What Is NAT Gateway?
Public NAT gateways and private NAT gateways are used in different scenarios to provide network address translation (NAT).
Public NAT Gateway
Public NAT gateways provide network address translation (NAT) with 20 Gbit/s of bandwidth for servers in a Virtual Private Cloud (VPC), such as Elastic Cloud Servers (ECSs), Bare Metal Servers (BMSs), and Workspace desktops, and for servers in local data centers that connect to a VPC through Direct Connect or Virtual Private Network (VPN). These servers can share elastic IP addresses (EIPs) to access the Internet or to provide services accessible from the Internet.
Public NAT gateways support source NAT (SNAT) and destination NAT (DNAT).
- SNAT translates private IP addresses into EIPs, allowing servers in a VPC to share an EIP to access the Internet in a secure and efficient way. Figure 1 shows the SNAT architecture.
- DNAT enables servers in a VPC to share an EIP to provide services accessible from the Internet through IP address mapping or port mapping.
Figure 2 shows the DNAT architecture.
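The following Python model is an added illustration of the SNAT and DNAT behavior described above; it is not code from the NAT Gateway service or its API. The class, its field names, and all IP addresses and ports are constructed for the example. It shows two servers sharing one EIP through SNAT, a DNAT port mapping, and the difference in exposure between port mapping and IP mapping.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class NatGateway:
    """Conceptual model only; IPs, ports and field names are constructed."""
    eip: str                                  # the shared elastic IP
    snat_subnet: ipaddress.IPv4Network        # subnet covered by the SNAT rule
    dnat_rules: dict = field(default_factory=dict)  # (proto, eip_port) -> (ip, port)
    ip_mapping: str = ""                      # private IP of an IP-mapping DNAT rule
    _out: dict = field(default_factory=dict)  # (proto, ip, port) -> eip_port
    _in: dict = field(default_factory=dict)   # (proto, eip_port) -> (ip, port)
    _next_port: int = 20000

    def outbound(self, proto, src_ip, src_port):
        """SNAT: rewrite a private source to EIP:port and record the session."""
        if ipaddress.ip_address(src_ip) not in self.snat_subnet:
            return None                       # no SNAT rule covers this source
        key = (proto, src_ip, src_port)
        if key not in self._out:
            self._out[key] = self._next_port
            self._in[(proto, self._next_port)] = (src_ip, src_port)
            self._next_port += 1
        return (self.eip, self._out[key])

    def inbound(self, proto, dst_port):
        """Packet arriving at the EIP: (private_ip, port), or None if dropped."""
        if (proto, dst_port) in self._in:         # reply to an SNAT session
            return self._in[(proto, dst_port)]
        if (proto, dst_port) in self.dnat_rules:  # DNAT port mapping
            return self.dnat_rules[(proto, dst_port)]
        if self.ip_mapping:                       # DNAT IP mapping: all ports
            return (self.ip_mapping, dst_port)
        return None                               # unsolicited traffic is dropped

def demo():
    subnet = ipaddress.ip_network("192.168.0.0/24")
    gw = NatGateway("203.0.113.10", subnet)
    gw.dnat_rules[("tcp", 443)] = ("192.168.0.5", 8443)
    a = gw.outbound("tcp", "192.168.0.11", 51000)
    b = gw.outbound("tcp", "192.168.0.12", 51000)
    wide = NatGateway("203.0.113.20", subnet, ip_mapping="192.168.0.5")
    return {"a": a, "b": b, "reply_a": gw.inbound("tcp", a[1]),
            "port_mapped": gw.inbound("tcp", 443),
            "unsolicited": gw.inbound("tcp", 22),
            "ip_mapped_22": wide.inbound("tcp", 22)}

if __name__ == "__main__":
    print(demo())
```

With only an SNAT rule and a port mapping, a connection to port 22 on the EIP is dropped, while the IP mapping forwards it to the server, so IP mapping relies on security groups or other filtering to limit what is reachable.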
Private NAT Gateway
Private NAT gateways provide network address translation (NAT) for servers in a VPC, such as ECSs, BMSs, and Workspace desktops. They allow multiple servers to share a private IP address to access an on-premises data center or a remote VPC, or to provide services accessible from an on-premises data center or a remote VPC.
A private NAT gateway allows network address translation between two VPCs or between a VPC and an on-premises network, regardless of whether their network ranges are large, small, or overlapping. A private NAT gateway lets you avoid having to reconstruct services. It makes it safer and less expensive to migrate services to the cloud.
Private NAT gateways are available for the open beta test in regions AP-Hong-Kong, AP-Singapore, and AF-Johannesburg.
An external subnet functions as a transit network. You can assign a private IP address from an external subnet so that servers in a local VPC can share the private IP address to access an on-premises data center or a remote VPC.
A transit VPC is one that an external subnet belongs to.
Private NAT gateways support source NAT (SNAT) and destination NAT (DNAT).
- After an external subnet IP address is associated with an SNAT rule, multiple servers across AZs in a VPC can share the external subnet IP address to access an on-premises data center or a remote VPC.
- DNAT enables servers that share the same external subnet IP address in a VPC to provide services accessible from an on-premises data center or a remote VPC through IP address mapping or port mapping.
How Do I Access the NAT Gateway Service?
- Management console
Use APIs if you need to integrate NAT Gateway into a third-party system for secondary development. For details, see NAT Gateway API Reference.