NAT Gateway / User Guide (Ankara Region) / Getting Started

Using a Private NAT Gateway to Connect Cloud and On-premises Networks

Updated on 2025-01-10 GMT+08:00

Scenarios

You can use a private NAT gateway to enable communications between cloud and on-premises networks.

The following figure shows how a private NAT gateway enables ECSs in a VPC to communicate with your on-premises data center that has been connected to the cloud using Direct Connect.

Figure 1 Networking diagram

Operation Process

| Procedure | Description |
|---|---|
| Step 1: Create a Service VPC and a Transit VPC | Create a service VPC and a transit VPC. |
| Step 2: Create a VPC Peering Connection | Create a VPC peering connection to connect your local data center to a transit VPC. |
| Step 3: Buy a Private NAT Gateway | Buy a private NAT gateway. |
| Step 4: Assign a Transit IP Address | Assign a transit IP address that cloud servers in the VPC can share. |
| Step 5: Add an SNAT Rule | After the private NAT gateway is created, add an SNAT rule so that servers in the VPC share the transit IP address to access on-premises data centers or other VPCs. |
| Step 6: Add a Route | Add a route whose destination is the on-premises CIDR block and whose next hop is the private NAT gateway, so that traffic to the data center is directed through the gateway. |
| Step 7: Add a Security Group Rule | Add an inbound security group rule to allow traffic to servers in the destination VPC. |

Preparations

Before using NAT gateways, sign up for a HUAWEI ID, enable Huawei Cloud services, complete real-name authentication, and top up your account.


Step 1: Create a Service VPC and a Transit VPC

A VPC provides an isolated virtual network for ECSs. You can configure and manage your network as required.

You need to create two VPCs, one for your services, and one as the transit VPC.

For details, see .

Step 2: Create a VPC Peering Connection

In production, a Direct Connect connection links your on-premises data center to the cloud (the region). In this example, a VPC peering connection is used instead, with a VPC standing in for the on-premises data center.

Create a VPC peering connection to connect this VPC (representing your local data center) to the transit VPC. For details, see .

NOTE:

For details about how to use Direct Connect to connect your data center (the destination VPC in the VPC peering connection) to the transit VPC, see .

Step 3: Buy a Private NAT Gateway

  1. On the Create Private NAT Gateway page, configure required parameters.
    Table 1 Descriptions of private NAT gateway parameters

    | Parameter | Description |
    |---|---|
    | Region | The region where the private NAT gateway is located. |
    | Name | The name of the private NAT gateway. Enter up to 64 characters including only digits, letters, underscores (_), and hyphens (-). |
    | VPC | The service VPC that the private NAT gateway belongs to. The selected VPC cannot be changed after the private NAT gateway is created. |
    | Subnet | The subnet that the private NAT gateway belongs to. The subnet must have at least one available IP address. The selected subnet cannot be changed after the private NAT gateway is created. |
    | Specifications | The specifications of the private NAT gateway. |
    | Enterprise Project | The enterprise project that the private NAT gateway belongs to. If you have not configured any enterprise project, select the default enterprise project. You can configure the enterprise project to which the private NAT gateway belongs only after the enterprise project function is enabled for you. |
    | Tag | The private NAT gateway tag. A tag is a key-value pair. You can add up to 20 tags to each private NAT gateway. |
    | Description | Supplementary information about the private NAT gateway. Enter up to 255 characters. Angle brackets (<>) are not allowed. |

  2. Click Create Now.
  3. In the private NAT gateway list, check the gateway status.

Step 4: Assign a Transit IP Address

  1. On the Private NAT Gateways page, click Transit IP Addresses > Assign Transit IP Address.
  2. Configure required parameters. For details, see Table 2.
    Table 2 Parameter descriptions of a transit IP address

    | Parameter | Example | Description |
    |---|---|---|
    | Transit VPC | - | The VPC to which the transit IP address belongs. |
    | Transit Subnets | - | The transit subnet is the subnet in the transit VPC to which the transit IP address belongs. The subnet must have at least one available IP address. |
    | Transit IP Address | Automatic | The transit IP address can be assigned in either of the following ways. Automatic: The system automatically assigns a transit IP address. Manual: You manually specify a transit IP address. |
    | Enterprise Project | default | The enterprise project to which the transit IP address belongs. |
    | Tag | Not required | The transit IP address tag, which is a key-value pair. You can add up to 20 tags to each transit IP address. |

  3. Click OK.

Step 5: Add an SNAT Rule

  1. On the Private NAT Gateways page, click the name of the private NAT gateway on which you need to add an SNAT rule.
  2. On the SNAT Rules tab, click Add SNAT Rule.
  3. Configure required parameters. For details, see Table 3.
    Table 3 Descriptions of SNAT rule parameters

    | Parameter | Example | Description |
    |---|---|---|
    | Subnet | Existing | The subnet type of the SNAT rule. Select Existing or Custom. Select a subnet in the service VPC where IP address translation is required. |
    | Monitoring | - | You can create alarm rules to watch the number of SNAT connections. |
    | Transit IP Address | - | The transit IP address you assigned in Step 4: Assign a Transit IP Address. |
    | Description | Not required | Supplementary information about the SNAT rule. Enter up to 255 characters. Angle brackets (<>) are not allowed. |

  4. Click OK.
  5. View details in the SNAT rule list. If Status is Running, the rule has been added.

Step 6: Add a Route

  1. In the route table list, click the name of the route table associated with the service VPC.
  2. Click Add Route and configure required parameters.
    Table 4 Route parameters

    | Parameter | Example | Description |
    |---|---|---|
    | Destination | 10.0.0.0/24 | The destination CIDR block. Set it to the CIDR block used by your on-premises data center. |
    | Next Hop Type | NAT gateway | Type of the next hop. |
    | Next Hop | private-nat-01 | Set Next Hop to the private NAT gateway. |
    | Description | Not required | (Optional) Supplementary information about the route. Enter up to 255 characters. Angle brackets (<>) are not allowed. |

  3. Click OK.

Step 7: Add a Security Group Rule

  1. Locate the target security group and click Manage Rules in the Operation column.

    The page for configuring security group rules is displayed.

  2. On the Inbound Rules tab, click Add Rule. In the displayed dialog box, configure required parameters.

    You can click + to add more inbound rules.

    Table 5 Description of inbound rule parameters

    | Parameter | Example | Description |
    |---|---|---|
    | Priority | 1 | Priority of a rule. A smaller value indicates a higher priority. |
    | Action | Allow | Allow or Deny. If Action is set to Allow, access from the source is allowed to ECSs in the security group over the specified ports. If Action is set to Deny, access from the source is denied to ECSs in the security group over the specified ports. |
    | Protocol & Port | TCP; 22 or 22-30 | Protocol: Network protocol. The value can be All, TCP, UDP, ICMP, or GRE. Port: The port or port range over which the traffic can reach your ECS. The value ranges from 1 to 65535. |
    | Source | 0.0.0.0/0 | Source of the security group rule. The value can be a single IP address, an IP address group, or a security group, to allow access from the specified IP address, IP address group, or instances in another security group. |
    | Description | Not required | (Optional) Supplementary information about the security group rule. Enter up to 255 characters. Angle brackets (<>) are not allowed. |

  3. Click OK.
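As an added example that is not part of the Huawei Cloud documentation, the following Python models the data path that Steps 5 to 7 configure: the route lookup in the service VPC, the SNAT translation to the transit IP, and the inbound security group check at the destination. The service subnet, the transit IP and the rule sets are constructed values; only the destination CIDR and next hop are the Table 4 examples. It shows why the destination's inbound rule must match the transit IP rather than the ECS's own address, and lets you check whether a rule source such as 0.0.0.0/0 is broader than the single transit IP that actually arrives.

```python
import ipaddress
from dataclasses import dataclass
# Constructed sample values; only ONPREM_CIDR and NAT_GATEWAY are Table 4 examples.
SERVICE_SUBNET = "192.168.0.0/24"   # constructed: subnet selected in the SNAT rule (Step 5)
TRANSIT_IP = "172.16.0.10"          # constructed: transit IP assigned in Step 4
ONPREM_CIDR = "10.0.0.0/24"         # Table 4 example destination
NAT_GATEWAY = "private-nat-01"      # Table 4 example next hop
# Step 6 route table (destination -> next hop; "local" is the VPC's own subnet) and
# Step 5 SNAT rule (translated subnet -> transit IP written into the packet's source field).
ROUTES = {SERVICE_SUBNET: "local", ONPREM_CIDR: NAT_GATEWAY}
SNAT_RULES = {SERVICE_SUBNET: TRANSIT_IP}

@dataclass
class SgRule:            # one inbound security group rule with the fields of Table 5
    priority: int        # smaller value = higher priority
    action: str          # "Allow" or "Deny"
    protocol: str        # "All", "TCP", "UDP", "ICMP" or "GRE"
    ports: range         # range(22, 23) for port 22, range(22, 31) for 22-30
    source: str          # CIDR, e.g. "0.0.0.0/0" (the Table 5 example)

def _in(ip, cidr):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)

def next_hop(dst):
    """Longest-prefix-match lookup in the service VPC route table; None if nothing matches."""
    matches = [c for c in ROUTES if _in(dst, c)]
    return ROUTES[max(matches, key=lambda c: ipaddress.ip_network(c).prefixlen)] if matches else None

def translate_source(src):
    """Apply the SNAT rule: a source inside a translated subnet leaves as the transit IP."""
    return next((tip for sub, tip in SNAT_RULES.items() if _in(src, sub)), src)

def sg_decision(rules, src, protocol, port):
    """Evaluate inbound rules in priority order; the first match decides, default Deny."""
    for r in sorted(rules, key=lambda r: r.priority):
        if _in(src, r.source) and r.protocol in ("All", protocol) and port in r.ports:
            return r.action
    return "Deny"

def reaches_onprem(src, dst, rules, protocol="TCP", port=22):
    """Walk one packet from an ECS: route (Step 6) -> SNAT (Step 5) -> destination SG (Step 7)."""
    if next_hop(dst) != NAT_GATEWAY:
        return False
    return sg_decision(rules, translate_source(src), protocol, port) == "Allow"

def broader_than_needed(rules):
    """Allow rules whose source admits more than the single transit IP that actually arrives."""
    return [r for r in rules if r.action == "Allow" and ipaddress.ip_network(r.source).num_addresses > 1]
```

A rule whose source is the ECS subnet never matches, because the packet arrives with the transit IP as its source; a source of the transit IP /32 is sufficient for the path this guide builds.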
