Updated on 2023-08-10 GMT+08:00

Enabling Private Networks to Access the Internet Using Cloud Connect and SNAT

Scenarios

When customers require high-speed Internet access from their on-premises data centers to locations outside the Chinese mainland, they can use VPN, Cloud Connect, NAT Gateway (SNAT rules), and EIP.

For example, these services can enable fast access to services in Africa, Europe, or America.

Use Cases

  1. Using VPN to connect a customer's on-premises data center to a VPC in CN North-Beijing4
  2. Using Cloud Connect to connect the VPC in CN North-Beijing4 to a VPC in CN-Hong Kong for network acceleration
  3. Purchasing a NAT gateway in CN-Hong Kong and adding an SNAT rule so that on-premises servers share the EIP to access the Internet outside the Chinese mainland

Figure 1 shows the networking topology.

Figure 1 Networking
  • In this solution, the network in CN East-Shanghai1 represents the on-premises data center.
  • The CIDR block of the Internet outside the Chinese mainland is 8.8.8.0/24, and 8.8.8.8 is the only IP address used for testing.

Advantages

In addition to cross-border connectivity, network access is accelerated to provide better user experience.

Constraints and Limitations

The user account needs cross-border permissions. Otherwise, the user must authorize the VPCs to an account that has cross-border permissions, and that account creates the cloud connection.

Resource Planning

Table 1 Resources required

| Resource | Resource Name | Description | Quantity |
|---|---|---|---|
| VPC | VPC-Test01 | Region: CN East-Shanghai1; CIDR block: 172.18.0.0/24 (172.18.0.0/24 represents the on-premises network) | 1 |
| VPC | VPC-Test02 | Region: CN North-Beijing4; CIDR block: 172.16.0.0/24 | 1 |
| VPC | VPC-Test03 | Region: CN-Hong Kong; CIDR block: 172.17.0.0/24 | 1 |
| EIP | EIP-Test | Region: CN-Hong Kong | 1 |
| NAT gateway | NAT-Test | You need to purchase it in VPC-Test03 and use EIP EIP-Test. | 1 |
| VPN gateway | VPN-GW-Test01 | Region: CN North-Beijing4; Local gateway: 49.49.49.49 | 1 |
| VPN gateway | VPN-GW-Test02 | Region: CN East-Shanghai1; Local gateway: 223.223.223.223 | 1 |
| VPN connection | VPN-Test01 | It is created to connect to VPN-GW-Test01. | 1 |
| VPN connection | VPN-Test02 | It is created to connect to VPN-GW-Test02. | 1 |
| Cloud connection | CC-Test | It enables cross-region access between CN North-Beijing4 and CN-Hong Kong and accelerates network access. | 1 |
| ECS | ECS-Test01 | Region: CN East-Shanghai1; Private IP address: 172.18.0.3 | 1 |
| ECS | ECS-Test02 | Region: CN North-Beijing4; Private IP address: 172.16.0.3 | 1 |
| ECS | ECS-Test03 | Region: CN-Hong Kong; Private IP address: 172.17.0.3 | 1 |

Procedure

  1. Create VPCs.

    For details, see Creating a VPC.

    Ensure that the VPC CIDR blocks do not conflict with each other.

    • VPC in CN East-Shanghai1 (VPC-Test01): 172.18.0.0/24
    • VPC in CN North-Beijing4 (VPC-Test02): 172.16.0.0/24
    • VPC in CN-Hong Kong (VPC-Test03): 172.17.0.0/24

  2. Create two VPN connections.

    Buy VPN-GW-Test01 in CN North-Beijing4 and then buy VPN-Test01.

    Buy VPN-GW-Test02 in CN East-Shanghai1 and then buy VPN-Test02.

    For details, see Buying a VPN Gateway and Buying a VPN Connection.

    • In CN North-Beijing4:
      • Local subnets: 172.16.0.0/24, 172.17.0.0/24, and 8.8.8.0/24
      • Remote gateway: 223.223.223.223
      • Remote subnet: 172.18.0.0/24
    • In CN East-Shanghai1:
      • Local subnet: 172.18.0.0/24
      • Remote gateway: 49.49.49.49
      • Remote subnets: 172.16.0.0/24, 172.17.0.0/24, and 8.8.8.0/24

    When configuring the VPN connection between CN North-Beijing4 and CN East-Shanghai1, make sure that 8.8.8.0/24 is included both in the local subnets in CN North-Beijing4 and in the remote subnets in CN East-Shanghai1. Otherwise, traffic from the on-premises network to the Internet outside the Chinese mainland is not carried over the VPN.

  3. Configure a cloud connection.

    1. Create a cloud connection (CC-Test).

      For details, see Creating a Cloud Connection.

    2. Load the three VPCs to the created cloud connection.

      For details, see Loading a Network Instance.

    3. Add custom CIDR blocks.

      For details, see Adding a Custom CIDR block.

      • When you load the VPC in CN North-Beijing4, you need to add CIDR blocks 172.18.0.0/24 and 172.16.0.0/24.
      • When you load the VPC in CN-Hong Kong, you need to add CIDR blocks 172.17.0.0/24 and 8.8.8.0/24.

      To enable communications among all nodes, you need to add all local subnets.

    4. Buy a bandwidth package.

      By default, the system allocates 10 kbit/s of bandwidth for testing network connectivity across regions. You need to buy a bandwidth package to ensure normal network communications across regions.

      For details, see Buying a Bandwidth Package.

    5. Assign inter-region bandwidths.

      For details, see Assigning an Inter-Region Bandwidth.

  4. Buy three ECSs.

    Buy one ECS in each of the following regions: CN East-Shanghai1, CN North-Beijing4, and CN-Hong Kong.

    For details, see Purchasing an ECS.

    • Private IP address of the ECS (ECS-Test01) in CN East-Shanghai1: 172.18.0.3
    • Private IP address of the ECS (ECS-Test02) in CN North-Beijing4: 172.16.0.3
    • Private IP address of the ECS (ECS-Test03) in CN-Hong Kong: 172.17.0.3

  5. Buy an EIP and a NAT gateway.

    Buy an EIP (EIP-Test) in the CN-Hong Kong region, buy a public NAT gateway (NAT-Test), and add an SNAT rule for each of the following CIDR blocks:

    • VPC CIDR block: 172.17.0.0/24
    • Direct connection/Cloud connection CIDR blocks: 172.18.0.0/24 and 172.16.0.0/24

    For details, see Assigning an EIP and Binding It to an ECS and Adding an SNAT Rule.

    SNAT rules allow servers in private networks to access the Internet outside the Chinese mainland (8.8.8.0/24).
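    As an added planning check (not part of this page or of the cloud services' own tooling), the following Python script encodes the CIDR blocks from Table 1 and steps 1, 2, 3 and 5, verifies that the VPC CIDR blocks do not overlap and that the two VPN sides mirror each other, and traces a packet from the on-premises host 172.18.0.3 to 8.8.8.8 to report the first hop that would reject it or the SNAT rule it finally matches. The hop model and the region labels inside it are assumptions that follow the page's topology, not an API of VPN, Cloud Connect or NAT Gateway.

```python
import ipaddress as ip
# Resource plan copied from this page (Table 1 and Procedure steps 1, 2, 3 and 5).
VPCS = {
    "VPC-Test01 (CN East-Shanghai1)": "172.18.0.0/24",   # stands in for on-premises
    "VPC-Test02 (CN North-Beijing4)": "172.16.0.0/24",
    "VPC-Test03 (CN-Hong Kong)": "172.17.0.0/24",
}
INTERNET = "8.8.8.0/24"  # Internet outside the Chinese mainland, as defined on the page
VPN = {  # step 2: local and remote subnets configured on each side
    "CN North-Beijing4": {"local": ["172.16.0.0/24", "172.17.0.0/24", INTERNET],
                          "remote": ["172.18.0.0/24"]},
    "CN East-Shanghai1": {"local": ["172.18.0.0/24"],
                          "remote": ["172.16.0.0/24", "172.17.0.0/24", INTERNET]},
}
CC_CUSTOM = {  # step 3: custom CIDR blocks added when loading each VPC
    "CN North-Beijing4": ["172.18.0.0/24", "172.16.0.0/24"],
    "CN-Hong Kong": ["172.17.0.0/24", INTERNET],
}
SNAT_SOURCES = ["172.17.0.0/24", "172.18.0.0/24", "172.16.0.0/24"]  # step 5 SNAT rules

def net(cidr): return ip.ip_network(cidr, strict=True)  # strict: reject host bits in a CIDR

def overlapping_vpcs(vpcs=VPCS):
    """Step 1: every pair of VPC CIDR blocks that overlap; must be an empty list."""
    names = list(vpcs)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if net(vpcs[a]).overlaps(net(vpcs[b]))]

def vpn_mismatches(vpn=VPN):
    """Step 2: local subnets on one side must equal remote subnets on the other."""
    bj, sh = vpn["CN North-Beijing4"], vpn["CN East-Shanghai1"]
    return {"beijing_local_vs_shanghai_remote": set(bj["local"]) ^ set(sh["remote"]),
            "shanghai_local_vs_beijing_remote": set(sh["local"]) ^ set(bj["remote"])}

def trace(src, dst, vpn=VPN, cc=CC_CUSTOM, snat=SNAT_SOURCES):
    """Hypothetical path model: walk src -> VPN -> Cloud Connect -> SNAT and return
    ("DROP", first_hop_that_rejects) or ("SNAT", matching_source_cidr)."""
    s, d = ip.ip_address(src), ip.ip_address(dst)
    hops = [
        ("VPN Shanghai1 local subnet", any(s in net(c) for c in vpn["CN East-Shanghai1"]["local"])),
        ("VPN Shanghai1 remote subnet", any(d in net(c) for c in vpn["CN East-Shanghai1"]["remote"])),
        ("VPN Beijing4 local subnet", any(d in net(c) for c in vpn["CN North-Beijing4"]["local"])),
        ("CC Beijing4 custom CIDR", any(s in net(c) for c in cc["CN North-Beijing4"])),
        ("CC Hong Kong custom CIDR", any(d in net(c) for c in cc["CN-Hong Kong"])),
    ]
    for name, admitted in hops:
        if not admitted:
            return ("DROP", name)
    rule = next((c for c in snat if s in net(c)), None)
    return ("SNAT", rule) if rule else ("DROP", "no SNAT rule covers the source")
```

    Running the same trace for a destination outside 8.8.8.0/24 shows why that block must appear in every step: the packet is rejected at the first hop whose subnet list omits it.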

Verification

Test the network connectivity.

Ping 8.8.8.8 (the test IP address in the Internet outside the Chinese mainland) from the ECS (ECS-Test01) in CN East-Shanghai1.