What Is NAT Gateway?
Public NAT gateways and private NAT gateways are used in different scenarios to provide network address translation (NAT).
Public NAT Gateways
Public NAT gateways provide NAT with 20 Gbit/s of bandwidth for ECSs and BMSs in a VPC, or servers in on-premises data centers that connect to a VPC through Direct Connect or Virtual Private Network (VPN), allowing these servers to share elastic IP addresses (EIPs) to access the Internet or to provide services accessible from the Internet.
Public NAT gateways offer source NAT (SNAT) and destination NAT (DNAT).
- SNAT translates private IP addresses into EIPs, allowing servers in a VPC to share an EIP to access the Internet in a secure and efficient way.
Figure 1 shows how an SNAT rule works.
- DNAT enables multiple servers within an AZ or across multiple AZs in a VPC to share EIPs to provide services accessible from the Internet. With an EIP, a NAT gateway can forward Internet requests that arrive on one specific port over one specific protocol to a specific port of a server, or it can forward all requests to the server regardless of the port they arrive on.
Figure 2 shows how a DNAT rule works.
Private NAT Gateways
Private NAT gateways provide private address translation services for ECSs and BMSs in a VPC. You can configure SNAT and DNAT rules to translate the source and destination IP addresses into transit IP addresses, so that servers in the VPC can communicate with other VPCs or on-premises data centers.
- SNAT enables multiple servers within one AZ or across multiple AZs in a VPC to share a transit IP address to access on-premises data centers or other VPCs.
- DNAT enables servers that share the same transit IP address in a VPC to provide services accessible from on-premises data centers or other VPCs.
A transit subnet functions as a transit network. You can configure a transit IP address for the transit subnet so that servers in a local VPC can share the transit IP address to access on-premises data centers or other VPCs.
The transit VPC is the VPC that the transit subnet is a part of.
The preceding figure shows two ways a private NAT gateway can be deployed.
- Communications between two VPCs with an overlapping CIDR block
Normally, VPCs with overlapping CIDR blocks cannot communicate with each other. But with private NAT gateways, you can configure SNAT and DNAT rules to translate the private IP addresses in the VPCs to transit IP addresses and establish cross-VPC communications.
- Using a specific IP address to access a remote private network
A private NAT gateway lets you use a specific IP address to access an on-premises data center or a VPC on a remote private network. The on-premises data center is connected to the transit VPC through Direct Connect or VPN. The VPC is connected to the transit VPC through a VPC Peering connection. In the figure, VPC 1 uses a private NAT gateway to access the remote private network. To do this, SNAT rules need to be configured to translate the private IP addresses in VPC 1 into specific IP addresses that can communicate with the private network shown on the left of the figure.
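The following Python model shows the behaviour described in the two sections above: a public NAT gateway whose SNAT lets several servers share one EIP while DNAT exposes a server on one specific port or on all ports, and a pair of private NAT gateways that let two VPCs with the same CIDR block talk to each other through transit IP addresses. It is an added example, not NAT Gateway's own code or API. Every address (RFC 5737 documentation ranges), port, rule and the connection-tracking logic is a constructed assumption: the toy accepts a reply only from the peer a session was opened to, and drops inbound traffic that matches neither an existing session nor a DNAT rule. How the real service tracks sessions is not described on this page.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


@dataclass(frozen=True)
class DnatRule:
    """port=None is the 'all ports' form: each port is forwarded to the same port on target_ip."""
    ip: str
    proto: str
    target_ip: str
    port: Optional[int] = None
    target_port: Optional[int] = None


class NatGateway:
    """Toy stateful NAT gateway (hypothetical model, not the cloud implementation)."""
    def __init__(self, snat_rules: List[Tuple[str, str]], dnat_rules: List[DnatRule], first_port: int = 1024) -> None:
        self.snat_rules = [(ipaddress.ip_network(c), ip) for c, ip in snat_rules]
        self.dnat_rules = dnat_rules
        self.next_port = first_port
        # (translated ip, translated port, proto) -> original outbound packet
        self.snat_sessions: Dict[Tuple[str, int, str], Packet] = {}
        # (inside ip, inside port, peer ip, peer port, proto) -> (exposed ip, exposed port)
        self.dnat_sessions: Dict[Tuple[str, int, str, int, str], Tuple[str, int]] = {}

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """Inside -> outside. Returns the translated packet, or None if it is dropped."""
        exposed = self.dnat_sessions.get((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto))
        if exposed is not None:  # reply on a DNAT'd connection: restore the exposed address
            return Packet(exposed[0], exposed[1], pkt.dst_ip, pkt.dst_port, pkt.proto)
        for net, xlate_ip in self.snat_rules:
            if ipaddress.ip_address(pkt.src_ip) in net:  # shared IP; a fresh port keeps sessions apart
                port, self.next_port = self.next_port, self.next_port + 1
                self.snat_sessions[(xlate_ip, port, pkt.proto)] = pkt
                return Packet(xlate_ip, port, pkt.dst_ip, pkt.dst_port, pkt.proto)
        return None  # no SNAT rule covers this source

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Outside -> inside. SNAT replies are matched first, then DNAT rules."""
        orig = self.snat_sessions.get((pkt.dst_ip, pkt.dst_port, pkt.proto))
        if orig is not None and (pkt.src_ip, pkt.src_port) == (orig.dst_ip, orig.dst_port):
            return Packet(pkt.src_ip, pkt.src_port, orig.src_ip, orig.src_port, pkt.proto)
        for rule in self.dnat_rules:
            if rule.ip != pkt.dst_ip or rule.proto not in (pkt.proto, "any"):
                continue
            if rule.port is not None and rule.port != pkt.dst_port:
                continue
            tport = pkt.dst_port if rule.port is None else rule.target_port
            self.dnat_sessions[(rule.target_ip, tport, pkt.src_ip, pkt.src_port, pkt.proto)] = (rule.ip, pkt.dst_port)
            return Packet(pkt.src_ip, pkt.src_port, rule.target_ip, tport, pkt.proto)
        return None  # unsolicited and no DNAT rule: dropped at the gateway


def public_gateway_demo() -> Dict[str, bool]:
    """Public NAT: private servers share EIPs (constructed documentation addresses)."""
    gw = NatGateway([("192.168.0.0/24", "203.0.113.10")], [
        DnatRule(ip="203.0.113.10", proto="tcp", target_ip="192.168.0.20", port=443, target_port=8443),
        DnatRule(ip="203.0.113.11", proto="any", target_ip="192.168.0.30"),  # all-port form
    ])
    a = gw.outbound(Packet("192.168.0.5", 40000, "198.51.100.7", 443))
    b = gw.outbound(Packet("192.168.0.6", 40000, "198.51.100.7", 443))
    reply = gw.inbound(Packet("198.51.100.7", 443, "203.0.113.10", a.src_port))
    fwd = gw.inbound(Packet("198.51.100.9", 5555, "203.0.113.10", 443))
    fwd_all = gw.inbound(Packet("198.51.100.9", 5555, "203.0.113.11", 22))
    stray = gw.inbound(Packet("198.51.100.9", 5555, "203.0.113.10", 22))
    return {
        "snat_shares_eip": a.src_ip == b.src_ip == "203.0.113.10" and a.src_port != b.src_port,
        "snat_reply_demuxed": (reply.dst_ip, reply.dst_port) == ("192.168.0.5", 40000),
        "dnat_specific_port": (fwd.dst_ip, fwd.dst_port) == ("192.168.0.20", 8443),
        "dnat_all_ports": (fwd_all.dst_ip, fwd_all.dst_port) == ("192.168.0.30", 22),
        "unsolicited_dropped": stray is None,
    }


def private_gateway_demo() -> Dict[str, bool]:
    """Private NAT between two VPCs that both use 10.0.0.0/24 (overlapping CIDR)."""
    # Constructed: each VPC has a private NAT gateway and a transit IP in 172.16.0.0/24.
    gw1 = NatGateway([("10.0.0.0/24", "172.16.0.10")], [])
    gw2 = NatGateway([], [DnatRule("172.16.0.20", "tcp", "10.0.0.5", port=80, target_port=80)])
    client = Packet("10.0.0.5", 50000, "172.16.0.20", 80)  # VPC 1 host targets VPC 2's transit IP
    on_transit = gw1.outbound(client)
    in_vpc2 = gw2.inbound(on_transit)
    reply = gw2.outbound(Packet(in_vpc2.dst_ip, in_vpc2.dst_port, in_vpc2.src_ip, in_vpc2.src_port))
    back_home = gw1.inbound(reply)
    return {
        "server_sees_transit_src": (in_vpc2.src_ip, in_vpc2.dst_ip) == ("172.16.0.10", "10.0.0.5"),
        "reply_from_transit_ip": (reply.src_ip, reply.src_port) == ("172.16.0.20", 80),
        "reply_reaches_client": (back_home.dst_ip, back_home.dst_port) == ("10.0.0.5", 50000),
    }
```

Calling `public_gateway_demo()` and `private_gateway_demo()` returns a dictionary of checks that all evaluate to True. The points worth noticing are that the two VPC 1 sessions leave the gateway with the same EIP but different translated ports, which is what lets the reply be delivered to the right private server; that an Internet packet to a port with no DNAT rule and no open session goes nowhere; and that in the overlapping-CIDR case the host 10.0.0.5 in VPC 1 and the server 10.0.0.5 in VPC 2 only ever see each other as transit addresses.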
- Private NAT gateways are free for a limited time in the following regions: CN East-Shanghai2, CN Southwest-Guiyang1, CN-Hong Kong, LA-Sao Paulo1, AF-Johannesburg, and LA-Mexico City2.
- Private NAT gateways are billed in the following regions: CN South-Guangzhou, CN East-Shanghai1, CN North-Beijing4, AP-Bangkok, and AP-Singapore.
How Do I Access the NAT Gateway Service?
- Management console
- APIs
Use APIs if you need to integrate NAT Gateway into your own system solution. For details, see the NAT Gateway API Reference.