# Create a Public NAT Gateway

Public NAT gateways enable instances to access the Internet via network address translation (NAT), preventing address exposure and enhancing security.

## Prerequisites

* You can create an elastic IP in advance for the SNAT rule configuration. See [Create an Elastic IPv4](/welcome/elastic-compute/get-started/manage-networking/create-an-elastic-ipv4.md) for more details.
* The public NAT gateway supports IPv4 traffic only. If the subnet allows IPv6 public access, IPv6 traffic may bypass the NAT gateway and connect to the Internet directly. Avoid enabling the public IPv6 stack for associated subnets.
* DNAT rules can only be configured when the public NAT gateway is associated with Elastic IPs.

## Procedures

{% stepper %}
{% step %}

#### Select NAT gateway region

Choose the region where you want your NAT gateway to be located.
{% endstep %}

{% step %}

#### Attach NAT gateway to subnets

Select the global VPC and subnets you want to associate with. Instances within the selected subnets can access the Internet via the NAT gateway.

* You can select all subnets within a global VPC, including the future subnets in this VPC. In this way, all instances with the global VPC can access the Internet.
* As the NAT gateway only supports IPv4 traffic, avoid enabling the public IPv6 stack for associated subnets.
* If no desired VPC and subnets exist, click **New Global VPC** or **New Subnet** to create new ones. See [Create a Global VPC](/welcome/elastic-compute/get-started/manage-networking/create-a-global-vpc.md) and [Create a Subnet](/welcome/bare-metal/get-started/create-a-subnet.md) for more details.

{% hint style="info" %} <mark style="color:blue;">**Note**</mark>

<mark style="color:blue;">When you select all subnets in a global VPC during configuration, the NAT gateway will exclusively occupy the entire VPC. You cannot create another NAT gateway in the same VPC.</mark>
{% endhint %}
{% endstep %}

{% step %}

#### Associate NAT gateway to a security group

Select a security group to achieve fine-grained traffic control. If none exists, click **New Security Group** to create one. See [Create a Security Group](/welcome/elastic-compute/get-started/manage-network-security/create-a-security-group.md) for more details.
{% endstep %}

{% step %}

#### (Optional) Enable SNAT to Access Public Network

1. Check **Enable SNAT to Access Public Network** to apply default SNAT rules to map private IPs to public IPs for secure internet access.
2. Select elastic IPv4 addresses and the public egress IP addresses. If you want to customize and edit the SNAT rules, go to the details page and adjust them in **NAT Rules**.
   {% endstep %}

{% step %}

#### Label NAT gateway

Enter a name for the gateway.
{% endstep %}

{% step %}

#### Select the resource group

Select a resource group where the NAT gateway belongs.
{% endstep %}
{% endstepper %}

## Results

Once created, the NAT gateway will appear in the Public NAT Gateway list. A NAT gateway route will be generated automatically and can only be deleted with the NAT gateway.

<figure><img src="/files/HcmmVaBhbhDCFJUii9eb" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/zeUT4VBS3NAZkjw85Jdz" alt=""><figcaption></figcaption></figure>

## What to Do Next

{% stepper %}
{% step %}

#### Bind elastic IPs to the NAT gateway

A public NAT gateway functions properly only once it is associated with an elastic IP.

If SNAT was enabled during the creation of the NAT gateway, at least one elastic IP has already been bound. In this case, you can skip the following steps or choose to bind additional elastic IPs.

If SNAT was not enabled, please follow the steps below to bind elastic IPs to the NAT gateway.

1. Click the NAT gateway name to view the details page.
2. Go to **Information** > **Bound elastic IPv4 addresses** > **Bind Elastic IPv4**.
3. Select the desired IPs in Selector or enter IPv4 addresses in Parser, and click <img src="/files/29SVw2aMdKD9KmfZqfkr" alt="" data-size="line">.

   <figure><img src="/files/7i05gYfoebBshRjnq5u6" alt=""><figcaption></figcaption></figure>
4. Click **Confirm** to finish binding.
   {% endstep %}

{% step %}

#### Configure NAT rules

After binding elastic IPs, you can configure NAT rules in **NAT Rules** on the details page.

<figure><img src="/files/fQoJOw6c3Zb7iK9vyxqa" alt=""><figcaption></figcaption></figure>

See [Configure SNAT Rules](/welcome/elastic-compute/get-started/manage-networking/create-a-public-nat-gateway/configure-snat-rules.md) and [Configure DNAT Rules](/welcome/elastic-compute/get-started/manage-networking/create-a-public-nat-gateway/configure-dnat-rules.md) for more details.
{% endstep %}
{% endstepper %}


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.console.zenlayer.com/welcome/elastic-compute/get-started/manage-networking/create-a-public-nat-gateway.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.