Updated on 2024-04-23 GMT+08:00

Adding a DNAT Rule

Scenarios

After a public NAT gateway is created, add DNAT rules to allow servers in your VPC to provide services accessible from the Internet.

Only one DNAT rule can be configured for each port on a server. One port can be mapped to only one EIP. If multiple servers need to provide services accessible from the Internet, create multiple DNAT rules.

Restrictions and Limitations

  • DNAT rules cannot map virtual IP addresses to EIPs.
  • Only one DNAT rule can be configured for each port on a server. One port can be mapped to only one EIP.
  • A maximum of 200 DNAT rules can be added on a public NAT gateway.

Prerequisites

A public NAT gateway is available.

Procedure

  1. Log in to the management console.
  2. Click Service List in the upper left corner. Under Network, select NAT Gateway.

    The Public NAT Gateway page is displayed.

  3. On the displayed page, click the name of the public NAT gateway on which you need to add a DNAT rule.
  4. On the public NAT gateway details page, click the DNAT Rules tab.
  5. Click Add DNAT Rule.
  6. Configure required parameters. For details, see Table 1.
    Table 1 Descriptions of DNAT rule parameters

    Parameter

    Description

    Scenario

    Select VPC if your servers in a VPC will use the DNAT rule to share the same EIP to provide services accessible from the Internet.

    Direct Connect: Select this scenario if your on-premises servers will use the DNAT rule to provide services accessible from the Internet.

    Port Type

    The port type

    • All ports: All requests received by the gateway through all ports over any protocol will be forwarded to the private IP address of your server.
    • Specific port: Only requests received from a specified port over a specified protocol will be forwarded to the specified port on the server.

    Protocol

    The protocol can be TCP or UDP.

    This parameter is available if you select Specific port for Port Type. If you select All ports, the value of this parameter is All by default.

    Public IP Address Type

    The EIP that will be used by the server to provide services accessible from the Internet

    You can select an EIP that either has not been bound, has been bound to a DNAT rule of the current public NAT gateway with Port Type set to Specific port, or has been bound to an SNAT rule of the current public NAT gateway.

    Outside Port

    The port of the EIP used by the NAT gateway for external communication

    This parameter is only available if you select Specific port for Port Type. Range: 1 to 65535

    You can enter a specific port number or a port range, for example, 80 or 80-100.

    Instance Type

    The type of the instance that will be providing services accessible from the Internet. Possible values are:

    • Server
    • Virtual IP address
    • Custom

    NIC

    The NIC of the server. This parameter is available if you set Instance Type to Server.

    Private IP Address

    • In a VPC scenario, set this parameter to the private IP address of a server in the NAT gateway's VPC. The server will provide services accessible from the Internet through DNAT.
    • In a Direct Connect scenario, set this parameter to IP address of the server in your on-premises data center or your private IP address. This IP address is used by on-premises servers that are connected to a VPC through Direct Connect to provide services accessible from the Internet through DNAT.
    • Configure the port of Private IP Address if you select Specific port for Port Type.

    Inside Port

    The port of the server over which the originating requests will be forwarded

    This parameter is only available if you select Specific port for Port Type.

    Range: 1 to 65535

    You can enter a specific port number or a port range, for example, 80 or 80-100.

    Description

    Provides supplementary information about the DNAT rule. Enter up to 255 characters. Angle brackets (<>) are not allowed.

  7. Click OK.

    Once the rule is created, its status changes to Running.

After you add a DNAT rule, add rules to the security group associated with the servers to allow inbound or outbound traffic. Otherwise, the DNAT rule does not take effect.