Using a Private NAT Gateway to Connect Cloud and On-premises Networks
Scenarios
You can use a private NAT gateway to enable communications between cloud and on-premises networks.
The following figure shows how a private NAT gateway enables ECSs in a VPC to communicate with your on-premises data center that has been connected to the cloud using Direct Connect.
Operation Process
Procedure | Description
---|---
Preparations | Before using cloud services, sign up for a HUAWEI ID, enable Huawei Cloud services, complete real-name authentication, and top up your account.
Step 1: Create a Service VPC and a Transit VPC | Create a service VPC and a transit VPC.
Step 2: Create a VPC Peering Connection | Create a VPC peering connection to connect your local data center to a transit VPC.
Step 3: Buy a Private NAT Gateway | Buy a private NAT gateway.
Step 4: Assign a Transit IP Address | Assign a transit IP address in the transit VPC for the SNAT rule to use.
Step 5: Add an SNAT Rule | After the private NAT gateway is created, add an SNAT rule so that servers in the VPC can share a transit IP address to access on-premises data centers or other VPCs.
Step 6: Add a Route | Add a route and configure the destination, next hop type, and next hop to determine where network traffic is directed.
Step 7: Add a Security Group Rule | Add an inbound security group rule to allow traffic to servers in the destination VPC.
Preparations
Before using NAT gateways, sign up for a HUAWEI ID, enable Huawei Cloud services, complete real-name authentication, and top up your account.
Step 1: Create a Service VPC and a Transit VPC
A VPC provides an isolated virtual network for ECSs. You can configure and manage your network as required.
You need to create two VPCs, one for your services, and one as the transit VPC.
For details, see Creating a VPC.
Step 2: Create a VPC Peering Connection
In production, a Direct Connect connection links your on-premises data center to the cloud (the CN-Hong Kong region). In this example, a VPC peering connection is used in place of that Direct Connect connection.
Create a VPC peering connection to connect your local data center to a transit VPC. For details, see VPC Peering Connection.
For details about how to use Direct Connect to connect your data center (the destination VPC in the VPC peering connection) to the transit VPC, see Overview.
Step 3: Buy a Private NAT Gateway
- Go to the Buy Private NAT Gateway page.
- On the Buy Private NAT Gateway page, configure required parameters.
Figure 2 Buy Private NAT Gateway
Table 1 Descriptions of private NAT gateway parameters

Parameter | Example | Description
---|---|---
Billing Mode | Pay-per-use | The billing mode of the private NAT gateway.
Region | CN-Hong Kong | The region where the private NAT gateway is located.
Name | private-nat-01 | The name of the private NAT gateway. Enter up to 64 characters including only digits, letters, underscores (_), and hyphens (-).
VPC | vpc-A | The service VPC that the private NAT gateway belongs to. The selected VPC cannot be changed after the private NAT gateway is purchased.
Subnet | Subnet-A01 | The subnet that the private NAT gateway belongs to. The subnet must have at least one available IP address. The selected subnet cannot be changed after the private NAT gateway is purchased.
Specifications | Small | The specifications of the private NAT gateway.
Enterprise Project | default | The enterprise project that the private NAT gateway belongs to. If you have not configured any enterprise project, select the default enterprise project. You can configure the enterprise project to which the private NAT gateway belongs only after the enterprise project function is enabled for you.
Tag | Not required | The private NAT gateway tag. A tag is a key-value pair. You can add up to 20 tags to each private NAT gateway.
Description | Not required | Supplementary information about the private NAT gateway. Enter up to 255 characters. Angle brackets (<>) are not allowed.
- Click Buy Now.
- In the private NAT gateway list, check the gateway status.
Step 4: Assign a Transit IP Address
- On the Private NAT Gateways page, click Transit IP Addresses > Assign Transit IP Address.
Figure 3 Assigning a transit IP address
- Configure required parameters. For details, see Table 2.
Table 2 Parameter descriptions of a transit IP address

Parameter | Example | Description
---|---|---
Transit VPC | - | The VPC to which the transit IP address belongs.
Transit Subnets | - | A transit subnet is a transit network and is the subnet to which the transit IP address belongs. The subnet must have at least one available IP address.
Transit IP Address | Automatic | The transit IP address can be assigned in either of the following ways. Automatic: the system automatically assigns a transit IP address. Manual: you need to manually assign a transit IP address.
Enterprise Project | default | The enterprise project to which the transit IP address belongs.
Tag | Not required | The transit IP address tag, which consists of a key and value pair. You can add up to 20 tags to each transit IP address.
- Click OK.
Step 5: Add an SNAT Rule
- Go to the private NAT gateway list page.
- On the Private NAT Gateways page, click the name of the private NAT gateway on which you need to add an SNAT rule.
- On the SNAT Rules tab, click Add SNAT Rule.
- Configure required parameters. For details, see Table 3.
Table 3 Descriptions of SNAT rule parameters

Parameter | Example | Description
---|---|---
Subnet | Existing | The subnet type of the SNAT rule. Select Existing or Custom. Select a subnet where IP address translation is required in the service VPC.
Monitoring | - | You can create alarm rules to watch the number of SNAT connections.
Transit IP Address | - | The transit IP address you assigned in Step 4: Assign a Transit IP Address.
Description | Not required | Supplementary information about the SNAT rule. Enter up to 255 characters. Angle brackets (<>) are not allowed.
- Click OK.
- View details in the SNAT rule list. If Status is Running, the rule has been added.
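The SNAT rule above lets every server in the selected subnet share the one transit IP address. The following model is an added example (not the gateway's own code) of what that rule does on the wire: outbound packets get the transit IP and a unique transit port as their source, a translation table lets replies from the on-premises side find their way back to the originating server, and unsolicited inbound packets that match no entry are dropped. It also shows the failure mode the Monitoring alarm in Table 3 exists to catch: when the port pool behind a single transit IP is used up, new connections fail. All addresses and port ranges are constructed placeholders.

```python
"""Constructed model of the Step 5 SNAT rule (added example, not the
gateway's own code). Servers in the service VPC share one transit IP
address; the gateway keeps a translation table so that replies from the
on-premises side are delivered back to the right server. All IPs and
port ranges below are placeholders."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    """One direction of a TCP/UDP connection: source and destination endpoints."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class SnatGateway:
    def __init__(self, transit_ip: str, first_port: int, last_port: int) -> None:
        self.transit_ip = transit_ip
        # Pool of transit-IP source ports still free; pop() hands out the lowest first.
        self._free_ports: List[int] = list(range(last_port, first_port - 1, -1))
        self._forward: Dict[Flow, int] = {}   # original flow -> transit port
        self._reverse: Dict[int, Flow] = {}   # transit port  -> original flow

    def outbound(self, flow: Flow) -> Flow:
        """Rewrite a packet leaving the service VPC so its source is the transit IP."""
        port = self._forward.get(flow)
        if port is None:
            if not self._free_ports:
                # This is what the SNAT connection-count alarm (Table 3, Monitoring) warns about.
                raise RuntimeError("SNAT port pool exhausted; new connections are dropped")
            port = self._free_ports.pop()
            self._forward[flow] = port
            self._reverse[port] = flow
        return Flow(self.transit_ip, port, flow.dst_ip, flow.dst_port)

    def inbound(self, flow: Flow) -> Optional[Flow]:
        """Map a reply addressed to transit IP:port back to the originating server.

        Packets that match no outbound connection are dropped (None): SNAT only
        admits replies to traffic that left the service VPC first."""
        if flow.dst_ip != self.transit_ip:
            return None
        original = self._reverse.get(flow.dst_port)
        if original is None or (original.dst_ip, original.dst_port) != (flow.src_ip, flow.src_port):
            return None
        return Flow(flow.src_ip, flow.src_port, original.src_ip, original.src_port)

    def active_connections(self) -> int:
        """Current size of the translation table (the number the alarm rule would watch)."""
        return len(self._forward)


def demo() -> Tuple[Flow, Flow, Optional[Flow]]:
    """Two servers in vpc-A reach an on-premises host in 10.0.0.0/24 through one transit IP."""
    gw = SnatGateway("192.168.0.10", first_port=40000, last_port=40999)  # constructed values
    a = gw.outbound(Flow("10.1.0.11", 51000, "10.0.0.5", 22))
    b = gw.outbound(Flow("10.1.0.12", 51000, "10.0.0.5", 22))  # same source port, distinct transit port
    reply = gw.inbound(Flow("10.0.0.5", 22, "192.168.0.10", a.src_port))
    return a, b, reply


if __name__ == "__main__":
    print(*demo(), sep="\n")
```

The point for the security group step later in this procedure: the on-premises side only ever sees the transit IP as the source of this traffic, so that single address is what an inbound rule at the destination needs to admit.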
Step 6: Add a Route
- Go to the route table list page.
- In the route table list, click the name of the route table associated with the service VPC.
- Click Add Route and configure required parameters.
Table 4 Route parameters

Parameter | Example | Description
---|---|---
Destination | 10.0.0.0/24 | The destination CIDR block. Set it to the CIDR block used by your on-premises data center.
Next Hop Type | NAT gateway | Type of the next hop.
Next Hop | private-nat-01 | Set Next Hop to the private NAT gateway.
Description | Not required | (Optional) Supplementary information about the route. Enter up to 255 characters. Angle brackets (<>) are not allowed.
- Click OK.
Step 7: Add a Security Group Rule
- Go to the security group list page.
- Locate the target security group and click Manage Rules in the Operation column.
The page for configuring security group rules is displayed.
- On the Inbound Rules tab, click Add Rule. In the displayed dialog box, configure required parameters.
You can click + to add more inbound rules.
Table 5 Description of inbound rule parameters

Parameter | Example | Description
---|---|---
Priority | 1 | Priority of a rule. A smaller value indicates a higher priority.
Action | Allow | Allow or Deny. If the Action is set to Allow, access from the source is allowed to ECSs in the security group over specified ports. If the Action is set to Deny, access from the source is denied to ECSs in the security group over specified ports.
Protocol & Port | TCP; 22 or 22-30 | Protocol: Network protocol. The value can be All, TCP, UDP, ICMP, or GRE. Port: The port or port range over which the traffic can reach your ECS. The value ranges from 1 to 65535.
Source | 0.0.0.0/0 | Source of the security group rule. The value can be a single IP address, an IP address group, or a security group, to allow access from the specified IP address, IP address group, or instances in another security group. For more information about IP address groups, see IP Address Group Overview.
Description | Not required | (Optional) Supplementary information about the security group rule. Enter up to 255 characters. Angle brackets (<>) are not allowed.
- Click OK.
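Steps 4 to 7 each enter a value that has to agree with the others: the transit IP address must come from the transit subnet (Table 2), the route destination is the on-premises CIDR block and must not swallow the service VPC's own addresses (Table 4), and the inbound security group rule must admit the traffic that actually arrives, which after SNAT carries the transit IP address as its source, while a source of 0.0.0.0/0 (the Table 5 example) admits far more than that. The following pre-flight check is an added example, not Huawei Cloud code; it uses only the standard-library ipaddress module, and every CIDR, address and rule in it is a constructed placeholder to be replaced with your own plan.

```python
"""Constructed pre-flight checks for the values entered in Steps 4 to 7
(added example, not Huawei Cloud code). All CIDRs, IPs and rules are
placeholders; substitute your own plan."""
import ipaddress
from typing import Dict, List, Tuple


def parse_port_range(spec: str) -> Tuple[int, int]:
    """Accept the Table 5 forms '22' or '22-30'; ports must lie in 1..65535."""
    lo_text, _, hi_text = spec.partition("-")
    lo, hi = int(lo_text), int(hi_text or lo_text)
    if not 1 <= lo <= hi <= 65535:
        raise ValueError(f"port range out of bounds: {spec}")
    return lo, hi


def check_plan(service_vpc_cidr: str, transit_subnet_cidr: str, transit_ip: str,
               route_destination: str, inbound_rules: List[Dict[str, str]]) -> List[str]:
    """Return a list of findings; an empty list means the plan is consistent."""
    findings: List[str] = []
    service_vpc = ipaddress.ip_network(service_vpc_cidr)
    transit_subnet = ipaddress.ip_network(transit_subnet_cidr)
    tip = ipaddress.ip_address(transit_ip)
    destination = ipaddress.ip_network(route_destination)

    # Table 2: the transit IP address belongs to the transit subnet.
    if tip not in transit_subnet:
        findings.append(f"transit IP {tip} is not inside transit subnet {transit_subnet}")
    # Table 4: the route to the on-premises CIDR must not cover the service VPC itself,
    # or traffic for local addresses would be sent to the NAT gateway.
    if destination.overlaps(service_vpc):
        findings.append(f"route destination {destination} overlaps service VPC {service_vpc}")
    # Step 7: after SNAT the destination sees the transit IP as the source of all
    # service-VPC traffic, so that single address is what the inbound rule must admit.
    for rule in inbound_rules:
        if rule["action"] != "Allow":
            continue
        if "port" in rule:
            try:
                parse_port_range(rule["port"])
            except ValueError as err:
                findings.append(f"rule {rule}: {err}")
        source = ipaddress.ip_network(rule["source"])
        if tip not in source:
            findings.append(f"rule {rule}: source {source} does not admit traffic from transit IP {tip}")
        elif source.prefixlen < source.max_prefixlen:
            # Wider than the one transit address SNAT presents, e.g. 0.0.0.0/0.
            findings.append(f"rule {rule}: source {source} is wider than {tip}/{source.max_prefixlen}")
    return findings


def demo() -> List[str]:
    """Check a plan built from the example values used in this procedure (constructed CIDRs)."""
    rules = [{"action": "Allow", "protocol": "TCP", "port": "22", "source": "0.0.0.0/0"}]
    return check_plan("10.1.0.0/16", "192.168.0.0/24", "192.168.0.10", "10.0.0.0/24", rules)


if __name__ == "__main__":
    for finding in demo() or ["plan is consistent"]:
        print(finding)
```

Run against the example values, the only finding is the overly wide rule source; replacing 0.0.0.0/0 with the transit IP address as a /32 clears it.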