You cannot use the NAT Gateway console to directly switch network traffic to another Internet NAT gateway in the same virtual private cloud (VPC). However, you can create an Internet NAT gateway in the VPC and modify the route whose destination CIDR block is 0.0.0.0/0. This way, network traffic is switched to an Internet NAT gateway that belongs to a different vSwitch or uses a different private IP address.

Procedure

This topic describes how to switch network traffic to an Internet NAT gateway in a different vSwitch. Procedure for the International site

Prerequisites

Before you start, make sure that the following requirements are met:
  • A VPC named VPC1 is created in the China (Hangzhou) region and vSwitches named VSW1 and VSW2 are created in the VPC. VSW1 is created in Zone B, and VSW2 is created in Zone H. For more information, see Create an IPv4 VPC.
  • An Elastic Compute Service (ECS) instance named ECS1 is created in VSW1 and no static public address is allocated to ECS1. For more information, see Create an instance by using the wizard.
  • An Internet NAT gateway (Internet NAT Gateway A) is created in VSW1. An SNAT entry is created for VPC1. A DNAT entry that uses port mapping is configured. In the DNAT entry, the private IP address is set to the private IP address of ECS1, the public port and the private port are set to 22, and the protocol is set to TCP.

Step 1: Check whether NAT Gateway A works as expected

  1. Log on to ECS1 in VSW1. For more information, see Connection methods.
  2. Run the ping command to check the network connectivity.
  3. Run the curl myip.ipip.net command to query the public IP address that ECS1 uses to access the Internet.
    The query result shows the public IP address that ECS1 uses to access the Internet is the same as the elastic IP address (EIP) configured in the SNAT entry of NAT Gateway A. This indicates that ECS1 accesses the Internet by using the SNAT feature of NAT Gateway A. Query the public IP address
  4. Log on to an on-premises Linux machine.
  5. Run the ssh root@public IP address command. In this command, the public IP address is the EIP configured in the DNAT entry of NAT Gateway A. Then, enter the password of ECS1 and check if you can connect to ECS1.
    If Welcome to Alibaba Cloud Elastic Compute Service! is returned, it indicates that ECS1 uses the DNAT feature of NAT Gateway A to provide services over the Internet. ssh

Step 2: Create NAT Gateway B and associate an EIP with NAT Gateway B

In this example, NAT Gateway B is attached to VSW2.

  1. Log on to the NAT Gateway console.
  2. On the Internet NAT Gateway page, click Create NAT Gateway.
  3. When you create an Internet NAT gateway for the first time, click Create in the Notes on Creating Service-linked Roles section of the buy page to create a service-linked role. After the service-linked role is created, you can create NAT gateways.
    Create the service-linked role For more information, see Service-linked roles for NAT Gateway.
  4. On the buy page, set the following parameters and click Buy Now.
    Parameter Description
    Billing Method

    By default, Pay-As-You-Go is selected. You can pay for resources after you use them. For more information, see Billing of Internet NAT gateways.

    Region

    Select the region where you want to create the Internet NAT gateway.

    VPC

    Select the VPC for which you want to create the Internet NAT gateway. After the Internet NAT gateway is created, you cannot change the VPC to which the Internet NAT gateway belongs.

    Associate vSwitch

    Select the vSwitch to which the Internet NAT gateway belongs.

    Billing Method

    By default, Pay-By-CU is selected. You are charged based on the resources that you use. For more information, see Billing of Internet NAT gateways.

    Billing Cycle

    By default, By Hour is selected. Fees are calculated on an hourly basis. If you use an Internet NAT gateway for less than 1 hour, the usage duration is rounded up to 1 hour.

    Instance Name

    Enter a name for the Internet NAT gateway.

    The name must be 2 to 128 characters in length and can contain digits, underscores (_), and hyphens (-). The name must start with a letter.

    Access Mode

    Select whether to enable SNAT for the resources in the specified VPC. Supported options:

    • SNAT for All VPC Resources: After the Internet NAT gateway is created, all resources in the VPC can access the Internet by using the SNAT feature of the NAT gateway.

      If you select SNAT for All VPC Resources, you must also specify an EIP.

    • Configure Later: If you select this option, SNAT is disabled. You can configure SNAT on the Internet NAT gateway in the console after you complete the payment.

      If you select Configure Later, only the Internet NAT gateway is created. No SNAT entry is created.

    In this example, Configure Later is selected.
  5. On the Confirm page, confirm the information, select the Terms of Service check box, and then click Confirm.
    When the message Order complete. appears, the Internet NAT gateway is created.
  6. On the Internet NAT Gateway page, find NAT Gateway B, and click Associate Now in the Elastic IP Address column.
  7. In the Associate EIP dialog box, set the following parameters and click OK.

    EIPs: Select the EIP that you want to associate with the Internet NAT gateway. In this example, Purchase and Associate EIP is selected.

Step 3: Configure an SNAT entry and a DNAT entry on NAT Gateway B

Configure an SNAT entry and a DNAT entry on NAT Gateway B. Use the same configurations of NAT Gateway A for NAT Gateway B. However, the EIP of NAT Gateway B must be different from the EIP of NAT Gateway A.

