Updated on 2023-09-12 GMT+08:00

Constraints and Limitations

Public NAT Gateway

When using a public NAT gateway, note the following:

  • Common restrictions
    • Rules on one public NAT gateway can use the same EIP, but rules on different NAT gateways must use different EIPs.
    • Each VPC can be associated with multiple public NAT gateways.
    • SNAT and DNAT rules can use the same EIP to save resources. However, an SNAT rule cannot share an EIP with a DNAT rule whose Port Type is set to All ports, because the resource in that DNAT rule takes precedence and uses every port of the EIP.
    • The public NAT gateway does not translate IP addresses for Enterprise Edition VPN.
    • If both an EIP and a public NAT gateway are configured for a server, data will be forwarded through the EIP.
    • After you perform operations on backend resources, such as changing the specifications of an ECS, the existing NAT gateway rules become invalid. Delete them and create new rules for the ECS with the new specifications.
    • Private IP addresses used by load balancers cannot be selected when you add DNAT rules on public NAT gateways for Internet communications.
    • Some carriers block the following ports for security reasons, so it is recommended that you do not use them.

      Protocol  Ports
      TCP       42, 135, 137, 138, 139, 444, 445, 593, 1025, 1068, 1434, 3127, 3128, 3129, 3130, 4444, 4789, 4790, 5554, 5800, 5900, 9996
      UDP       135~139, 1026, 1027, 1028, 1068, 1433, 1434, 4789, 4790, 5554, 9996

    • The system does not add a default route for a public NAT gateway. You need to add a route pointing to the public NAT gateway to the corresponding route table.
    • Each public NAT gateway has an associated route table. The number of public NAT gateways that can be created in a VPC is determined by the number of route tables for the VPC.
  • SNAT restrictions
    • Only one SNAT rule can be added for each VPC subnet.
    • When you add an SNAT rule in the VPC scenario, the custom CIDR block must be a subset of the NAT gateway's VPC subnets.
    • If an SNAT rule is used in the Direct Connect scenario, the custom CIDR block must be a CIDR block of a Direct Connect connection and cannot overlap with the NAT gateway's VPC subnets.
    • There is no limit on the number of SNAT rules that can be added on a public NAT gateway.
  • DNAT restrictions
    • Only one DNAT rule can be configured for each port on a server. One port can be mapped to only one EIP.
    • A maximum of 200 DNAT rules can be added on a public NAT gateway.
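The following pre-flight check is an added example, not Huawei Cloud tooling: it validates a proposed public NAT gateway rule set against the restrictions listed above (the SNAT/all-ports DNAT EIP conflict, one SNAT rule per subnet with the custom CIDR inside a VPC subnet, one DNAT rule per server port, the 200-rule DNAT limit, no load balancer private IPs, and the carrier-blocked ports). The rule dictionary layout is an assumption made for the example.

```python
import ipaddress

# Carrier-blocked ports from the table above (TCP and UDP).
BLOCKED_TCP = {42, 135, 137, 138, 139, 444, 445, 593, 1025, 1068, 1434, 3127,
               3128, 3129, 3130, 4444, 4789, 4790, 5554, 5800, 5900, 9996}
BLOCKED_UDP = set(range(135, 140)) | {1026, 1027, 1028, 1068, 1433, 1434,
                                      4789, 4790, 5554, 9996}
MAX_DNAT_RULES = 200  # per public NAT gateway


def check_public_nat_rules(vpc_subnets, snat_rules, dnat_rules):
    """Return the constraint violations found in one public NAT gateway's rules.

    Rule dicts (an assumption of this example, not the console's schema):
      SNAT: eip, cidr            DNAT: eip, protocol, port_type ('all'|'specific'),
                                       server, port (specific only), target ('ecs'|'elb')
    """
    problems = []
    subnets = [ipaddress.ip_network(s) for s in vpc_subnets]
    if len(dnat_rules) > MAX_DNAT_RULES:
        problems.append(f"{len(dnat_rules)} DNAT rules exceed the limit of {MAX_DNAT_RULES}")
    # SNAT: custom CIDR must lie inside a VPC subnet, and each subnet gets one rule.
    used_subnets = set()
    for r in snat_rules:
        cidr = ipaddress.ip_network(r["cidr"])
        owner = next((s for s in subnets if cidr.subnet_of(s)), None)
        if owner is None:
            problems.append(f"SNAT CIDR {cidr} is not a subset of any VPC subnet")
        elif owner in used_subnets:
            problems.append(f"more than one SNAT rule for subnet {owner}")
        else:
            used_subnets.add(owner)
    # DNAT: no EIP shared between SNAT and an all-ports DNAT rule, one rule per
    # server port, no load balancer private IPs, and a warning for blocked ports.
    snat_eips = {r["eip"] for r in snat_rules}
    mapped_ports = set()
    for r in dnat_rules:
        if r["port_type"] == "all" and r["eip"] in snat_eips:
            problems.append(f"EIP {r['eip']} is shared by SNAT and an all-ports DNAT rule")
        if r.get("target") == "elb":
            problems.append(f"DNAT rule for {r['server']} uses a load balancer private IP")
        if r["port_type"] == "specific":
            key = (r["server"], r["protocol"], r["port"])
            if key in mapped_ports:
                problems.append(f"{r['protocol']}/{r['port']} on {r['server']} is mapped twice")
            mapped_ports.add(key)
            blocked = BLOCKED_TCP if r["protocol"] == "tcp" else BLOCKED_UDP
            if r["port"] in blocked:
                problems.append(f"{r['protocol']}/{r['port']} on {r['server']} may be blocked by carriers")
    return problems
```

Run it against the rule set before creating the rules in the console; an empty list means none of the listed restrictions is violated.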

Private NAT Gateway

When using a private NAT gateway, note the following:

  • Common restrictions
    • Routes must be added manually in the VPC to connect it to a remote private network through a VPC peering connection, Direct Connect, or VPN connection.
    • SNAT and DNAT rules cannot share a transit IP address.
    • The total number of DNAT and SNAT rules that can be added on a private NAT gateway varies with the private NAT gateway specifications.
      • Small: 20 or less
      • Medium: 50 or less
      • Large: 200 or less
      • Extra-large: 500 or less
  • SNAT restrictions
    • Only one SNAT rule can be added for each VPC subnet.
  • DNAT restrictions
    • A DNAT rule with Port Type set to All ports cannot share a transit IP address with a DNAT rule with Port Type set to Specific port.