Updated on 2024-03-30 GMT+08:00

Constraints and Limitations

Public NAT Gateway

When using a public NAT gateway, note the following:

  • Common restrictions
    • Rules on one public NAT gateway can use the same EIP, but rules on different NAT gateways must use different EIPs.
    • Each VPC can have only one NAT gateway.
    • Each VPC can be associated with multiple public NAT gateways.
    • SNAT and DNAT rules cannot use the same EIP.
    • If both an EIP and a public NAT gateway are configured for a server, data will be forwarded through the EIP.
    • Some carriers block the following ports for security reasons. It is recommended that you do not use these ports.

      Protocol   Ports
      TCP        42, 135, 137, 138, 139, 444, 445, 593, 1025, 1068, 1434, 3127, 3128, 3129, 3130, 4444, 4789, 4790, 5554, 5800, 5900, 9996
      UDP        135~139, 1026, 1027, 1028, 1068, 1433, 1434, 4789, 4790, 5554, 9996

    • NAT Gateway supports TCP, UDP, and ICMP, but does not support application layer gateway (ALG)-related technologies. In addition, NAT Gateway does not support the Encapsulating Security Payload (ESP) and Authentication Header (AH) protocols used by Generic Routing Encapsulation (GRE) tunnels and Internet Protocol Security (IPsec). This is inherent to how NAT Gateway works.
  • SNAT restrictions
    • Only one SNAT rule can be added for each VPC subnet.
    • When you add an SNAT rule in the VPC scenario, the custom CIDR block must be a subset of the NAT gateway's VPC subnets.
    • If an SNAT rule is used in the Direct Connect scenario, the custom CIDR block must be a CIDR block of a Direct Connect connection and cannot overlap with the NAT gateway's VPC subnets.
    • There is no limit on the number of SNAT rules that can be added on a public NAT gateway.
  • DNAT restrictions
    • DNAT rules cannot map virtual IP addresses to EIPs.
    • Only one DNAT rule can be configured for each port on a server. One port can be mapped to only one EIP.
    • A maximum of 200 DNAT rules can be added on a public NAT gateway.
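The public NAT gateway constraints above can be checked before rules are submitted. The following validator is an added example, not code from this documentation or the NAT Gateway service; the rule dictionaries, field names and sample addresses are assumptions constructed for illustration.

```python
import ipaddress
from collections import Counter

BLOCKED_PORTS = {  # ports the page lists as commonly blocked by carriers
    "tcp": {42, 135, 137, 138, 139, 444, 445, 593, 1025, 1068, 1434, 3127, 3128,
            3129, 3130, 4444, 4789, 4790, 5554, 5800, 5900, 9996},
    "udp": {*range(135, 140), 1026, 1027, 1028, 1068, 1433, 1434, 4789, 4790, 5554, 9996},
}
MAX_DNAT_RULES = 200  # per public NAT gateway

def check_public_nat(vpc_subnets, snat_rules, dnat_rules):
    """Return the public NAT gateway constraints a rule set violates, as strings.
    snat: 'cidr', 'eip', 'scenario' ('vpc'|'direct_connect'); dnat: 'eip', 'server', 'protocol', 'port'."""
    subnets = [ipaddress.ip_network(s) for s in vpc_subnets]
    problems = []
    # SNAT and DNAT rules cannot use the same EIP.
    for eip in {r["eip"] for r in snat_rules} & {r["eip"] for r in dnat_rules}:
        problems.append(f"EIP {eip} is used by both SNAT and DNAT rules")
    # Only one SNAT rule per VPC subnet.
    for cidr, n in Counter(r["cidr"] for r in snat_rules).items():
        if n > 1:
            problems.append(f"{n} SNAT rules for {cidr}; only one is allowed")
    # Custom CIDR: inside the VPC subnets (VPC scenario) or disjoint from them (Direct Connect).
    for r in snat_rules:
        cidr = ipaddress.ip_network(r["cidr"])
        if r["scenario"] == "vpc" and not any(cidr.subnet_of(s) for s in subnets):
            problems.append(f"SNAT CIDR {cidr} is not within the VPC subnets")
        if r["scenario"] == "direct_connect" and any(cidr.overlaps(s) for s in subnets):
            problems.append(f"Direct Connect SNAT CIDR {cidr} overlaps the VPC subnets")
    # At most 200 DNAT rules, one rule per server port, and no carrier-blocked ports.
    if len(dnat_rules) > MAX_DNAT_RULES:
        problems.append(f"{len(dnat_rules)} DNAT rules exceed the limit of {MAX_DNAT_RULES}")
    for (srv, proto, port), n in Counter((r["server"], r["protocol"], r["port"]) for r in dnat_rules).items():
        if n > 1:
            problems.append(f"{n} DNAT rules map {srv} {proto}/{port}; only one is allowed")
    for r in dnat_rules:
        if r["port"] in BLOCKED_PORTS.get(r["protocol"], ()):
            problems.append(f"DNAT port {r['protocol']}/{r['port']} is often blocked by carriers")
    return problems

if __name__ == "__main__":
    # Constructed sample input: documentation address ranges, not real EIPs or servers.
    vpc = ["10.0.1.0/24", "10.0.2.0/24"]
    snat = [{"cidr": "10.0.1.0/24", "eip": "203.0.113.10", "scenario": "vpc"},
            {"cidr": "10.0.1.0/25", "eip": "203.0.113.11", "scenario": "direct_connect"}]
    dnat = [{"eip": "203.0.113.10", "server": "10.0.2.5", "protocol": "tcp", "port": 445},
            {"eip": "203.0.113.12", "server": "10.0.2.5", "protocol": "tcp", "port": 443},
            {"eip": "203.0.113.13", "server": "10.0.2.5", "protocol": "tcp", "port": 443}]
    for p in check_public_nat(vpc, snat, dnat):
        print("violation:", p)
```

The sample deliberately breaks four of the listed constraints (shared EIP, overlapping Direct Connect CIDR, duplicate server port, carrier-blocked port) so each check is exercised once.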

Private NAT Gateway

When using a private NAT gateway, note the following:

  • Common restrictions
    • Manually add routes in a VPC to connect it to a remote private network through a VPC peering connection, Direct Connect, or VPN connection.
    • The transit IP address and destination IP address cannot be in the same VPC.
    • SNAT and DNAT rules cannot share a transit IP address.
    • The total number of DNAT and SNAT rules that can be added on a private NAT gateway varies with the private NAT gateway specifications.
      • Small: 20 or less
      • Medium: 50 or less
      • Large: 200 or less
      • Extra-large: 500 or less
  • SNAT restrictions
    • Only one SNAT rule can be added for each VPC subnet.
  • DNAT restrictions
    • A DNAT rule with Port Type set to All ports cannot share a transit IP address with a DNAT rule with Port Type set to Specific port.