What Is NAT Gateway?

Updated at: Sep 02, 2021 GMT+08:00

Public NAT gateways and private NAT gateways are used in different scenarios to provide network address translation (NAT).

Public NAT Gateways

Public NAT gateways provide network address translation (NAT) with 20 Gbit/s of bandwidth for Elastic Cloud Servers (ECSs) and Bare Metal Servers (BMSs) in a Virtual Private Cloud (VPC), and for servers in on-premises data centers that connect to a VPC through Direct Connect or Virtual Private Network (VPN). These servers can share elastic IP addresses (EIPs) to access the Internet or to provide services accessible from the Internet.

Public NAT gateways support source NAT (SNAT) and destination NAT (DNAT).

  • SNAT translates private IP addresses into EIPs, allowing servers in a VPC to share an EIP to access the Internet in a secure and efficient way.
    Figure 1 shows the SNAT architecture.
    Figure 1 SNAT architecture

  • DNAT enables servers in a VPC to share an EIP to provide services accessible from the Internet through IP address mapping or port mapping.

    Figure 2 shows the DNAT architecture.

    Figure 2 DNAT architecture

Private NAT Gateways

Private NAT gateways provide private address translation services for Elastic Cloud Servers (ECSs) and Bare Metal Servers (BMSs) in a VPC. You can configure source NAT (SNAT) and destination NAT (DNAT) rules for the private NAT gateway to translate the source and destination IP addresses into transit IP addresses. The transit IP addresses enable servers in a VPC to communicate with other VPCs or on-premises data centers.

Specifically:

  • SNAT enables multiple servers across AZs in a VPC to share the transit IP address to access on-premises data centers or other VPCs.
  • DNAT enables servers that share the same transit IP address in a VPC to provide services accessible from on-premises data centers or other VPCs through IP address mapping or port mapping.

Transit Subnet

A transit subnet functions as a transit network. You can assign a transit IP address in the transit subnet so that servers in a local VPC can share the transit IP address to access on-premises data centers or other VPCs.

Transit VPC

A transit VPC is the VPC to which the transit subnet belongs.

Figure 3 Private NAT gateway

The preceding figure shows two application scenarios of private NAT gateways.

  • Communication between VPCs with an overlapping CIDR block

    Under normal conditions, VPCs with an overlapping CIDR block cannot access each other. With private NAT gateways, you can configure SNAT and DNAT rules to translate the private IP addresses of the VPCs to transit IP addresses, so that servers in the two VPCs can communicate with each other.

  • Using a specified IP address to access a remote private network

    You are required to use a specified IP address to access an on-premises data center and a VPC on the remote private network. The on-premises data center is connected to the transit VPC through Direct Connect or VPN. The VPC is connected to the transit VPC through a VPC Peering connection. The local VPC1 uses a private NAT gateway. You need to configure SNAT rules to translate the private IP address of the local VPC1 to a specified IP address, so that servers in the local VPC1 can use the specified IP address to access the remote private network.
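
The first scenario above (two VPCs with an overlapping CIDR block), modelled as an added example that is not part of the original page and does not use the NAT Gateway API. Each private NAT gateway is reduced to a rule table; the CIDR block, transit IP addresses and ports are constructed values, and source ports are left unchanged for brevity.

```python
import ipaddress
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

class PrivateNat:
    """Toy model of one private NAT gateway (hypothetical, not the service API)."""
    def __init__(self):
        self.snat = []   # list of (source network, transit IP)
        self.dnat = {}   # (transit IP, port) -> (private IP, private port)

    def add_snat(self, cidr, transit_ip):
        self.snat.append((ipaddress.ip_network(cidr), transit_ip))

    def add_dnat(self, transit_ip, port, private_ip, private_port):
        self.dnat[(transit_ip, port)] = (private_ip, private_port)

    def egress(self, pkt):
        """SNAT: rewrite the source of a packet leaving the VPC."""
        for net, transit_ip in self.snat:
            if ipaddress.ip_address(pkt.src) in net:
                return replace(pkt, src=transit_ip)
        return None  # no SNAT rule matches: the model does not forward it

    def ingress(self, pkt):
        """DNAT: rewrite the destination of a packet entering the VPC."""
        target = self.dnat.get((pkt.dst, pkt.dport))
        if target is None:
            return None  # transit IP/port is not mapped to any server
        return replace(pkt, dst=target[0], dport=target[1])

def send(pkt, local_gw, remote_gw):
    """Carry a packet from the local VPC to the remote VPC via transit IPs."""
    out = local_gw.egress(pkt)
    return remote_gw.ingress(out) if out else None

# Constructed values: both VPCs use the same CIDR; 10.0.0.x are transit IPs.
OVERLAP = "192.168.0.0/24"
gw_a, gw_b = PrivateNat(), PrivateNat()
gw_a.add_snat(OVERLAP, "10.0.0.11")                   # VPC A servers leave as 10.0.0.11
gw_b.add_dnat("10.0.0.22", 80, "192.168.0.5", 8080)   # VPC B service behind 10.0.0.22:80

if __name__ == "__main__":
    print(send(Packet("192.168.0.5", 40000, "10.0.0.22", 80), gw_a, gw_b))
```

The server in VPC B sees 10.0.0.11 as its peer rather than the overlapping 192.168.0.5, and in this model traffic without a matching SNAT or DNAT rule is not forwarded.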

Private NAT gateways are in open beta test (OBT) in the following regions: CN North-Beijing4, CN East-Shanghai1, CN South-Guangzhou, CN South-Guiyang1, CN-Hong Kong, AP-Singapore, AP-Bangkok, Africa-Johannesburg, and LA-Sao Paulo1.

How Do I Access the NAT Gateway Service?

You can access the NAT Gateway service through the management console or using HTTPS-based APIs.
  • Management console

    You can use the console to perform operations on NAT gateways. Log in to the management console and choose NAT Gateway from the service list.

  • APIs

    Use APIs if you need to integrate NAT Gateway into a third-party system for secondary development. For details, see NAT Gateway API Reference.
