Using a Public NAT Gateway and VPC Peering to Enable Communications Between VPCs and the Internet
Scenarios
There are two VPCs in the same region: VPC A and VPC B. VPC A has a subnet (subnet A), and VPC B has a subnet (subnet B). You can create a public NAT gateway in subnet A, and add SNAT and DNAT rules to enable servers in subnet A to access and be accessed from the Internet. Then you can create a VPC peering connection to connect subnet B in VPC B to subnet A in VPC A. In this way, servers in subnet B can use the public NAT gateway in subnet A to access and be accessed from the Internet. You do not need to configure another public NAT gateway for subnet B.
Solution Advantages
Only one public NAT gateway needs to be configured. Servers in the two VPCs can use the same public NAT gateway to communicate with the Internet, saving gateway resources.
Typical Topology
The CIDR block of VPC A is 192.168.0.0/16 and that of subnet A is 192.168.1.0/24.
The CIDR block of VPC B is 192.168.0.0/16 and that of subnet B is 192.168.2.0/24.
Implementation procedure:
- Create a NAT gateway in VPC A, and add SNAT and DNAT rules.
- Create a VPC peering connection between subnet A and subnet B, enabling servers in subnet B to use the public NAT gateway in subnet A to access and be accessed from the Internet.
Prerequisites
- If VPCs connected by a VPC peering connection have overlapping CIDR blocks, the connection can only enable communications between specific (non-overlapping) subnets in the VPCs.
- At least one pair of subnets in the two VPCs does not have overlapping CIDR blocks.
Configuring a Public NAT Gateway
- Buy a public NAT gateway.
  Select VPC A for VPC. For details about how to configure other parameters, see Buying a Public NAT Gateway.
- Add SNAT rules.
  - Select VPC for Scenario and subnet A for Subnet. For more details, see Adding an SNAT Rule.
  - Add an SNAT rule for subnet B. Set Scenario to Direct Connect/Cloud Connect and enter the CIDR block of subnet B.
- Add DNAT rules.
  - Add a DNAT rule for subnet A. Select VPC for Scenario and enter an IP address of a server in subnet A for Private IP Address. For more details, see Adding a DNAT Rule.
  - Add a DNAT rule for subnet B. Set Scenario to Direct Connect/Cloud Connect and enter an IP address of a server in subnet B for Private IP Address.
Creating a VPC Peering Connection
- Create VPC A, VPC B, subnet A, and subnet B.
  For details, see Creating a VPC with a Subnet.
- Create a VPC peering connection between subnet A and subnet B.
  For detailed operations, see Creating a VPC Peering Connection to Connect Two VPCs in the Same Account.
  The local VPC is VPC A, and the peer VPC is VPC B.
  In addition to the existing local and peer routes, you also need to add a route to the route table of VPC B. Set Destination to 0.0.0.0/0 and Next Hop to the VPC peering connection between VPC A and VPC B.
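The prerequisites and the rules configured above can be checked before anything is created. The following pre-flight check is an added example, not part of this guide or of any cloud provider tooling; the plan layout, the server addresses and the peering name are assumptions. It confirms that the peered subnets do not overlap, that the SNAT CIDR for subnet B is no wider than subnet B, that each DNAT target (which becomes reachable from the Internet) lies in its declared subnet, and that VPC B has the 0.0.0.0/0 route.

```python
import ipaddress as ipa

# Constructed plan mirroring the topology on this page. The dict layout, the
# server addresses and the peering name are assumptions made for this example.
PLAN = {
    "vpc_a": "192.168.0.0/16", "subnet_a": "192.168.1.0/24",
    "vpc_b": "192.168.0.0/16", "subnet_b": "192.168.2.0/24",
    "snat_cidr_b": "192.168.2.0/24",  # CIDR entered in the subnet B SNAT rule
    "dnat_private_ips": {"subnet_a": "192.168.1.10", "subnet_b": "192.168.2.10"},
    "peering": "peering-a-b",         # placeholder name
    "vpc_b_routes": {"0.0.0.0/0": "peering-a-b"},
}

def check_plan(plan):
    """Return a list of findings; an empty list means the plan is consistent."""
    net = {k: ipa.ip_network(plan[k])
           for k in ("vpc_a", "subnet_a", "vpc_b", "subnet_b")}
    findings = []
    # Each subnet must sit inside its own VPC CIDR block.
    for side in ("a", "b"):
        if not net[f"subnet_{side}"].subnet_of(net[f"vpc_{side}"]):
            findings.append(f"subnet_{side} is outside vpc_{side}")
    # Prerequisite: the VPC CIDR blocks may overlap, the peered subnets may not.
    if net["subnet_a"].overlaps(net["subnet_b"]):
        findings.append("subnet_a and subnet_b overlap")
    # The SNAT source range for subnet B should not cover more than subnet B.
    if not ipa.ip_network(plan["snat_cidr_b"]).subnet_of(net["subnet_b"]):
        findings.append("SNAT CIDR for subnet B is not contained in subnet B")
    # Every DNAT target is exposed to the Internet; it must be the intended host.
    for name, ip in plan["dnat_private_ips"].items():
        if ipa.ip_address(ip) not in net[name]:
            findings.append(f"DNAT target {ip} is not in {name}")
    # VPC B reaches the NAT gateway only through the default route via peering.
    if plan["vpc_b_routes"].get("0.0.0.0/0") != plan["peering"]:
        findings.append("VPC B has no 0.0.0.0/0 route via the peering connection")
    return findings

if __name__ == "__main__":
    for finding in check_plan(PLAN) or ["plan is consistent"]:
        print(finding)
```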
Testing Network Connectivity
Test the network connectivity.
Log in to a server in subnet B and ping its EIP. If the following information is displayed, the network is connected.

Log in to a server that can access the Internet and is not deployed in VPC A or VPC B. Use curl to check whether the server can communicate with subnet B via the EIP associated with the DNAT rule configured for subnet B. If the following information is displayed, the network is connected.
