Create a Public NAT Gateway

Public NAT gateways enable instances to access the Internet via network address translation (NAT), preventing address exposure and enhancing security.

Prerequisites

  • You can create an elastic IP in advance for the SNAT rule configuration. See Create an Elastic IPv4 for more details.

  • The public NAT gateway supports IPv4 traffic only. If the subnet allows IPv6 public access, IPv6 traffic may bypass the NAT gateway and connect to the Internet directly. Avoid enabling the public IPv6 stack for associated subnets.

  • DNAT rules can only be configured when the public NAT gateway is associated with Elastic IPs.

Procedures

1. Select NAT gateway region

Choose the region where you want your NAT gateway to be located.

2. Attach NAT gateway to subnets

Select the global VPC and subnets you want to associate with. Instances within the selected subnets can access the Internet via the NAT gateway.

  • You can select all subnets within a global VPC, including the future subnets in this VPC. In this way, all instances within the global VPC can access the Internet.

  • As the NAT gateway only supports IPv4 traffic, avoid enabling the public IPv6 stack for associated subnets.

  • If no desired VPC and subnets exist, click New Global VPC or New Subnet to create new ones. See Create a Global VPC and Create a Subnet for more details.

3. Associate NAT gateway with a security group

Select a security group to achieve fine-grained traffic control. If none exists, click New Security Group to create one. See Create a Security Group for more details.

4. (Optional) Enable SNAT to Access Public Network

  1. Select the Enable SNAT to Access Public Network check box to apply default SNAT rules, which map private IPs to public IPs for secure Internet access.

  2. Select elastic IPv4 addresses and the public egress IP addresses. If you want to customize and edit the SNAT rules, go to the details page and adjust them in NAT Rules.

5. Label NAT gateway

Enter a name for the gateway.

6. Select the resource group

Select the resource group to which the NAT gateway belongs.

Results

Once created, the NAT gateway will appear in the Public NAT Gateway list. A NAT gateway route will be generated automatically and can only be deleted with the NAT gateway.

What to Do Next

1. Bind elastic IPs to the NAT gateway

A public NAT gateway functions properly only once it is associated with an elastic IP.

If SNAT was enabled during the creation of the NAT gateway, at least one elastic IP has already been bound. In this case, you can skip the following steps or choose to bind additional elastic IPs.

If SNAT was not enabled, please follow the steps below to bind elastic IPs to the NAT gateway.

  1. Click the NAT gateway name to view the details page.

  2. Go to Information > Bound elastic IPv4 addresses > Bind Elastic IPv4.

  3. Select the desired IPs in Selector or enter IPv4 addresses in Parser, and click .

  4. Click Confirm to finish binding.

2. Configure NAT rules

After binding elastic IPs, you can configure NAT rules in NAT Rules on the details page.

See Configure SNAT Rules and Configure DNAT Rules for more details.
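The constraints stated on this page (IPv4-only translation, IPv6 bypass on associated subnets, and the elastic IP requirement for DNAT and for a working gateway) can be checked against a planned or exported configuration. The following is an added example, not the provider's tooling or API: the plan layout, field names, and finding codes are hypothetical, and the sample data is constructed.

```python
import ipaddress

# Constructed sample plan. Field names are hypothetical, not a provider schema.
PLAN = {
    "gateway": {
        "name": "nat-egress-01",
        "attach_all_subnets": False,  # True also covers future subnets
        "subnets": ["app-a", "app-b"],
        "snat_enabled": False,
        "elastic_ips": [],
        "dnat_rules": [{"public_port": 443, "target": "10.0.1.10:443"}],
    },
    "vpc_subnets": {
        "app-a": {"public_ipv6": False},
        "app-b": {"public_ipv6": True},
        "db": {"public_ipv6": True},
    },
}

def audit(plan):
    """Return (code, subject) findings for the constraints listed on this page."""
    gw, subnets = plan["gateway"], plan["vpc_subnets"]
    findings = []
    attached = sorted(subnets) if gw["attach_all_subnets"] else gw["subnets"]
    for name in attached:
        if name not in subnets:
            findings.append(("unknown-subnet", name))
        elif subnets[name]["public_ipv6"]:
            # IPv6 traffic may leave directly instead of through the gateway.
            findings.append(("ipv6-bypass", name))
    usable = []
    for raw in gw["elastic_ips"]:
        try:
            addr = ipaddress.ip_address(raw)
        except ValueError:
            findings.append(("invalid-eip", raw))
            continue
        if addr.version == 4:
            usable.append(addr)
        else:
            findings.append(("eip-not-ipv4", raw))  # gateway is IPv4 only
    if not usable:
        findings.append(("no-eip-bound", gw["name"]))
        if gw["dnat_rules"]:
            findings.append(("dnat-without-eip", gw["name"]))
        if gw["snat_enabled"]:
            findings.append(("snat-without-eip", gw["name"]))
    return findings

if __name__ == "__main__":
    for code, subject in audit(PLAN):
        print(f"{code}: {subject}")
```

An empty result means none of the page's stated constraints is violated by the plan; it says nothing about security group rules, which need their own review.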
