Create a Public NAT Gateway
Public NAT gateways enable instances to access the Internet via network address translation (NAT), preventing address exposure and enhancing security.
Prerequisites
You can create an elastic IP in advance for the SNAT rule configuration. See Create an Elastic IPv4 for more details.
The public NAT gateway supports IPv4 traffic only. If the subnet allows IPv6 public access, IPv6 traffic may bypass the NAT gateway and connect to the Internet directly. Avoid enabling the public IPv6 stack for associated subnets.
DNAT rules can only be configured when the public NAT gateway is associated with Elastic IPs.
Procedures
Attach NAT gateway to subnets
Select the global VPC and subnets you want to associate with. Instances within the selected subnets can access the Internet via the NAT gateway.
You can select all subnets within a global VPC, including the future subnets in this VPC. In this way, all instances with the global VPC can access the Internet.
As the NAT gateway only supports IPv4 traffic, avoid enabling the public IPv6 stack for associated subnets.
If no desired VPC and subnets exist, click New Global VPC or New Subnet to create new ones. See Create a Global VPC and Create a Subnet for more details.
Associate NAT gateway to a security group
Select a security group to achieve fine-grained traffic control. If none exists, click New Security Group to create one. See Create a Security Group for more details.
(Optional) Enable SNAT to Access Public Network
Check Enable SNAT to Access Public Network to apply default SNAT rules to map private IPs to public IPs for secure internet access.
Select elastic IPv4 addresses and the public egress IP addresses. If you want to customize and edit the SNAT rules, go to the details page and adjust them in NAT Rules.
Results
Once created, the NAT gateway will appear in the Public NAT Gateway list. A NAT gateway route will be generated automatically and can only be deleted with the NAT gateway.


What to Do Next
Bind elastic IPs to the NAT gateway
A public NAT gateway functions properly only once it is associated with an elastic IP.
If SNAT was enabled during the creation of the NAT gateway, at least one elastic IP has already been bound. In this case, you can skip the following steps or choose to bind additional elastic IPs.
If SNAT was not enabled, please follow the steps below to bind elastic IPs to the NAT gateway.
Click the NAT gateway name to view the details page.
Go to Information > Bound elastic IPv4 addresses > Bind Elastic IPv4.
Select the desired IPs in Selector or enter IPv4 addresses in Parser, and click
.
Click Confirm to finish binding.
Configure NAT rules
After binding elastic IPs, you can configure NAT rules in NAT Rules on the details page.

See Configure SNAT Rules and Configure DNAT Rules for more details.
Last updated