Halaman ini belum tersedia dalam bahasa lokal Anda. Kami berusaha keras untuk menambahkan lebih banyak versi bahasa. Terima kasih atas dukungan Anda.
- What's New
- Function Overview
- Service Overview
- Billing
-
Getting Started
- Using a Public NAT Gateway to Enable Servers to Share One or More EIPs to Access the Internet
- Using a Public NAT Gateway to Enable Servers to Be Accessed by the Internet
- Using a Private NAT Gateway to Connect Cloud and On-premises Networks
- Using Multiple Public NAT Gateways Together in Performance-Demanding Scenarios
-
User Guide
- Public NAT Gateways
- Private NAT Gateways
- Permissions Management
- Tag Management
- Managing Quotas
- Monitoring
- Auditing
-
Best Practices
- Enabling Private Networks to Access the Internet Using a Cloud Connection and SNAT
- Using a Public NAT Gateway and Direct Connect to Accelerate Internet Access
- Using a Private NAT Gateway and Direct Connect to Enable Communications Between a VPC and an On-premises Data Center
- Using a Public NAT Gateway and VPC Peering to Enable Communications Between VPCs and the Internet
- Preserving Your Network with NAT Gateways During Cloud Migration
-
API Reference
- Before You Start
- API Overview
- Calling APIs
- APIs of Public NAT Gateways
- APIs for Private NAT Gateways
- Application Examples
- Permissions Policies and Supported Actions
- Appendixes
- Out-of-Date APIs
- SDK Reference
-
FAQs
-
Public NAT Gateways
- What Is the Relationship Between a VPC, Public NAT Gateway, EIP Bandwidth, and ECS?
- How Does a Public NAT Gateway Offer High Availability?
- Which Ports Cannot Be Accessed?
- What Are the Differences Between Using a Public NAT Gateway and Using an EIP for an ECS?
- What Should I Do If I Fail to Access the Internet Through a Public NAT Gateway?
- Can I Change the VPC for a Public NAT Gateway?
- Does Public NAT Gateway Support IPv6 Addresses?
- What Security Policies Can I Configure to Implement Access Control If I Use a Public NAT Gateway?
- What Can I Do If Connection Between My Servers and the Internet Fails After I Add SNAT and DNAT Rules?
- Can a Public NAT Gateway Limit the Bandwidth of a Server?
- What Can I Do If the Number of Lost Packets of a Public NAT Gateway Exceeds the Threshold (or EIP Port Allocation Exceeds the Threshold)?
-
Private NAT Gateways
- How Do I Troubleshoot a Network Failure After a Private NAT Gateway Is Configured?
- How Many Private NAT Gateways Can I Buy in a VPC?
- Can I Increase the Numbers of SNAT and DNAT Rules Supported by a Private NAT Gateway?
- Can Private NAT Gateways Translate On-premises IP Addresses Connected to the Cloud Through Direct Connect?
- What Are the Differences Between Private NAT Gateways and Public NAT Gateways?
- Can a Private NAT Gateway Be Used Across Accounts?
-
SNAT Rules
- Why Do I Need SNAT?
- What Are SNAT Connections?
- What Is the Bandwidth of a Public NAT Gateway That Is Used by Servers to Access the Internet? How Do I Configure the Bandwidth?
- How Do I Resolve Packet Loss or Connection Failure Issues When Using a NAT Gateway?
- What Should I Do If My ECS Fails to Access a Server on the Public Network Through a Public NAT Gateway?
- What Are the Relationships and Differences Between the CIDR Blocks in a NAT Gateway and in an SNAT Rule?
- DNAT Rules
-
Public NAT Gateways
- Videos
- Glossary
-
More Documents
-
User Guide (ME-Abu Dhabi Region)
- Overview
- Getting Started
- Managing NAT Gateways
- Managing SNAT Rules
- Managing DNAT Rules
- Monitoring Management
-
FAQs
-
NAT Gateway
- What Is the Relationship Between VPC, NAT Gateway, EIP Bandwidth, and ECS?
- How Does A NAT Gateway Offer High Availability?
- Which Ports Cannot Be Accessed?
- What Can I Do If I Fail to Access the Internet Through the NAT Gateway?
- Can I Change the VPC for a NAT Gateway After It Is Created?
- What Is the Quota of the NAT Gateway?
-
SNAT
- Why SNAT Is Used?
- What Are SNAT Connections?
- What Is the Bandwidth of the NAT Gateway When a Server Accesses the Internet Through the NAT Gateway? Where Can I Configure the Bandwidth?
- How Do I Resolve Packet Loss or Connection Failure Issues When Using a NAT Gateway?
- What Are the Relationships and Differences Between the CIDR Blocks in a NAT Gateway and in an SNAT Rule?
