Using the SNAT Rule of a Private NAT Gateway and Direct Connect to Enable Cloud Servers to Access an On-premises Data Center
Scenarios
When an ECS in a VPC needs to communicate with an on-premises data center through a Direct Connect connection, the private IP address of the ECS needs to be translated into a private IP address trusted by the on-premises data center.
Solution Architecture
- A Direct Connect connection connects an on-premises data center to a transit VPC.
- A private NAT gateway translates the private IP address of the ECS in the service VPC into a transit IP address (private IP address trusted by the on-premises data center) in the transit VPC.
Figure 1 Networking diagram
Solution Advantages
In a hybrid cloud network, the private IP addresses of ECSs in the VPC need to be mapped to those trusted by the on-premises data center to meet security compliance requirements.
Constraints
- The CIDR block of your on-premises data center cannot overlap with those of the transit VPC and the service VPC; otherwise, your on-premises data center will be unable to communicate with the service VPC.
- You need to define a CIDR block in the transit VPC to map private IP addresses from the service VPC. Generally, you use a private CIDR block or private IP addresses trusted by your on-premises data center.
Resource Planning
| Resource | Resource Name | Description | Quantity |
|---|---|---|---|
| VPC | VPC-Test01 | The service VPC with the CIDR block of 192.168.0.0/24. | 1 |
| VPC | VPC-Test02 | The transit VPC with the CIDR block of 10.1.0.0/24. | 1 |
| NAT gateway | NAT-Private-Test | The private NAT gateway deployed in VPC-Test01. | 1 |
| NAT gateway | NAT-Ext-Sub-IP-Test | The transit IP address (10.1.0.10) in the transit VPC (VPC-Test02). | 1 |
| Direct Connect connection | DC-Test | The Direct Connect connection that connects the on-premises data center to the transit VPC. | 1 |
| ECS | ECS-Test | The ECS (private IP address: 192.168.0.10) purchased and deployed in the service VPC (VPC-Test01). | 1 |
| On-premises data center | IDC-Test | CIDR block: 10.0.0.0/24; private IP address of an on-premises server: 10.0.0.62 | 1 |
- In this practice, the private IP address (192.168.0.10) of the ECS is mapped to the private IP address (10.1.0.10) trusted by the on-premises data center through the private NAT gateway.
- The VPC, NAT gateway, Direct Connect connection, and ECS must be in the same region.
Procedure
Implementation Procedure
- Create a service VPC and a transit VPC.
  For details, see Creating a VPC with a Subnet.
- Configure a Direct Connect connection.
  Create a Direct Connect connection between the on-premises data center and the transit VPC. For details, see Using Direct Connect to Connect an On-Premises Data Center to the Cloud.
- Buy a private NAT gateway.
  - Buy a private NAT gateway in the specified region and select a service VPC.
  - Assign a transit IP address. Set Transit VPC to VPC-Test02. Select Manual for Transit IP Address, and set IP Address to 10.1.0.10.
  - On the SNAT Rules tab of the private NAT gateway, click Add SNAT Rule and set Subnet to 192.168.0.0/24, the service subnet with the IP addresses that need to access the on-premises data center. Set Transit IP Address to the address configured in the previous step.
- Add a route pointing to the private NAT gateway to the route table of the service VPC. Set Destination to 10.0.0.0/24.
  Figure 2 Adding a route
- Add an inbound security group rule to allow traffic to the destination CIDR block that contains the IP address (10.0.0.62) of the on-premises server.
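Before clicking through the console, the values from the resource plan can be checked against the constraints above and the SNAT step modelled for one packet. This is an added example using Python's standard ipaddress module, not code from the page or the cloud provider; the PLAN dictionary only restates the addresses given in the Resource Planning table.

```python
from ipaddress import ip_address, ip_network

# Values taken from the Resource Planning table on this page.
PLAN = {
    "service_vpc": "192.168.0.0/24",   # VPC-Test01
    "transit_vpc": "10.1.0.0/24",      # VPC-Test02
    "onprem_cidr": "10.0.0.0/24",      # IDC-Test
    "transit_ip": "10.1.0.10",         # NAT-Ext-Sub-IP-Test
    "snat_subnet": "192.168.0.0/24",   # Subnet set in the SNAT rule
    "route_dest": "10.0.0.0/24",       # Destination of the route to the NAT gateway
}

def plan_errors(plan):
    """Return the list of constraint violations in a plan (empty means consistent)."""
    service_vpc = ip_network(plan["service_vpc"])
    transit_vpc = ip_network(plan["transit_vpc"])
    onprem = ip_network(plan["onprem_cidr"])
    transit_ip = ip_address(plan["transit_ip"])
    snat_subnet = ip_network(plan["snat_subnet"])
    route_dest = ip_network(plan["route_dest"])
    errors = []
    # Constraint from the page: the on-premises CIDR must overlap neither VPC.
    for name, vpc in (("service VPC", service_vpc), ("transit VPC", transit_vpc)):
        if onprem.overlaps(vpc):
            errors.append(f"on-premises CIDR {onprem} overlaps {name} {vpc}")
    # The transit IP address must lie inside the transit VPC.
    if transit_ip not in transit_vpc:
        errors.append(f"transit IP {transit_ip} is outside transit VPC {transit_vpc}")
    # The SNAT rule's source subnet must lie inside the service VPC.
    if not snat_subnet.subnet_of(service_vpc):
        errors.append(f"SNAT subnet {snat_subnet} is outside service VPC {service_vpc}")
    # The route to the NAT gateway must cover the whole on-premises CIDR.
    if not onprem.subnet_of(route_dest):
        errors.append(f"route {route_dest} does not cover on-premises CIDR {onprem}")
    return errors

def source_seen_by_datacenter(plan, src, dst):
    """Model the SNAT step for one packet from src to dst: the source address the
    data center sees, or None if the packet is not routed to the NAT gateway or
    does not match the subnet of the SNAT rule."""
    if ip_address(dst) not in ip_network(plan["route_dest"]):
        return None
    if ip_address(src) not in ip_network(plan["snat_subnet"]):
        return None
    return plan["transit_ip"]

if __name__ == "__main__":
    print("plan errors:", plan_errors(PLAN) or "none")
    print("ECS-Test -> 10.0.0.62 is seen as", source_seen_by_datacenter(PLAN, "192.168.0.10", "10.0.0.62"))
```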
Verification
Test the network connectivity.
Log in to ECS-Test in the service VPC and ping the private IP address (10.0.0.62) of an on-premises server to verify the network connectivity.