Enabling Internet Connectivity for an ECS Without an EIP Bound
Scenarios
To ensure platform security and conserve EIPs, EIPs are only assigned to specified ECSs. The ECSs that have not EIPs bound cannot access the Internet directly.
- (Recommended) Using NAT Gateway
A NAT gateway provides SNAT and DNAT to enable multiple ECSs in the same VPC to share an EIP to access the Internet or provide services for the Internet.
- Using a Linux Proxy ECS
If you already have an ECS that has an EIP bound, you can use the ECS as the proxy to provide an Internet access channel for other ECSs that are in the same network segment, in the same security group, and have no EIPs bound.
(Recommended) Using NAT Gateway
Prerequisites for this solution:
- You have purchased an EIP and a public NAT gateway.
- The public NAT gateway and the ECSs that need to access the Internet are in the same VPC.
|
Scenario |
Gateway Rule |
Reference |
|---|---|---|
|
Enabling ECSs without EIPs bound to access the Internet |
SNAT |
Using a Public NAT Gateway to Enable Servers to Share One or More EIPs to Access the Internet |
|
Enabling ECSs without EIPs bound to provide services for the Internet |
DNAT |
Using a Public NAT Gateway to Enable Servers to Be Accessed by the Internet |
Using a Linux Proxy ECS
Prerequisites for this solution:
- A proxy ECS with an EIP bound is available.
- The IP address of the proxy ECS is in the same network and same security group as the ECSs that need to access the Internet.
The following uses CentOS 7.9 as an example. The operations apply to CentOS 7.9 and earlier versions as well as Huawei Cloud EulerOS 2.0.
For other OSs and versions, see the help documentation of the corresponding official website or (Recommended) Using NAT Gateway.
- Log in to the management console.
- Click
in the upper left corner and select your region and project. - Click
. Under Compute, click Elastic Cloud Server. - In the search box above the upper right corner of the ECS list, enter the proxy ECS name for search.
- Click the name of the proxy ECS. The page providing details about the ECS is displayed.
- On the Network Interfaces tab, click
. Then, disable Source/Destination Check.
Figure 1 Disabling source/destination check
By default, the source/destination check function is enabled. When this function is enabled, the system checks whether source IP addresses contained in the packets sent by ECSs are correct. If the IP addresses are incorrect, the system does not allow the ECSs to send the packets. This mechanism prevents packet spoofing, thereby improving system security. However, this mechanism prevents the packet sender from receiving returned packets. Therefore, disable the source/destination check.
- Log in to the proxy ECS.
For more details, see Login Overview (Linux).
- Check whether the proxy ECS can access the Internet.
ping www.huaweicloud.com
The proxy ECS can access the Internet if information similar to the following is displayed:
Figure 2 Checking connectivity
- (Optional) Install the iptables service and set the automatic startup of iptables.
Perform this step only for ECSs running CentOS 7.x.
yum install iptables-services -y
systemctl start iptables
systemctl enable iptables
- Check whether IP forwarding is enabled on the proxy ECS.
cat /proc/sys/net/ipv4/ip_forward
- Open the IP forwarding configuration file in the vi editor.
- Press i to enter editing mode.
- Change the parameter value.
Set the net.ipv4.ip_forward value to 1.
If the sysctl.conf file does not contain the net.ipv4.ip_forward parameter, run the following command to add it:
echo net.ipv4.ip_forward=1 >> /etc/sysctl.conf
- Press Esc, type :wq, and press Enter.
The system saves the configurations and exits the vi editor.
- Apply the change.
- Delete the original iptables rules.
- Configure source network address translation (SNAT) to enable ECSs in the same network segment to access the Internet through the proxy ECS.
iptables -t nat -A POSTROUTING -o eth0 -s subnet/netmask-bits -j SNAT --to nat-instance-ip
For example, if the proxy ECS is in network segment 192.168.125.0, the subnet mask has 24 bits, and the private IP address is 192.168.125.4, run the following command:
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.125.0/24 -j SNAT --to 192.168.125.4
To retain the preceding configuration even after the ECS is restarted, run the vi /etc/rc.local command to edit the rc.local file. Specifically, copy the rule described in step 17 into rc.local, press Esc to exit Insert mode, and enter :wq to save the settings and exit.
- Save the iptables configuration and set the automatic startup of iptables.
chkconfig iptables on
- Check whether SNAT has been configured.
SNAT has been configured if information similar to Figure 3 is displayed.
- Add a route.
- Log in to the management console.
- Click in the upper left corner and select your region and project.
- Under Networking, click Virtual Private Cloud.
- Choose Route Tables in the left navigation pane. In the route table list, click a target route table. On the displayed page, click Add Route.
- Set route information on the displayed page.
- Destination: indicates the destination network segment. The default value is 0.0.0.0/0.
- Next Hop: indicates the private IP address of the proxy ECS.
You can obtain the private IP address of the ECS on the Elastic Cloud Server page.
- Delete the added iptables rules as needed.
iptables -t nat -D POSTROUTING -o eth0 -s subnet/netmask-bits -j SNAT --to nat-instance-ip
For example, if the proxy ECS is in network segment 192.168.125.0, the subnet mask has 24 bits, and the private IP address is 192.168.125.4, run the following command:
iptables -t nat -D POSTROUTING -o eth0 -s 192.168.125.0/24 -j SNAT --to 192.168.125.4
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot
