this example, SNAT for All VPC Resources is selected.

    • EIP: The EIP that you want to associate with the Internet NAT gateway. Valid values:

      • Select EIP: Select an existing EIP from the EIP drop-down list.

      • Purchase EIP: Purchase a pay-as-you-go EIP in the region where the Internet NAT gateway is deployed.

        • Line Type: By default, BGP(Multi-ISP) is selected.

        • Security Protection: By default, Anti-DDoS Origin Basic is used, which can protect the system from DDoS attacks whose bandwidth is up to 5 Gbit/s.

        • Maximum Bandwidth: the maximum bandwidth of the EIP. You can specify a custom value based on your business requirements.

        • Metering Method: Select a metering method for the EIP.

          • Pay-By-Data-Transfer: You are charged based on the amount of data that is transferred over the Internet per hour. For more information, see Internet data transfer fee.

          • Pay-By-Bandwidth: You are charged based on the specified maximum bandwidth per day, regardless of the actual usage. For more information, see Pay-as-you-go.

      Note: From September 19, 2022, if you associate an EIP with a new Internet NAT gateway, a random private IP address of the vSwitch of the NAT gateway is used. Make sure that the vSwitch has sufficient private IP addresses that are available for operations. Otherwise, you cannot associate an EIP with the NAT gateway.

  6. On the Confirm page, confirm the configuration, read and select Terms of Service, and then click Confirm.

    If the Purchased message appears, the Internet NAT gateway is created. On the Internet NAT Gateway page, you can view the created Internet NAT gateway and the associated EIP.

Step 2: Create an SNAT entry

You can create an SNAT entry to allow application instances that are deployed in a VPC to access the Internet even when no public IP addresses are associated with the application instances.

  1. Log on to the NAT Gateway console.
  2. In the top navigation bar, select the region where you want to create the NAT gateway.
  3. On the Internet NAT Gateway page, find the NAT gateway that you want to manage and click Configure SNAT in the Actions column.
  4. On the SNAT Management tab, click Create SNAT Entry.

  5. On the Create SNAT Entry page, configure the parameters and click OK. The parameters are described below.

    • SNAT Entry: Select Specify vSwitch.

    • Select vSwitch: Select a vSwitch that resides in the VPC. All application instances that are associated with the vSwitch can access the Internet by using the SNAT feature.

      Note: If an application instance is associated with an EIP, the instance uses a public IP address. If the instance initiates a request to access the Internet, the system uses the public IP address instead of the SNAT feature of NAT Gateway.

    • vSwitch CIDR Block: After you select a vSwitch, the CIDR block of the vSwitch is automatically displayed in this section.

    • Select Public IP Address: Select the public IP address that you want to use to access the Internet.

      Note: A public IP address that is already used in an SNAT entry cannot be used in the current SNAT entry.

    • Entry Name: Enter a custom entry name.

    After the SNAT entry is created, you can view the SNAT entry in the Used in SNAT Entry section.
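
As an added example (not Alibaba Cloud code), the following Python check models the rules stated in this topic: one SNAT entry per vSwitch, no reuse of a public IP address across SNAT entries, the route table targeting the NAT gateway used by SAE, and an instance EIP taking precedence over SNAT. It reports which public source IP each instance would present to the Internet, which is the value to review when a third party allowlists your egress addresses. All field names, IDs and IP addresses are constructed for illustration and do not reflect an Alibaba Cloud API schema.

```python
import ipaddress

# Constructed sample data; the field names are hypothetical, not an Alibaba Cloud API schema.
VSWITCHES = {"vsw-a": "192.168.0.0/24", "vsw-b": "192.168.1.0/24"}
SNAT_ENTRIES = [{"name": "sae-a", "vswitch": "vsw-a", "public_ip": "203.0.113.10"}]
INSTANCES = [
    {"id": "app-1", "private_ip": "192.168.0.15", "eip": None},
    {"id": "app-2", "private_ip": "192.168.1.20", "eip": None},
    {"id": "app-3", "private_ip": "192.168.0.16", "eip": "203.0.113.77"},
]

def vswitch_of(private_ip, vswitches):
    """Return the ID of the vSwitch whose CIDR block contains private_ip, or None."""
    addr = ipaddress.ip_address(private_ip)
    for vsw_id, cidr in vswitches.items():
        if addr in ipaddress.ip_network(cidr):
            return vsw_id
    return None

def egress_ip(instance, vswitches, snat_entries):
    """Public source IP the Internet sees for this instance, or None if it has no path out."""
    if instance["eip"]:  # an instance EIP takes precedence over the gateway's SNAT
        return instance["eip"]
    vsw = vswitch_of(instance["private_ip"], vswitches)
    for entry in snat_entries:
        if entry["vswitch"] == vsw:
            return entry["public_ip"]
    return None

def audit(instances, vswitches, snat_entries, route_nat_id, sae_nat_id):
    """Check a planned setup against the rules stated in this topic."""
    findings = []
    if route_nat_id != sae_nat_id:  # Usage notes: route table must target SAE's NAT gateway
        findings.append(f"route table targets {route_nat_id}, expected {sae_nat_id}")
    seen = set()
    for entry in snat_entries:  # a public IP already used in an SNAT entry cannot be reused
        if entry["public_ip"] in seen:
            findings.append(f"{entry['name']}: public IP {entry['public_ip']} already used")
        seen.add(entry["public_ip"])
    for inst in instances:
        ip = egress_ip(inst, vswitches, snat_entries)
        if ip is None:  # each vSwitch that needs Internet access needs its own SNAT entry
            vsw = vswitch_of(inst["private_ip"], vswitches)
            findings.append(f"{inst['id']}: no SNAT entry for {vsw}")
        elif inst["eip"]:
            findings.append(f"{inst['id']}: egress via own EIP {ip}, bypasses SNAT")
    return findings
```

Calling `audit(INSTANCES, VSWITCHES, SNAT_ENTRIES, "ngw-sae", "ngw-sae")` on the sample data reports that app-2 sits in a vSwitch without an SNAT entry and that app-3 leaves through its own EIP instead of the gateway address.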