What Is NAT Gateway?

Updated at: Apr 14, 2021 GMT+08:00

Public NAT gateways and private NAT gateways are used in different scenarios to provide network address translation (NAT).

Public NAT Gateway

Public NAT gateways provide network address translation (NAT) with 20 Gbit/s of bandwidth for servers in a Virtual Private Cloud (VPC), such as Elastic Cloud Servers (ECSs), Bare Metal Servers (BMSs), and Workspace desktops, and for servers in local data centers that connect to a VPC through Direct Connect or Virtual Private Network (VPN). These servers can share elastic IP addresses (EIPs) to access the Internet or to provide services accessible from the Internet.

Public NAT gateways support source NAT (SNAT) and destination NAT (DNAT).

  • SNAT translates private IP addresses into EIPs, allowing servers in a VPC to share an EIP to access the Internet in a secure and efficient way.
    Figure 1 shows the SNAT architecture.
    Figure 1 SNAT architecture

  • DNAT enables servers in a VPC to share an EIP to provide services accessible from the Internet through IP address mapping or port mapping.

    Figure 2 shows the DNAT architecture.

    Figure 2 DNAT architecture
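
The following is an added example, not part of the original page and not the NAT Gateway API: a simplified Python model of the SNAT and DNAT behaviour described above, showing which inbound packets reach a private server. The class name, addresses (documentation ranges), port allocation, and the matching of replies against the recorded remote endpoint are all assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class NatGatewayModel:
    """Hypothetical model of a public NAT gateway holding one EIP."""
    eip: str
    snat_subnet: ipaddress.IPv4Network            # SNAT rule: subnet allowed out
    dnat: dict = field(default_factory=dict)      # (proto, eip_port) -> (private_ip, port)
    flows: dict = field(default_factory=dict)     # (proto, eip_port) -> (private_ip, port, remote)
    next_port: int = 20000                        # constructed starting port

    def outbound(self, proto, src_ip, src_port, dst):
        """SNAT: rewrite the private source to the shared EIP and record the flow."""
        if ipaddress.ip_address(src_ip) not in self.snat_subnet:
            return None                           # no SNAT rule covers this server
        eip_port = self.next_port
        self.next_port += 1
        self.flows[(proto, eip_port)] = (src_ip, src_port, dst)
        return (self.eip, eip_port, dst)

    def inbound(self, proto, remote, eip_port):
        """Return the private (ip, port) that receives the packet, or None if dropped."""
        flow = self.flows.get((proto, eip_port))
        if flow and flow[2] == remote:            # reply to a flow a server started
            return flow[:2]
        return self.dnat.get((proto, eip_port))   # published service, else dropped

    def exposed_services(self):
        """DNAT rules are the Internet-facing surface to review."""
        return sorted(self.dnat.items())

def demo():
    gw = NatGatewayModel("203.0.113.10", ipaddress.ip_network("192.168.1.0/24"))
    gw.dnat[("tcp", 443)] = ("192.168.1.20", 8443)     # port mapping
    web = ("198.51.100.7", 443)
    stranger = ("198.51.100.99", 5555)
    out = gw.outbound("tcp", "192.168.1.5", 51000, web)
    return {
        "snat_packet": out,
        "reply": gw.inbound("tcp", web, out[1]),
        "unsolicited_to_snat_port": gw.inbound("tcp", stranger, out[1]),
        "dnat_hit": gw.inbound("tcp", stranger, 443),
        "no_rule": gw.inbound("tcp", stranger, 22),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

In this model only the DNAT table makes a private server reachable from outside, so it is the list to audit when checking what a shared EIP exposes.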

Private NAT Gateway

Private NAT gateways provide network address translation (NAT) for servers in a VPC, such as ECSs, BMSs, and Workspace desktops, and allow multiple servers to share a private IP address to access an on-premises data center or a remote VPC, or to provide services accessible from them.

A private NAT gateway allows network address translation between two VPCs or between a VPC and an on-premises network, regardless of whether their network ranges are large, small, or overlapping. A private NAT gateway lets you avoid having to reconstruct services. It makes it safer and less expensive to migrate services to the cloud.

Private NAT gateways are available in open beta test in the AP-Hong-Kong, AP-Singapore, and AF-Johannesburg regions.

External Subnet

An external subnet functions as a transit network. You can assign a private IP address from an external subnet so that servers in a local VPC can share the private IP address to access an on-premises data center or a remote VPC.

Transit VPC

A transit VPC is one that an external subnet belongs to.

Figure 3 Private NAT gateway

Private NAT gateways support source NAT (SNAT) and destination NAT (DNAT).

  • After an external subnet IP address is associated with an SNAT rule, multiple servers across AZs in a VPC can share the external subnet IP address to access an on-premises data center or a remote VPC.
  • DNAT enables servers that share the same external subnet IP address in a VPC to provide services accessible from an on-premises data center or a remote VPC through IP address mapping or port mapping.

How Do I Access the NAT Gateway Service?

You can access the NAT Gateway service through the management console or using HTTPS-based APIs.
  • Management console

    You can use the console to perform operations on NAT gateways. Log in to the management console and choose NAT Gateway from the service list.

  • APIs

    Use APIs if you need to integrate NAT Gateway into a third-party system for secondary development. For details, see NAT Gateway API Reference.
