Updated on 2023-08-10 GMT+08:00

Enabling Private Networks to Access the Internet Using Cloud Connect and SNAT


When customers require high-speed Internet access from their on-premises data centers to locations outside the Chinese mainland, they can use VPN, Cloud Connect, NAT Gateway (SNAT rules), and EIP.

For example, these services can enable fast access to services in Africa, Europe, or America.

Use Cases

  1. Using VPN to connect a customer's on-premises data center to a VPC in CN North-Beijing4
  2. Using Cloud Connect to connect the VPC in CN North-Beijing4 to a VPC in CN-Hong Kong for network acceleration
  3. Purchasing a NAT gateway in CN-Hong Kong, and adding an SNAT rule to enable on-premises servers to share the EIP to access the Internet outside the Chinese mainland

Figure 1 shows the networking topology.

Figure 1 Networking
  • In this solution, the network in CN East-Shanghai1 represents the on-premises data center.
  • The CIDR block of the Internet outside the Chinese mainland is, and is the only IP address used for testing.


In addition to cross-border connectivity, network access is accelerated to provide better user experience.

Constraints and Limitations

The user account needs cross-border permissions. Otherwise, the user needs to authorize the current VPCs to an account with the cross-border permissions to create a cloud connection.

Resource Planning

Table 1 Resources required

  • VPC
    • Region: CN East-Shanghai1; CIDR block: represents the on-premises network.
    • Region: CN North-Beijing4; CIDR block:
    • Region: CN-Hong Kong; CIDR block:
  • EIP
    • Region: CN-Hong Kong
  • NAT gateway
    • You need to purchase it in VPC-Test03 and use EIP EIP-Test.
  • VPN gateway
    • Region: CN North-Beijing4; Local gateway:
    • Region: CN East-Shanghai1; Local gateway:
  • VPN connection
    • It is created to connect to VPN-GW-Test01.
    • It is created to connect to VPN-GW-Test02.
  • Cloud connection
    • It enables cross-region access between CN North-Beijing4 and CN-Hong Kong and accelerates network access.
  • ECS
    • Region: CN East-Shanghai1; Private IP address:
    • Region: CN East-Beijing4; Private IP address:
    • Region: CN-Hong Kong region; Private IP address:


  1. Create VPCs.

    For details, see Creating a VPC.

    Ensure that the VPC CIDR blocks do not conflict with each other.

    • VPC in CN East-Shanghai1 (VPC-Test01):
    • VPC in CN North-Beijing4 (VPC-Test02):
    • VPC in CN-Hong Kong (VPC-Test03):

  2. Create two VPN connections.

    Buy VPN-GW-Test01 in CN North-Beijing4 and buy VPN-Test01.

    Create VPN-GW-Test02 in CN East-Shanghai1 and buy VPN-Test02.

    For details, see Buying a VPN Gateway and Buying a VPN Connection.

    • In CN North-Beijing4:
      • Local subnets:,, and
      • Remote gateway:
      • Remote subnet:
    • In CN East-Shanghai1:
      • Local subnet:
      • Remote gateway:
      • Remote subnets:,, and

    When configuring the VPN connection between CN North-Beijing4 and CN East-Shanghai1, you need to ensure that local CIDR blocks in CN North-Beijing4 and remote subnets in CN East-Shanghai1 are included ( so that these subnets can access the Internet outside of the Chinese mainland.

  3. Configure a cloud connection.

    1. Create a cloud connection (CC-Test).

      For details, see Creating a Cloud Connection.

    2. Load the three VPCs to the created cloud connection.

      For details, see Loading a Network Instance.

    3. Add custom CIDR blocks.

      For details, see Adding a Custom CIDR block.

      • When you load the VPC in CN North-Beijing4, you need to add CIDR blocks and
      • When you load the VPC in CN-Hong Kong, you need to add CIDR blocks and

      To enable communications among all nodes, you need to add all local subnets.

    4. Buy a bandwidth package.

      By default, the system allocates 10 kbit/s of bandwidth for testing network connectivity across regions. You need to buy a bandwidth package to ensure normal network communications across regions.

      For details, see Buying a Bandwidth Package.

    5. Assign inter-region bandwidths.

      For details, see Assigning an Inter-Region Bandwidth.

  4. Buy three ECSs.

    Buy one ECS in each of the following regions: CN East-Shanghai1, CN North-Beijing4, and CN-Hong Kong.

    For details, see Purchasing an ECS.

    • Private IP address of the ECS (ECS-Test01) in CN North-Beijing4:
    • Private IP address of the ECS (ECS-Test02) in CN North-Beijing4:
    • Private IP address of the ECS (ECS-Test03) in CN-Hong Kong:

  5. Buy an EIP and a NAT gateway.

    Buy an EIP (EIP-Test) in the CN-Hong Kong region, buy a public NAT gateway (NAT-Test), and add an SNAT rule for each of the following CIDR blocks:

    For details, see Assigning an EIP and Binding It to an ECS and Adding an SNAT Rule.

    • VPC CIDR block:
    • Direct connection/Cloud connection CIDR blocks: and

    SNAT rules allow servers in private networks to access the Internet outside the Chinese mainland (
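
A pre-deployment check of the plan built in steps 1, 2 and 5, as an added example that is not part of the original documentation: it verifies that the VPC CIDR blocks do not conflict, that the two VPN connections mirror each other's local and remote subnets, and that the SNAT rules cover each source network without being wider than it. Every CIDR value, the `PLAN` layout, and the assumption that the cloud connection CIDR blocks are the other two VPCs' blocks are constructed for this example, because the page does not list the real values; only the resource and region names come from the page.

```python
import ipaddress
from itertools import combinations

# Constructed plan: all CIDR values are placeholders for this example.
# 198.51.100.0/24 stands in for the external test network.
PLAN = {
    "vpcs": {"VPC-Test01": "10.1.0.0/16", "VPC-Test02": "10.2.0.0/16",
             "VPC-Test03": "10.3.0.0/16"},
    "vpn": {
        "CN North-Beijing4": {"local": ["10.2.0.0/16", "10.3.0.0/16", "198.51.100.0/24"],
                              "remote": ["10.1.0.0/16"]},
        "CN East-Shanghai1": {"local": ["10.1.0.0/16"],
                              "remote": ["10.2.0.0/16", "10.3.0.0/16", "198.51.100.0/24"]},
    },
    "snat_rules": ["10.3.0.0/16", "10.1.0.0/16", "10.2.0.0/16"],
}

def nets(cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]

def audit(plan):
    """Return a list of findings; an empty list means the plan is consistent."""
    findings = []
    vpcs = {name: ipaddress.ip_network(c) for name, c in plan["vpcs"].items()}
    # Step 1: VPC CIDR blocks must not conflict with each other.
    for (a, na), (b, nb) in combinations(vpcs.items(), 2):
        if na.overlaps(nb):
            findings.append(f"overlap: {a} {na} and {b} {nb}")
    # Step 2: each side's local subnets must be the other side's remote subnets.
    bj, sh = plan["vpn"]["CN North-Beijing4"], plan["vpn"]["CN East-Shanghai1"]
    if set(nets(bj["local"])) != set(nets(sh["remote"])):
        findings.append("vpn: Beijing4 local subnets != Shanghai1 remote subnets")
    if set(nets(sh["local"])) != set(nets(bj["remote"])):
        findings.append("vpn: Shanghai1 local subnets != Beijing4 remote subnets")
    # Step 5: every source network needs an SNAT rule. The second loop is an
    # added least-privilege check (not a rule stated on the page): a rule that
    # is not contained in a planned VPC lets unplanned sources share the EIP.
    rules = nets(plan["snat_rules"])
    for name, net in vpcs.items():
        if not any(net.subnet_of(r) for r in rules):
            findings.append(f"snat: no rule covers {name} {net}")
    for r in rules:
        if not any(r.subnet_of(net) for net in vpcs.values()):
            findings.append(f"snat: rule {r} is not contained in any planned VPC")
    return findings

if __name__ == "__main__":
    print(audit(PLAN) or "plan is consistent")
```
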


Test the network connectivity.

Ping the gateway ( from the ECS in CN East-Shanghai1.