Updated on 2026-01-05 GMT+08:00

Using a Private NAT Gateway and Direct Connect to Enable Communications Between a VPC and an On-premises Data Center

Scenarios

In a hybrid cloud architecture, if the private IP address of a cloud server in a VPC is not trusted by an on-premises data center, the cloud server cannot communicate with the on-premises data center. To address this issue, you can configure a NAT gateway and use Direct Connect or VPN to enable communications between a VPC and an on-premises data center.

Solution Architecture

  1. A Direct Connect or VPN connection connects an on-premises data center to a transit VPC.
  2. A private NAT gateway translates the source or destination IP address into a transit IP address (a private IP address trusted by the on-premises data center) in the transit VPC using an SNAT or DNAT rule.

Figure 1 Networking diagram (image not included in this text)

Solution Advantages

In a hybrid cloud network, the private IP addresses of ECSs in the service VPC must be mapped to addresses trusted by the on-premises data center to meet security compliance requirements. The private NAT gateway performs this mapping, so the on-premises side only ever sees the trusted transit IP address, never the ECS's own private IP address.

Constraints

  • The CIDR block of your on-premises data center cannot overlap with those of the transit VPC and the service VPC; otherwise, your on-premises data center will be unable to communicate with the service VPC.
  • You need to define a CIDR block in the transit VPC to map private IP addresses from the service VPC. Generally, you use a private CIDR block or private IP addresses trusted by your on-premises data center.

Resource Planning

Table 1 Resource planning

Resource                 | Resource Name        | Description                                                                                      | Quantity
-------------------------|----------------------|--------------------------------------------------------------------------------------------------|---------
VPC                      | VPC-Test01           | The service VPC with the CIDR block 192.168.0.0/24.                                              | 1
VPC                      | VPC-Test02           | The transit VPC with the CIDR block 10.1.0.0/24.                                                 | 1
NAT gateway              | NAT-Private-Test     | The private NAT gateway deployed in VPC-Test01.                                                  | 1
NAT gateway              | NAT-Ext-Sub-IP-Test  | The transit IP address (10.1.0.10) in the transit VPC (VPC-Test02).                              | 1
Direct Connect connection| DC-Test              | The Direct Connect connection that connects the on-premises data center to the transit VPC.      | 1
ECS                      | ECS-Test             | The ECS (private IP address 192.168.0.10) purchased and deployed in the service VPC (VPC-Test01). | 1
On-premises data center  | IDC-Test             | CIDR block 10.0.0.0/24; private IP address of an on-premises server: 10.0.0.62                   | 1

  • In this practice, the private IP address (192.168.0.10) of the ECS is mapped to the private IP address (10.1.0.10) trusted by the on-premises data center through the private NAT gateway.
  • The VPC, NAT gateway, Direct Connect connection, and ECS must be in the same region.

Procedure

  1. Create a service VPC and a transit VPC.

    For details, see Creating a VPC with a Subnet.

  2. Configure a Direct Connect or VPN connection between the on-premises data center and the transit VPC.

    For details, see Create a Connection.

  3. Buy a private NAT gateway in the specified region and select the service VPC.

    For details, see Buying a Private NAT Gateway.

  4. Assign a transit IP address.

    Select VPC-Test02 as the transit VPC and manually assign the transit IP address of 10.1.0.10.

  5. Add an SNAT rule.

    On the SNAT Rules tab of the private NAT gateway, click Add SNAT Rule and set Subnet to 192.168.0.0/24, the service subnet whose IP addresses need to be mapped. Set Transit IP Address to the transit IP address assigned in step 4.

  6. Add a DNAT rule.

    On the DNAT Rules tab of the private NAT gateway, click Add DNAT Rule. Set the instance type of the local network to Server with the private IP address 192.168.0.10, and select the transit IP address assigned in step 4 as the transit IP address of the transit network. For details, see Adding a DNAT Rule.

  7. Configure routes.

    1. Add a route pointing to the private NAT gateway to the route table of the service VPC. Set Destination to 10.0.0.0/24.
    2. Add an inbound security group rule to allow traffic to the destination CIDR block that contains the IP address (10.0.0.62) of the on-premises server.
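The following script is an added example, not part of this page or of the cloud provider's tooling. It checks the constraints listed under "Constraints" against the resource plan in Table 1 and models what the SNAT rule (step 5) and DNAT rule (step 6) do to the source and destination addresses of the ping traffic used in the verification step; the addresses are the constructed ones from Table 1.

```python
import ipaddress

# Constructed sample plan; the values are the ones in Table 1 of this page.
PLAN = {
    "service_vpc": "192.168.0.0/24",   # VPC-Test01
    "transit_vpc": "10.1.0.0/24",      # VPC-Test02
    "onprem_cidr": "10.0.0.0/24",      # IDC-Test
    "transit_ip": "10.1.0.10",         # NAT-Ext-Sub-IP-Test
    "snat_subnet": "192.168.0.0/24",   # Subnet of the SNAT rule (step 5)
    "dnat_server": "192.168.0.10",     # ECS-Test, server of the DNAT rule (step 6)
}

def check_plan(plan):
    """Return the list of violated constraints; an empty list means the plan is consistent."""
    service = ipaddress.ip_network(plan["service_vpc"])
    transit = ipaddress.ip_network(plan["transit_vpc"])
    onprem = ipaddress.ip_network(plan["onprem_cidr"])
    problems = []
    # Constraint 1: the on-premises CIDR must not overlap the transit or the service VPC.
    if onprem.overlaps(transit) or onprem.overlaps(service):
        problems.append("on-premises CIDR overlaps the transit or service VPC")
    # Constraint 2 / step 4: the transit IP is a trusted address taken from the transit VPC.
    if ipaddress.ip_address(plan["transit_ip"]) not in transit:
        problems.append("transit IP is outside the transit VPC")
    # The SNAT subnet and DNAT server must belong to the service VPC the gateway is deployed in.
    if not ipaddress.ip_network(plan["snat_subnet"]).subnet_of(service):
        problems.append("SNAT subnet is outside the service VPC")
    if ipaddress.ip_address(plan["dnat_server"]) not in service:
        problems.append("DNAT server is outside the service VPC")
    return problems

def translate(plan, src, dst):
    """Simplified, stateless model of the gateway's SNAT/DNAT rules.
    Returns the (src, dst) pair as seen on the far side of the gateway."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src_ip in ipaddress.ip_network(plan["snat_subnet"]):
        # Outbound, service VPC -> on-premises: the source becomes the trusted transit IP (SNAT).
        return plan["transit_ip"], dst
    if dst_ip == ipaddress.ip_address(plan["transit_ip"]):
        # Inbound, on-premises -> transit IP: the destination becomes the ECS (DNAT).
        return src, plan["dnat_server"]
    return src, dst  # no rule matches: the packet is forwarded untranslated

if __name__ == "__main__":
    print("constraint violations:", check_plan(PLAN))
    print("ping from ECS-Test   :", translate(PLAN, "192.168.0.10", "10.0.0.62"))
    print("connection from IDC  :", translate(PLAN, "10.0.0.62", "10.1.0.10"))
```

The on-premises side only ever sees 10.1.0.10, which is why the data center's trust rules and the security group rule in step 7 are written in terms of the transit and on-premises CIDR blocks rather than the ECS's own address.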

Verifying Network Connectivity

Test the network connectivity: log in to ECS-Test in the service VPC and ping the private IP address (10.0.0.62) of the on-premises server. A successful reply shows that the SNAT rule, the DNAT rule, the route and the security group rule are all in place.