Creates an enhanced Internet NAT gateway or a Virtual Private Cloud (VPC) NAT gateway.

Usage notes

Before you call this operation, take note of the following limits:

  • The first time you create a NAT gateway, the system automatically creates the service-linked role AliyunServiceRoleForNatgw and attaches the policy AliyunServiceRolePolicyForNatgw to the role. This allows the NAT gateway to access other resources on Alibaba Cloud. For more information, see Service-linked roles.
  • After you create an enhanced Internet NAT gateway, a route entry is automatically added to the route table of the VPC. The destination CIDR block of the route entry is 0.0.0.0/0 and the next hop is the NAT gateway. This ensures that traffic is routed to the NAT gateway.
  • CreateNatGateway is an asynchronous operation. After you make a request, the ID of the Internet NAT gateway or the VPC NAT gateway is returned, but the NAT gateway is not created. The system creates the NAT gateway in the background. You can call the DescribeNatGateways to query the status of a NAT gateway.
    • If a NAT gateway is in the Creating state, the NAT gateway is being created. In this case, you can query the NAT gateway but cannot perform other operations.
    • If a NAT gateway is in the Available state, the NAT gateway is created.

      It takes 1 to 3 minutes to create a NAT gateway.

  • You cannot repeatedly call the CreateNatGateway operation to create a NAT gateway within the specified period of time, no matter whether it is an Internet NAT gateway or a VPC NAT gateway.

Debugging

OpenAPI Explorer automatically calculates the signature value. For your convenience, we recommend that you call this operation in OpenAPI Explorer. OpenAPI Explorer dynamically generates the sample code of the operation for different SDKs.

Request parameters

Parameter Type Required Example Description
Action String Yes CreateNatGateway

The operation that you want to perform. Set the value to CreateNatGateway.

RegionId String Yes cn-hangzhou

The ID of the region where you want to create the NAT gateway.

You can call the DescribeRegions operation to query the most recent region list.

VpcId String Yes vpc-bp1di7uewzmtvfuq8****

The ID of the VPC where you want to create the NAT gateway.

Name String No fortest

The name of the NAT gateway.

The name must be 2 to 128 characters in length, and can contain letters, digits, underscores (_), and hyphens (-). The name must start with a letter.

If this parameter is not set, the system assigns a default name to the NAT gateway.

Description String No testnat

The description of the NAT gateway.

This parameter is optional. If you enter a description, the description must be 2 to 256 characters in length, and cannot start with http:// or https://.

ClientToken String No 5A2CFF0E-5718-45B5-9D4D-70B3FF3898

The client token that is used to ensure the idempotence of the request.

You can use the client to generate the value, but you must make sure that it is unique among different requests.

Note If you do not set this parameter, ClientToken is set to the value of RequestId. The value of RequestId for each API request may be different.
Spec String No Invalid parameter

Subscription Internet NAT gateways are no longer available for purchase. Ignore this parameter.

InstanceChargeType String No PostPaid

The billing method of the NAT gateway.

Set the value to PostPaid (pay-as-you-go), which is the default value.

For more information, see Internet NAT gateway billing and VPC NAT gateway billing.

PricingCycle String No Invalid parameter

Subscription Internet NAT gateways are no longer available for purchase. Ignore this parameter.

Duration String No Invalid parameter

Subscription Internet NAT gateways are no longer available for purchase. Ignore this parameter.

AutoPay Boolean No Invalid parameter

Subscription Internet NAT gateways are no longer available for purchase. Ignore this parameter.

VSwitchId String Yes vsw-bp1e3se98n9fq8hle****

The ID of the vSwitch to which the NAT gateway is attached.

When you create a NAT gateway, you must specify a vSwitch for the NAT gateway. Then, the system assigns an idle private IP address from the vSwitch to the NAT gateway.

  • To attach the NAT gateway to an existing vSwitch, make sure that the zone to which the vSwitch belongs supports NAT gateways. In addition, the vSwitch must have idle IP addresses.
  • If no vSwitch exists in the VPC, create a vSwitch in a zone that supports NAT gateways. Then, specify the vSwitch for the NAT gateway.
Note You can query the zones that support NAT gateways by calling the ListEnhanhcedNatGatewayAvailableZones operation. You can query the number of available IP addresses in a vSwitch by calling the DescribeVSwitches operation.
NatType String Yes Enhanced

The type of NAT gateway. Set the value to Enhanced (enhanced NAT gateway).

