What Can I Do If a DNAT Rule Is Not Working?

Checking Whether There Is a Route Pointing to the Current NAT Gateway

Check whether there is a route pointing to the public NAT gateway in the route table associated with the VPC where the public NAT gateway is located. If there is no such a route, configure one destined for the CIDR block of the public NAT gateway or 0.0.0.0/0. Otherwise, the public NAT gateway cannot receive traffic.

Checking Whether the DNAT Rule Is Correctly Configured

Check whether the DNAT rule status is normal on the DNAT rule list page. If the status is not normal, access will fail.

Checking the Inbound Rules of the Security Group and Network ACL of the ECS

After traffic passes through the NAT gateway, it is filtered by the security group and network ACL rules of the ECS. Check whether the security group and network ACL rules allow access from the client IP address.

Checking Whether the Service Port of the ECS Is Enabled

Check whether the service port of the ECS configured for the DNAT rule is enabled. If the service port is not enabled, the access will fail.

Run the following command on the ECS to check whether the service port is enabled:

netstat -tuln | grep port

Checking Whether the EIP Configured for the DNAT Rule Has a Bandwidth Bound

To route traffic, the EIP configured for the DNAT rule must have a bandwidth.

Checking the Domain Name Resolution and ICP Filing

If the domain name cannot be directly accessed but can be accessed through the EIP bound to it, the DNAT rule is normal. In this case, you need to check the domain name resolution and ICP filing.