- DNAT
-
NAT Gateway
- Change History
- API Reference (ME-Abu Dhabi Region)
-
User Guide (Paris Region)
- Overview
-
Getting Started
- Allowing a Private Network to Access the Internet Using SNAT
- Allowing Internet Users to Access a Service in a Private Network Using DNAT
- Allowing On-Premises Servers to Communicate with the Internet
- Using Private NAT Gateways to Enable Communications Between Cloud and On-premises Networks
- Using Multiple Public NAT Gateways Together in Performance-Demanding Scenarios
- Public NAT Gateways
- Private NAT Gateways
- Permissions Management
- Monitoring
-
FAQs
-
Public NAT Gateways
- What Is the Relationship Between a VPC, Public NAT Gateway, EIP Bandwidth, and ECS?
- How Does a Public NAT Gateway Offer High Availability?
- Which Ports Cannot Be Accessed?
- What Are the Differences Between Using a NAT Gateway and Using an EIP for an ECS?
- What Should I Do If I Fail to Access the Internet Through a NAT Gateway?
- Can I Change the VPC for a NAT Gateway?
- What Is the Quota of the NAT Gateway?
- Can I Update NAT Gateways and SNAT Rules?
- Does NAT Gateway Support IPv6 Addresses?
- What Security Policies Can I Configure to Implement Access Control If I Use a NAT Gateway?
- What Can I Do If Connection Between My Servers and the Internet Fails After I Add SNAT and DNAT Rules?
-
Private NAT Gateways
- How Do I Troubleshoot a Network Failure After a Private NAT Gateway Is Configured?
- How Many Private NAT Gateways Can I Create in a VPC?
- Can I Increase the Numbers of SNAT and DNAT Rules Supported by a Private NAT Gateway?
- Can an SNAT Rule and a DNAT Rule of a Private NAT Gateway Share the Same Transit IP Address?
- Can Private NAT Gateways Translate On-premises IP Addresses Connected to the Cloud Through Direct Connect?
- What Are the Differences Between Private NAT Gateways and Public NAT Gateways?
- Can a Private NAT Gateway Be Used Across ?
-
SNAT Rules
- Why Do I Need SNAT?
- What Are SNAT Connections?
- What Is the Bandwidth of a NAT Gateway That Is Used by Servers to Access the Internet? How Do I Configure the Bandwidth?
- How Do I Resolve Packet Loss or Connection Failure Issues When Using a NAT Gateway?
- What Should I Do If My ECS Fails to Access a Server on the Public Network Through a NAT Gateway?
- What Are the Relationships and Differences Between the CIDR Blocks in a NAT Gateway and in an SNAT Rule?
- DNAT Rules
-
Public NAT Gateways
- Change History
- API Reference (Paris Region)
-
User Guide (Kuala Lumpur Region)
- Overview
- Getting Started
- Managing NAT Gateways
- Managing SNAT Rules
- Managing DNAT Rules
- Permissions Management
- Monitoring Management
-
FAQs
- NAT Gateway
-
SNAT
- Why Is SNAT Used?
- What Are SNAT Connections?
- What Is the Bandwidth of the NAT Gateway When a Server Accesses the Internet Through the NAT Gateway? Where Can I Configure the Bandwidth?
- How Do I Resolve Packet Loss or Connection Failure Issues When Using a NAT Gateway?
- What Are the Relationships and Differences Between the CIDR Blocks in a NAT Gateway and in an SNAT Rule?
- DNAT
- Change History
- API Reference (Kuala Lumpur Region)
-
User Guide (Ankara Region)
- Service Overview
- Getting Started
- Public NAT Gateways
- Private NAT Gateways
- Permissions Management
- Monitoring
-
FAQs
- Public NAT Gateways
-
Private NAT Gateways
- How Do I Troubleshoot a Network Failure After a Private NAT Gateway Is Configured?
- How Many Private NAT Gateways Can I Create in a VPC?
- Can Private NAT Gateways Translate On-premises IP Addresses Connected to the Cloud Through Direct Connect?
- What Are the Differences Between Private NAT Gateways and Public NAT Gateways?
- Can a Private NAT Gateway Be Used Across Accounts?
- SNAT Rules
- DNAT Rules
- Change History
-
API Reference (Ankara Region)
- Before You Start
- API Overview
- Calling APIs
- APIs for Public NAT Gateways
- Private Nat API
- Permissions Policies and Supported Actions
- Common Parameters
- Change History
-
User Guide (ME-Abu Dhabi Region)
- General Reference
Show all
Copied.
Permissions Management
You can use Identity and Access Management (IAM) to manage NAT Gateway permissions and control access to your resources. IAM provides identity authentication, permissions management, and access control.
With IAM, you can create IAM users and assign permissions to control their access to specific resources. For example, you can create IAM users for software developers and assign specific permissions to allow them to use NAT Gateway resources but prevent them from being able to delete resources or perform any high-risk operations.
