This topic describes how to configure an SNAT entry on an Internet NAT gateway to enable Internet access for an Elastic Compute Service (ECS) instance with no public IP address assigned.
Example scenario
An enterprise created a virtual private cloud (VPC) and a vSwitch on Alibaba Cloud. Multiple ECS instances are created in the vSwitch. The ECS instances are not assigned static public IP addresses or associated with elastic IP addresses (EIPs). Due to business growth, each ECS instance needs to access the Internet.
In this scenario, you can configure SNAT on an Internet NAT gateway. SNAT allows ECS instances in a VPC to access the Internet when the ECS instances are not assigned public IP addresses.
Prerequisites
A VPC and two vSwitches are created, and ECS instances are created in the vSwitches. For more information, see Create a VPC with an IPv4 CIDR block.
The VPC must meet the following requirements:
A custom route whose destination CIDR block is 0.0.0.0/0 does not exist in the VPC. If the custom route exists, delete it.
If you want to configure SNAT as a Resource Access Management (RAM) user, make sure that the RAM user has access permissions on the VPC. Otherwise, contact the Alibaba Cloud account owner to acquire the permissions.
Limits
By default, you can add up to 40 SNAT entries to an Internet NAT gateway.
You can increase the quota in one of the following ways:
Go to the Quota Management page to increase the quota. For more information, see Manage NAT Gateway quotas.
Go to the Quota Center to increase the quota. For more information, see Create a quota increase application.
For more information about NAT gateways, see NAT Gateway FAQ.
Procedure
Step 1: Create an Internet NAT gateway
Log on to the NAT Gateway console.
On the Internet NAT Gateway page, click Create Internet NAT Gateway.
On the NAT Gateway page, configure the following parameters and click Buy Now.
Parameter
Description
Region
Select the region where you want to create the Internet NAT gateway.
Network And Zone
Select the VPC and vSwitch to which the NAT gateway belongs. After the NAT gateway is created, you cannot change the VPC or vSwitch.
Network Type
In this example, Internet NAT Gateway is selected.
Internet NAT Gateway: provides Network Address Translation capabilities and can be associated with EIPs to allow ECS instances to access the Internet, enabling communication between private and public networks.
VPC NAT Gateway: also provides Network Address Translation capabilities but cannot be associated with EIPs. It can only provide address translation within private networks for ECS instances, suitable for scenarios such as hiding internal addresses and avoiding address conflicts.
Elastic IP Address
In this example, Purchase And Associate EIP is selected.
Select Existing EIP Instance: Select an EIP that is Not Associated With An Instance.
Purchase And Associate EIP: By default, a pay-by-traffic BGP (Multi-ISP) EIP is created. You can select a Bandwidth Peak based on your business requirements.
Note: If you want to associate an EIP with a different line type or billing method, first apply for an EIP, and then select Select Existing EIP Instance to associate it.
Each EIP that you associate with a NAT gateway occupies a private IP address of the vSwitch to which the NAT gateway belongs. Make sure that the vSwitch has sufficient available private IP addresses. Otherwise, you cannot associate new EIPs with the NAT gateway.
Configure Later: The created NAT gateway will not have Internet access capabilities. You need to manually associate an EIP with the NAT gateway.
You can find the Internet NAT gateway on the Internet NAT Gateway page.
Step 2: Add a route entry
Add a 0.0.0.0/0 route to the route table and point it to the NAT gateway to forward IPv4 traffic to the NAT gateway.
When the vSwitch to which the ECS instance belongs is associated with a custom route table, you must manually configure a route that points to the Internet NAT gateway.
When the vSwitch to which the ECS instance belongs is associated with a system route table:
If the system route table does not contain a 0.0.0.0/0 route, a route that points to the Internet NAT gateway is automatically created after the Internet NAT gateway is created. Therefore, you can skip this step.
If the system route table already contains a 0.0.0.0/0 route, you need to delete the route after the Internet NAT gateway is created. Then, create a route that points to the Internet NAT gateway.
Log on to the VPC console.
In the left-side navigation pane, click Route Tables.
In the top navigation bar, select the region to which the route table belongs.
On the Route Tables page, find the route table that you want to manage and click its ID.
On the details page, choose
and click Add Route Entry. In the Add Route Entry dialog box, set the following parameters and click OK.
Parameter
Description
Name
Enter a name for the custom route.
Resource Group
The resource group to which the next hop belongs.
Destination CIDR Block
Enter the destination CIDR block.
In this example, IPv4 CIDR Block is selected and 0.0.0.0/0 is used.
Next Hop Type
Select NAT Gateway from the drop-down list.
NAT Gateway
Select the Internet NAT gateway that you created.
Description
Enter the description of the custom route.
Step 3: Create an SNAT entry
After you configure the route entry, you need to configure an SNAT entry on the NAT gateway to ensure that the specified resources can access the Internet through the associated EIP.
Log on to the NAT Gateway console.
In the top navigation bar, select the region where you want to create the NAT gateway.
On the Internet NAT Gateway page, find the target Internet NAT gateway instance, and then click Configure SNAT in the Actions column.
On the SNAT Management tab, click Create SNAT Entry.
On the Create SNAT Entry page, configure the following parameters and click OK.
Parameter
Description
SNAT Entry
In this example, VPC is selected. You can select an SNAT entry type based on your business requirements.
VPC: Suitable for scenarios where all ECS instances in the VPC, along with ECS instances in other VPCs or data centers that are connected through CEN or dedicated lines and have 0.0.0.0/0 routes pointing to this VPC, need to access the Internet through the same EIP.
VSwitch: Suitable for scenarios where fine-grained control over Internet access is required, allowing only specified vSwitches to have Internet access capabilities.
ECS/ENI: Suitable for scenarios where fine-grained control over Internet access is required, allowing only specified ECS instances or elastic network interfaces (ENIs) to have Internet access capabilities.
Custom CIDR Block: Suitable for scenarios where you need to flexibly specify any IP CIDR block to configure Internet access capabilities through the NAT gateway. This can cover various network environments within a VPC, across VPCs, or across on-premises data centers, meeting the requirements of complex or customized network structures.
Note: If you select multiple vSwitches or ECS instances/ENIs, multiple SNAT entries will be created using the same public IP address.
Select EIP
Select the EIP that is used to access the Internet.
After the SNAT entry is created, you can view the SNAT entry in the SNAT Entry List section.
Verification
After you create an SNAT entry, you can test whether the ECS instances can access the Internet. In this example, an ECS instance that runs Linux is used.
Make sure that the security group rules of the ECS instance allow the ECS instance to access the Internet. For more information about security group rules, see Overview.
Log on to an ECS instance in the vSwitch. For more information, see Methods for connecting to an ECS instance.
Run the ping command (ping www.aliyun.com) to test the network connectivity. If you can receive echo reply packets, the connection is established.
The result shows that the ECS instance can access the Internet.
FAQ
Why are NAT gateways unavailable in some zones?
NAT gateways are unavailable in some zones due to insufficient resources. You can create NAT gateways in supported zones to allow ECS instances in a VPC to access the Internet.
How do I determine the priorities of public IP addresses, EIPs, SNAT entries, and DNAT entries (any port) when I configure Internet access for an ECS instance?
The following priority rule is applied: public IP address/EIP > DNAT IP mapping (any port) > EIP specified in SNAT.
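The rules this page states (the 0.0.0.0/0 route handling in Step 2, the four SNAT entry types in Step 3, and the priority rule above) are easy to get wrong when several of them apply to one ECS instance. The following Python model is an added example, not Alibaba Cloud code or an Alibaba Cloud API: it encodes those rules as plain functions so that you can predict, before touching the console, which public IP an instance's outbound traffic will carry and whether the route table still needs work. All instance, gateway, EIP and CIDR values in it are constructed. One assumption goes beyond the page: when more than one SNAT entry matches an instance, the model returns the first match in the order given, because the page does not state how overlapping SNAT entries are ranked.

```python
"""Predict an ECS instance's Internet egress IP from the rules stated on this page.

Added illustration; the data classes are a simplified, constructed model and not the
Alibaba Cloud API objects. IDs, EIPs and CIDR blocks below are constructed values.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional

DEFAULT_ROUTE = "0.0.0.0/0"


@dataclass
class Instance:
    instance_id: str
    vpc_id: str
    vswitch_id: str
    private_ip: str
    public_ip: Optional[str] = None   # static public IP or an EIP bound to the ENI


@dataclass
class SnatEntry:
    snat_ip: str        # the EIP chosen under "Select EIP"
    entry_type: str     # "VPC", "VSwitch", "ECS/ENI" or "Custom CIDR Block"
    source: str         # VPC ID, vSwitch ID, instance ID or CIDR block, respectively


@dataclass
class DnatEntry:
    external_ip: str
    internal_ip: str
    port: str = "Any"   # "Any" is the any-port mapping the FAQ refers to


@dataclass
class RouteEntry:
    destination: str
    next_hop_type: str  # e.g. "NatGateway" or "Instance"
    next_hop_id: str


@dataclass
class RouteTable:
    table_type: str     # "System" or "Custom"
    entries: List[RouteEntry] = field(default_factory=list)


def plan_default_route(table: RouteTable, nat_gateway_id: str) -> str:
    """Return the Step 2 action for this route table: "skip", "add" or "replace".

    "skip" means a 0.0.0.0/0 route to the gateway exists or is created automatically
    (system route table without a default route); "add" means a custom route table
    needs the route added by hand; "replace" means a conflicting 0.0.0.0/0 route must
    be deleted first and then the NAT gateway route created.
    """
    defaults = [e for e in table.entries if e.destination == DEFAULT_ROUTE]
    if not defaults:
        return "add" if table.table_type == "Custom" else "skip"
    existing = defaults[0]
    if existing.next_hop_type == "NatGateway" and existing.next_hop_id == nat_gateway_id:
        return "skip"
    return "replace"


def snat_matches(entry: SnatEntry, inst: Instance) -> bool:
    """Does this SNAT entry cover the instance, according to its entry type?"""
    if entry.entry_type == "VPC":
        return entry.source == inst.vpc_id
    if entry.entry_type == "VSwitch":
        return entry.source == inst.vswitch_id
    if entry.entry_type == "ECS/ENI":
        return entry.source == inst.instance_id
    if entry.entry_type == "Custom CIDR Block":
        return ip_address(inst.private_ip) in ip_network(entry.source, strict=False)
    raise ValueError(f"unknown SNAT entry type: {entry.entry_type}")


def egress_ip(inst: Instance, table: RouteTable, nat_gateway_id: str,
              snat_entries: List[SnatEntry], dnat_entries: List[DnatEntry]) -> Optional[str]:
    """Apply the FAQ priority: public IP/EIP > DNAT (any port) > EIP in SNAT."""
    if inst.public_ip:                         # 1. the instance's own public IP/EIP wins
        return inst.public_ip
    if plan_default_route(table, nat_gateway_id) != "skip":
        return None                            # traffic never reaches the NAT gateway yet
    for d in dnat_entries:                     # 2. any-port DNAT mapping to this instance
        if d.port == "Any" and d.internal_ip == inst.private_ip:
            return d.external_ip
    for s in snat_entries:                     # 3. first matching SNAT entry (assumption)
        if snat_matches(s, inst):
            return s.snat_ip
    return None                                # no Internet access for this instance


if __name__ == "__main__":
    inst = Instance("i-constructed01", "vpc-constructed", "vsw-constructed-a", "192.168.1.10")
    table = RouteTable("System", [RouteEntry(DEFAULT_ROUTE, "NatGateway", "ngw-constructed")])
    snat = [SnatEntry("203.0.113.10", "VPC", "vpc-constructed")]
    print(plan_default_route(table, "ngw-constructed"), egress_ip(inst, table, "ngw-constructed", snat, []))
```

Running the module prints `skip 203.0.113.10`: the system route table already points at the gateway, so the VPC-level SNAT entry's EIP is what the Internet sees. Swapping in a custom route table with no default route yields `add` and no egress IP, which is the state this page's Step 2 exists to fix.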