
Working with SNAT to Access the Internet Outside China from a Private Network

Scenarios

This practice provides detailed operations for accessing the Internet outside China by using Cloud Connect, VPN, and NAT Gateway.

Figure 1 shows the networking topology.

Figure 1 Networking
  • In this practice, consider the VPC in CN East-Shanghai1 as the on-premises network.
  • The network outside China is 8.8.8.0/24, and 8.8.8.8 is the only IP address used for testing.
  • Your account must have the permission for cross-border network communication. If you do not have this permission, you can authorize another user who has it to load the VPCs.

Procedure

  1. Create the following VPCs and ensure that the VPC CIDR blocks do not conflict with each other.

    • VPC in CN East-Shanghai1: 172.18.0.0/24
    • VPC in CN North-Beijing4: 172.16.0.0/24
    • VPC in CN-Hong Kong: 172.17.0.0/24

    For details, see Creating a VPC.

  2. Configure the VPN service.

    Buy a VPN gateway and a VPN connection to connect networks in CN North-Beijing4 and CN East-Shanghai1.

    For details, see Buying a VPN Gateway and Buying a VPN Connection.

    • Gateway and subnet configurations for CN North-Beijing4:
      • Local subnets: 172.16.0.0/24, 172.17.0.0/24, and 8.8.8.0/24
      • Remote gateway: 223.223.223.223
      • Remote subnet: 172.18.0.0/24
    • Gateway and subnet configurations for CN East-Shanghai1:
      • Local subnet: 172.18.0.0/24
      • Remote gateway: 49.49.49.49
      • Remote subnets: 172.16.0.0/24, 172.17.0.0/24, and 8.8.8.0/24

    When you configure the VPN connection between CN North-Beijing4 and CN East-Shanghai1, ensure that local subnets in CN North-Beijing4 and remote subnets in CN East-Shanghai1 contain the network outside China (8.8.8.0/24) so that this network can be pinged.

  3. Configure Cloud Connect.

    1. Create a cloud connection.

      For details, see Creating a Cloud Connection.

    2. Load the VPCs.

      For details, see Loading a Network Instance.

    3. Add custom CIDR blocks.

      For details, see Adding a Custom CIDR block.

      • Custom CIDR blocks for CN North-Beijing4: 172.18.0.0/24 and 172.16.0.0/24
      • Custom CIDR blocks for CN-Hong Kong: 172.17.0.0/24 and 8.8.8.0/24

      To enable communications among all nodes, you need to add all local subnets.

    4. Buy a bandwidth package.

      By default, the system allocates 10 kbit/s of bandwidth for testing network connectivity across regions. You need to buy a bandwidth package to ensure normal network communications across regions.

      For details, see Buying a Bandwidth Package.

    5. Assign inter-region bandwidths.

      For details, see Assigning Inter-Region Bandwidth.

  4. Buy an ECS in CN North-Beijing4, CN East-Shanghai1, and CN-Hong Kong.

    For details, see Purchasing an ECS.

    • Private IP address of the ECS in CN North-Beijing4: 172.16.0.3
    • Private IP address of the ECS in CN East-Shanghai1: 172.18.0.3
    • Private IP address of the ECS in CN-Hong Kong: 172.17.0.3

  5. Buy an EIP and configure a NAT gateway.

    Buy an EIP in the CN-Hong Kong region, buy a NAT gateway, and add SNAT rules for the following CIDR blocks:

    • VPC CIDR block: 172.17.0.0/24
    • Direct Connect/Cloud Connect CIDR block: 172.18.0.0/24
    • Direct Connect/Cloud Connect CIDR block: 172.16.0.0/24

    For details, see Assigning an EIP and Binding It to an ECS and Adding an SNAT Rule.

    Add SNAT rules to allow access to the Internet and ping the network outside China (8.8.8.0/24).

Verification

After the configuration is complete, test the network connectivity.

Ping the gateway (8.8.8.8) from the ECS in CN East-Shanghai1.