
Virtual Private Cloud: IPv4 gateway overview

Last Updated:May 30, 2024

An IPv4 gateway is a network component that connects a virtual private cloud (VPC) to the Internet. Used together with the subnet routing feature, it lets you control which subnets of a VPC can reach the Internet and lets you steer Internet-bound and Internet-originated traffic through a virtual firewall. This topic describes the features, limits, and use scenarios of IPv4 gateways.

Supported regions

By default, IPv4 gateways are supported in the following regions.

Area: Asia Pacific
Regions: China (Hangzhou), China (Shanghai), China (Nanjing - Local Region), China (Qingdao), China (Beijing), China (Zhangjiakou), China (Hohhot), China (Ulanqab), China (Shenzhen), China (Heyuan), China (Guangzhou), China (Chengdu), China (Hong Kong), China (Wuhan - Local Region), China (Fuzhou - Local Region), Japan (Tokyo), South Korea (Seoul), Singapore, Australia (Sydney), Malaysia (Kuala Lumpur), Indonesia (Jakarta), Philippines (Manila), Thailand (Bangkok), and India (Mumbai)

Area: Europe & Americas
Regions: Germany (Frankfurt), UK (London), US (Silicon Valley), and US (Virginia)

Area: Middle East
Regions: UAE (Dubai) and SAU (Riyadh - Partner Region)

Important

The SAU (Riyadh - Partner Region) region is operated by a partner.

Overview

An IPv4 gateway supports the following features:

  • An IPv4 gateway can serve as the next hop of a route in a VPC route table and control the range of destination addresses that a VPC can access over the Internet.

  • An IPv4 gateway provides the network address translation service for resources that are assigned public IPv4 addresses, such as Elastic Compute Service (ECS) instances and elastic network interfaces (ENIs).

Scenarios

Manage Internet access

By default, ECS instances in a VPC that have static public IP addresses or elastic IP addresses (EIPs) can access the Internet regardless of the VPC route tables. To reduce the exposure that unrestricted Internet access creates, you can use an IPv4 gateway together with subnet routing to manage Internet access for the VPC: you allow specific subnets to reach the Internet and block others, based on your business requirements.

(Figure: Internet access control)

The preceding figure shows the configuration procedure:

  1. Create an IPv4 gateway in a VPC. For more information, see Create and manage an IPv4 gateway.

  2. Create an Internet NAT gateway in vSwitch 1 and create a custom route table named Subnet route table-1 for vSwitch 1. Set the next hop of the 0.0.0.0/0 default route in Subnet route table-1 to the IPv4 gateway.

  3. Create a custom route table named Subnet route table-2 and associate it with vSwitch 2 and vSwitch 3. Set the next hop of the 0.0.0.0/0 default route in Subnet route table-2 to the Internet NAT gateway. Traffic from vSwitch 2 and vSwitch 3 therefore leaves through the NAT gateway in vSwitch 1, whose subnet routes to the IPv4 gateway.

  4. Activate the IPv4 gateway.

    After you activate the IPv4 gateway, if no route that points to the IPv4 gateway is added to a VPC route table, the subnet that is associated with the route table cannot access the Internet. This subnet is called a private subnet. If routes that point to the IPv4 gateway are added to a VPC route table, the subnet that is associated with the route table can access the Internet. This subnet is called a public subnet.

Manage inbound routing policies

You can use the subnet routing feature together with an IPv4 gateway to route inbound traffic through a virtual firewall, such as Cloud Firewall, so that your ECS instances are protected against malicious requests.

(Figure: IPv4 virtual firewall)

When the traffic between ECS instances associated with EIPs and the Internet must be filtered by a firewall, configure routes as shown in the preceding figure.

  1. Create an IPv4 gateway in a specified VPC.

  2. Deploy a dedicated vSwitch for the virtual firewall and associate a custom route table with the vSwitch. Set the next hop of the default 0.0.0.0/0 route of the route table to the IPv4 gateway. This way, the vSwitch in which the virtual firewall is deployed can access the Internet.

  3. Deploy a dedicated vSwitch for your workloads and associate a custom route table with the vSwitch. Set the next hop of the default 0.0.0.0/0 route of the route table to the ENI of the virtual firewall.

  4. Create a custom route table in the VPC and associate the route table with the IPv4 gateway to control inbound traffic from the Internet. This route table is called the gateway route table. In the gateway route table, find the route that points to the CIDR block of the vSwitch in which your workloads are deployed and change the next hop of the route to the ENI of the virtual firewall.
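Both procedures above can be checked against a small model. The following Python is an added example, not code from this page or from Alibaba Cloud: it implements longest-prefix-match route tables, a gateway route table that accepts only next-hop changes to its system routes (including the ENI/ECS Instance rule from the Limits section), and a walker that follows next hops from a vSwitch to the IPv4 gateway, so you can see which subnets end up public, which stay private, and how inbound traffic to the workload CIDR is steered through the firewall ENI. The vSwitch names, CIDRs, next-hop IDs (ngw, fw-eni, igw) and the Internet test address are constructed for the example; the rule that EIP traffic ignores the route tables until the gateway is activated is taken from this page.

```python
"""Toy model of VPC routing through an IPv4 gateway (added illustration, not
Alibaba Cloud code). Names, CIDRs and next-hop IDs are constructed."""
import ipaddress
from dataclasses import dataclass, field

LOCAL = ("Local", None)            # deliver inside the VPC
IPV4_GW = ("Ipv4Gateway", "igw")   # the VPC's single IPv4 gateway


@dataclass
class RouteTable:
    name: str
    routes: dict = field(default_factory=dict)   # network -> (hop type, hop id)

    def add(self, cidr, hop):
        self.routes[ipaddress.ip_network(cidr)] = hop

    def lookup(self, dst):
        dst = ipaddress.ip_address(dst)
        hits = [n for n in self.routes if dst in n]
        return self.routes[max(hits, key=lambda n: n.prefixlen)] if hits else None


class GatewayRouteTable(RouteTable):
    """The one table attached to the IPv4 gateway: a system route per vSwitch
    CIDR whose next hop may be changed (Local, ENI or Instance), nothing else."""

    def __init__(self, vswitch_cidrs):
        super().__init__("gateway-rt")
        for cidr in vswitch_cidrs:
            self.add(cidr, LOCAL)

    def set_next_hop(self, cidr, hop):
        net = ipaddress.ip_network(cidr)
        if net not in self.routes:
            raise ValueError("custom routes are not allowed in a gateway route table")
        if {self.routes[net][0], hop[0]} == {"ENI", "Instance"}:   # must pass through Local
            raise ValueError("set the next hop to Local before switching ENI <-> Instance")
        self.routes[net] = hop


@dataclass
class Vpc:
    vswitch_cidrs: dict                              # vSwitch name -> CIDR
    tables: dict = field(default_factory=dict)       # vSwitch name -> RouteTable
    located_in: dict = field(default_factory=dict)   # NAT gateway / ENI id -> vSwitch
    gateway_active: bool = False
    gateway_rt: GatewayRouteTable = None

    def __post_init__(self):
        self.gateway_rt = GatewayRouteTable(self.vswitch_cidrs.values())

    def egress_path(self, vswitch, dst="198.51.100.7"):
        """Walk next hops from a vSwitch toward an Internet address.
        Returns (hop ids, reaches_internet)."""
        if not self.gateway_active:
            # Until the gateway is activated the route tables do not govern
            # Internet access: an instance with an EIP/static public IP goes out directly.
            return (["direct (gateway not activated)"], True)
        path, here = [], vswitch
        for _ in range(8):                    # bounded walk, so a routing loop cannot hang us
            hop = self.tables[here].lookup(dst)
            if hop is None or hop == LOCAL:
                return (path, False)          # private subnet: no route to the Internet
            path.append(hop[1])
            if hop == IPV4_GW:
                return (path, True)           # public subnet
            here = self.located_in[hop[1]]    # NAT gateway or firewall ENI: continue from its vSwitch
        return (path, False)

    def ingress_path(self, dst):
        """Inbound packet from the Internet: the gateway route table picks the first hop."""
        hop = self.gateway_rt.lookup(dst)
        if hop is None:
            return ["igw", "drop"]
        return ["igw"] + ([] if hop == LOCAL else [hop[1]]) + ["workload"]


def scenario_internet_access():
    """Figure 1: vSwitch 1 hosts the NAT gateway, vSwitches 2/3 route via it, vSwitch 4 stays private."""
    vpc = Vpc({"vsw1": "10.0.1.0/24", "vsw2": "10.0.2.0/24",
               "vsw3": "10.0.3.0/24", "vsw4": "10.0.4.0/24"})
    rt1 = RouteTable("subnet-rt-1"); rt1.add("0.0.0.0/0", IPV4_GW)
    rt2 = RouteTable("subnet-rt-2"); rt2.add("0.0.0.0/0", ("NatGateway", "ngw"))
    vpc.tables = {"vsw1": rt1, "vsw2": rt2, "vsw3": rt2, "vsw4": RouteTable("subnet-rt-4")}
    vpc.located_in["ngw"] = "vsw1"
    before = vpc.egress_path("vsw4")          # before activation EIP traffic bypasses the tables
    vpc.gateway_active = True
    return before, vpc.egress_path("vsw1"), vpc.egress_path("vsw2"), vpc.egress_path("vsw4")


def scenario_inbound_firewall():
    """Figure 2: workload subnet egresses via the firewall ENI; inbound is steered to it."""
    vpc = Vpc({"vsw-fw": "10.0.10.0/24", "vsw-app": "10.0.20.0/24"})
    fw_rt = RouteTable("fw-rt"); fw_rt.add("0.0.0.0/0", IPV4_GW)
    app_rt = RouteTable("app-rt"); app_rt.add("0.0.0.0/0", ("ENI", "fw-eni"))
    vpc.tables = {"vsw-fw": fw_rt, "vsw-app": app_rt}
    vpc.located_in["fw-eni"] = "vsw-fw"
    vpc.gateway_active = True
    vpc.gateway_rt.set_next_hop("10.0.20.0/24", ("ENI", "fw-eni"))   # step 4 above
    return vpc.egress_path("vsw-app"), vpc.ingress_path("10.0.20.8"), vpc.ingress_path("10.0.10.8")


if __name__ == "__main__":
    print(scenario_internet_access())
    print(scenario_inbound_firewall())
```

Running the module prints the hop chains for both scenarios. The point of the walk is that a next hop of NAT gateway or ENI is not the end of the path: the packet continues from the vSwitch that hosts that resource, so the firewall or NAT subnet itself must have a route to the IPv4 gateway, and a subnet whose table never reaches the gateway stays private.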

Limits

  • IPv4 gateways support only IPv4 traffic.

  • An IPv4 gateway is region-specific: it can be used only in the region in which it is created.

  • You can create only one IPv4 gateway in a VPC and associate an IPv4 gateway with only one VPC.

  • Only activated IPv4 gateways support access to the Internet.

  • You can associate only one gateway route table with an IPv4 gateway.

  • You cannot associate a system route table with an IPv4 gateway.

  • You cannot associate a route table that is already associated with a vSwitch with an IPv4 gateway.

  • You cannot add custom routes to a gateway route table. You can only change the next hop of the routes it already contains.

    Supported next hop types: Local, ENI, and ECS Instance. You cannot switch a route directly between the ENI and ECS Instance types. To change ENI to ECS Instance, first change the next hop type to Local, then change it to ECS Instance and select an ECS instance as the next hop; the same two-step procedure applies when changing ECS Instance to ENI.

  • If a VPC contains one of the following resources, you cannot create an IPv4 gateway in the VPC:

Usage notes

  • After you create an IPv4 gateway in a VPC, you must activate it before it can manage Internet access for the VPC. Activation makes the VPC route tables authoritative for Internet-bound traffic, so to avoid a service interruption, first locate the 0.0.0.0/0 default route, or a route to a more specific public CIDR block, in the VPC route table and change its next hop to the IPv4 gateway.

  • Once the IPv4 gateway is activated, a subnet of the VPC can reach the Internet only if a route in its route table points to the IPv4 gateway.

Quotas

Name/ID: N/A
Description: Maximum number of IPv4 gateways that can be created in each VPC
Default value: 1
Adjustable: No

Description: Maximum number of gateway route tables that can be associated with each IPv4 gateway
Default value: 1