What Is NAT Gateway?
Public NAT gateways and private NAT gateways are used in different scenarios to provide network address translation (NAT).
Public NAT Gateways
Public NAT gateways provide network address translation (NAT) with 20 Gbit/s of bandwidth for Elastic Cloud Servers (ECSs) and Bare Metal Servers (BMSs) in a Virtual Private Cloud (VPC), or servers in on-premises data centers that connect to a VPC through Direct Connect or Virtual Private Network (VPN), allowing these servers to share elastic IP addresses (EIPs) to access the Internet or to provide services accessible from the Internet.
Public NAT gateways support source NAT (SNAT) and destination NAT (DNAT).
- SNAT translates private IP addresses into EIPs, allowing servers in a VPC to share an EIP to access the Internet in a secure and efficient way. Figure 1 shows the SNAT architecture.
- DNAT enables servers in a VPC to share an EIP to provide services accessible from the Internet through IP address mapping or port mapping. Figure 2 shows the DNAT architecture.
Private NAT Gateways
Private NAT gateways provide private address translation services for Elastic Cloud Servers (ECSs) and Bare Metal Servers (BMSs) in a VPC. You can configure source NAT (SNAT) and destination NAT (DNAT) rules for the private NAT gateway to translate the source and destination IP addresses into transit IP addresses. The transit IP addresses enable servers in a VPC to communicate with other VPCs or on-premises data centers.
To be specific,
- SNAT enables multiple servers across AZs in a VPC to share the transit IP address to access on-premises data centers or other VPCs.
- DNAT enables servers that share the same transit IP address in a VPC to provide services accessible from on-premises data centers or other VPCs through the IP address or port mapping.
A transit subnet functions as a transit network. You can assign a transit IP address in the transit subnet so that servers in a local VPC can share the transit IP address to access on-premises data centers or other VPCs.
A transit VPC is the VPC to which the transit subnet belongs.
The preceding figure shows two application scenarios of private NAT gateways.
- Communication between VPCs with an overlapping CIDR block
Under normal conditions, VPCs with an overlapping CIDR block cannot access each other. But with private NAT gateways, you can configure SNAT and DNAT rules to translate the private IP addresses of the VPCs to transit IP addresses, then servers in the two VPCs can communicate with each other.
- Using a specified IP address to access a remote private network
You are required to use a specified IP address to access an on-premises data center and a VPC on the remote private network. The on-premises data center is connected to the transit VPC through Direct Connect or VPN. The VPC is connected to the transit VPC through a VPC Peering connection. The local VPC1 uses a private NAT gateway. You need to configure SNAT rules to translate the private IP address of the local VPC1 to a specified IP address, so that servers in the local VPC1 can use the specified IP address to access the remote private network.
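The overlapping-CIDR scenario above, modelled as an added example (not Huawei Cloud code): two VPCs that both use 10.0.0.0/24 exchange traffic only through transit IPs, with VPC1's gateway doing SNAT and VPC2's gateway doing DNAT. All addresses, ports and rule values are constructed for illustration.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class PrivateNatGateway:
    """Toy model of one VPC's private NAT gateway (not the provider's implementation)."""

    def __init__(self, snat_transit_ip=None, dnat_rules=None, first_port=1024):
        self.snat_ip = snat_transit_ip
        self.dnat = dict(dnat_rules or {})   # (transit_ip, port) -> (private_ip, port)
        self.conntrack = {}                  # transit_port -> (private_ip, private_port)
        self.next_port = first_port

    def to_transit(self, pkt):
        """Private VPC -> transit subnet: reverse DNAT for service replies, else SNAT."""
        for (tip, tport), priv in self.dnat.items():
            if (pkt.src_ip, pkt.src_port) == priv:
                return replace(pkt, src_ip=tip, src_port=tport)
        if self.snat_ip is None:
            return None
        key = (pkt.src_ip, pkt.src_port)
        tport = next((p for p, k in self.conntrack.items() if k == key), None)
        if tport is None:  # new flow: allocate a transit port and track it
            tport, self.next_port = self.next_port, self.next_port + 1
            self.conntrack[tport] = key
        return replace(pkt, src_ip=self.snat_ip, src_port=tport)

    def from_transit(self, pkt):
        """Transit subnet -> private VPC: reverse SNAT for tracked replies, else DNAT, else drop."""
        if pkt.dst_ip == self.snat_ip and pkt.dst_port in self.conntrack:
            ip, port = self.conntrack[pkt.dst_port]
            return replace(pkt, dst_ip=ip, dst_port=port)
        rule = self.dnat.get((pkt.dst_ip, pkt.dst_port))
        return replace(pkt, dst_ip=rule[0], dst_port=rule[1]) if rule else None


def overlapping_cidr_exchange():
    """Both VPCs use 10.0.0.0/24 (constructed); only transit IPs cross the transit VPC."""
    gw1 = PrivateNatGateway(snat_transit_ip="192.168.100.1")
    gw2 = PrivateNatGateway(dnat_rules={("192.168.100.2", 80): ("10.0.0.8", 80)})
    request = Packet("10.0.0.5", 40000, "192.168.100.2", 80)  # VPC1 client -> VPC2 transit IP
    on_transit = gw1.to_transit(request)                        # SNAT -> 192.168.100.1:1024
    delivered = gw2.from_transit(on_transit)                    # DNAT -> 10.0.0.8:80
    reply = Packet(delivered.dst_ip, delivered.dst_port, delivered.src_ip, delivered.src_port)
    reply_home = gw1.from_transit(gw2.to_transit(reply))        # reverse DNAT, then reverse SNAT
    stray = gw2.from_transit(Packet("192.168.100.1", 1024, "192.168.100.2", 22))  # no rule
    return on_transit, delivered, reply_home, stray
```

The `stray` packet shows the defensive property of the design: without a DNAT rule or tracked state, a transit-side packet never reaches a private address.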
Private NAT gateways are in open beta test (OBT) in the following regions: CN North-Beijing4, CN East-Shanghai1, CN South-Guangzhou, CN South-Guiyang1, AP-Hong Kong, AP-Singapore, AP-Bangkok, Africa-Johannesburg, and LA-Sao Paulo1.
How Do I Access the NAT Gateway Service?
- Management console
- APIs: Use APIs if you need to integrate NAT Gateway into a third-party system for secondary development. For details, see NAT Gateway API Reference.