Updated on 2024-08-15 GMT+08:00

Using a Public NAT Gateway and VPC Peering to Enable Communications Between VPCs and the Internet

Scenarios

There are two VPCs in the same region: VPC A and VPC B. VPC A has a subnet, subnet A, and VPC B has a subnet, subnet B. Create a public NAT gateway for subnet A, then add SNAT and DNAT rules so that servers in subnet A can access the Internet and provide services accessible from the Internet. Subnet B connects to subnet A through a VPC peering connection, so servers in subnet B can also use the public NAT gateway of subnet A to access the Internet and provide services accessible from the Internet. You do not need to configure another public NAT gateway specifically for subnet B.

Solution Advantages

Only one public NAT gateway needs to be configured. Servers in the two VPCs can use the same public NAT gateway to communicate with the Internet, saving gateway resources.

Typical Topology

The CIDR block of VPC A is 192.168.0.0/16 and that of subnet A is 192.168.1.0/24.

The CIDR block of VPC B is 192.168.0.0/16 and that of subnet B is 192.168.2.0/24.

Implementation methods:

  1. Configure NAT Gateway in VPC A. Add SNAT and DNAT rules.
  2. Create a VPC peering connection between subnet A and subnet B, enabling servers in subnet B to use a public NAT gateway to access the Internet and provide services accessible from the Internet.

Prerequisites

  • If the VPCs connected by a VPC peering connection have overlapping CIDR blocks, the connection can only enable communications between specific (non-overlapping) subnets of the VPCs.
  • The subnets of the two VPCs must not overlap with each other.

Configuring a Public NAT Gateway

  1. Buy a public NAT gateway.

    Select VPC A for VPC. For details about how to configure other parameters, see Buying a Public NAT Gateway.

  2. Add an SNAT rule.

    1. Select VPC for Scenario and subnet A for Subnet. For more details, see Adding an SNAT Rule.
    2. Add an SNAT rule for subnet B. Set Scenario to Direct Connect/Cloud Connect and enter the CIDR block of subnet B.

  3. Add a DNAT rule.

    1. Add a DNAT rule for subnet A. Select VPC for Scenario and enter an IP address of a server in subnet A for Private IP Address. For more details, see Adding a DNAT Rule.
    2. Add a DNAT rule for subnet B. Set Scenario to Direct Connect/Cloud Connect and enter an IP address of a server in subnet B for Private IP Address.

Creating a VPC Peering Connection

  1. Create VPC A, VPC B, subnet A, and subnet B.

    For detailed operations, see Creating a VPC.

  2. Create a VPC peering connection.

    Create a VPC peering connection between subnet A and subnet B. For detailed operations, see Creating a VPC Peering Connection with Another VPC in Your Account.

    The local VPC is VPC A, and the peer VPC is VPC B.

    Add a route in the route table of VPC B. Set Destination to 0.0.0.0/0 and Next Hop to the created VPC peering connection between VPC A and VPC B.
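    The following pre-flight check is an added example and is not part of the original page or of Huawei Cloud's own tooling. It uses the CIDR blocks from the Typical Topology section to verify the prerequisites above (overlapping VPC CIDRs are allowed, the peered subnets must be disjoint and each must lie inside its own VPC), then derives the two SNAT rules and the VPC B default route that the procedure configures. The peering connection ID is a placeholder.

```python
"""Pre-flight check for the public NAT gateway + VPC peering topology.

Added example, not from the page or Huawei Cloud's tooling. CIDR values
are the ones stated in the Typical Topology section.
"""
from ipaddress import IPv4Address, IPv4Network

# Topology from the page: both VPCs use 192.168.0.0/16, so only
# non-overlapping subnets can communicate over the peering connection.
VPC_A = IPv4Network("192.168.0.0/16")
SUBNET_A = IPv4Network("192.168.1.0/24")
VPC_B = IPv4Network("192.168.0.0/16")
SUBNET_B = IPv4Network("192.168.2.0/24")


def check_peering_prerequisites(vpc_a, subnet_a, vpc_b, subnet_b):
    """Return a list of problems; an empty list means the topology qualifies."""
    problems = []
    if not subnet_a.subnet_of(vpc_a):
        problems.append(f"{subnet_a} is not inside VPC A {vpc_a}")
    if not subnet_b.subnet_of(vpc_b):
        problems.append(f"{subnet_b} is not inside VPC B {vpc_b}")
    # The VPC CIDRs may overlap, but the peered subnets must be disjoint.
    if subnet_a.overlaps(subnet_b):
        problems.append(f"subnets {subnet_a} and {subnet_b} overlap")
    return problems


def plan_snat_rules(subnet_a, subnet_b):
    """SNAT rules the procedure adds: VPC scenario for the gateway's own
    subnet, Direct Connect/Cloud Connect scenario for the peered subnet."""
    return [
        {"scenario": "VPC", "cidr": str(subnet_a)},
        {"scenario": "Direct Connect/Cloud Connect", "cidr": str(subnet_b)},
    ]


def snat_scenario_for(src_ip, rules):
    """Which SNAT rule (if any) would translate traffic from src_ip."""
    ip = IPv4Address(src_ip)
    for rule in rules:
        if ip in IPv4Network(rule["cidr"]):
            return rule["scenario"]
    return None  # no rule: the source cannot reach the Internet via SNAT


def vpc_b_route(peering_id):
    """Default route VPC B needs so Internet-bound traffic crosses the peering.
    peering_id is a placeholder for the real VPC peering connection ID."""
    return {"destination": "0.0.0.0/0", "next_hop": peering_id}
```

    Running `check_peering_prerequisites(VPC_A, SUBNET_A, VPC_B, SUBNET_B)` on the page's topology returns an empty list even though the two VPC CIDRs are identical, which is exactly the case the prerequisites describe.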

Testing Connectivity of a VPC Peering Connection

After the configuration is complete, test the network connectivity.

Log in to a server in subnet B and ping a public IP address.

Log in to a server that can access the Internet and is not deployed in VPC A or VPC B. Use curl to check whether the server can communicate with subnet B via the EIP associated with the DNAT rule configured for subnet B.