If your account does not require individual IAM users for permissions management, you can skip this section.
IAM is a free service. You only pay for the resources in your account. For more information about IAM, see Identity and Access Management User Guide.
NAT Gateway Permissions
New IAM users do not have any permissions assigned by default. You need to first add them to one or more groups and attach policies or roles to these groups. The users then inherit permissions from the groups and can perform specified operations on cloud services based on the permissions they have been assigned.
NAT Gateway is a project-level service deployed and accessed in specific physical regions. When assigning NAT Gateway permissions to a user group, specify region-specific projects where the permissions will take effect. If you select All projects, the permissions will be granted for all region-specific projects. When accessing NAT Gateway, the users need to switch to a region where they have been authorized to use this service.
You can grant users permissions by using roles and policies.
- Roles: A type of coarse-grained authorization mechanism that provides only a limited number of service-level roles. Cloud services depend on each other. When using roles to grant permissions, you also need to assign dependency roles. However, roles are not an ideal choice for fine-grained authorization and secure access control.
- Policies: A type of fine-grained authorization mechanism that defines permissions required to perform operations on specific cloud resources under certain conditions. This mechanism allows for more flexible policy-based authorization for more secure access control. For example, the account administrator can grant users only permission to manage a certain type of NAT gateways and SNAT rules. Most policies define permissions based on APIs. For the API actions supported by NAT Gateway, see section "Permissions Policies and Supported Actions" in the NAT Gateway API Reference.
Policy Name |
Description |
Type |
---|---|---|
NAT FullAccess |
All operations on NAT Gateway resources. |
System-defined policy |
NAT ReadOnlyAccess |
Read-only permissions for all NAT Gateway resources. |
System-defined policy |
NAT Administrator |
All operations on NAT Gateway resources. To be granted this permission, users must also have the Tenant Guest permissions. |
System-defined role |
Table 2 lists the common operations supported by each NAT Gateway system policy or role. Select the policies or roles as required.
Operation |
NAT FullAccess |
NAT ReadOnlyAccess |
NAT Gateway Administrator |
---|---|---|---|
Creating a NAT gateway |
√ |
x |
√ |
Querying NAT gateways |
√ |
√ |
√ |
Querying NAT gateway details |
√ |
√ |
√ |
Updating a NAT gateway |
√ |
x |
√ |
Deleting a NAT gateway |
√ |
x |
√ |
Adding an SNAT rule |
√ |
x |
√ |
Viewing an SNAT rule |
√ |
√ |
√ |
Modifying an SNAT rule |
√ |
x |
√ |
Deleting an SNAT rule |
√ |
x |
√ |
Adding a DNAT rule |
√ |
x |
√ |
Viewing a DNAT rule |
√ |
√ |
√ |
Modifying a DNAT rule |
√ |
x |
√ |
Deleting a DNAT rule |
√ |
x |
√ |
Creating a transit subnet |
√ |
x |
√ |
Querying transit subnets |
√ |
√ |
√ |
Querying details of a transit subnet |
√ |
√ |
√ |
Modifying a transit subnet |
√ |
x |
√ |
Deleting a transit subnet |
√ |
x |
√ |
Assigning a transit IP address |
√ |
x |
√ |
Querying a transit IP address |
√ |
√ |
√ |
Releasing a transit IP address |
√ |
x |
√ |
- Note the following when creating a DNAT rule:
- If you set Instance Type to Server and select an ECS, you also need to obtain the ECS ReadOnlyAccess permissions or the fine-grained permissions for actions ecs:cloudServers:get and ecs:cloudServers:list. For details, see the Elastic Cloud Server API Reference.
- If you set Instance Type to Server and select a BMS, you also need to obtain the BMS ReadOnlyAccess permissions or the fine-grained permissions for actions bms:servers:get and bms:servers:list. For details, see the Bare Metal Server API Reference.
- If you create a DNAT rule on a private NAT gateway and select Load balancer for Instance Type, you need to obtain the ELB ReadOnlyAccess permissions or the fine-grained permissions for actions elb:loadbalancers:get and elb:loadbalancers:list. For details, see the Elastic Load Balance API Reference.
- After a DNAT rule is created, add a security group rule to allow the Internet to access servers for which the DNAT rule is configured. Otherwise, the DNAT rule does not take effect. Obtain the VPC FullAccess permissions or the fine-grained permissions for action vpc:securityGroups:create by referring to the Virtual Private Cloud API Reference.
- To view metrics, obtain the CES ReadOnlyAccess permissions. For details, see the Cloud Eye API Reference.
- To view access logs, obtain the LTS ReadOnlyAccess permissions. For details, see the Log Tank Service API Reference.
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot