Updated on 2025-08-06 GMT+08:00

Using a Private NAT Gateway to Enable an ECS in a VPC to Access a Load Balancer in Another VPC

Scenarios

There are two applications (A and B) deployed in different VPCs. VPCs are isolated from each other by default, so the two applications cannot communicate with each other. To enable an application to access another, you can create a private NAT gateway and add a DNAT rule to it.

Solution Architecture

The following describes how to use a private NAT gateway to access a load balancer from a different VPC.

  1. Applications A and B are deployed in VPC-A and VPC-B, respectively. The two applications are isolated from each other.
  2. You can add a DNAT rule to a private NAT gateway so that application A on the ECS in VPC-A can reach the load balancer in VPC-B through a transit IP address located in VPC-A.
  3. No route is required in this practice.
Figure 1 Application A accessing ELB in a different VPC

Advantages

  1. Applications A and B are deployed in different VPCs, keeping their networks isolated and enhancing security.
  2. A DNAT rule allows only specific instances in VPC-B to provide services accessible from VPC-A, hiding other services in VPC-B from VPC-A. This enables refined network control.

Constraints

A load balancer can be the target of only one DNAT rule on a private NAT gateway in the same VPC. You cannot configure transit IP addresses in several different VPCs to access the same load balancer.

Resource Planning

In this example, you need to create VPCs, ECSs, a private NAT gateway, and a load balancer. For details about the resource planning, see Table 1.

Table 1 Resource planning

Resource | Quantity | Description
VPC and subnet | Two VPCs, each with a subnet | VPC-A, with the CIDR block of 192.168.0.0/16, containing subnet-A01 (192.168.0.0/24); VPC-B, with the CIDR block of 10.0.0.0/16, containing subnet-B01 (10.0.0.0/24)
Private NAT gateway | 1 | In this example, the name of the private NAT gateway is private_nat_gateway. It is used to connect VPC-A and VPC-B through a DNAT rule.
Load balancer | 1 | The load balancer in VPC-B to be accessed by the ECS in VPC-A
ECS | 2 | ECS-A running in VPC-A; ECS-B running in VPC-B

Preparations

  • Create two ECSs (ECS-A in VPC-A and ECS-B in VPC-B) and configure an application on each ECS. For details about how to purchase an ECS, see Purchasing and Using a Linux ECS (New Edition).
  • Create an HTTP backend server group (backend server group-B) and add ECS-B in VPC-B to it. Do not associate a load balancer with the backend server group. For details about how to create a backend server group, see Creating a Backend Server Group.

Step 1: Create a Load Balancer

  1. Go to the Buy Elastic Load Balancer page.
  2. Complete the basic configurations based on Table 2.
    Table 2 Parameters for configuring the basic information

    Parameter | Example Value | Description
    Type | Dedicated load balancer | Specifies the type of the load balancer. The type cannot be changed after the load balancer is created.
    Region | CN North-Beijing4 | Specifies the desired region. Resources in different regions cannot communicate with each other over internal networks.
    AZ | AZ1, AZ2 | Specifies the AZs where the load balancer works. An AZ is a part of a region and has its own independent power supplies and networks. AZs are physically isolated but interconnected through internal networks.
    Name | ELB01 | Specifies the load balancer name.

  3. Select specifications for the dedicated load balancer based on Table 3.
    Table 3 Load balancer specifications

    Parameter | Example Value | Description
    Specifications | Elastic; Application load balancing | Specify the required specifications.

  4. Complete the network configurations based on Table 4.
    Table 4 Configuring network parameters

    Parameter | Example Value | Description
    Network Type | Private IPv4 network | Specifies the network type of the load balancer.
    VPC | VPC-B | Specifies the VPC where the dedicated load balancer works. You cannot change the VPC after the load balancer is created. Plan the VPC as required.
    Frontend Subnet | subnet-B01 | Specifies the frontend subnet from which an IP address will be assigned to the dedicated load balancer to communicate with resources over the private network. After the load balancer is created, you can unbind the existing IP address and bind IPv4 and IPv6 addresses in a different subnet to the load balancer. Unbinding an IP address may affect service running.
    IPv4 Address | Automatically assign IP address | Specifies how you want the IPv4 address to be assigned if Network Type is set to Private IPv4 network.
    Backend Subnet | Subnet of the load balancer | Specifies the backend subnet from which IP addresses will be assigned to the dedicated load balancer to forward requests to and perform health checks on backend servers.

  5. Retain the default values for other parameters and click Buy Now.

Step 2: Add an HTTP Listener and Associate It with a Backend Server Group

Add an HTTP listener for ELB01 and associate the listener with backend server group-B you have created. Set Access Control to All IP addresses. For details, see Adding an HTTP Listener.

Step 3: Assign a Transit IP Address

  1. Go to the private NAT gateway list page.
  2. On the Private NAT Gateways page, click Transit IP Addresses > Assign Transit IP Address.
    Figure 2 Assigning a transit IP address
  3. Configure required parameters based on Table 5.
    Figure 3 Assigning a transit IP address
    Table 5 Parameters for configuring a transit IP address

    Parameter | Example Value | Description
    Transit VPC | VPC-A | The VPC where the transit IP address is located.
    Transit Subnets | subnet-A01 | The subnet from which the transit IP address is assigned. A transit subnet serves as the transit network.
    Transit IP Address | Automatic | How you want the transit IP address to be assigned.

  4. Click OK.

Step 4: Create a Private NAT Gateway

  1. Go to the Buy Private NAT Gateway page.
  2. Configure the basic information about the private NAT gateway. For details about the key parameters, see Table 6. Use the default values for other parameters.
    Table 6 Parameter descriptions

    Parameter | Example Value | Description
    Name | private_nat_gateway | The name of the private NAT gateway.
    VPC | VPC-B | The VPC where the private NAT gateway is created.
    Subnet | subnet-B01 | The subnet where the private NAT gateway is created.
    Specifications | Small | The specifications of the private NAT gateway.

  3. Click Next.

Step 5: Add a DNAT Rule

  1. Go to the private NAT gateway list page.
  2. On the Private NAT Gateways page, click the name of the private NAT gateway on which you need to add a DNAT rule.
  3. On the private NAT gateway details page, click the DNAT Rules tab.
  4. Click Add DNAT Rule.
  5. Configure required parameters based on Table 7.
    Table 7 Parameter descriptions

    Parameter | Example Value | Description
    Local Network
    Port Type | Specific port | Specific port: The private NAT gateway only forwards requests with a specific protocol and port on the transit IP address to the specified port of the target server.
    Protocol | TCP | The protocol can be TCP or UDP.
    Instance Type | Load balancer | Select the instance that provides services accessible from the external private network. In this example, select ELB01 created in Step 1.
    Internal Port | 80 | The port used by the instance to provide services accessible from the external private network.
    Transit Network
    Transit IP Address | 192.168.0.144 | Select the transit IP address that will be used to access on-premises data centers or other VPCs. In this example, select the transit IP address assigned in Step 3.
    Transit IP Address Port | 80 | The transit IP address port that will be used to access the load balancer.

  6. Click OK. Once the DNAT rule is created, its status changes to Running.
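The following is an added example, not part of this page or of the cloud provider's tooling: a small Python validator that checks a DNAT plan like the one in Table 7 against the resource plan in Table 1 and the constraint stated under Constraints (a load balancer may be reached through transit IP addresses in only one VPC). The VPC, subnet and rule values are copied from this page; the DnatRule fields and the check that the transit subnet lies outside the gateway's own VPC are assumptions made for this practice.

```python
import ipaddress
from dataclasses import dataclass

# Constructed from the resource plan on this page (Tables 1, 5 and 7).
VPCS = {"VPC-A": "192.168.0.0/16", "VPC-B": "10.0.0.0/16"}
SUBNETS = {"subnet-A01": ("VPC-A", "192.168.0.0/24"),
           "subnet-B01": ("VPC-B", "10.0.0.0/24")}

@dataclass(frozen=True)
class DnatRule:              # hypothetical model of one DNAT rule (assumption)
    gateway_vpc: str         # VPC the private NAT gateway is created in
    transit_subnet: str      # subnet the transit IP address was assigned from
    transit_ip: str
    transit_port: int
    protocol: str
    instance_type: str       # "Load balancer" in this practice
    instance: str            # name of the target instance, e.g. ELB01
    internal_port: int

PAGE_RULE = DnatRule("VPC-B", "subnet-A01", "192.168.0.144", 80, "TCP",
                     "Load balancer", "ELB01", 80)

def validate_plan(vpcs, subnets, rules):
    """Return the problems found; an empty list means the plan is consistent."""
    problems = []
    nets = {n: ipaddress.ip_network(c) for n, c in vpcs.items()}
    names = sorted(nets)
    for i, a in enumerate(names):          # bridged VPCs must not overlap
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} and {b} have overlapping CIDR blocks")
    for sname, (vpc, cidr) in subnets.items():
        if not ipaddress.ip_network(cidr).subnet_of(nets[vpc]):
            problems.append(f"{sname} is not inside {vpc}")
    lb_transit_vpcs = {}                   # load balancer -> VPCs of its transit IPs
    for r in rules:
        vpc, cidr = subnets[r.transit_subnet]
        if ipaddress.ip_address(r.transit_ip) not in ipaddress.ip_network(cidr):
            problems.append(f"transit IP {r.transit_ip} is not in {r.transit_subnet}")
        if vpc == r.gateway_vpc:           # this practice puts the transit IP in the client VPC
            problems.append(f"transit subnet {r.transit_subnet} is in the gateway VPC {vpc}")
        if not all(1 <= p <= 65535 for p in (r.transit_port, r.internal_port)):
            problems.append(f"port out of range in rule for {r.instance}")
        if r.instance_type == "Load balancer":
            lb_transit_vpcs.setdefault(r.instance, set()).add(vpc)
    for lb, vpcset in lb_transit_vpcs.items():   # page constraint: one transit VPC per load balancer
        if len(vpcset) > 1:
            problems.append(f"{lb} is reached from transit IPs in several VPCs: {sorted(vpcset)}")
    return problems
```

Running validate_plan(VPCS, SUBNETS, [PAGE_RULE]) returns an empty list for the plan on this page; adding a second rule that targets ELB01 from a transit subnet in another VPC reports the constraint violation.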

Step 6: Verify the Network Connectivity

  1. Remotely log in to ECS-B and start the backend application of ELB01.

    Multiple methods are available for logging in to an ECS. For details, see Logging In to an ECS.

    Example command:
    python3 -m http.server 80
    Figure 4 Starting backend application of ELB01
  2. Remotely log in to ECS-A.
  3. Run the following command to check the network connectivity:
    curl http://${transit-IP-address}

    If information similar to the following is displayed, ECS-A can access ELB01 in another VPC.

    Figure 5 Verifying cross-VPC access to the load balancer