Public NAT Gateway
- Allowing a private network to access the Internet using SNAT
If your servers in a VPC need to access the Internet, you can configure SNAT rules to let these servers use one or more EIPs to access the Internet without exposing their private IP addresses. You can configure only one SNAT rule for each subnet in a VPC, and select one or more EIPs for each SNAT rule. Public NAT Gateway provides different numbers of connections, and you can create multiple SNAT rules to meet your service requirements.
Figure 1 shows how servers in a VPC access the Internet using SNAT.
- Allowing Internet users to access a service in a private network using DNAT
DNAT rules enable servers in a VPC to provide services accessible from the Internet.
After receiving requests from a specific port over a specific protocol, the public NAT gateway can forward the requests to a specific port of a server through port mapping. The public NAT gateway can also forward all requests destined for an EIP to a specific server through IP address mapping.
One DNAT rule can be configured for each server. If there are multiple servers, you can create multiple DNAT rules to map one or more EIPs to the private IP addresses of these servers.
Figure 2 shows how servers (ECSs or BMSs) in a VPC provide services accessible from the Internet using DNAT.
- Allowing servers in an on-premises data center to communicate with the Internet
In certain Internet, gaming, e-commerce, and financial scenarios, a large number of servers in a private cloud are connected to a VPC through Direct Connect or VPN. If such servers need secure, high-speed Internet access or need to provide services accessible from the Internet, you can deploy a NAT gateway and configure SNAT and DNAT rules to meet their requirements.
Figure 3 shows how to use SNAT and DNAT to provide high-speed Internet access or provide services accessible from the Internet.
- Setting up a highly available system by adding multiple EIPs to an SNAT rule
EIPs may be attacked. To improve system reliability, you can bind multiple EIPs to an SNAT rule so that if one EIP is attacked, another EIP can be used to ensure service continuity.
Each SNAT rule can have up to 20 EIPs. If an SNAT rule has multiple EIPs, the system randomly selects one EIP for servers to use to access the Internet.
If any EIP is blocked or attacked, manually remove it from the EIP pool.
Figure 4 shows a highly available system using an SNAT rule of a public NAT gateway.
- Using multiple NAT gateways together
If a single NAT gateway bottlenecks your services, for example, if there are over one million SNAT connections, or if the maximum bandwidth of 20 Gbit/s cannot meet service requirements, you can use multiple ones.
To use multiple NAT gateways together, associate route tables of the VPC subnets with these public NAT gateways.
Figure 5 shows how multiple public NAT gateways are used to overcome the performance bottleneck.
- The system does not add a default route for a public NAT gateway. You need to add a route pointing to the public NAT gateway to the corresponding route table.
- Each public NAT gateway has an associated route table. The number of public NAT gateways that can be created in a VPC is determined by the number of route tables for the VPC.