Virtual Private Cloud:Create and enable an IPv4 gateway in a VPC associated with an Internet NAT gateway

Scenarios

A company created a VPC in the Singapore region and deployed an Elastic Compute Service (ECS) cluster in a vSwitch (VSW1) of the VPC. Cloud services are deployed in the ECS cluster. The ECS cluster uses an Internet NAT gateway (NATGW1) with DNAT enabled to provide services over the Internet. Due to business development, some ECS instances in the cluster are assigned static public IP addresses or elastic IP addresses (EIPs). These ECS instances can access the Internet without referencing the VPC route table.

Method 1: Create an Internet NAT gateway

This method requires you to create a vSwitch (VSW2) in the VPC and migrate ECS2 that has a public IP address from VSW1 to VSW2. Then, you need to create an Internet NAT gateway (NATGW2) in VSW2 and point routes to NATGW2 in VSW2, and delete NATGW1 from VSW1.

After you complete the preceding operations, ECS1 that does not have a public IP address assigned in VSW1 must use NATGW2 and the IPv4 gateway to access the Internet. ECS1 cannot use a public IP address to access the Internet. ECS2 that has a public IP address assigned in VSW2 can use the IPv4 gateway to access the Internet. This allows you to limit the ECS instances in the VPC from accessing the Internet.

Method 2: Use the existing Internet NAT gateway

This method requires you to perform the following operations: create an IPv4 gateway in the VPC, create a vSwitch (VSW2), associate VSW2 with subnet route table-2, migrate ECS1 with no public IP address assigned in VSW1 to VSW2, change the next hop of a route in subnet route table-1 that is associated with VSW1 from NATGW1 to the IPv4 gateway, set the next hop of the default route in subnet route table-2 to NATGW1, and then activate the IPv4 gateway.

After you complete the preceding operations, ECS1 that has no public IP address assigned in VSW2 must use NATGW1 and the IPv4 gateway to access the Internet. ECS1 cannot use a public IP address to access the Internet. ECS2 that has a public IP address assigned in VSW1 can use the IPv4 gateway to access the Internet. This allows you to limit the ECS instances in the VPC from accessing the Internet.

Procedure

Prerequisites

• A VPC is created in the Singapore region, and two vSwitches (VSW1 and VSW2) are created in the VPC. For more information, see Create a VPC with an IPv4 CIDR block.

• An ECS instance (ECS1) that does not have a public IP address is created in VSW1, and another ECS instance (ECS2) that has a public IP address is created in VSW2. For information about how to create an ECS instance, see Create an instance on the Custom Launch tab.

• An Internet NAT gateway (NATGW2) is created in VSW2, and the Internet NAT gateway is associated with an EIP. For more information, see Create and manage Internet NAT gateways.

• Another Internet NAT gateway (NATGW1) is created in VSW1, and the Internet NAT gateway is associated with an EIP. The custom route that points to NATGW1 is deleted from the system route table of the VPC. For more information, see Delete a custom route table.

Step 1: Create an IPv4 gateway

The IPv4 gateway can be created if it is compatible with the Internet NAT gateway in the VPC. Otherwise, the IPv4 gateway fails to be created. You can change the mode of the Internet NAT gateway to make it compatible with IPv4 gateways before you create an IPv4 gateway. For more information about how to change the mode of an Internet NAT gateway, see Change the mode of an Internet NAT gateway.

1. Log on to the VPC console.

2. In the top navigation bar, select the region where you want to create an IPv4 gateway. Singapore is selected in this example.

   Note

   For more information about the regions that support IPv4 gateways, see Feature release and supported regions.

3. In the left-side navigation pane, click IPv4 Gateway.

4. On the IPv4 Gateway page, click Create IPv4 Gateway.

5. In the Create IPv4 Gateway dialog box, configure the following parameters and click Create.

   Parameter	Description
   Region	Displays the region where you want to create the IPv4 gateway.
   VPC	Select the VPC with which you want to associate the IPv4 gateway.
   Name	Enter a name for the IPv4 gateway.
   Description	Enter a description for the IPv4 gateway.

6. On the IPv4 Gateway page, view the created IPv4 gateway.

   After you create an IPv4 gateway, it is in the Available state.

Step 2: Create a custom route table

You need to create a custom route table and associate it with VSW2. Then, you need to add a route that points to the IPv4 gateway to the route table.

1. Log on to the VPC console.

2. In the left-side navigation pane, click Route Tables.

3. In the top navigation bar, select the region where you want to create the custom route table. Singapore is selected in this example.

4. On the Route Tables page, click Create Route Table.

5. On the Create Route Table page, configure the following parameters and click OK.

   Parameter	Description
   Resource Group	Select the resource group to which the custom route table belongs.
   VPC	Select the VPC to which the custom route table belongs. Note Select the VPC with which the IPv4 gateway is associated.
   Associated Resource Type	Select the type of the resource with which you want to associate the route table. In this example, vSwitch is selected.
   Name	Enter a name for the custom route table.
   Description	Enter a description for the custom route table.

6. On the Route Tables page, find the route table that you want to manage and click its ID.

7. On the details page of the route table, click the Associated vSwitch tab and click Associate vSwitch.

8. In the Associate vSwitch dialog box, select VSW2 and click OK.

Step 3: Add routes to the custom route table

1. Log on to the VPC console.

2. In the left-side navigation pane, click Route Tables.

3. In the top navigation bar, select the region where you want to create the custom route table. Singapore is selected in this example.

