Help Center/ NAT Gateway/ Best Practices/ NAT Gateway Security Best Practices
Updated on 2025-08-06 GMT+08:00
View PDF
Share

NAT Gateway Security Best Practices

  1. Enhance permission management and improve access control.

    If you need to perform fine-grained permissions control on your NAT gateways, you can use Identity and Access Management (IAM). For details, see Permissions Management.

  2. Properly manage identity authentication to prevent data leaks.

    With IAM, NAT Gateway provides three identity authentication methods: username and password, access key, and temporary access key. In addition, Login Protection and Login Authentication Policy are provided.

    1. Use a temporary AK/SK.

      When you use NAT Gateway APIs or SDKs to manage resources, identity authentication is required to ensure the confidentiality, integrity, and correctness of requests. You are advised to configure an IAM agency to obtain a temporary access key, or directly configure temporary AK/SKs for your applications or cloud services. Temporary AK/SKs will expire after a short period, which reduces data leakage risks. For details, see Temporary Access Keys and Obtaining Temporary Access Keys and Security Tokens of an Agency.

    2. Periodically change permanent access keys.

      If you have to use a permanent AK/SK pair for access, periodically change it and store it after encryption. This can prevent data leaks in case you lose the preset plaintext credentials. For details, see Access Keys.

    3. Regularly change your username and password and avoid weak passwords.

      Regularly resetting passwords is one important measure to enhance system and application security. This practice not only lowers the chances of password exposure but also helps you meet compliance requirements, mitigate internal risks, and boost your security awareness. Also, complex passwords are recommended to reduce risks. For details, see Password Policy.

  3. Use the latest SDKs for better experience and security.

    You are advised to use the latest version of NAT Gateway SDKs to better protect your data. You can download the latest SDKs in your desired language from NAT Gateway SDKs.

  4. Do not use high-risk ports for DNAT rules.

    DNAT enables servers in a VPC to share an EIP to provide services accessible from the Internet. With an EIP, a public NAT gateway can forward all requests to the servers regardless of which port they originated on. However, high-risk ports are blocked by carriers by default. In this case, change these ports to common ports.