Binding or Unbinding a NAT Gateway (OBT)
Scenarios
In public access scenarios, you typically use an EIP to connect to an instance. However, binding an EIP directly to an instance increases security risk. If security rules are misconfigured or a vulnerability is exploited, an attacker may obtain your access credentials and perform malicious operations on database resources.
To mitigate this risk, TaurusDB allows you to bind or unbind a NAT gateway. With a NAT gateway, public access is implemented as a one-way DNAT rule on the public NAT gateway. Only inbound traffic on the ports you configure can reach the instance's private IP address, meeting your access requirements while limiting exposure and reducing the attack surface.
If you no longer need to access the instance through an EIP, you can unbind the NAT gateway address. Ensure that you have evaluated your service requirements before doing so.
Prerequisites
- Binding a NAT gateway is in the OBT phase. To use this function, submit a service ticket.
- Before binding a gateway address, create a public NAT gateway whose VPC and subnet match those of the TaurusDB instance. For details about how to create a public NAT gateway, see Buying a Public NAT Gateway.
Required Permissions
- If you bind a gateway address using a Huawei Cloud account, no additional configuration is required. If you bind a gateway address as an IAM user for the first time, you need to obtain the permission to create an agency.
- When binding a DNAT gateway to a TaurusDB instance, you are advised to select IAM project authorization for policy-based authorization. Enterprise project authorization is not supported.
- You must have the following permissions to bind a gateway address.
Table 1 IAM permissions and agencies
Current IAM Policy: Role/Policy-based (IAM 3.0)
Required IAM 3.0 Permission:
- gaussdb:instance:unbindPublicIp
- gaussdb:instance:bindPublicIp
- gaussdb:instance:list
- nat:dnatRules:create
- nat:natGateways:list
- nat:snatRules:list
- nat:dnatRules:delete
- nat:natGateways:get
- nat:dnatRules:get
- nat:dnatRules:update
- nat:dnatRules:list
If you do not have these permissions, create a custom policy.
Required IAM 5.0 Permission:
- eip:publicIps:associateInstance
- eip:publicIps:disassociateInstance
- nat:natGateways:listTags
If you do not have these permissions, create a custom identity policy and attach it to the principal.
Current IAM Policy: Identity policy-based (IAM 5.0)
Required IAM 3.0 Permission: N/A
Required IAM 5.0 Permission:
- nat:dnatRules:create
- nat:dnatRules:delete
- nat:dnatRules:get
- nat:dnatRules:list
- nat:dnatRules:update
- nat:natGateways:get
- nat:natGateways:list
- nat:natGateways:listTags
- nat:snatRules:list
- eip:publicIps:associateInstance
- eip:publicIps:disassociateInstance
If you do not have these permissions, create a custom identity policy and attach it to the principal.
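As an added example (not part of this documentation), the following Python script assembles a least-privilege custom policy from the actions listed in Table 1 and checks an existing policy document against that list, honouring wildcard actions and Deny statements, so that a missing permission is found before the Bind operation fails. The JSON layout it emits (Version "1.1" with Effect/Action statements) is an assumption based on the IAM custom-policy format, and the "5.0" version string for identity policies is likewise an assumption; confirm both against the IAM documentation before attaching a policy.

```python
"""Added example, not part of the TaurusDB documentation.

Builds a least-privilege custom policy from the Table 1 actions and checks an
existing policy document against that list. The policy JSON layout
(Version "1.1" with Effect/Action statements) is assumed from the IAM
custom-policy format; the "5.0" version string for identity policies is
likewise an assumption.
"""
import fnmatch
import json

# Table 1, Role/Policy-based (IAM 3.0) principal: required IAM 3.0 actions.
REQUIRED_IAM3_ACTIONS = (
    "gaussdb:instance:unbindPublicIp",
    "gaussdb:instance:bindPublicIp",
    "gaussdb:instance:list",
    "nat:dnatRules:create",
    "nat:dnatRules:delete",
    "nat:dnatRules:get",
    "nat:dnatRules:list",
    "nat:dnatRules:update",
    "nat:natGateways:get",
    "nat:natGateways:list",
    "nat:snatRules:list",
)
# Table 1, Identity policy-based (IAM 5.0) principal: required IAM 5.0 actions.
REQUIRED_IAM5_ACTIONS = (
    "nat:dnatRules:create",
    "nat:dnatRules:delete",
    "nat:dnatRules:get",
    "nat:dnatRules:list",
    "nat:dnatRules:update",
    "nat:natGateways:get",
    "nat:natGateways:list",
    "nat:natGateways:listTags",
    "nat:snatRules:list",
    "eip:publicIps:associateInstance",
    "eip:publicIps:disassociateInstance",
)


def build_custom_policy(actions, version="1.1"):
    """Return a policy document granting exactly `actions` (no wildcards)."""
    return {
        "Version": version,
        "Statement": [{"Effect": "Allow", "Action": sorted(set(actions))}],
    }


def _actions_of(statement):
    acts = statement.get("Action", [])
    return [acts] if isinstance(acts, str) else list(acts)


def _matches(pattern, action):
    # "*" in an IAM action pattern stands for any characters, e.g. nat:dnatRules:*
    return fnmatch.fnmatchcase(action, pattern)


def missing_permissions(policy, required=REQUIRED_IAM3_ACTIONS):
    """Return the required actions that `policy` does not allow.

    An action counts as missing if no Allow statement matches it or if any
    Deny statement matches it (Deny takes precedence over Allow).
    """
    allow, deny = [], []
    for st in policy.get("Statement", []):
        (allow if st.get("Effect") == "Allow" else deny).extend(_actions_of(st))
    missing = []
    for action in required:
        denied = any(_matches(p, action) for p in deny)
        allowed = any(_matches(p, action) for p in allow)
        if denied or not allowed:
            missing.append(action)
    return missing


if __name__ == "__main__":
    print(json.dumps(build_custom_policy(REQUIRED_IAM3_ACTIONS), indent=2))
    # Constructed sample: a policy that covers only the gaussdb actions.
    partial = build_custom_policy(
        a for a in REQUIRED_IAM3_ACTIONS if a.startswith("gaussdb:"))
    print("missing:", missing_permissions(partial))
```

Run it as a script to print the policy JSON and the actions a partial policy lacks; `missing_permissions` can also be pointed at a policy exported from the IAM console to confirm coverage before an IAM user attempts the binding.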
Precautions
- Access to the DB instance is controlled by security group rules that allow specific IP addresses and ports. Before connecting to the DB instance, add the individual IP address or IP address range that will connect to it to an inbound rule. For details, see Configuring Security Group Rules.
- You can use a NAT gateway to map different ports of the same EIP to different DB instances. If you cannot access a DB instance after binding a gateway address, rectify the fault by referring to What Can I Do If Connection Between My Servers and the Internet Fails After I Add SNAT and DNAT Rules?
Constraints
- If an EIP has been bound to a DB instance, you need to unbind it before binding a NAT gateway address.
- After a NAT gateway is bound to a DB instance, do not delete the DNAT rule on the NAT gateway's DNAT Rules page. If the DNAT rule is deleted, it will not be removed from the TaurusDB console, and the EIP will no longer be usable for connecting to the DB instance.
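As an added example (not documentation code), the following Python script reviews a binding offline against the Precautions and Constraints above: the external port must lie in the range accepted by the binding dialog (1 to 65535), one EIP and port pair must not map to two different DB instances when several instances share an EIP, and the security group must admit the DB port from a specific source rather than from 0.0.0.0/0. The rule records and their field names are constructed sample data shaped like what the NAT Gateway and VPC consoles display, not a Huawei Cloud API schema.

```python
"""Added example, not part of the TaurusDB documentation.

Reviews a NAT-gateway binding against the page's precautions and constraints.
The DNAT and security-group records are constructed sample data; their field
names are this script's own assumptions, not a Huawei Cloud API schema.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class DnatRule:
    eip: str            # public EIP on the NAT gateway
    external_port: int  # port exposed on the EIP
    private_ip: str     # TaurusDB instance private address
    internal_port: int  # instance listening port
    protocol: str = "tcp"


@dataclass(frozen=True)
class SgRule:
    direction: str  # "inbound" or "outbound"
    protocol: str   # "tcp", "udp", "icmp" or "all"
    port_min: int
    port_max: int
    source: str     # CIDR allowed to connect


def sg_allows(rules, port, protocol="tcp"):
    """Return the inbound rules that admit `protocol`/`port`."""
    return [r for r in rules
            if r.direction == "inbound"
            and r.protocol in (protocol, "all")
            and r.port_min <= port <= r.port_max]


def review_binding(dnat_rules, sg_rules, instance_ip, instance_port):
    """Return a list of (severity, message) findings; an empty list means OK."""
    findings = []

    # 1. Some DNAT rule must forward to the instance's private IP and port.
    mine = [r for r in dnat_rules
            if r.private_ip == instance_ip and r.internal_port == instance_port]
    if not mine:
        findings.append(("error", "no DNAT rule targets the instance"))

    # 2. Ports must be in 1..65535 and one EIP:port may not serve two targets.
    seen = {}
    for r in dnat_rules:
        if not 1 <= r.external_port <= 65535:
            findings.append(("error", f"external port {r.external_port} out of range"))
        key = (r.eip, r.external_port, r.protocol)
        target = (r.private_ip, r.internal_port)
        if key in seen and seen[key] != target:
            findings.append(("error", f"{r.eip}:{r.external_port} maps to two targets"))
        seen.setdefault(key, target)

    # 3. The security group must admit the DB port, from a specific source only.
    admit = sg_allows(sg_rules, instance_port)
    if not admit:
        findings.append(("error", f"security group does not allow inbound tcp/{instance_port}"))
    for r in admit:
        if ipaddress.ip_network(r.source, strict=False).prefixlen == 0:
            findings.append(("warning", f"inbound tcp/{instance_port} is open to {r.source}; restrict the source"))
        if r.protocol == "all" or (r.port_min == 1 and r.port_max == 65535):
            findings.append(("warning", f"rule for {r.source} allows all ports; limit it to {instance_port}"))
    return findings


# Constructed sample state: two instances behind one EIP on different ports,
# the pattern described under Precautions.
SAMPLE_DNAT = [
    DnatRule("203.0.113.10", 3306, "192.168.0.20", 3306),
    DnatRule("203.0.113.10", 3307, "192.168.0.21", 3306),
]
SAMPLE_SG_GOOD = [SgRule("inbound", "tcp", 3306, 3306, "198.51.100.0/24")]
SAMPLE_SG_OPEN = [SgRule("inbound", "all", 1, 65535, "0.0.0.0/0")]

if __name__ == "__main__":
    for name, sg in (("restricted", SAMPLE_SG_GOOD), ("open", SAMPLE_SG_OPEN)):
        print(f"security group '{name}':")
        for sev, msg in review_binding(SAMPLE_DNAT, sg, "192.168.0.20", 3306) or [("ok", "binding looks sound")]:
            print(f"  [{sev}] {msg}")
```

The restricted security group produces no findings; the open one is reported twice, once for the 0.0.0.0/0 source and once for the all-ports rule, which is exactly the exposure the NAT gateway binding is meant to avoid.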
Billing
You need to pay for the NAT Gateway and EIP services separately. For details about the NAT Gateway billing, see NAT Gateway Pricing Details. For details about the EIP billing, see EIP Pricing Details.
Binding or Unbinding a NAT Gateway
Binding a NAT Gateway
- Log in to the TaurusDB console.
- On the Instances page, click the instance name to go to the Basic Information page.
- In the Network Information area, click Bind under Gateway Address.
Figure 1 Binding a gateway
- In the displayed dialog box, select the gateway name and EIP, enter a port, and click OK.
Figure 2 Binding a gateway address
Table 2 Parameter description
Gateway Name: Name of the public NAT gateway. If no available gateway addresses are displayed, click Gateway Address and buy a public NAT gateway.
EIP: EIP to be bound.
- You can select an EIP that is not bound to any resource.
- If an EIP is bound to another resource, go to the NAT Gateway > Public NAT Gateways page, click the target gateway name, and check the existing EIPs on the DNAT Rules tab. Then return to the TaurusDB console and bind an EIP.
Port: Port used to provide services for external systems. You can connect to the DB instance using the EIP and this port. The value ranges from 1 to 65535.
- In the Network Information area, check the binding result under Gateway Address. If the Gateway Address column shows an IP address and port, the binding is successful.
The IP address is the bound EIP.
Figure 3 Checking the binding result
Unbinding a NAT Gateway
- Log in to the TaurusDB console.
- On the Instances page, click the instance name to go to the Basic Information page.
- In the Network Information area, click Unbind under Gateway Address.
- In the displayed dialog box, confirm the information and click OK.
- If you have enabled operation protection, click Send Code in the displayed Identity Verification dialog box and enter the obtained verification code. Then, click OK.
Two-factor authentication improves the security of your account. For details about how to enable operation protection, see Identity and Access Management User Guide.
- In the Network Information area, check the unbinding result under Gateway Address. If the Gateway Address column is empty, the unbinding is successful.
To bind a gateway address to the instance again, see Binding a NAT Gateway.