  1. Log on to the NAT Gateway console.
  2. In the top navigation bar, select the region where you want to create the NAT gateway.
  3. On the Internet NAT Gateway page, find the NAT gateway that you want to manage and click Configure SNAT in the Actions column.
  4. On the SNAT Management tab, click Create SNAT Entry.
  5. On the Create SNAT Entry page, set the following parameters and click Confirm.
    Parameter Description
    SNAT Entry Specify whether you want to create an SNAT entry for a VPC, a vSwitch, an ECS instance, or a custom CIDR block.

    In this example, Specify VPC is selected. All ECS instances in VPC1 can access the Internet by using the SNAT entry.

    Select Public IP Address Select one or more EIPs that are used to access the Internet.

    In this example, Use One IP address is selected and the EIP associated with NAT Gateway B is selected from the drop-down list.

    Entry Name Enter a name for the SNAT entry.

    The name must be 2 to 128 characters in length, and can contain digits, underscores (_), and hyphens (-). The name must start with a letter.

  6. Go back to the Internet NAT Gateway page, find NAT Gateway B and click Configure DNAT in the Actions column.
  7. On the DNAT Management tab, click Create DNAT Entry.
  8. On the Create DNAT Entry page, set the following parameters and click Confirm.
    Parameter Description
    Select Public IP Address Select an EIP that is used to provide Internet-facing services. In this example, the EIP associated with NAT Gateway B is selected.
    Select Private IP Address Select the ECS instance that uses the DNAT entry to provide Internet-facing services.

    In this example, Select by ECS or ENI is selected and ECS1 is selected from the drop-down list.

    Port Settings Select a DNAT mapping method.

    In this example, Specific Port is selected. Public Port is set to 22, Private Port is set to 22, and Protocol Type is set to TCP.

    Entry Name Enter a name for the DNAT entry.

    The name must be 2 to 128 characters in length, and can contain digits, underscores (_), and hyphens (-). The name must start with a letter.

Step 4: Modify the custom route in the system route table

After you create the first Internet NAT gateway in a VPC, a route is automatically added to the route table of the VPC. The destination CIDR block of the route is 0.0.0.0/0 and the next hop is the Internet NAT gateway. This ensures that network traffic is routed to the Internet NAT gateway. After you create NAT Gateway B, the system does not add a route whose destination CIDR block is 0.0.0.0/0 and whose next hop is NAT Gateway B to the system route table. Therefore, network traffic cannot be routed to NAT Gateway B. You must modify the route whose destination CIDR block is 0.0.0.0/0 by specifying NAT Gateway B as the next hop. This way, network traffic is routed to NAT Gateway B instead of NAT Gateway A.

  1. Log on to the VPC console.
  2. In the left-side navigation pane, click Route Tables.
  3. In the top navigation bar, select the region to which the route table belongs.
  4. On the Route Tables page, find the route table of VPC1 and click its ID.
  5. Choose Route Entry List > Custom Route, find the custom route whose destination CIDR block is 0.0.0.0/0 and whose next hop is NAT Gateway A, and then click Delete in the Actions column.
  6. In the Delete Route Entry message, click OK.
  7. Click Add Route Entry. In the Add Route Entry panel, set the following parameters and click OK.
    Parameter Description
    Name Enter a name for the route entry.

    The name must be 2 to 128 characters, and can contain digits, underscores (_), and hyphens (-). The name must start with a letter.

    Destination CIDR Block Enter the destination CIDR block. In this example, IPv4 CIDR Block is selected and 0.0.0.0/0 is entered.
    Next Hop Type Select the next hop type. In this example, NAT Gateway is selected.
    NAT Gateway Select a NAT gateway as the next hop. In this example, NAT Gateway B is selected.
    Note After the route is created, existing connections can resume only after your workloads are reconnected. We recommend that you create the route during off-peak hours.

Step 5: Test network connectivity

Check whether network traffic is switched from NAT Gateway A to NAT gateway B. In this example, network traffic is switched to an Internet NAT gateway that belongs to a different vSwitch and uses a different private IP address. If you want to switch to an Internet NAT gateway that uses a different private IP address in the same vSwitch, you can also refer to the procedure in this topic.

  1. Log on to ECS1 in VSW1.
  2. Run the ping command to test the network connectivity.
  3. Run the curl myip.ipip.net command to query the public IP address that ECS1 uses to access the Internet.
    The query result shows the public IP address that ECS1 uses to access the Internet is the same as the EIP configured in the SNAT entry of NAT Gateway B. This indicates that ECS1 accesses the Internet by using the SNAT feature of NAT Gateway B. snat
  4. Log on to an on-premises Linux machine.
  5. Run the ssh root@public IP address command. In this command, the public IP address is the EIP configured in the DNAT entry of NAT Gateway B. Then, enter the password of ECS1 and check if you can connect to ECS1.
    If Welcome to Alibaba Cloud Elastic Compute Service! is returned, it indicates that ECS1 can use the DNAT feature of NAT Gateway B to provide services over the Internet. test