InternetChargeType String No PayByLcu

The metering method of the NAT gateway. Set the value to PayByLcu, which specifies the pay-by-CU metering method.

NetworkType String No internet

The network type of the NAT gateway. Valid values:

  • internet: Internet
  • intranet: VPC
SecurityProtectionEnabled Boolean No false

Specifies whether to enable the firewall feature. Valid values:

  • false (default): disables the firewall feature
  • true: enables the firewall feature
IcmpReplyEnabled Boolean No false

Specifies whether to enable the ICMP non-retrieval feature. Valid values:

  • false (default): disables ICMP non-retrieval
  • true: enables ICMP non-retrieval
EipBindMode String No MULTI_BINDED

The mode in which the NAT gateway is associated with an elastic IP address (EIP). Valid values:

  • MULTI_BINDED (default): Multi-EIP-to-ENI mode.
  • NAT: NAT mode, which is compatible with IPv4 addresses.
    Note If you use the NAT mode, the EIP occupies one private IP address on the vSwitch of the NAT gateway. Make sure that the vSwitch has sufficient private IP addresses. Otherwise, the NAT gateway fails to be associated with the EIP. In NAT mode, you can associate a NAT gateway with at most 50 EIPs.

Response parameters

Parameter Type Example Description
NatGatewayId String ngw-112za33e4****

The ID of the NAT gateway.

RequestId String 2315DEB7-5E92-423A-91F7-4C1EC9AD97C3

The ID of the request.

ForwardTableIds Array of String ftb-11tc6xgmv****

A list of DNAT entries.

SnatTableIds Array of String stb-SnatTableIds****

A list of SNAT entries.

FullNatTableIds Array of String fulltb-gw88z7hhlv43rmb26****

A list of FULLNAT entries.

Examples

Sample requests

http(s)://[Endpoint]/?Action=CreateNatGateway
&RegionId=cn-hangzhou
&VpcId=vpc-bp1di7uewzmtvfuq8****
&Name=fortest
&Description=testnat
&ClientToken=5A2CFF0E-5718-45B5-9D4D-70B3FF3898
&Spec=Invalid parameter
&InstanceChargeType=PostPaid
&PricingCycle=Invalid parameter
&Duration=Invalid parameter
&AutoPay=false
&VSwitchId=vsw-bp1e3se98n9fq8hle****
&NatType=Enhanced
&InternetChargeType=PayByLcu
&NetworkType=internet
&SecurityProtectionEnabled=false
&IcmpReplyEnabled=false
&EipBindMode=MULTI_BINDED
&Common request parameters

Sample success responses

XML format

HTTP/1.1 200 OK
Content-Type:application/xml

<CreateNatGatewayResponse>
    <NatGatewayId>ngw-112za33e4****</NatGatewayId>
    <RequestId>2315DEB7-5E92-423A-91F7-4C1EC9AD97C3</RequestId>
    <ForwardTableIds>ftb-11tc6xgmv****</ForwardTableIds>
    <SnatTableIds>stb-SnatTableIds****</SnatTableIds>
    <FullNatTableIds>fulltb-gw88z7hhlv43rmb26****</FullNatTableIds>
</CreateNatGatewayResponse>

JSON format

HTTP/1.1 200 OK
Content-Type:application/json

{
  "NatGatewayId" : "ngw-112za33e4****",
  "RequestId" : "2315DEB7-5E92-423A-91F7-4C1EC9AD97C3",
  "ForwardTableIds" : [ "ftb-11tc6xgmv****" ],
  "SnatTableIds" : [ "stb-SnatTableIds****" ],
  "FullNatTableIds" : [ "fulltb-gw88z7hhlv43rmb26****" ]
}

