Updated on 2023-09-07 GMT+08:00
Constraints and Limitations
Public NAT Gateway
When using a public NAT gateway, note the following:
- Common restrictions
- Rules on one public NAT gateway can use the same EIP, but rules on different NAT gateways must use different EIPs.
- Each VPC can be associated with multiple public NAT gateways.
- The public NAT gateway does not translate IP addresses for Enterprise Edition VPN.
- If both an EIP and a public NAT gateway are configured for a server, data will be forwarded through the EIP.
- After you perform operations on backend resources, such as changing the specifications of an ECS, the existing NAT gateway rules will become invalid. Delete the rules and create some new rules for the ECS of the new specifications.
- Private IP addresses used by load balancers cannot be selected when you add DNAT rules on public NAT gateways for Internet communications.
- Some carriers will block the following ports for security reasons. It is recommended that you do not use the following ports.
Protocol
Port
TCP
42 135 137 138 139 444 445 593 1025 1068 1434 3127 3128 3129 3130 4444 4789 4790 5554 5800 5900 9996
UDP
135~139 1026 1027 1028 1068 1433 1434 4789 4790 5554 9996
- The system does not add a default route for a public NAT gateway. You need to add a route pointing to the public NAT gateway to the corresponding route table.
- Each public NAT gateway has an associated route table. The number of public NAT gateways that can be created in a VPC is determined by the number of route tables for the VPC.
- SNAT restrictions
- Only one SNAT rule can be added for each VPC subnet.
- When you add an SNAT rule in the VPC scenario, the custom CIDR block must be a subset of the NAT gateway's VPC subnets.
- If an SNAT rule is used in the Direct Connect scenario, the custom CIDR block must be a CIDR block of a Direct Connect connection and cannot overlap with the NAT gateway's VPC subnets.
- There is no limit on the number of SNAT rules that can be added on a public NAT gateway.
- DNAT restrictions
- Only one DNAT rule can be configured for each port on a server. One port can be mapped to only one EIP.
- A maximum of 200 DNAT rules can be added on a public NAT gateway.
Private NAT Gateway
When using a private NAT gateway, note the following:
- Common restrictions:
- Manually add routes in a VPC to connect it to a remote private network through a VPC peering connection, Direct Connect, or VPN connection.
- SNAT and DNAT rules cannot share a transit IP address.
- The total number of DNAT and SNAT rules that can be added on a private NAT gateway varies with the private NAT gateway specifications.
- Small: 20 or less
- Medium: 50 or less
- Large: 200 or less
- Extra-large: 500 or less
- SNAT restrictions
- Only one SNAT rule can be added for each VPC subnet.
- DNAT restrictions
- A DNAT rule with Port Type set to All ports cannot share a transit IP address with a DNAT rule with Port Type set to Specific port.
- Private NAT gateways are free for a limited time in the following regions: CN East-Shanghai2, CN-Hong Kong, LA-Sao Paulo1, AF-Johannesburg, and LA-Mexico City2.
- Private NAT gateways are billed in the following regions: CN South-Guangzhou, CN East-Shanghai1, CN North-Beijing4, AP-Bangkok, AP-Singapore, and CN Southwest-Guiyang1.
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
The system is busy. Please try again later.
For any further questions, feel free to contact us through the chatbot.
Chatbot