4. On the Route Tables page, find the route table that you want to manage and click its ID.

5. On the details page of the route table, choose Route Entry List > Custom Route.

6. Click Add Route Entry. In the Add Route Entry panel, configure the following parameters and click OK.

   Parameter	Description
   Name	Enter a name for the custom route.
   Destination CIDR Block	Enter the destination CIDR block to which you want to route traffic. In this example, 0.0.0.0/0 is used.
   Next Hop Type	Select the type of next hop. In this example, IPv4 Gateway is selected.
   IPv4 Gateway	Select the ID of the IPv4 gateway.

Step 4: Create an SNAT entry for NATGW2 in VSW2

You need to create an SNAT entry for NATGW2 in VSW2 to allow ECS instances without public IP addresses in VSW1 to access the Internet by using NATGW2 in VSW2.

1. Log on to the NAT Gateway console.

2. In the top navigation bar, select the region where NATGW2 is deployed. Singapore is selected in this example.

3. On the Internet NAT Gateway page, find the NAT gateway that you want to manage and click Configure SNAT in the Actions column.

4. On the SNAT Management tab, click Create SNAT Entry.

5. On the Create SNAT Entry page, configure the following parameters and click OK.

   Parameter	Description
   SNAT Entry	Specify whether you want to create an SNAT entry for a VPC, a vSwitch, an ECS instance, or a custom CIDR block. In this example, Specify vSwitch is selected.
   Select vSwitch	Select the vSwitch in which the ECS instances can use the SNAT entry to access the Internet. In this example, VSW1 is selected.
   vSwitch CIDR Block	The CIDR block of the selected vSwitch is automatically displayed.
   Select Public IP Address	Select one or more EIPs that you want to use to access the Internet. In this example, Use Single IP is selected and the EIP associated with NATGW2 is selected from the drop-down list.
   Entry Name	Enter a name for the SNAT entry.

Step 5: Add a route to the system route table of the VPC

You need to add a route that points to NATGW2 to the system route table associated with VSW1. This route allows ECS instances without public IP addresses in VSW1 to access NATGW2, where SNAT is enabled.

1. Log on to the VPC console.

2. In the left-side navigation pane, click Route Tables.

3. In the top navigation bar, select the region where you want to create the custom route table. Singapore is selected in this example.

4. On the Route Tables page, find the system route table of the VPC and click its ID.

5. On the details page of the route table, choose Route Entry List > Custom Route.

6. Click Add Route Entry. In the Add Route Entry panel, configure the following parameters and click OK.

   Parameter	Description
   Name	Enter a name for the custom route.
   Destination CIDR Block	Enter the destination CIDR block to which you want to route traffic. In this example, 0.0.0.0/0 is used.
   Next Hop Type	Select the type of next hop. In this example, NAT Gateway is selected.
   NAT Gateway	In this example, the ID of NATGW2 is selected.

Step 6: Delete NATGW1 from VSW1

• No EIP is associated with the Internet NAT gateway. If an EIP is associated with the Internet NAT gateway, disassociate the EIP from the Internet NAT gateway. For more information, see Disassociate an EIP.

• The SNAT table does not contain SNAT entries. If the SNAT table contains SNAT entries, delete them. For more information, see Delete an SNAT entry.

• By default, Deletion Protection is in the Disabled state on the Basic Information tab of the Internet NAT gateway. If Deletion Protection is in the Enabled state, disable deletion protection.

1. Log on to the NAT Gateway console.

2. In the top navigation bar, select the region where NATGW1 is deployed. Singapore is selected in this example.

3. On the Internet NAT Gateway page, find the Internet NAT gateway that you want to delete and choose > Delete in the Actions column.

4. In the Delete Gateway message, click OK.

   If you want to forcefully delete an Internet NAT gateway and its resources, select Force Delete (Delete the NAT gateway and associated SNAT/DNAT entries) in the Delete Gateway dialog box. When you forcefully delete an Internet NAT gateway, the system automatically disassociates EIPs from the Internet NAT gateway and deletes SNAT entries and DNAT entries from the Internet NAT gateway.

Step 7: Enable the IPv4 gateway

You must enable the IPv4 gateway before it can forward traffic. Only enabled IPv4 gateways allow ECS instances in associated VPCs to access the Internet.

1. Log on to the VPC console.

2. In the top navigation bar, select the IPv4 gateway. In the top navigation bar, select the region where the IPv4 gateway is deployed. Singapore is selected in this example.

3. In the left-side navigation pane, click IPv4 Gateway.

4. On the IPv4 Gateway page, find the IPv4 gateway that you want to enable and click Activate in the Actions column.

Step 8: Test the network connectivity

After you complete the preceding steps, you must test whether ECS1 in VSW1 can access the destination CIDR block by using NATGW2 and the IPv4 gateway, and whether ECS2 in VSW2 can access the destination CIDR block by using the IPv4 gateway. In this example, both ECS1 and ECS2 run the Linux operating system.

1. Test whether ECS1 can access the destination CIDR block.

   1. Log on to ECS1. For more information, see Connection method overview.

   2. Run the curl www.aliyun.com command on ECS1.

   3. The following echo reply packet indicates that ECS1 can access www.aliyun.com.

2. Test whether ECS2 can access the destination CIDR block.

   1. Remotely log on to ECS2.

   2. Run the curl www.aliyun.com command on ECS2.

   3. The following echo reply packet indicates that ECS2 can access www.aliyun.com.