You cannot use the NAT Gateway console to directly switch network traffic to another
Internet NAT gateway in the same virtual private cloud (VPC). However, you can create
an Internet NAT gateway in the VPC and modify the route whose destination CIDR block
is 0.0.0.0/0. This way, network traffic is switched to an Internet NAT gateway that
belongs to a different vSwitch or uses a different private IP address.
Procedure
This topic describes how to switch network traffic to an Internet NAT gateway in a
different vSwitch.
Prerequisites
Before you start, make sure that the following requirements are met:
- A VPC named VPC1 is created in the China (Hangzhou) region and vSwitches named VSW1
and VSW2 are created in the VPC. VSW1 is created in Zone B, and VSW2 is created in
Zone H. For more information, see Create an IPv4 VPC.
- An Elastic Compute Service (ECS) instance named ECS1 is created in VSW1 and no static
public address is allocated to ECS1. For more information, see Create an instance by using the wizard.
- An Internet NAT gateway (Internet NAT Gateway A) is created in VSW1. An SNAT entry
is created for VPC1. A DNAT entry that uses port mapping is configured. In the DNAT
entry, the private IP address is set to the private IP address of ECS1, the public
port and the private port are set to 22, and the protocol is set to TCP.
Step 1: Check whether NAT Gateway A works as expected
- Log on to ECS1 in VSW1. For more information, see Connection methods.
- Run the ping command to check the network connectivity.
- Run the curl myip.ipip.net command to query the public IP address that ECS1 uses to access the Internet. The query result shows that the public IP address that ECS1 uses to access the Internet is the same as the elastic IP address (EIP) configured in the SNAT entry of NAT Gateway A. This indicates that ECS1 accesses the Internet by using the SNAT feature of NAT Gateway A.
- Log on to an on-premises Linux machine.
- Run the ssh root@<public IP address> command, where <public IP address> is the EIP configured in the DNAT entry of NAT Gateway A. Then, enter the password of ECS1 and check whether you can connect to ECS1. If Welcome to Alibaba Cloud Elastic Compute Service! is returned, ECS1 uses the DNAT feature of NAT Gateway A to provide services over the Internet.
Step 2: Create NAT Gateway B and associate an EIP with NAT Gateway B
In this example, NAT Gateway B is attached to VSW2.
- Log on to the NAT Gateway console.
- On the Internet NAT Gateway page, click Create NAT Gateway.
- When you create an Internet NAT gateway for the first time, click Create in the Notes on Creating Service-linked Roles section of the buy page to create a service-linked role. After the service-linked
role is created, you can create NAT gateways.
- On the buy page, set the following parameters and click Buy Now.
| Parameter | Description |
| --- | --- |
| Billing Method | By default, Pay-As-You-Go is selected. You pay for resources after you use them. For more information, see Billing of Internet NAT gateways. |
| Region | Select the region where you want to create the Internet NAT gateway. |
| VPC | Select the VPC for which you want to create the Internet NAT gateway. After the Internet NAT gateway is created, you cannot change the VPC to which it belongs. |
| Associate vSwitch | Select the vSwitch to which the Internet NAT gateway belongs. |
| Billing Method | By default, Pay-By-CU is selected. You are charged based on the resources that you use. For more information, see Billing of Internet NAT gateways. |
| Billing Cycle | By default, By Hour is selected. Fees are calculated on an hourly basis. If you use an Internet NAT gateway for less than 1 hour, the usage duration is rounded up to 1 hour. |
| Instance Name | Enter a name for the Internet NAT gateway. The name must be 2 to 128 characters in length and can contain digits, underscores (_), and hyphens (-). The name must start with a letter. |
| Access Mode | Select whether to enable SNAT for the resources in the specified VPC. Supported options: SNAT for All VPC Resources: after the Internet NAT gateway is created, all resources in the VPC can access the Internet by using the SNAT feature of the NAT gateway; if you select this option, you must also specify an EIP. Configure Later: SNAT is disabled and only the Internet NAT gateway is created, with no SNAT entry; you can configure SNAT on the Internet NAT gateway in the console after you complete the payment. In this example, Configure Later is selected. |
- On the Confirm page, confirm the information, select the Terms of Service check box, and then click
Confirm.
When the message Order complete. appears, the Internet NAT gateway is created.
- On the Internet NAT Gateway page, find NAT Gateway B, and click Associate Now in the Elastic IP Address column.
- In the Associate EIP dialog box, set the following parameters and click OK.
EIPs: Select the EIP that you want to associate with the Internet NAT gateway. In this
example, Purchase and Associate EIP is selected.
Step 3: Configure an SNAT entry and a DNAT entry on NAT Gateway B
Configure an SNAT entry and a DNAT entry on NAT Gateway B. Use the same configurations
of NAT Gateway A for NAT Gateway B. However, the EIP of NAT Gateway B must be different
from the EIP of NAT Gateway A.
- Log on to the NAT Gateway console.
- In the top navigation bar, select the region where you want to create the NAT gateway.
- On the Internet NAT Gateway page, find the NAT gateway that you want to manage and click Configure SNAT in the Actions column.
- On the SNAT Management tab, click Create SNAT Entry.
- On the Create SNAT Entry page, set the following parameters and click Confirm.
| Parameter | Description |
| --- | --- |
| SNAT Entry | Specify whether you want to create an SNAT entry for a VPC, a vSwitch, an ECS instance, or a custom CIDR block. In this example, Specify VPC is selected. All ECS instances in VPC1 can access the Internet by using the SNAT entry. |
| Select Public IP Address | Select one or more EIPs that are used to access the Internet. In this example, Use One IP address is selected and the EIP associated with NAT Gateway B is selected from the drop-down list. |
| Entry Name | Enter a name for the SNAT entry. The name must be 2 to 128 characters in length, and can contain digits, underscores (_), and hyphens (-). The name must start with a letter. |
- Go back to the Internet NAT Gateway page, find NAT Gateway B and click Configure DNAT in the Actions column.
- On the DNAT Management tab, click Create DNAT Entry.
- On the Create DNAT Entry page, set the following parameters and click Confirm.
| Parameter | Description |
| --- | --- |
| Select Public IP Address | Select an EIP that is used to provide Internet-facing services. In this example, the EIP associated with NAT Gateway B is selected. |
| Select Private IP Address | Select the ECS instance that uses the DNAT entry to provide Internet-facing services. In this example, Select by ECS or ENI is selected and ECS1 is selected from the drop-down list. |
| Port Settings | Select a DNAT mapping method. In this example, Specific Port is selected. Public Port is set to 22, Private Port is set to 22, and Protocol Type is set to TCP. |
| Entry Name | Enter a name for the DNAT entry. The name must be 2 to 128 characters in length, and can contain digits, underscores (_), and hyphens (-). The name must start with a letter. |
Step 4: Modify the custom route in the system route table
After you create the first Internet NAT gateway in a VPC, a route is automatically
added to the route table of the VPC. The destination CIDR block of the route is 0.0.0.0/0
and the next hop is the Internet NAT gateway. This ensures that network traffic is
routed to the Internet NAT gateway. After you create NAT Gateway B, the system does
not add a route whose destination CIDR block is 0.0.0.0/0 and whose next hop is NAT
Gateway B to the system route table. Therefore, network traffic cannot be routed to
NAT Gateway B. You must modify the route whose destination CIDR block is 0.0.0.0/0
by specifying NAT Gateway B as the next hop. This way, network traffic is routed to
NAT Gateway B instead of NAT Gateway A.
- Log on to the VPC console.
- In the left-side navigation pane, click Route Tables.
- In the top navigation bar, select the region to which the route table belongs.
- On the Route Tables page, find the route table of VPC1 and click its ID.
- Choose , find the custom route whose destination CIDR block is 0.0.0.0/0 and whose next hop
is NAT Gateway A, and then click Delete in the Actions column.
- In the Delete Route Entry message, click OK.
- Click Add Route Entry. In the Add Route Entry panel, set the following parameters and click OK.
| Parameter | Description |
| --- | --- |
| Name | Enter a name for the route entry. The name must be 2 to 128 characters in length, and can contain digits, underscores (_), and hyphens (-). The name must start with a letter. |
| Destination CIDR Block | Enter the destination CIDR block. In this example, IPv4 CIDR Block is selected and 0.0.0.0/0 is entered. |
| Next Hop Type | Select the next hop type. In this example, NAT Gateway is selected. |
| NAT Gateway | Select a NAT gateway as the next hop. In this example, NAT Gateway B is selected. |
Note After the route is created, existing connections can resume only after your workloads
are reconnected. We recommend that you create the route during off-peak hours.
Step 5: Test network connectivity
Check whether network traffic is switched from NAT Gateway A to NAT Gateway B. In
this example, network traffic is switched to an Internet NAT gateway that belongs
to a different vSwitch and uses a different private IP address. If you want to switch
to an Internet NAT gateway that uses a different private IP address in the same vSwitch,
you can also follow the procedure in this topic.
- Log on to ECS1 in VSW1.
- Run the ping command to test the network connectivity.
- Run the curl myip.ipip.net command to query the public IP address that ECS1 uses to access the Internet. The query result shows that the public IP address that ECS1 uses to access the Internet is the same as the EIP configured in the SNAT entry of NAT Gateway B. This indicates that ECS1 accesses the Internet by using the SNAT feature of NAT Gateway B.
- Log on to an on-premises Linux machine.
- Run the ssh root@<public IP address> command, where <public IP address> is the EIP configured in the DNAT entry of NAT Gateway B. Then, enter the password of ECS1 and check whether you can connect to ECS1. If Welcome to Alibaba Cloud Elastic Compute Service! is returned, ECS1 uses the DNAT feature of NAT Gateway B to provide services over the Internet.
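The route change in Step 4 and the egress check in Step 5, modelled as an added example that is not Alibaba Cloud code. The route entries, gateway IDs and curl output are constructed; the functions enforce that VPC1 keeps exactly one 0.0.0.0/0 route during the switch and that the observed egress address is the EIP of NAT Gateway B.

```python
"""Added example, not Alibaba Cloud code: models the route change in
Step 4 and the egress check in Step 5. Route entries mirror the console
fields; gateway IDs and IP addresses are constructed placeholders."""
import ipaddress
import re

DEFAULT_CIDR = "0.0.0.0/0"

# Constructed VPC1 system route table before the switch (IDs are placeholders).
ROUTES_BEFORE = [
    {"destination": "192.168.0.0/16", "next_hop_type": "Local", "next_hop": "local"},
    {"destination": DEFAULT_CIDR, "next_hop_type": "NAT Gateway", "next_hop": "ngw-A-placeholder"},
]


def default_routes(routes):
    """All entries whose destination CIDR block is 0.0.0.0/0."""
    return [r for r in routes if r["destination"] == DEFAULT_CIDR]


def switch_default_route(routes, old_gw, new_gw):
    """Delete the 0.0.0.0/0 route that points at old_gw and add one to new_gw.

    Refuses to act unless exactly one default route exists and it points at
    old_gw, so the table never ends up with no default route or two of them.
    Returns a new list; the input is not modified.
    """
    defaults = default_routes(routes)
    if len(defaults) != 1:
        raise ValueError(f"expected one {DEFAULT_CIDR} route, found {len(defaults)}")
    current = defaults[0]
    if current["next_hop_type"] != "NAT Gateway" or current["next_hop"] != old_gw:
        raise ValueError(f"default route does not point at {old_gw}: {current}")
    kept = [r for r in routes if r is not current]
    kept.append({"destination": DEFAULT_CIDR, "next_hop_type": "NAT Gateway", "next_hop": new_gw})
    return kept


def egress_matches(curl_output, expected_eip):
    """True if the first valid IPv4 address in the 'curl myip.ipip.net' output
    is the EIP configured in the SNAT entry of the gateway that should now
    carry traffic. Nothing about the output format is assumed beyond that."""
    for token in re.findall(r"\d{1,3}(?:\.\d{1,3}){3}", curl_output):
        try:
            return str(ipaddress.IPv4Address(token)) == expected_eip
        except ValueError:
            continue  # not a valid dotted quad, keep looking
    return False
```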