Error codes

HttpCode Error code Error message Description
400 Forbidden.NatPayBySpec Pay-by-specification NAT is no longer supported. Newly purchased pay-as-you-go NAT gateways only support the pay-by-CU metering method. The error message returned because pay-by-specification NAT gateways are no longer available for purchase. Set the InternetChargeType parameter to PayByLcu.
400 InvalidVPCStatus vpc incorrect status. The error message returned because the operation is not supported when the VPC is in the current state. Check whether the state of the VPC is valid.
400 InvalidNatGatewayName.MalFormed NatGateway name is not valid. The error message returned because the specified name of the NAT gateway is invalid.
400 InvalidNatGatewayDescription.MalFormed NatGateway description is not valid. The error message returned because the specified description is invalid.
400 MissingParameter.BandwidthPackage only support one BandwidthPackage be created with NatGateway. The error message returned because no EIP bandwidth plan is specified. You must specify an EIP bandwidth plan.
400 MissingParameter Miss mandatory parameter. The error message returned because one or more required parameters are not set. Check whether all required parameters are set before you call this operation.
400 QuotaExceeded.BandwidthPackageIps The specified ipCount exceeded quota. The error message returned because the number of IP addresses has reached the upper limit. Request a quota increase on the Quota Management page.
400 InvalidParameter.Name.Malformed The specified Name is not valid. The error message returned because the format of the specified name is invalid. Specify a name in the valid format.
400 InvalidParameter.Description.Malformed The specified Description is not valid. The error message returned because the specified description is invalid.
400 ZONE_NO_AVAILABLE_IP The Zone have no available ip. The error message returned because no IP address is available in the zone.
400 InvalidParameter.BandwidthPackage.n.ISP.ValueNotSupport The specified ISP of BandwidthPackage is not valid. The error message returned because the specified Internet service provider (ISP) of the EIP bandwidth plan is invalid.
400 InvalidNatGatewayId.NotFound The NatGatewayId not exist. The error message returned because the specified NAT gateway ID does not exist. Check whether the value of the NatGatewayId parameter is valid.
400 VswitchStatusError The VSwitch is creating . The error message returned because the operation is not supported when the vSwitch is being created.
400 VpcStatusError The Vpc is creating . The error message returned because the operation is not supported when the VPC is being created.
400 InvalidParameter.Spec.ValueNotSupported The specified Spec is not valid. The error message returned because the specified size is invalid.
400 Forbidden.CheckEntryRuleQuota Route entry quota rule check error. The error message returned because an error occurred when the system was checking the quota of route entries.
400 OperationFailed.UnpaidBillsExist The account has unpaid bills. Please pay your overdue bill first. The error message returned because unpaid orders exist.
400 OperationFailed.EnhancedQuotaExceed Enhanced nat gateway per vpc quota is exceeded The error message returned because the number of enhanced NAT gateways in the specified VPC has reached the upper limit.
400 OperationFailed.VswNotBelongToVpc Operation failed because the specified VSwitch is not bound to the same VPC with NAT gateway. The error message returned because the vSwitch and NAT gateway do not belong to the same VPC.
400 OperationFailed.EnhancedUserIsUnAuthorized Operation failed because the user is not authorized to create an enhanced NAT gateway. The error message returned because you do not have the permissions to create enhanced NAT gateways.
400 OperationUnsupported.PrePaidPyByLcu The operation failed because the subscription NAT gateway does not support the pay-by-LCU billing method. The error message returned because subscription NAT gateways do not support the pay-by-CU metering method.
400 OperationFailed.NormalInventoryNotEnough Standard NAT gateways are no longer offered. You can create enhanced NAT gateways and set the correct natType. The error message returned because you can no longer create standard NAT gateways. Set the NatType parameter to Enhanced.
404 InvalidRegionId.NotFound The specified RegionId does not exist in our records. The error message returned because the specified region ID does not exist.
404 InvalidVpcId.NotFound Specified value of VpcId is not found in our record. The error message returned because the specified VPC does not exist. Check whether the specified VPC is valid.
404 InvalidZoneId.NotFound Specified value of ZoneId is not exists. The error message returned because the specified zone does not exist.
404 InvalidZoneId.NotFound Can not find ZoneId for allocated ip. The error message returned because the zone of the specified IP address is invalid.
404 UnsupportedZoneForFwNat The zone is unsupported for FW NAT. The error message returned because the specified zone does not support enhanced NAT gateways that have firewalls enabled.

For a list of error codes, visit the API Error Center.